microsoft
/
CBL-Mariner
зеркало из https://github.com/microsoft/CBL-Mariner.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Fix for CVE-2024-39908 in rubygem-rexml (#10188)

This commit is contained in:
bhagyapathak 2024-08-27 09:47:28 +05:30 коммит произвёл GitHub
Родитель cded74d345
Коммит 5216feb6fc
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
4 изменённых файлов: 7 добавлений и 134 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

129
SPECS/rubygem-rexml/add-support-for-old-strscan.patch
Просмотреть файл

@ -1,129 +0,0 @@
From f1df7d13b3e57a5e059273d2f0870163c08d7420 Mon Sep 17 00:00:00 2001
From: Sutou Kouhei <kou@clear-code.com>
Date: Mon, 20 May 2024 12:17:27 +0900
Subject: [PATCH] Add support for old strscan
Fix GH-132
If we support old strscan, users can also use strscan installed as a
default gem.
Reported by Adam. Thanks!!!
---
.github/workflows/test.yml | 32 ++++++++++++++++++++++----------
lib/rexml/parsers/baseparser.rb | 11 +++++++++++
rexml.gemspec | 2 +-
3 files changed, 34 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index fd26b9a..f977de6 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -3,14 +3,14 @@ on:
- push
- pull_request
jobs:
- ruby-versions:
+ ruby-versions-inplace:
uses: ruby/actions/.github/workflows/ruby_versions.yml@master
with:
engine: cruby-jruby
min_version: 2.5
inplace:
- needs: ruby-versions
+ needs: ruby-versions-inplace
name: "Inplace: ${{ matrix.ruby-version }} on ${{ matrix.runs-on }}"
runs-on: ${{ matrix.runs-on }}
strategy:
@@ -20,7 +20,7 @@ jobs:
- ubuntu-latest
- macos-latest
- windows-latest
- ruby-version: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
+ ruby-version: ${{ fromJson(needs.ruby-versions-inplace.outputs.versions) }}
exclude:
- {runs-on: macos-latest, ruby-version: 2.5}
# include:
@@ -47,7 +47,14 @@ jobs:
- name: Test
run: bundle exec rake test RUBYOPT="--enable-frozen-string-literal"
+ ruby-versions-gem:
+ uses: ruby/actions/.github/workflows/ruby_versions.yml@master
+ with:
+ engine: cruby-jruby
+ min_version: 3.0
+
gem:
+ needs: ruby-versions-gem
name: "Gem: ${{ matrix.ruby-version }} on ${{ matrix.runs-on }}"
runs-on: ${{ matrix.runs-on }}
strategy:
@@ -57,21 +64,26 @@ jobs:
- ubuntu-latest
- macos-latest
- windows-latest
- ruby-version:
- - "3.0"
- - head
+ ruby-version: ${{ fromJson(needs.ruby-versions-gem.outputs.versions) }}
steps:
- uses: actions/checkout@v4
- uses: ruby/setup-ruby@v1
with:
ruby-version: ${{ matrix.ruby-version }}
- name: Install as gem
- env:
- BUNDLE_PATH__SYSTEM: "true"
- BUNDLE_WITHOUT: "benchmark:development"
run: |
rake install
- bundle install
+ - name: Install test dependencies on non-Windows
+ if: matrix.runs-on != 'windows-latest'
+ run: |
+ for gem in $(ruby -e 'puts ARGF.read[/^group :test do(.*)^end/m, 1].scan(/"(.+?)"/)' Gemfile); do
+ gem install ${gem}
+ done
+ - name: Install test dependencies on Windows
+ if: matrix.runs-on == 'windows-latest'
+ run: |
+ gem install test-unit
+ gem install test-unit-ruby-core
- name: Test
run: |
ruby -run -e mkdir -- tmp
diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
index d09237c..da051a7 100644
--- a/lib/rexml/parsers/baseparser.rb
+++ b/lib/rexml/parsers/baseparser.rb
@@ -7,6 +7,17 @@
module REXML
module Parsers
+ if StringScanner::Version < "3.0.8"
+ module StringScannerCaptures
+ refine StringScanner do
+ def captures
+ values_at(*(1...size))
+ end
+ end
+ end
+ using StringScannerCaptures
+ end
+
# = Using the Pull Parser
# <em>This API is experimental, and subject to change.</em>
# parser = PullParser.new( "<a>text<b att='val'/>txet</a>" )
diff --git a/rexml.gemspec b/rexml.gemspec
index 97eac65..169e49d 100644
--- a/rexml.gemspec
+++ b/rexml.gemspec
@@ -55,5 +55,5 @@ Gem::Specification.new do |spec|
spec.required_ruby_version = '>= 2.5.0'
- spec.add_runtime_dependency("strscan", ">= 3.0.9")
+ spec.add_runtime_dependency("strscan")
end

2
SPECS/rubygem-rexml/rubygem-rexml.signatures.json
Просмотреть файл

@ -1,5 +1,5 @@
{
"Signatures": {
"rexml-3.2.8.tar.gz": "44c1d11af52fba515380867980ff1e30b3a3d303cb90a7ca89659563969f3444"
"rexml-3.3.4.tar.gz": "c6ab9da9502b2a5e824925de5f5774d9222c377d0537393f560fba71e0f868c7"
}
}

6
SPECS/rubygem-rexml/rubygem-rexml.spec
Просмотреть файл

@ -2,7 +2,7 @@
%global gem_name rexml
Summary: REXML is an XML toolkit for Ruby
Name: rubygem-%{gem_name}
Version: 3.2.8
Version: 3.3.4
Release: 1%{?dist}
License: BSD
Vendor: Microsoft Corporation
@ -10,7 +10,6 @@ Distribution: Azure Linux
Group: Development/Languages
URL: https://github.com/ruby/rexml
Source0: https://github.com/ruby/rexml/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz
Patch0: add-support-for-old-strscan.patch
BuildRequires: git
BuildRequires: ruby
Requires: ruby(release)
@ -35,6 +34,9 @@ gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}-
%{gemdir}
%changelog
* Fri Aug 9 2024 Bhagyashri Pathak <bhapathak@microsoft.com> - 3.3.4-1
- Upgrade to 3.3.4 to resolve CVE-2024-39908
* Wed May 22 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 3.2.8-1
- Upgrade to v3.2.8 to fix CVE-2024-35176
- Add patch to support old strscan

4
cgmanifest.json
Просмотреть файл

@ -26654,8 +26654,8 @@
"type": "other",
"other": {
"name": "rubygem-rexml",
"version": "3.2.8",
"downloadUrl": "https://github.com/ruby/rexml/archive/refs/tags/v3.2.8.tar.gz"
"version": "3.3.4",
"downloadUrl": "https://github.com/ruby/rexml/archive/refs/tags/v3.3.4.tar.gz"
}
}
},