Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 942432 (CVE-2024-49761) - <dev-ruby/rexml-3.3.9: ReDos vulnerability
Summary: <dev-ruby/rexml-3.3.9: ReDos vulnerability
Status: CONFIRMED
Alias: CVE-2024-49761
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://www.ruby-lang.org/en/news/202...
Whiteboard: B3 [cleanup glsa?]
Keywords:
Depends on: 942433
Blocks:
  Show dependency tree
 
Reported: 2024-10-29 06:33 UTC by Hans de Graaff
Modified: 2024-10-31 15:15 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev Security 2024-10-29 06:33:18 UTC 
here is a ReDoS vulnerability in REXML gem. This vulnerability has been assigned the CVE identifier CVE-2024-49761. We strongly recommend upgrading the REXML gem.

This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03.
Details

When parsing an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;).

Please update REXML gem to version 3.3.9 or later.
Affected versions

    REXML gem 3.3.8 or prior with Ruby 3.1 or prior
Comment 1 Hans de Graaff gentoo-dev Security 2024-10-29 06:34:29 UTC 
Classifying this as a "B" since it only affects ruby 3.1 and that version is no longer the default and won't be present on new installs.