
Bug 936133 (CVE-2024-39908)

Summary: <dev-ruby/rexml-3.3.2: Denial of Service
Product: Gentoo Security Reporter: Hans de Graaff <graaff>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: ruby
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/
Whiteboard: A3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 938711    
Bug Blocks:    

Description Hans de Graaff gentoo-dev Security 2024-07-16 04:10:54 UTC
There is a DoS vulnerability in REXML gem. This vulnerability has been assigned the CVE identifier CVE-2024-39908. We strongly recommend upgrading the REXML gem.

Details

When it parses an XML that has many specific characters such as <, 0 and %>, REXML gem may take a long time.

Please update REXML gem to version 3.3.2 or later.

Affected versions

    REXML gem 3.3.2 or prior
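Added example (not code from this bug report, the Gentoo ebuild, or the ruby-lang advisory): a small Ruby wrapper that flags a REXML older than the 3.3.2 fix named above and that parses untrusted XML under an input-size cap and a wall-clock budget, so a parse that runs long the way the advisory describes is aborted instead of tying up the process. The 3.3.2 threshold comes from the advisory; the cap and budget values, the `UntrustedXmlError` class and the helper names are assumptions chosen for illustration, and `REXML::VERSION` is the gem's own version constant.

```ruby
# Added example, not from the Gentoo bug or the REXML project.
# Mitigates the class of problem in CVE-2024-39908 (a slow parse on
# specially shaped input) by bounding what an untrusted document can
# cost, and reports whether the loaded REXML predates the fixed release.
require "rexml/document"
require "timeout"
require "rubygems"

# First release the advisory names as fixed (assumption: taken from the
# advisory text, not computed from the gem).
FIXED_REXML = Gem::Version.new("3.3.2")

# Raised for any input we refuse to finish parsing.
class UntrustedXmlError < StandardError; end

# True when the given REXML version (default: the one loaded) is below 3.3.2.
def rexml_vulnerable?(version = REXML::VERSION)
  Gem::Version.new(version) < FIXED_REXML
end

# Parse XML from an untrusted source with two guards:
#   * max_bytes: refuse oversized documents before touching the parser
#   * seconds:   abort the parse if it exceeds a wall-clock budget
# Both limits are illustrative defaults; tune them for the real workload.
def parse_untrusted_xml(xml, max_bytes: 1_000_000, seconds: 2.0)
  if xml.bytesize > max_bytes
    raise UntrustedXmlError,
          "input of #{xml.bytesize} bytes exceeds #{max_bytes}-byte cap"
  end
  # REXML is pure Ruby, so Timeout's interrupt thread can preempt it;
  # this would not be a reliable guard around a native parser.
  Timeout.timeout(seconds) { REXML::Document.new(xml) }
rescue Timeout::Error
  raise UntrustedXmlError,
        "parse exceeded #{seconds}s budget; treating input as hostile"
rescue REXML::ParseException => e
  raise UntrustedXmlError, "malformed XML: #{e.message}"
end

if $PROGRAM_NAME == __FILE__
  status = rexml_vulnerable? ? "VULNERABLE (< 3.3.2)" : "fixed (>= 3.3.2)"
  puts "REXML #{REXML::VERSION}: #{status}"
  # Constructed benign input, used only to show the normal path.
  doc = parse_untrusted_xml('<config><entry key="a">1</entry></config>')
  puts "parsed root <#{doc.root.name}> with #{doc.root.elements.size} child"
end
```

The version check is the first thing to run on a host that cannot be upgraded immediately, since a vulnerable REXML is also pulled in indirectly by many Ruby gems; the timeout wrapper is a stopgap, not a substitute for moving to 3.3.2 or later.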
Comment 1 Larry the Git Cow gentoo-dev 2024-07-16 04:16:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3a5d544965987cbe350279c2a5398308c518610

commit d3a5d544965987cbe350279c2a5398308c518610
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2024-07-16 04:15:20 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-07-16 04:15:47 +0000

    dev-ruby/rexml: add 3.3.2
    
    Bug: https://bugs.gentoo.org/936133
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/rexml/Manifest           |  1 +
 dev-ruby/rexml/rexml-3.3.2.ebuild | 40 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2024-10-13 06:39:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a016c2eb975bae51ce405dd58aad7ef41242dedc

commit a016c2eb975bae51ce405dd58aad7ef41242dedc
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2024-10-13 06:38:08 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-10-13 06:38:22 +0000

    dev-ruby/rexml: drop 3.2.8, 3.3.4, 3.3.5
    
    Bug: https://bugs.gentoo.org/937114
    Bug: https://bugs.gentoo.org/936133
    Bug: https://bugs.gentoo.org/938298
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/rexml/Manifest           |  3 ---
 dev-ruby/rexml/rexml-3.2.8.ebuild | 40 ---------------------------------------
 dev-ruby/rexml/rexml-3.3.4.ebuild | 40 ---------------------------------------
 dev-ruby/rexml/rexml-3.3.5.ebuild | 40 ---------------------------------------
 4 files changed, 123 deletions(-)