
Bug 937114 (CVE-2024-41123, CVE-2024-41946)

Summary: <dev-ruby/rexml-3.3.4: DoS Vulnerabilities
Product: Gentoo Security
Reporter: Hans de Graaff <graaff>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: normal
CC: ruby
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 937266
Bug Blocks:

Description Hans de Graaff gentoo-dev Security 2024-08-02 05:16:08 UTC
CVE-2024-41946: DoS vulnerability in REXML

There is a DoS vulnerability in the REXML gem. This vulnerability has been assigned the CVE identifier CVE-2024-41946. We strongly recommend upgrading the REXML gem.

Details

When parsing an XML document that has many entity expansions with the SAX2 or pull parser API, the REXML gem may take a long time.

Please update the REXML gem to version 3.3.3 or later.

CVE-2024-41123: DoS vulnerabilities in REXML

There are some DoS vulnerabilities in the REXML gem. These vulnerabilities have been assigned the CVE identifier CVE-2024-41123. We strongly recommend upgrading the REXML gem.

Details

When parsing an XML document that has many specific characters such as whitespace characters, >] and ]>, the REXML gem may take a long time.

Please update the REXML gem to version 3.3.3 or later.
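To turn the advisory's "3.3.3 or later" into a repeatable check, here is an added Ruby example (not part of this bug report or the REXML project) that parses a constructed Gemfile.lock fragment and flags a locked rexml older than the fixed release; the sample lockfile contents, including the vagrant_cloud version, are assumed values.

```ruby
# Added example, not from the bug report or the REXML project: audit a
# Gemfile.lock for a locked rexml older than the advisory's fixed release.
require "rubygems"

# Fixed version stated in the advisory for CVE-2024-41123 / CVE-2024-41946.
FIXED_REXML = Gem::Version.new("3.3.3")

# Constructed sample Gemfile.lock fragment; the vagrant_cloud version is an
# assumed value, rexml 3.2.8 is the version this bug tracks.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rexml (3.2.8)
      vagrant_cloud (3.1.1)
        rexml (~> 3.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    vagrant_cloud
LOCK

# Collect resolved "name (version)" entries from the specs: section.
# Resolved gems sit at exactly four spaces; the deeper-indented lines under
# them are dependency constraints (e.g. "rexml (~> 3.2)"), not versions.
def locked_versions(lockfile)
  lockfile.each_line.each_with_object({}) do |line, acc|
    next unless line =~ /\A {4}([A-Za-z0-9_.-]+) \(([0-9][^)]*)\)\s*\z/
    acc[Regexp.last_match(1)] = Gem::Version.new(Regexp.last_match(2))
  end
end

# True when rexml is locked below the fixed version (and so still affected).
def vulnerable_rexml?(lockfile)
  version = locked_versions(lockfile)["rexml"]
  !version.nil? && version < FIXED_REXML
end

if __FILE__ == $PROGRAM_NAME
  if vulnerable_rexml?(SAMPLE_LOCKFILE)
    puts "rexml #{locked_versions(SAMPLE_LOCKFILE)['rexml']} < #{FIXED_REXML}: upgrade"
  else
    puts "rexml is at or above #{FIXED_REXML}"
  end
end
```

Point the script at a real lockfile by reading it with File.read in place of SAMPLE_LOCKFILE; the same check applies to any other gem once you swap the name and fixed version.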
Comment 2 Larry the Git Cow gentoo-dev 2024-08-31 06:09:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5ba87e2b82d1a12a4b17f71ed11ad3a00143b8b7

commit 5ba87e2b82d1a12a4b17f71ed11ad3a00143b8b7
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2024-08-31 06:09:14 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-31 06:09:30 +0000

    dev-ruby/rexml: drop 3.2.8
    
    Bug: https://bugs.gentoo.org/937114
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/rexml/Manifest           |  1 -
 dev-ruby/rexml/rexml-3.2.8.ebuild | 40 ---------------------------------------
 2 files changed, 41 deletions(-)
Comment 3 Larry the Git Cow gentoo-dev 2024-08-31 06:51:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4074fda8d1d2baab73dca9cf18c2230c2741420c

commit 4074fda8d1d2baab73dca9cf18c2230c2741420c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-08-31 06:50:46 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-08-31 06:50:46 +0000

    Revert "dev-ruby/rexml: drop 3.2.8"
    
    This reverts commit 5ba87e2b82d1a12a4b17f71ed11ad3a00143b8b7.
    
    dev-ruby/vagrant_cloud needs it still.
    
    Bug: https://bugs.gentoo.org/937114
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-ruby/rexml/Manifest           |  1 +
 dev-ruby/rexml/rexml-3.2.8.ebuild | 40 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2024-10-13 06:39:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a016c2eb975bae51ce405dd58aad7ef41242dedc

commit a016c2eb975bae51ce405dd58aad7ef41242dedc
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2024-10-13 06:38:08 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-10-13 06:38:22 +0000

    dev-ruby/rexml: drop 3.2.8, 3.3.4, 3.3.5
    
    Bug: https://bugs.gentoo.org/937114
    Bug: https://bugs.gentoo.org/936133
    Bug: https://bugs.gentoo.org/938298
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/rexml/Manifest           |  3 ---
 dev-ruby/rexml/rexml-3.2.8.ebuild | 40 ---------------------------------------
 dev-ruby/rexml/rexml-3.3.4.ebuild | 40 ---------------------------------------
 dev-ruby/rexml/rexml-3.3.5.ebuild | 40 ---------------------------------------
 4 files changed, 123 deletions(-)