Bug 936133 (CVE-2024-39908) - <dev-ruby/rexml-3.3.2: Denial of Service
Summary: <dev-ruby/rexml-3.3.2: Denial of Service
Status: CONFIRMED
Alias: CVE-2024-39908
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.ruby-lang.org/en/news/202...
Whiteboard: A3 [glsa?]
Keywords:
Depends on: 938711
Blocks:
Reported: 2024-07-16 04:10 UTC by Hans de Graaff
Modified: 2024-10-13 06:39 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Hans de Graaff gentoo-dev Security 2024-07-16 04:10:54 UTC
There is a DoS vulnerability in the REXML gem. This vulnerability has been assigned the CVE identifier CVE-2024-39908. We strongly recommend upgrading the REXML gem.

Details

When it parses an XML that has many specific characters such as <, 0 and %>, the REXML gem may take a long time.

Please update REXML gem to version 3.3.2 or later.

Affected versions

    REXML gem 3.3.2 or prior
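Two defensive checks for the advisory above, as an added example that is not part of the bug report or of the REXML project: confirm that the loaded rexml is at least the fixed 3.3.2 release, and parse untrusted XML only under a size cap and a wall-clock budget (both assumed deployment limits) so that a slow-to-parse document cannot hold a worker indefinitely.

```ruby
# Added example (not from the Gentoo bug or the REXML project). The version
# threshold 3.3.2 comes from the advisory; max_bytes and budget_s are assumed
# deployment limits, not values the advisory specifies.
require "rubygems"
require "rexml/document"
require "timeout"

FIXED_REXML = Gem::Version.new("3.3.2")

# True when the given REXML version (default: the one actually loaded) is at
# or past the release the advisory names as fixed. Gem::Version compares
# numerically per segment, so "3.3.10" correctly ranks above "3.3.2".
def rexml_fixed?(version = REXML::VERSION)
  Gem::Version.new(version) >= FIXED_REXML
end

# Parse untrusted XML under a byte cap and a time budget. Returns the
# REXML::Document on success; raises ArgumentError if the input is too large
# and Timeout::Error if parsing exceeds the budget, so the caller can reject
# the request instead of letting one document pin the process.
def parse_bounded(xml, max_bytes: 1_000_000, budget_s: 2)
  if xml.bytesize > max_bytes
    raise ArgumentError, "XML input of #{xml.bytesize} bytes exceeds cap of #{max_bytes}"
  end
  Timeout.timeout(budget_s) { REXML::Document.new(xml) }
end

if __FILE__ == $PROGRAM_NAME
  puts "loaded REXML #{REXML::VERSION} (fixed for CVE-2024-39908: #{rexml_fixed?})"
  # Constructed, benign sample document.
  doc = parse_bounded("<root><item id=\"1\">ok</item></root>")
  puts doc.root.elements["item"].text
end
```

The byte cap and budget are a mitigation for the window before the upgrade lands, not a substitute for moving to 3.3.2 or later.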
Comment 1 Larry the Git Cow gentoo-dev 2024-07-16 04:16:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3a5d544965987cbe350279c2a5398308c518610

commit d3a5d544965987cbe350279c2a5398308c518610
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2024-07-16 04:15:20 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-07-16 04:15:47 +0000

    dev-ruby/rexml: add 3.3.2
    
    Bug: https://bugs.gentoo.org/936133
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/rexml/Manifest           |  1 +
 dev-ruby/rexml/rexml-3.3.2.ebuild | 40 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2024-10-13 06:39:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a016c2eb975bae51ce405dd58aad7ef41242dedc

commit a016c2eb975bae51ce405dd58aad7ef41242dedc
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2024-10-13 06:38:08 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-10-13 06:38:22 +0000

    dev-ruby/rexml: drop 3.2.8, 3.3.4, 3.3.5
    
    Bug: https://bugs.gentoo.org/937114
    Bug: https://bugs.gentoo.org/936133
    Bug: https://bugs.gentoo.org/938298
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/rexml/Manifest           |  3 ---
 dev-ruby/rexml/rexml-3.2.8.ebuild | 40 ---------------------------------------
 dev-ruby/rexml/rexml-3.3.4.ebuild | 40 ---------------------------------------
 dev-ruby/rexml/rexml-3.3.5.ebuild | 40 ---------------------------------------
 4 files changed, 123 deletions(-)