Bug 937114 (CVE-2024-41123, CVE-2024-41946) - <dev-ruby/rexml-3.3.4: DoS Vulnerabilities
Summary: <dev-ruby/rexml-3.3.4: DoS Vulnerabilities
Status: CONFIRMED
Alias: CVE-2024-41123, CVE-2024-41946
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa? cleanup]
Keywords:
Depends on: 937266
Blocks:
Reported: 2024-08-02 05:16 UTC by Hans de Graaff
Modified: 2024-08-31 06:58 UTC
See Also:
Package list:
Runtime testing required: ---
Description Hans de Graaff gentoo-dev Security 2024-08-02 05:16:08 UTC
CVE-2024-41946: DoS vulnerability in REXML

There is a DoS vulnerability in the REXML gem. This vulnerability has been assigned the CVE identifier CVE-2024-41946. We strongly recommend upgrading the REXML gem.
Details

When parsing an XML document that has many entity expansions with the SAX2 or pull parser API, the REXML gem may take a long time.

Please update the REXML gem to version 3.3.3 or later.

CVE-2024-41123: DoS vulnerabilities in REXML

There are some DoS vulnerabilities in the REXML gem. These vulnerabilities have been assigned the CVE identifier CVE-2024-41123. We strongly recommend upgrading the REXML gem.
Details

When parsing an XML document that has many specific characters such as whitespace characters, ">]" and "]>", the REXML gem may take a long time.

Please update the REXML gem to version 3.3.3 or later.
Comment 2 Larry the Git Cow gentoo-dev 2024-08-31 06:09:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5ba87e2b82d1a12a4b17f71ed11ad3a00143b8b7

commit 5ba87e2b82d1a12a4b17f71ed11ad3a00143b8b7
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2024-08-31 06:09:14 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-31 06:09:30 +0000

    dev-ruby/rexml: drop 3.2.8
    
    Bug: https://bugs.gentoo.org/937114
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/rexml/Manifest           |  1 -
 dev-ruby/rexml/rexml-3.2.8.ebuild | 40 ---------------------------------------
 2 files changed, 41 deletions(-)
Comment 3 Larry the Git Cow gentoo-dev 2024-08-31 06:51:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4074fda8d1d2baab73dca9cf18c2230c2741420c

commit 4074fda8d1d2baab73dca9cf18c2230c2741420c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-08-31 06:50:46 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-08-31 06:50:46 +0000

    Revert "dev-ruby/rexml: drop 3.2.8"
    
    This reverts commit 5ba87e2b82d1a12a4b17f71ed11ad3a00143b8b7.
    
    dev-ruby/vagrant_cloud needs it still.
    
    Bug: https://bugs.gentoo.org/937114
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-ruby/rexml/Manifest           |  1 +
 dev-ruby/rexml/rexml-3.2.8.ebuild | 40 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)