ruby: fix CVE-2024-35176

REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-35176 Upstream-patch: 4325835f92 (From OE-Core rev: a89fcaf0c3ac2afd95e836bc1356832296135696) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-01-01 13:58:04 +00:00 · 2025-11-20 15:07:20 +05:30 · 2025-11-20 15:07:20 +05:30 · f58483837c
commit f58483837c
parent cdc78fd36f
2 changed files with 113 additions and 0 deletions
--- a/meta/recipes-devtools/ruby/ruby/CVE-2024-35176.patch
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-35176.patch
@ -0,0 +1,112 @@
+From 4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb Mon Sep 17 00:00:00 2001
+From: Nobuyoshi Nakada <nobu@ruby-lang.org>
+Date: Thu, 16 May 2024 11:26:51 +0900
+Subject: [PATCH] Read quoted attributes in chunks (#126)
+
+CVE: CVE-2024-35176
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .../lib/rexml/parsers/baseparser.rb           | 20 ++++++-------
+ .bundle/gems/rexml-3.2.5/lib/rexml/source.rb  | 29 +++++++++++++++----
+ 2 files changed, 34 insertions(+), 15 deletions(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index b97beb3..eab942d 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -675,17 +675,17 @@ module REXML
+               message = "Missing attribute equal: <#{name}>"
+               raise REXML::ParseException.new(message, @source)
+             end
+-            unless match = @source.match(/(['"])(.*?)\1\s*/um, true)
+-              if match = @source.match(/(['"])/, true)
+-                message =
+-                  "Missing attribute value end quote: <#{name}>: <#{match[1]}>"
+-                raise REXML::ParseException.new(message, @source)
+-              else
+-                message = "Missing attribute value start quote: <#{name}>"
+-                raise REXML::ParseException.new(message, @source)
+-              end
+            unless match = @source.match(/(['"])/, true)
+              message = "Missing attribute value start quote: <#{name}>"
+              raise REXML::ParseException.new(message, @source)
+            end
+            quote = match[1]
+            value = @source.read_until(quote)
+            unless value.chomp!(quote)
+              message = "Missing attribute value end quote: <#{name}>: <#{quote}>"
+              raise REXML::ParseException.new(message, @source)
+             end
+-            value = match[2]
+            @source.match(/\s*/um, true)
+             if prefix == "xmlns"
+               if local_part == "xml"
+                 if value != "http://www.w3.org/XML/1998/namespace"
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
+index 4111d1d..7132147 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
+@@ -65,7 +65,11 @@ module REXML
+       encoding_updated
+     end
+ 
+-    def read
+    def read(term = nil)
+    end
+
+    def read_until(term)
+      @scanner.scan_until(Regexp.union(term)) or @scanner.rest
+     end
+ 
+     def match(pattern, cons=false)
+@@ -151,9 +155,9 @@ module REXML
+       end
+     end
+ 
+-    def read
+    def read(term = nil)
+       begin
+-        @scanner << readline
+        @scanner << readline(term)
+         true
+       rescue Exception, NameError
+         @source = nil
+@@ -161,6 +165,21 @@ module REXML
+       end
+     end
+ 
+    def read_until(term)
+      pattern = Regexp.union(term)
+      data = []
+      begin
+        until str = @scanner.scan_until(pattern)
+          @scanner << readline(term)
+        end
+      rescue EOFError
+        @scanner.rest
+      else
+        read if @scanner.eos? and !@source.eof?
+        str
+      end
+    end
+
+     def match( pattern, cons=false )
+       read if @scanner.eos? && @source
+       while true
+@@ -205,8 +224,8 @@ module REXML
+     end
+ 
+     private
+-    def readline
+-      str = @source.readline(@line_break)
+    def readline(term = nil)
+      str = @source.readline(term || @line_break)
+       if @pending_buffer
+         if str.nil?
+           str = @pending_buffer
+-- 
+2.40.0
+
--- a/meta/recipes-devtools/ruby/ruby_3.1.3.bb
+++ b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
@ -53,6 +53,7 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
           file://CVE-2024-43398-0003.patch \
           file://CVE-2025-27221-0001.patch \
           file://CVE-2025-27221-0002.patch \
+           file://CVE-2024-35176.patch \
           "
 UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"