add patch for ruby CVE-2024-35176 (#9267)

Co-authored-by: minghe <rmhsawyer>
Co-authored-by: Mykhailo Bykhovtsev <108374904+mbykhovtsev-ms@users.noreply.github.com>

Author: rmhsawyer

SPECS/ruby/CVE-2024-35176.patch

@@ -0,0 +1,150 @@
+Patch taken from https://github.com/ruby/rexml/pull/126/files#diff-93b40740603234e79b1d9be5ff2b3af80f3964a146183cbd698f14d7336726e9
+diff -ruN a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+--- a/.bundle/gems/rexml-3.2.5/lib/parsers/baseparser.rb	2021-04-05 04:43:38.000000000 -0700
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb	2024-05-28 18:53:32.656078157 -0700
+@@ -589,60 +589,41 @@
+       def parse_attributes(prefixes, curr_ns)
+         attributes = {}
+         closed = false
+-        match_data = @source.match(/^(.*?)(\/)?>/um, true)
+-        if match_data.nil?
+-          message = "Start tag isn't ended"
+-          raise REXML::ParseException.new(message, @source)
+-        end
+-
+-        raw_attributes = match_data[1]
+-        closed = !match_data[2].nil?
+-        return attributes, closed if raw_attributes.nil?
+-        return attributes, closed if raw_attributes.empty?
+-
+-        scanner = StringScanner.new(raw_attributes)
+-        until scanner.eos?
+-          if scanner.scan(/\s+/)
+-            break if scanner.eos?
+-          end
+-
+-          pos = scanner.pos
+-          loop do
+-            break if scanner.scan(ATTRIBUTE_PATTERN)
+-            unless scanner.scan(QNAME)
+-              message = "Invalid attribute name: <#{scanner.rest}>"
+-              raise REXML::ParseException.new(message, @source)
+-            end
+-            name = scanner[0]
+-            unless scanner.scan(/\s*=\s*/um)
++        while true
++          if @source.match(">", true)
++            return attributes, closed
++          elsif @source.match("/>", true)
++            closed = true
++            return attributes, closed
++          elsif match = @source.match(QNAME, true)
++            name = match[1]
++            prefix = match[2]
++            local_part = match[3]
++            unless @source.match(/\s*=\s*/um, true)
+               message = "Missing attribute equal: <#{name}>"
+               raise REXML::ParseException.new(message, @source)
+             end
+-            quote = scanner.scan(/['"]/)
+-            unless quote
++            unless match = @source.match(/(['"])(.*?)\1\s*/um, true)
++              if match = @source.match(/(['"])/, true)
++                message =
++                  "Missing attribute value end quote: <#{name}>: <#{match[1]}>"
++                raise REXML::ParseException.new(message, @source)
++              else
++                message = "Missing attribute value start quote: <#{name}>"
++                raise REXML::ParseException.new(message, @source)
++              end
++            unless match = @source.match(/(['"])/, true)
+               message = "Missing attribute value start quote: <#{name}>"
+               raise REXML::ParseException.new(message, @source)
+             end
+-            unless scanner.scan(/.*#{Regexp.escape(quote)}/um)
+-              match_data = @source.match(/^(.*?)(\/)?>/um, true)
+-              if match_data
+-                scanner << "/" if closed
+-                scanner << ">"
+-                scanner << match_data[1]
+-                scanner.pos = pos
+-                closed = !match_data[2].nil?
+-                next
+-              end
+-              message =
+-                "Missing attribute value end quote: <#{name}>: <#{quote}>"
++            quote = match[1]
++            value = @source.read_until(quote)
++            unless value.chomp!(quote)
++              message = "Missing attribute value end quote: <#{name}>: <#{quote}>"
+               raise REXML::ParseException.new(message, @source)
+             end
+-          end
+-          name = scanner[1]
+-          prefix = scanner[2]
+-          local_part = scanner[3]
+-          # quote = scanner[4]
+-          value = scanner[5]
++            value = match[2]
++            @source.match(/\s*/um, true)
+           if prefix == "xmlns"
+             if local_part == "xml"
+               if value != "http://www.w3.org/XML/1998/namespace"
+diff -ruN a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb	2021-04-05 04:43:38.000000000 -0700
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb	2024-05-28 17:10:36.356913505 -0700
+@@ -81,7 +81,11 @@
+       rv
+     end
+ 
+-    def read
++    def read(term = nil)
++    end
++
++    def read_until(term)
++      @scanner.scan_until(Regexp.union(term)) or @scanner.rest
+     end
+ 
+     def consume( pattern )
+@@ -204,11 +208,28 @@
+       rv
+     end
+ 
+-    def read
++    def read(term = nil)
+       begin
+-        @buffer << readline
++        @scanner << readline(term)
++        true
+       rescue Exception, NameError
+         @source = nil
++        false
++      end
++    end
++
++    def read_until(term)
++      pattern = Regexp.union(term)
++      data = []
++      begin
++        until str = @scanner.scan_until(pattern)
++          @scanner << readline(term)
++        end
++      rescue EOFError
++        @scanner.rest
++      else
++        read if @scanner.eos? and !@source.eof?
++        str
+       end
+     end
+ 
+@@ -263,8 +284,8 @@
+     end
+ 
+     private
+-    def readline
+-      str = @source.readline(@line_break)
++    def readline(term = nil)
++      str = @source.readline(term || @line_break)
+       if @pending_buffer
+         if str.nil?
+           str = @pending_buffer

SPECS/ruby/ruby.spec

@@ -83,7 +83,7 @@ Name:           ruby
 # provides should be versioned according to the ruby version.
 # More info: https://stdgems.org/
 Version:        3.1.4
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        (Ruby OR BSD) AND Public Domain AND MIT AND CC0 AND zlib AND UCD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -102,6 +102,8 @@ Patch0:         CVE-2023-36617.patch
 Patch1:         CVE-2024-27280.patch
 Patch2:         CVE-2024-27281.patch
 Patch3:         CVE-2024-27282.patch
+# Patch no longer needed if REXML gem is 3.2.7 or later. Now is 3.2.5
+Patch4:         CVE-2024-35176.patch
 BuildRequires:  openssl-devel
 BuildRequires:  readline
 BuildRequires:  readline-devel
@@ -404,6 +406,9 @@ sudo -u test make test TESTS="-v"
 %{_rpmconfigdir}/rubygems.con
 
 %changelog
+* Thu May 30 2024 Minghe Ren <mingheren@microsoft.com> - 3.1.4-6
+- Patch CVE-2024-35176
+
 * Thu May 16 2024 Jonathan Behrens <jbehrens@microsoft.com> - 3.1.4-5
 - Patch CVE-2024-27282