[AUTO-CHERRYPICK] Add patch for CVE-2024-41946 to ruby and rubygem-rexml - branch main (#10510)

Co-authored-by: Harshit Gupta <harshitgupta1337@gmail.com>

Author: CBL-Mariner-Bot

SPECS/ruby/CVE-2024-41946.patch

@@ -0,0 +1,111 @@
+From c5565ff926fde19da10b7b4b1b9768d5dadb67e1 Mon Sep 17 00:00:00 2001
+From: Harshit Gupta <guptaharshit@microsoft.com>
+Date: Thu, 19 Sep 2024 06:30:45 -0700
+Subject: [PATCH] Apply patch for CVE-2024-41946
+
+---
+ .../lib/rexml/parsers/baseparser.rb           | 19 ++++++++++++++++++-
+ .../lib/rexml/parsers/pullparser.rb           |  4 ++++
+ .../lib/rexml/parsers/sax2parser.rb           |  4 ++++
+ 3 files changed, 26 insertions(+), 1 deletion(-)
+
+Based on upstream commit
+https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index ee30e17..30e8d65 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -115,6 +115,7 @@ module REXML
+       def initialize( source )
+         self.stream = source
+         @listeners = []
++        @entity_expansion_count = 0
+       end
+ 
+       def add_listener( listener )
+@@ -122,6 +123,7 @@ module REXML
+       end
+ 
+       attr_reader :source
++      attr_reader :entity_expansion_count
+ 
+       def stream=( source )
+         @source = SourceFactory.create_from( source )
+@@ -438,7 +440,9 @@ module REXML
+       def entity( reference, entities )
+         value = nil
+         value = entities[ reference ] if entities
+-        if not value
++        if value
++          record_entity_expansion
++        else
+           value = DEFAULT_ENTITIES[ reference ]
+           value = value[2] if value
+         end
+@@ -474,12 +478,17 @@ module REXML
+         }
+         matches.collect!{|x|x[0]}.compact!
+         if matches.size > 0
++          sum = 0
+           matches.each do |entity_reference|
+             unless filter and filter.include?(entity_reference)
+               entity_value = entity( entity_reference, entities )
+               if entity_value
+                 re = /&#{entity_reference};/
+                 rv.gsub!( re, entity_value )
++                sum += rv.bytesize
++                if sum > Security.entity_expansion_text_limit
++                  raise "entity expansion has grown too large"
++                end
+               else
+                 er = DEFAULT_ENTITIES[entity_reference]
+                 rv.gsub!( er[0], er[2] ) if er
+@@ -492,6 +501,14 @@ module REXML
+       end
+ 
+       private
++
++      def record_entity_expansion
++        @entity_expansion_count += 1
++        if @entity_expansion_count > Security.entity_expansion_limit
++          raise "number of entity expansions exceeded, processing aborted."
++        end
++      end
++
+       def need_source_encoding_update?(xml_declaration_encoding)
+         return false if xml_declaration_encoding.nil?
+         return false if /\AUTF-16\z/i =~ xml_declaration_encoding
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/pullparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/pullparser.rb
+index f8b232a..36b4595 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/pullparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/pullparser.rb
+@@ -47,6 +47,10 @@ module REXML
+         @listeners << listener
+       end
+ 
++      def entity_expansion_count
++        @parser.entity_expansion_count
++      end
++
+       def each
+         while has_next?
+           yield self.pull
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/sax2parser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/sax2parser.rb
+index 6a24ce2..01cb469 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/sax2parser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/sax2parser.rb
+@@ -22,6 +22,10 @@ module REXML
+         @parser.source
+       end
+ 
++      def entity_expansion_count
++        @parser.entity_expansion_count
++      end
++
+       def add_listener( listener )
+         @parser.add_listener( listener )
+       end
+-- 
+2.34.1
+

SPECS/ruby/ruby.spec

@@ -83,7 +83,7 @@ Name:           ruby
 # provides should be versioned according to the ruby version.
 # More info: https://stdgems.org/
 Version:        3.1.4
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        (Ruby OR BSD) AND Public Domain AND MIT AND CC0 AND zlib AND UCD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -104,6 +104,8 @@ Patch2:         CVE-2024-27281.patch
 Patch3:         CVE-2024-27282.patch
 # Patch no longer needed if REXML gem is 3.2.7 or later. Now is 3.2.5
 Patch4:         CVE-2024-35176.patch
+# Patch no longer needed if REXML gem is 3.3.3 or later. Now is 3.2.5
+Patch5:         CVE-2024-41946.patch
 BuildRequires:  openssl-devel
 BuildRequires:  readline
 BuildRequires:  readline-devel
@@ -406,6 +408,9 @@ sudo -u test make test TESTS="-v"
 %{_rpmconfigdir}/rubygems.con
 
 %changelog
+* Thu Sep 19 2024 Harshit Gupta <guptaharshit@microsoft.com> - 3.1.4-7
+- Patch CVE-2024-41946
+
 * Thu May 30 2024 Minghe Ren <mingheren@microsoft.com> - 3.1.4-6
 - Patch CVE-2024-35176
 

SPECS/rubygem-rexml/CVE-2024-41946.patch

@@ -0,0 +1,111 @@
+From f91985dc627c487b3d03b0f83b1087515dd92f7c Mon Sep 17 00:00:00 2001
+From: Harshit Gupta <guptaharshit@microsoft.com>
+Date: Thu, 19 Sep 2024 07:30:21 -0700
+Subject: [PATCH] Apply CVE-2024-41946.patch
+
+---
+ lib/rexml/parsers/baseparser.rb | 19 ++++++++++++++++++-
+ lib/rexml/parsers/pullparser.rb |  4 ++++
+ lib/rexml/parsers/sax2parser.rb |  4 ++++
+ 3 files changed, 26 insertions(+), 1 deletion(-)
+
+Based on upstream commit
+https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368
+
+diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
+index d09237c..61f6787 100644
+--- a/lib/rexml/parsers/baseparser.rb
++++ b/lib/rexml/parsers/baseparser.rb
+@@ -128,6 +128,7 @@ module REXML
+       def initialize( source )
+         self.stream = source
+         @listeners = []
++        @entity_expansion_count = 0
+       end
+ 
+       def add_listener( listener )
+@@ -135,6 +136,7 @@ module REXML
+       end
+ 
+       attr_reader :source
++      attr_reader :entity_expansion_count
+ 
+       def stream=( source )
+         @source = SourceFactory.create_from( source )
+@@ -446,7 +448,9 @@ module REXML
+       def entity( reference, entities )
+         value = nil
+         value = entities[ reference ] if entities
+-        if not value
++        if value
++          record_entity_expansion
++        else
+           value = DEFAULT_ENTITIES[ reference ]
+           value = value[2] if value
+         end
+@@ -481,12 +485,17 @@ module REXML
+         }
+         matches.collect!{|x|x[0]}.compact!
+         if matches.size > 0
++          sum = 0
+           matches.each do |entity_reference|
+             unless filter and filter.include?(entity_reference)
+               entity_value = entity( entity_reference, entities )
+               if entity_value
+                 re = /&#{entity_reference};/
+                 rv.gsub!( re, entity_value )
++                sum += rv.bytesize
++                if sum > Security.entity_expansion_text_limit
++                  raise "entity expansion has grown too large"
++                end
+               else
+                 er = DEFAULT_ENTITIES[entity_reference]
+                 rv.gsub!( er[0], er[2] ) if er
+@@ -499,6 +508,14 @@ module REXML
+       end
+ 
+       private
++
++      def record_entity_expansion
++        @entity_expansion_count += 1
++        if @entity_expansion_count > Security.entity_expansion_limit
++          raise "number of entity expansions exceeded, processing aborted."
++        end
++      end
++
+       def need_source_encoding_update?(xml_declaration_encoding)
+         return false if xml_declaration_encoding.nil?
+         return false if /\AUTF-16\z/i =~ xml_declaration_encoding
+diff --git a/lib/rexml/parsers/pullparser.rb b/lib/rexml/parsers/pullparser.rb
+index f8b232a..36b4595 100644
+--- a/lib/rexml/parsers/pullparser.rb
++++ b/lib/rexml/parsers/pullparser.rb
+@@ -47,6 +47,10 @@ module REXML
+         @listeners << listener
+       end
+ 
++      def entity_expansion_count
++        @parser.entity_expansion_count
++      end
++
+       def each
+         while has_next?
+           yield self.pull
+diff --git a/lib/rexml/parsers/sax2parser.rb b/lib/rexml/parsers/sax2parser.rb
+index 6a24ce2..01cb469 100644
+--- a/lib/rexml/parsers/sax2parser.rb
++++ b/lib/rexml/parsers/sax2parser.rb
+@@ -22,6 +22,10 @@ module REXML
+         @parser.source
+       end
+ 
++      def entity_expansion_count
++        @parser.entity_expansion_count
++      end
++
+       def add_listener( listener )
+         @parser.add_listener( listener )
+       end
+-- 
+2.34.1
+

SPECS/rubygem-rexml/rubygem-rexml.spec

@@ -3,13 +3,14 @@
 Summary:        REXML is an XML toolkit for Ruby
 Name:           rubygem-%{gem_name}
 Version:        3.2.7
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Development/Languages
 URL:            https://github.com/ruby/rexml
 Source0:        https://github.com/ruby/rexml/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz
+Patch0:         CVE-2024-41946.patch
 BuildRequires:  git
 BuildRequires:  ruby
 Requires:       ruby(release)
@@ -34,6 +35,9 @@ gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}-
 %{gemdir}
 
 %changelog
+* Thu Sep 19 2024 Harshit Gupta <guptaharshit@microsoft.com> - 3.2.7-2
+- Add patch for CVE-2024-41946
+
 * Fri May 31 2024 Minghe Ren <mingheren@microsoft.com> - 3.2.7-1
 - Upgrade to 3.2.7 to resolve CVE-2024-35176
 - Remove CVE-2024-35176.patch as it is no longer needed