Bug 33576 - ruby new security issues CVE-2024-35176, CVE-2024-39908, CVE-2024-41123, CVE-2024-41946, CVE-2024-43398 and CVE-2024-49761
Summary: ruby new security issues CVE-2024-35176, CVE-2024-39908, CVE-2024-41123, CVE-2024-41946, CVE-2024-43398 and CVE-2024-49761
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-09-20 15:18 CEST by Nicolas Salguero
Modified: 2025-01-04 22:10 CET
CC: 4 users

See Also:
Source RPM: ruby-3.1.5-45.mga9.src.rpm
CVE: CVE-2024-35176, CVE-2024-39908, CVE-2024-41123, CVE-2024-41946, CVE-2024-43398, CVE-2024-49761
Status comment:


Attachments
Simple REXML parser script (183 bytes, application/x-ruby)
2024-11-27 20:01 CET, Len Lawrence
Script to exercise a couple of ruby features. (340 bytes, application/x-ruby)
2024-11-27 20:22 CET, Len Lawrence
General REXML test parser script (293 bytes, application/x-ruby)
2024-12-01 23:53 CET, Len Lawrence

Nicolas Salguero 2024-09-20 15:21:57 CEST

Source RPM: (none) => ruby-3.1.5-45.mga10.src.rpm
CVE: (none) => CVE-2024-35176, CVE-2024-39908, CVE-2024-41123, CVE-2024-41946, CVE-2024-43398
Status comment: (none) => Fixed upstream in 3.3.5
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2024-09-20 21:17:32 CEST
Pascal looks to be our Ruby man, so assigning to you (hoping you are still with us).

Assignee: bugsquad => pterjan

Comment 2 Nicolas Salguero 2024-11-06 10:34:01 CET
CVE-2024-49761 was announced here:
https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/

Ubuntu has issued an advisory on November 5:
https://ubuntu.com/security/notices/USN-7091-1

CVE: CVE-2024-35176, CVE-2024-39908, CVE-2024-41123, CVE-2024-41946, CVE-2024-43398 => CVE-2024-35176, CVE-2024-39908, CVE-2024-41123, CVE-2024-41946, CVE-2024-43398, CVE-2024-49761
Summary: ruby new security issues CVE-2024-35176, CVE-2024-39908, CVE-2024-41123, CVE-2024-41946 and CVE-2024-43398 => ruby new security issues CVE-2024-35176, CVE-2024-39908, CVE-2024-41123, CVE-2024-41946, CVE-2024-43398 and CVE-2024-49761

Comment 3 Pascal Terjan 2024-11-23 20:58:27 CET
ruby-3.1.5-46.mga9.src.rpm is building
Comment 4 Nicolas Salguero 2024-11-26 09:42:00 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. (CVE-2024-35176)

The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. (CVE-2024-39908)

The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, `>]` and `]>`. (CVE-2024-41123)

The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. (CVE-2024-41946)

The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. (CVE-2024-43398)

The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). (CVE-2024-49761)

References:
https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/
https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/
https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/
https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/
https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQWXWS2GDTKX4LYWHQOZ2PWXDEICDX2W/
https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/
https://ubuntu.com/security/notices/USN-7091-1
========================

Updated packages in core/updates_testing:
========================
lib(64)ruby3.1-3.1.5-46.mga9
ruby-3.1.5-46.mga9
ruby-RubyGems-3.3.26-46.mga9
ruby-bigdecimal-3.1.1-46.mga9
ruby-bundled-gems-3.1.5-46.mga9
ruby-bundler-2.3.27-46.mga9
ruby-devel-3.1.5-46.mga9
ruby-doc-3.1.5-46.mga9
ruby-io-console-0.5.11-46.mga9
ruby-irb-3.1.5-46.mga9
ruby-json-2.6.1-46.mga9
ruby-power_assert-2.0.1-46.mga9
ruby-psych-4.0.4-46.mga9
ruby-rake-13.0.6-46.mga9
ruby-rbs-2.7.0-46.mga9
ruby-rdoc-6.4.1.1-46.mga9
ruby-rexml-3.3.9-46.mga9
ruby-rss-0.2.9-46.mga9
ruby-test-unit-3.5.3-46.mga9
ruby-typeprof-0.21.3-46.mga9

from SRPM:
ruby-3.1.5-46.mga9.src.rpm

Assignee: pterjan => qa-bugs
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Source RPM: ruby-3.1.5-45.mga10.src.rpm => ruby-3.1.5-45.mga9.src.rpm
Status comment: Fixed upstream in 3.3.5 => (none)
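
The advisory in comment 4 names the input shape that triggers each REXML problem. The probe harness below is an added example for this page; it is not code from this bug report, from Mageia or from the REXML project. It builds inputs shaped after the advisory wording (the payload shapes are assumptions; the exact upstream regression inputs are not reproduced here) and times how long REXML takes to accept or reject each one through the DOM, SAX2 and pull APIs, since CVE-2024-41946 is specifically about the latter two skipping the entity-expansion limits the DOM parser already enforced. The sizes are kept small so that an unpatched rexml still finishes rather than hanging; a practitioner comparing before and after the update can raise them.

```ruby
# Added probe harness (not code from this bug report, from Mageia or from the
# REXML project). Payload shapes follow the advisory wording and are
# assumptions about the triggering input, not the upstream regression tests.
require "rexml/document"
require "rexml/parsers/sax2parser"
require "rexml/parsers/pullparser"

module RexmlDosProbe
  module_function

  # CVE-2024-35176: a long run of '<' inside one attribute value. The input is
  # malformed; the cost was in the code that rejects it.
  def lt_attribute_payload(n)
    %(<root attr="#{"<" * n}"/>)
  end

  # CVE-2024-49761: hex numeric character reference with many digits between
  # '&#' and 'x' (malformed reference, regex backtracking).
  def hex_charref_payload(n)
    "<root>&#" + ("0" * n) + "x41;</root>"
  end

  # CVE-2024-43398: deeply nested elements whose attributes share a local name
  # under different prefixes.
  def deep_same_attr_payload(depth)
    open_tag = %(<a xmlns:p="urn:p" xmlns:q="urn:q" p:x="1" q:x="2">)
    (open_tag * depth) + ("</a>" * depth)
  end

  # CVE-2024-41946: nested entity expansion. With fanout 32 the expanded text
  # (32 * 32 * 16 = 16384 chars) exceeds REXML's default
  # entity_expansion_text_limit of 10240, so a fixed SAX2/pull parser rejects
  # it the way the DOM parser already did.
  def entity_expansion_payload(fanout)
    %(<!DOCTYPE r [<!ENTITY a "#{"A" * 16}"><!ENTITY b "#{"&a;" * fanout}">]>) +
      "<r>" + ("&b;" * fanout) + "</r>"
  end

  # Parse `xml` with one API and report whether REXML accepted or rejected it
  # and how long that took. Any exception counts as a rejection.
  def timed_parse(xml, api)
    raise ArgumentError, "unknown api #{api.inspect}" unless %i[dom sax2 pull].include?(api)
    started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
    outcome = :ok
    error = nil
    begin
      case api
      when :dom
        REXML::Document.new(xml)
      when :sax2
        parser = REXML::Parsers::SAX2Parser.new(xml)
        parser.listen(:characters) { |_text| } # make sure text events are delivered
        parser.parse
      when :pull
        parser = REXML::Parsers::PullParser.new(xml)
        parser.pull while parser.has_next?
      end
    rescue StandardError => e
      outcome = :rejected
      error = e.class.name
    end
    elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - started
    { api: api, outcome: outcome, error: error, elapsed: elapsed }
  end

  # Sizes kept modest so an unpatched rexml finishes in seconds rather than hanging.
  PROBES = [
    ["CVE-2024-35176 '<' in attribute",     :dom,  lt_attribute_payload(2_000)],
    ["CVE-2024-49761 hex charref",          :dom,  hex_charref_payload(2_000)],
    ["CVE-2024-43398 deep same-name attrs", :dom,  deep_same_attr_payload(500)],
    ["CVE-2024-41946 entities via DOM",     :dom,  entity_expansion_payload(32)],
    ["CVE-2024-41946 entities via SAX2",    :sax2, entity_expansion_payload(32)],
    ["CVE-2024-41946 entities via pull",    :pull, entity_expansion_payload(32)],
  ].freeze

  def run_probes
    PROBES.map { |name, api, xml| timed_parse(xml, api).merge(name: name) }
  end
end

if $PROGRAM_NAME == __FILE__
  RexmlDosProbe.run_probes.each do |r|
    printf("%-40s %-5s %-9s %6.3fs %s\n", r[:name], r[:api], r[:outcome], r[:elapsed], r[:error])
  end
end
```

Run it as `ruby rexml_probe.rb` once with `rpm -q ruby-rexml` reporting the old package and once after the update. A probe that takes seconds at these sizes, or an entity-expansion probe that the SAX2 or pull parser accepts while the DOM parser rejects it, is the signal; exact timings depend on the machine. When trying larger sizes against an unpatched rexml, wrap the run in a shell `timeout` so a genuine hang does not tie up the session.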

katnatek 2024-11-26 18:33:02 CET

Keywords: (none) => advisory

Comment 5 katnatek 2024-11-26 22:08:17 CET
RH x86_64

LC_ALL=C urpmi /home/katnatek/qa-testing/x86_64/ruby-*.rpm

installing ruby-3.1.5-46.mga9.x86_64.rpm ruby-devel-3.1.5-46.mga9.x86_64.rpm ruby-doc-3.1.5-46.mga9.noarch.rpm ruby-rss-0.2.9-46.mga9.noarch.rpm ruby-rexml-3.3.9-46.mga9.noarch.rpm ruby-irb-3.1.5-46.mga9.noarch.rpm ruby-bigdecimal-3.1.1-46.mga9.x86_64.rpm ruby-test-unit-3.5.3-46.mga9.noarch.rpm ruby-bundler-2.3.27-46.mga9.noarch.rpm ruby-rdoc-6.4.1.1-46.mga9.noarch.rpm ruby-bundled-gems-3.1.5-46.mga9.x86_64.rpm ruby-RubyGems-3.3.26-46.mga9.noarch.rpm ruby-io-console-0.5.11-46.mga9.x86_64.rpm ruby-rbs-2.7.0-46.mga9.x86_64.rpm ruby-psych-4.0.4-46.mga9.x86_64.rpm ruby-rake-13.0.6-46.mga9.noarch.rpm ruby-json-2.6.1-46.mga9.x86_64.rpm ruby-typeprof-0.21.3-46.mga9.noarch.rpm ruby-power_assert-2.0.1-46.mga9.noarch.rpm from /home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
     1/19: ruby-irb              ##################################################################################################
     2/19: ruby-rdoc             ##################################################################################################
     3/19: ruby-io-console       ##################################################################################################
     4/19: ruby-psych            ##################################################################################################
     5/19: ruby-RubyGems         ##################################################################################################
     6/19: ruby                  ##################################################################################################
     7/19: ruby-json             ##################################################################################################
     8/19: ruby-rbs              ##################################################################################################
     9/19: ruby-typeprof         ##################################################################################################
    10/19: ruby-devel            ##################################################################################################
    11/19: ruby-bigdecimal       ##################################################################################################
    12/19: ruby-test-unit        ##################################################################################################
    13/19: ruby-rake             ##################################################################################################
    14/19: ruby-power_assert     ##################################################################################################
    15/19: ruby-rss              ##################################################################################################
    16/19: ruby-rexml            ##################################################################################################
    17/19: ruby-bundler          ##################################################################################################
    18/19: ruby-bundled-gems     ##################################################################################################
    19/19: ruby-doc              ##################################################################################################

Interesting that the packages do not fetch the new lib as part of the install.

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Nonfree 32bit Updates (distrib37)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing lib64ruby3.1-3.1.5-46.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: lib64ruby3.1          ##################################################################################################
      1/1: removing lib64ruby3.1-3.1.5-45.mga9.x86_64
                                 ##################################################################################################

Trying to run https://bugs.mageia.org/show_bug.cgi?id=33138#c5
ruby ruby.test 
Ignoring bigdecimal-3.1.1 because its extensions are not built. Try: gem pristine bigdecimal --version 3.1.1
<internal:/usr/share/rubygems/rubygems/core_ext/kernel_require.rb>:85:in `require': cannot load such file -- webrick (LoadError)
        from <internal:/usr/share/rubygems/rubygems/core_ext/kernel_require.rb>:85:in `require'
        from ruby.test:1:in `<main>'

urpmi ruby-webrick

ruby ruby.test 
Ignoring bigdecimal-3.1.1 because its extensions are not built. Try: gem pristine bigdecimal --version 3.1.1
/usr/share/gems/gems/webrick-1.7.0/lib/webrick/httprequest.rb:511:in `read_body': request with both transfer-encoding and content-length, possible request smuggling (WEBrick::HTTPStatus::BadRequest)
        from /usr/share/gems/gems/webrick-1.7.0/lib/webrick/httprequest.rb:257:in `body'


gem list
Ignoring bigdecimal-3.1.1 because its extensions are not built. Try: gem pristine bigdecimal --version 3.1.1

*** LOCAL GEMS ***

abbrev (default: 0.1.0)
base64 (default: 0.1.1)
benchmark (default: 0.2.0)
bigdecimal (3.1.1)

Something does not look right to me; CC to Len Lawrence, who did the previous test.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2024-11-27 10:33:07 CET
In reply to katnatek in comment #5:

Thanks for the alert.  Snowed under at the moment - shall test it later in the day.
Comment 7 Len Lawrence 2024-11-27 20:01:29 CET
Created attachment 14788
Simple REXML parser script
Comment 8 Len Lawrence 2024-11-27 20:22:05 CET
Created attachment 14789
Script to exercise a couple of ruby features.
Comment 9 Len Lawrence 2024-11-27 20:53:31 CET
mga9, x64

$ rpm -qa ruby
ruby-3.1.5-45.mga9
$ rpm -qa |grep ruby|grep -i rexml
ruby-rexml-3.2.5-45.mga9

The rest of the packages appear to be in place before the update.
Tried the test script attached and it worked fine for a document containing many "< ... >" pairs, which references the first CVE.

Updated all the packages using qarepo -> drakrpm-update.
$ rpm -qa |grep ruby|grep lib
lib64ruby3.1-3.1.5-46.mga9

Ran the REXML test script.  That worked as before but this time the output was saved.
$ ruby rexml_test.rb > result
Ignoring bigdecimal-3.1.1 because its extensions are not built. Try: gem pristine bigdecimal --version 3.1.1

I did fiddle about at this point and try to clean up the bigdecimal problem.
$ rpm -qa | grep bigdecimal
ruby-bigdecimal-3.1.1-46.mga9

Suffice to say, the 3.1.8 version can be installed and its extensions built but it does not appear in the local gem list so I think there is a problem around this particular gem which needs its own bug.  Not sure myself how to phrase such a report.
I also do not know if bigdecimal is germane to the operation of REXML.
$ urpmq --requires-recursive ruby-rexml | grep bigdecimal
...
That probably does not mean anything since the requires system in a scripting language will not be searching by package name.
The parsing looks accurate:
$ less result
<?xml version='1.0' encoding='UTF-8'?>
<playlist version='1' xmlns:vlc='http://www.videolan.org/vlc/playlist/ns/0/' xmlns='http://xspf.org/ns/0/'>
        <title>DVB Playlist</title>
        <creator>w_scan2-1.0.9</creator>
        <info>https://github.com/stefantalpalaru/w_scan2</info>
        <trackList>
                <track>
                        <title>0002. ITV3</title>
                        <location>dvb-t://frequency=498000000</location>
                        <extension application='http://www.videolan.org/vlc/playlist/0'>
                                <vlc:option>dvb-bandwidth=8</vlc:option>
[...]

What I did find is that every ruby application now comes up with the bigdecimal complaint. It is not usually noticed because most of mine are invoked via an icon, so there is no indication how far back this goes, but yesterday I was editing and testing an old script without any such issue.

Tried a couple of test scripts.
$ ruby function.rb
Ignoring bigdecimal-3.1.1 because its extensions are not built. Try: gem pristine bigdecimal --version 3.1.1
56
1
{false=>3, true=>2}

Which translates as three odd and two even.  And the lambda works.
Not terribly useful but the features work.
Interactive ruby:
$ irb
Ignoring bigdecimal-3.1.1 because its extensions are not built. Try: gem pristine bigdecimal --version 3.1.1
irb(main):001:0> require 'json'
=> true
irb(main):002:0> state = JSON.state.new
irb(main):003:0> state.space = "\0" * 1024
=> "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000...
irb(main):004:0> puts JSON.generate({a: :b}, state)
{"a":"b"}
=> nil
irb(main):005:0> exit

All my everyday scripts continue to work as well.
Reckon this is OK but the bigdecimal warning does need to be investigated.
Comment 10 Len Lawrence 2024-11-28 01:19:53 CET
Got rid of the "Ignoring bigdecimal ....." message by running:
$ sudo gem uninstall -i /usr/share/gems bigdecimal

To understand what is going on when it is reinstalled one may need something more than --verbose to trace the errors.  Any attempt to reinstall picks up version 3.1.8 and shows lots of checks for components or settings necessary for compiling native extensions in C.  And that is successful.
Comment 11 Herman Viaene 2024-11-28 16:59:18 CET
Running into some more problems than Len
$ ruby rexml_test.rb > result
Ignoring bigdecimal-3.1.1 because its extensions are not built. Try: gem pristine bigdecimal --version 3.1.1
rexml_test.rb:5:in `initialize': No such file or directory @ rb_sysopen - /home/<user>/data/tv/Channels.xspf (Errno::ENOENT)
        from rexml_test.rb:5:in `new'
        from rexml_test.rb:5:in `<main>'
[tester9@mach3 ruby]$ ruby fibonacci.rb 
Ignoring bigdecimal-3.1.1 because its extensions are not built. Try: gem pristine bigdecimal --version 3.1.1
Using recursion to calculate Fibonacci numbers 11 and 29
89
514229
Do not run anything larger than 39 or you may be here all day!
The Golden Ratio is 1.618033988749895
Term 43 of Fibonacci sequence is 433494437
Any term beyond 70 is difficult to represent exactly.
[tester9@mach3 ruby]$ ruby function.rb 
Ignoring bigdecimal-3.1.1 because its extensions are not built. Try: gem pristine bigdecimal --version 3.1.1
56
1
{false=>3, true=>2}

CC: (none) => herman.viaene

Comment 12 katnatek 2024-11-28 17:12:42 CET
(In reply to Len Lawrence from comment #10)
> Got rid of the "Ignoring bigdecimal ....." message by running:
> $ sudo gem uninstall -i /usr/share/gems bigdecimal
> 
Is that not like you had urpme'd the bigdecimal package?
I do not think it is a real fix, but you know this better than me.
Comment 13 Len Lawrence 2024-11-29 01:24:06 CET
You are correct.  It does not update the package database but does remove the gem.  I was just experimenting to see what happens when the gem is replaced.  Normally one should only use `gem install` for those gems not supported by the distribution, and there are thousands now.  Release packages have to be there for a QA test to make sense.  One would expect all the internal requires to be supported as dependencies as well.
Comment 14 Len Lawrence 2024-12-01 23:24:35 CET
Time for a bug report.  Later.
Comment 15 Len Lawrence 2024-12-01 23:45:54 CET
Apologies to Herman, in reply to comment 11:
Sorry about the failure; the script used a local file name instead of requiring an argument.  Too much of a hurry.
For what it is worth, the replacement works with the XML file given as an argument on the command line.
Comment 16 Len Lawrence 2024-12-01 23:53:12 CET
Created attachment 14794
General REXML test parser script

The user supplies the name of any old XML file on the command line.
It is worthwhile introducing an error into the test file to demonstrate that REXML can catch it.
$ ruby rexml_test.rb  whatever.xml

Attachment 14788 is obsolete: 0 => 1

Comment 17 Len Lawrence 2025-01-02 17:37:17 CET
Time to move this on, ignoring comment #14.

Whiteboard: (none) => MGA9-64-OK

Comment 18 Thomas Andrews 2025-01-03 04:01:39 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 19 Mageia Robot 2025-01-04 22:10:23 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0001.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

