[Medium] Patch rubygem-rexml for CVE-2024-43398 & Upgrade rubygem-rexml to 3.2.9

[akhila-guruju]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

Patch rubygem-rexml for CVE-2024-43398
Upgrade rubygem-rexml to 3.2.9
All existing CVEs still affect this version. I have created a new patch for CVE-2024-39908. Earlier, the patch was applied on version 3.2.7 but now it has to be applied on version 3.2.9. So I have created patch according. Some lines are deleted from CVE-2024-39908.patch as these lines are already present in baseparser.rb file of version 3.2.9.

Change Log

• new file: SPECS/rubygem-rexml/CVE-2024-43398.patch
• modified: SPECS/rubygem-rexml/rubygem-rexml.spec

Does this affect the toolchain?

NO

Associated issues

• #xxxx

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2024-43398

Test Methodology

• Local Build
• Patch applied cleanly

[kgodara912]

Buddy build. Patch matches with references in terms of changed lines.

[kgodara912]

Please check the failure in installation, this is not because of your patch but in general failure in package installation saying,

1. nothing provides rubygem(strscan) >= 3.0.9 needed by rubygem-rexml-3.2.7-5.cm2.x86_64
Found 1 problem(s) while resolving
Error(1301) : Solv general runtime error

We need to check which gem provides strscan and do the changes accordingly or bring in new package to satisfy the additional dependency.

[kgodara912]

Buddy build.

[kgodara912]

We have tried a few ways to see if we can make package installation work.

1. Changed the dependency of strscan from 3.0.9 to 3.0.1 in rexml gem spec file using a patch. This installs the module fine but when we try to parse a simple xml file, it errors out, the patch used,

---
 rexml.gemspec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rexml.gemspec b/rexml.gemspec
index 97eac65..5ca57f3 100644
--- a/rexml.gemspec
+++ b/rexml.gemspec
@@ -55,5 +55,5 @@ Gem::Specification.new do |spec|

   spec.required_ruby_version = '>= 2.5.0'

-  spec.add_runtime_dependency("strscan", ">= 3.0.9")
+  spec.add_runtime_dependency("strscan", ">= 3.0.1")
 end
--
2.45.3

This errors out when running a simple xml parsing example as documented in rexml homepage

/usr/lib/ruby/gems/3.1.0/gems/rexml-3.2.7/lib/rexml/parsers/treeparser.rb:96:in `rescue in parse': #<NoMethodError: undefined method `drop_parsed_content' for #<REXML::IOSource:0x00007158fba039d8 @source=#<File:mydoc.xml>, @er_source=#<File:mydoc.xml>, @to_utf=false, @pending_buffer="<?x", @orig="<?x", @scanner=#<StringScanner fin>, @encoding="UTF-8", @line_break=">", @line=0, @force_utf8=true> (REXML::ParseException)
...

2. Reverting back to rexml version 3.2.5 does work fine which mean the upgrade to version 3.2.7 caused this issue. The package installation succeeded as well as the parsing of xml works fine with ruby.
3. We have tried a minor version upgrade from 3.2.7 to 3.2.9 which has removed the fixed version dependency to strscan package, and has put unversioned dependency spec.add_runtime_dependency("strscan"), the package installation works fine with this and also parsing succeeds with this.

We will first do a minor version upgrade from 3.2.7 to 3.2.9 and see which CVEs are applicable and will modify PR accordingly.

This will make package installable which user can use.

[akhila-guruju]

All existing CVEs still apply to this version and I have created a new patch for CVE-2024-39908, because earlier the patch was applied for version 3.2.7 but now it has to be applied for version 3.2.9 and It was backported. So I have created new patch accordingly with the same patch reference (link) . Some lines were deleted from CVE-2024-39908.patch as these lines are already present in baseparser.rb file of version 3.2.9.

[kgodara912]

Buddy build

[kgodara912]

Buddy build succeeded. As the package installation was broken previously, this PR has addressed that by version upgrade. Minor modification in one existing patch due to version upgrade. LGTM.