(PA-6507) Patch rexml gem for CVE-2024-35176 #868
shubhamshinde360 commented Jul 10, 2024 (edited)
- Ruby 3.2.4 has rexml as its bundled gem, so the patch was applied after the install step, since bundled gems are available in the build after the install step in the .bundle folder.
- Ruby 2.7.8 has rexml as its default gem, so we can go with the usual way to patch it.
- Note that in the patch files for ruby_32, the file paths are prefixed with .bundle/gems/rexml-3.2.5 because that is where the bundled gem rexml is located with respect to the working directory of patching.
- The upstream fix commit: ruby/rexml@4325835
Tested on vanagon generic build agent-runtime-main:
You'll need to use To make sure you're using the correct platforms, I recommend copying the
Closing and re-opening to rekick checks.
@shubhamshinde360 I noticed the vanagon generic builder jobs only included a subset of platforms, e.g. included osx-14-arm64, but not osx-12-arm64. Because the former is native compiled, but the latter is cross compiled, we don't really know if this will compile on all platforms. Could you run against the full set for 7.x and main?
# Conflicts:
# lib/rexml/parsers/baseparser.rb
# lib/rexml/source.rb
I wouldn't expect conflicts. Did this occur because you cherry-picked the commit into the ruby 2.7 source tree? Is there a different patch we can use that applies cleanly?
Hi @joshcooper,
Yes, I cherry-picked the commit ruby/rexml@4325835 into tag https://github.com/ruby/rexml/releases/tag/v3.2.5 and it conflicted.
Was not able to find other patches to apply cleanly either.
We had to resolve the conflicts manually; is there any other path we can take in such situations?
Superseded by #873