From 1c2d20f9fb30a192248f0c082be1dcbcdc6e4683 Mon Sep 17 00:00:00 2001
From: shixuantong
Date: Tue, 29 Oct 2024 19:25:06 +0800
Subject: [PATCH] fix CVE-2024-49761
---
backport-CVE-2024-49761.patch | 38 +++++++++++++++++++++++++++++++++++
ruby.spec | 6 +++++-
2 files changed, 43 insertions(+), 1 deletion(-)
create mode 100644 backport-CVE-2024-49761.patch
diff --git a/backport-CVE-2024-49761.patch b/backport-CVE-2024-49761.patch
new file mode 100644
index 0000000..434baac
--- /dev/null
+++ b/backport-CVE-2024-49761.patch
@@ -0,0 +1,38 @@
+From ce59f2eb1aeb371fe1643414f06618dbe031979f Mon Sep 17 00:00:00 2001
+From: Sutou Kouhei
+Date: Thu, 24 Oct 2024 14:45:31 +0900
+Subject: [PATCH] parser: fix a bug that �x...; is accepted as a character
+ reference
+
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index 7bd8adf..b4547ba 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -150,7 +150,7 @@ module REXML
+ PEDECL_PATTERN = "\\s+(%)\\s+#{NAME}\\s+#{PEDEF}\\s*>"
+ ENTITYDECL_PATTERN = /(?:#{GEDECL_PATTERN})|(?:#{PEDECL_PATTERN})/um
+ CARRIAGE_RETURN_NEWLINE_PATTERN = /\r\n?/
+- CHARACTER_REFERENCES = /�*((?:\d+)|(?:x[a-fA-F0-9]+));/
++ CHARACTER_REFERENCES = /&#((?:\d+)|(?:x[a-fA-F0-9]+));/
+ DEFAULT_ENTITIES_PATTERNS = {}
+ default_entities = ['gt', 'lt', 'quot', 'apos', 'amp']
+ default_entities.each do |term|
+@@ -570,8 +570,12 @@ module REXML
+ return rv if matches.size == 0
+ rv.gsub!( Private::CHARACTER_REFERENCES ) {
+ m=$1
+- m = "0#{m}" if m[0] == ?x
+- [Integer(m)].pack('U*')
++ if m.start_with?("x")
++ code_point = Integer(m[1..-1], 16)
++ else
++ code_point = Integer(m, 10)
++ end
++ [code_point].pack('U*')
+ }
+ matches.collect!{|x|x[0]}.compact!
+ if filter
+--
+2.27.0
+
diff --git a/ruby.spec b/ruby.spec
index 1484200..01fc1bc 100644
--- a/ruby.spec
+++ b/ruby.spec
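Review bot: In the rewritten `rv.gsub!( Private::CHARACTER_REFERENCES )` block of the embedded baseparser.rb patch, `Integer(m, 10)` and `Integer(m[1..-1], 16)` accept digit runs of any length, so a numeric reference larger than `pack('U*')` can encode raises `RangeError` from inside the parser; no rescue is visible in the hunk, and the enclosing method starts and ends outside it. If callers handling untrusted XML are expected to rescue only REXML's own parse error, a bound check before the `pack` call would keep the failure in that class, e.g. `raise REXML::ParseException, "invalid character reference: &##{m};" if code_point > 0x10FFFF`. This goes beyond the upstream change, so it may be better carried as a separate patch than folded into the backport. The backport also ships no regression test for the malformed reference form named in the subject line; a small test that feeds it to the parser would protect against a later rexml re-sync restoring the old pattern.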
@@ -33,7 +33,7 @@ Name: ruby Version: %{ruby_version} -Release: 146 +Release: 147 Summary: Object-oriented scripting language interpreter License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD URL: https://www.ruby-lang.org/en/ @@ -102,6 +102,7 @@ Patch6025: backport-CVE-2024-41946.patch Patch6026: backport-CVE-2024-39908-CVE-2024-41123-upgrade-lib-rexml-to-3.3.3.patch Patch6027: backport-CVE-2024-43398-upgrade-lib-rexml-to-3.3.6.patch Patch6028: backport-CVE-2024-47220.patch +Patch6029: backport-CVE-2024-49761.patch Provides: %{name}-libs = %{version}-%{release} Obsoletes: %{name}-libs < %{version}-%{release} @@ -887,6 +888,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13} %{gem_dir}/specifications/matrix-%{matrix_version}.gemspec %changelog +* Tue Oct 29 2024 shixuantong - 3.2.2-147 +- fix CVE-2024-49761 + * Tue Oct 08 2024 shixuantong - 3.2.2-146 - fix CVE-2024-47220 -- Gitee