Bug #20516

The version of rexml in ruby 3.3.2 has not been updated since 3.2.6.

Added by naitoh (Jun NAITOH) 5 months ago. Updated 5 months ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22]
[ruby-core:118128]

Description

The version of rexml in ruby 3.3.2 has not been updated since 3.2.6.
This is still a DoS vulnerable version.

https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/

$ ruby -v
ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22]
$ gem list rexml

*** LOCAL GEMS ***

rexml (3.2.6)

Updated by k0kubun (Takashi Kokubun) 5 months ago

  • Status changed from Open to Closed
  • Backport changed from 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN to 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: REQUIRED

Updated by k0kubun (Takashi Kokubun) 5 months ago

  • Backport changed from 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: REQUIRED to 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: DONE

Updated by naitoh (Jun NAITOH) 5 months ago · Edited

Thanks for the merge to Ruby 3.3.

Backport changed from 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: REQUIRED to 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: DONE

However, since this is a security fix, I think it should be merged back into 3.2 and 3.1 as well.

https://www.ruby-lang.org/en/downloads/

Stable releases:
Ruby 3.3.1
Ruby 3.2.4

In security maintenance phase (will EOL soon!):
Ruby 3.1.5


Updated by k0kubun (Takashi Kokubun) 5 months ago

  • Backport changed from 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: DONE to 3.1: REQUIRED, 3.2: REQUIRED, 3.3: DONE

Updated by nagachika (Tomoyuki Chikanaga) 5 months ago

  • Backport changed from 3.1: REQUIRED, 3.2: REQUIRED, 3.3: DONE to 3.1: REQUIRED, 3.2: DONE, 3.3: DONE

Updated by nagachika (Tomoyuki Chikanaga) 5 months ago

Additionally, I backported 9f708d48f6df37ee9600db9d51b57a156609a13b, 0301473fb523c71d8cdc4966971f31f502001185 and 7f0e26b7f99bf76408569892ce20318501f74729 into ruby_3_2 branch.
However the failure in test-bundled-gems persists. I think we should backport additional changesets related to bundled gems tests. I will continue to investigate. Any suggestions are welcome.


Updated by nagachika (Tomoyuki Chikanaga) 5 months ago

  • Backport changed from 3.1: REQUIRED, 3.2: DONE, 3.3: DONE to 3.1: REQUIRED, 3.2: REQUIRED, 3.3: DONE

Updated by naitoh (Jun NAITOH) 5 months ago

However the failure in test-bundled-gems persists. I think we should backport additional changesets related to bundled gems tests. I will continue to investigate. Any suggestions are welcome.

The version of strscan required has changed, which may be the cause.

Updated by nagachika (Tomoyuki Chikanaga) 5 months ago

The version of strscan required has changed,

Right, I think 7f0e26b7f99bf76408569892ce20318501f74729 was the follow-up for the dependency change, and backporting it (with some preceding changesets) cures the failures in the tests of rexml (partially) and rss.
However, the test of rexml on the ruby core repo still failed. https://github.com/ruby/ruby/actions/runs/9334302271/job/25692373287#step:16:182

Updated by kou (Kouhei Sutou) 5 months ago

https://github.com/ruby/ruby/actions/runs/9334302271/job/25692373287#step:16:185

 Error: test_require_home_runner_work_ruby_ruby_src_gems_src_rexml_test_test_document_rb(RequireFailedErrors): LoadError: failed to load </home/runner/work/ruby/ruby/src/gems/src/rexml/test/test_document.rb>: cannot load such file -- core_assertions

We need test-unit-ruby-core gem for it.

Other failures may be related to StringScanner version. We'll release a new REXML version with https://github.com/ruby/rexml/commit/f1df7d13b3e57a5e059273d2f0870163c08d7420 in a few weeks. Could you try it after we release it?

Updated by nagachika (Tomoyuki Chikanaga) 5 months ago

@kou (Kouhei Sutou) Thank you for your investigation! I will revert previous backports on ruby_3_2 for a while to keep CI green.

Updated by hsbt (Hiroshi SHIBATA) 5 months ago

Thanks all. The current make test-bundled-gems is not working with C ext dependencies like strscan. I removed them at https://github.com/ruby/ruby/blob/master/tool/lib/bundled_gem.rb#L67 if dependencies are the default gems. We can use them via ruby source tree.

The above workaround only works when resolving the correct version, like strscan >= 3.0.9, manually. The version of strscan on ruby_3_2 is 3.0.5. Maybe that is why https://bugs.ruby-lang.org/issues/20516#note-10 failed.

We have the following solutions:

  • Wait to release rexml-3.2.9.
  • Upgrade strscan-3.0.9+ on ruby_3_1 and ruby_3_2 and rexml-3.2.8.
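An added audit script (not part of this thread or the ruby/ruby tree) that checks whether the REXML and strscan gems visible to the running Ruby meet the versions named above: rexml 3.2.8, the release carrying the CVE-2024-35176 fix from the description, and strscan 3.0.9, the dependency hsbt mentions. The gem names, thresholds and exit codes are the only assumptions.

```ruby
require "rubygems"

# Minimum versions taken from this issue: rexml 3.2.8 carries the
# CVE-2024-35176 fix, and it requires strscan >= 3.0.9 (older rubies ship 3.0.5).
MIN_VERSIONS = {
  "rexml"   => Gem::Version.new("3.2.8"),
  "strscan" => Gem::Version.new("3.0.9"),
}.freeze

# Newest version of +name+ visible to RubyGems (default, bundled or installed
# gems all appear here), or nil when the gem cannot be found at all.
def installed_version(name)
  Gem::Specification.find_all_by_name(name).map(&:version).max
end

# Classify one version against its minimum: :ok, :outdated, or :missing.
# Accepts a String or a Gem::Version so the audit can run on live or sample data.
def classify(version, minimum)
  return :missing if version.nil?
  Gem::Version.new(version.to_s) >= minimum ? :ok : :outdated
end

# Audit every gem in MIN_VERSIONS. By default it inspects this Ruby; pass a
# {name => version} hash (as the test does) to audit a recorded inventory instead.
def audit(versions = MIN_VERSIONS.keys.to_h { |n| [n, installed_version(n)] })
  versions.to_h { |name, ver| [name, classify(ver, MIN_VERSIONS.fetch(name))] }
end

if __FILE__ == $0
  result = audit
  result.each { |name, status| puts "#{name}: #{status}" }
  # Non-zero exit when any gem is outdated or missing, so CI can gate on it.
  exit(result.values.all?(:ok) ? 0 : 1)
end
```

Run it under each Ruby you maintain; on the ruby 3.3.2 shown in the description it reports rexml as outdated, matching the `gem list rexml` output above.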

Updated by kou (Kouhei Sutou) 5 months ago

Could you try REXML 3.2.9?

Updated by nagachika (Tomoyuki Chikanaga) 5 months ago

  • Backport changed from 3.1: REQUIRED, 3.2: REQUIRED, 3.3: DONE to 3.1: REQUIRED, 3.2: DONE, 3.3: DONE