Bug #20516
closed
The version of rexml in ruby 3.3.2 has not been updated since 3.2.6.
Description
The version of rexml in ruby 3.3.2 has not been updated since 3.2.6.
This is still a DoS vulnerable version.
https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/
$ ruby -v
ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22]
$ gem list rexml
*** LOCAL GEMS ***
rexml (3.2.6)
Updated by k0kubun (Takashi Kokubun) 5 months ago
- Status changed from Open to Closed
- Backport changed from 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN to 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: REQUIRED
Updated by k0kubun (Takashi Kokubun) 5 months ago
- Backport changed from 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: REQUIRED to 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: DONE
ruby_3_3 c9bec74b21f0e6cf05d9b200a1636bdb8069de8c merged revision(s) 70ad58cb62b195ba86a5ef07a565b22b02a040ea.
Updated by naitoh (Jun NAITOH) 5 months ago · Edited
Thanks for the merge to Ruby 3.3.
Backport changed from 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: REQUIRED to 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: DONE
However, since this is a security fix, I think it should be merged back into 3.2 and 3.1 as well.
https://www.ruby-lang.org/en/downloads/
Stable releases:
Ruby 3.3.1
Ruby 3.2.4
In security maintenance phase (will EOL soon!):
Ruby 3.1.5
Updated by k0kubun (Takashi Kokubun) 5 months ago
- Backport changed from 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: DONE to 3.1: REQUIRED, 3.2: REQUIRED, 3.3: DONE
Updated by nagachika (Tomoyuki Chikanaga) 5 months ago
- Backport changed from 3.1: REQUIRED, 3.2: REQUIRED, 3.3: DONE to 3.1: REQUIRED, 3.2: DONE, 3.3: DONE
ruby_3_2 519ac9c5fd7bfa75655231188ac1da9589563618 merged revision(s) 70ad58cb62b195ba86a5ef07a565b22b02a040ea.
Updated by nagachika (Tomoyuki Chikanaga) 5 months ago
Additionally, I backported 9f708d48f6df37ee9600db9d51b57a156609a13b, 0301473fb523c71d8cdc4966971f31f502001185 and 7f0e26b7f99bf76408569892ce20318501f74729 into ruby_3_2 branch.
However the failure in test-bundled-gems persists. I think we should backport additional changesets related to bundled gems tests. I will continue to investigate. Any suggestions are welcome.
Updated by nagachika (Tomoyuki Chikanaga) 5 months ago
- Backport changed from 3.1: REQUIRED, 3.2: DONE, 3.3: DONE to 3.1: REQUIRED, 3.2: REQUIRED, 3.3: DONE
Updated by naitoh (Jun NAITOH) 5 months ago
However the failure in test-bundled-gems persists. I think we should backport additional changesets related to bundled gems tests. I will continue to investigate. Any suggestions are welcome.
- https://rubygems.org/gems/rexml/versions/3.2.6
  - Development dependencies (3):
    - bundler >= 0
    - rake >= 0
    - test-unit >= 0
- https://rubygems.org/gems/rexml/versions/3.2.8
  - Runtime dependencies (1):
    - strscan >= 3.0.9
The version of strscan required has changed, which may be the cause.
Updated by kou (Kouhei Sutou) 5 months ago
https://github.com/ruby/ruby/pull/10806 may be related.
Updated by nagachika (Tomoyuki Chikanaga) 5 months ago
The version of strscan required has changed,
Right, I think 7f0e26b7f99bf76408569892ce20318501f74729 was the follow-up for the dependency change, and backporting it (with some preceding changesets) cured the failures on the tests of rexml (partially) and rss.
However the test of rexml on ruby core repo still failed. https://github.com/ruby/ruby/actions/runs/9334302271/job/25692373287#step:16:182
Updated by kou (Kouhei Sutou) 5 months ago
https://github.com/ruby/ruby/actions/runs/9334302271/job/25692373287#step:16:185
Error: test_require_home_runner_work_ruby_ruby_src_gems_src_rexml_test_test_document_rb(RequireFailedErrors): LoadError: failed to load </home/runner/work/ruby/ruby/src/gems/src/rexml/test/test_document.rb>: cannot load such file -- core_assertions
We need the test-unit-ruby-core gem for it.
Other failures may be related to StringScanner version. We'll release a new REXML version with https://github.com/ruby/rexml/commit/f1df7d13b3e57a5e059273d2f0870163c08d7420 in a few weeks. Could you try it after we release it?
Updated by nagachika (Tomoyuki Chikanaga) 5 months ago
@kou (Kouhei Sutou) Thank you for your investigation! I will revert previous backports on ruby_3_2 for a while to keep CI green.
Updated by hsbt (Hiroshi SHIBATA) 5 months ago
Thanks all. The current make test-bundled-gems is not working with C ext dependencies like strscan. I removed them at https://github.com/ruby/ruby/blob/master/tool/lib/bundled_gem.rb#L67 if dependencies are the default gems. We can use them via ruby source tree.
The above workaround is only working with resolving with correct version like strscan >= 3.0.9 manually. The version of strscan with ruby_3_2 is 3.0.5. Because https://bugs.ruby-lang.org/issues/20516#note-10 is failed maybe.
We have the following solution:
- Wait to release rexml-3.2.9.
- Upgrade strscan-3.0.9+ on ruby_3_1 and ruby_3_2 and rexml-3.2.8.
Updated by kou (Kouhei Sutou) 5 months ago
Could you try REXML 3.2.9?
Updated by nagachika (Tomoyuki Chikanaga) 5 months ago
- Backport changed from 3.1: REQUIRED, 3.2: REQUIRED, 3.3: DONE to 3.1: REQUIRED, 3.2: DONE, 3.3: DONE
Thanks to the advice from hsbt-san, I backported a series of changesets around "gems/lib/" directory to fix test-bundled-gems failures with rexml-3.2.9.
Thank you all!