Fix REXML denial of service.

Upgrade to rexml gem 3.4.4. https://www.ruby-lang.org/en/news/2025/09/18/dos-rexml-cve-2025-58767/ Resolves: CVE-2025-58767
2025-10-23 18:03:49 +01:00 · 2025-10-23 18:03:49 +01:00 · 9dc850b911
commit 9dc850b911
parent 6b81f1b80f
3 changed files with 21 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1,6 @@
 /*/
 /ruby-*.tar.xz
+/rexml-*.gem
 /*.rpm

 !/plans/
--- a/ruby.spec
+++ b/ruby.spec
@ -135,7 +135,7 @@
 %global rbs_version 3.8.0
 %global repl_type_completor_version 0.1.9
 %global resolv_replace_version 0.1.1
-%global rexml_version 3.4.0
+%global rexml_version 3.4.4
 %global rinda_version 0.2.0
 %global rss_version 0.3.1
 %global syslog_version 0.2.0
@ -240,6 +240,8 @@ Source19: test_rubygems_con.rb
 # default RDoc gem as shipped in Ruby tarball. This should not be needed for
 # Ruby 3.5+.
 Source20: https://github.com/ruby/rdoc/blob/master/lib/rubygems_plugin.rb
+# rexml gem
+Source21: https://rubygems.org/gems/rexml-%{rexml_version}.gem

 # The load directive is supported since RPM 4.12, i.e. F21+. The build process
 # fails on older Fedoras.
@ -780,6 +782,10 @@ analysis result in RBS format, a standard type description format for Ruby
 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .

+rm -rf .bundle/gems/rexml-3.4.0
+rm .bundle/specifications/rexml-3.4.0.gemspec
+rm gems/rexml-3.4.0.gem
+
 %build
 autoconf

@ -819,6 +825,16 @@ popd
 %install
 rm -rf %{buildroot}

+cp -p %{SOURCE21} gems/
+
+make -C %{_vpath_builddir} runruby \
+  TESTRUN_SCRIPT="%{_builddir}/%{buildsubdir}/bin/gem unpack %{SOURCE21} --target='%{_builddir}/%{buildsubdir}/.bundle/gems'"
+make --silent -C %{_vpath_builddir} runruby \
+  TESTRUN_SCRIPT="%{_builddir}/%{buildsubdir}/bin/gem spec '%{SOURCE21}' --ruby" \
+  > .bundle/specifications/rexml-%{rexml_version}.gemspec
+
+sed -i -e '/^rexml/ s/3.4.0/3.4.4/' gems/bundled_gems
+
 %make_install -C %{_vpath_builddir}

 # TODO: Regenerate RBS parser in lib/rbs/parser.rb
@ -1886,6 +1902,8 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \
  Resolves: rhbz#2402422
 - Fix URI Credential Leakage Bypass previous fixes.
  Resolves: CVE-2025-61594
+- Fix REXML denial of service.
+  Resolves: CVE-2025-58767

 * Mon Aug 18 2025 Jarek Prokop <jprokop@redhat.com> - 3.4.5-27
 - Upgrade to Ruby 3.4.5.
--- a/1
+++ b/1
@ -1 +1,2 @@
 SHA512 (ruby-3.4.7.tar.xz) = a6b99a2f1d0115d5e7efa710da440b9066c524c335928367c80852630f8db5da36c0a82d6e7ace90e8c40cb20c6097cbdca15a51c343254cadf5f0adf60f8505
+SHA512 (rexml-3.4.4.gem) = 1d4e718504db4aa4481217f85068e79cf58a04cb46827b3baa88a55c3fd3804eafb98f8d295c62035ee05006818b49bc208fab98884e5caf262b66ae6f6dca8f