From 9dc850b91128d67a61e23a32db9395ce78615af5 Mon Sep 17 00:00:00 2001 From: Jun Aruga Date: Thu, 23 Oct 2025 18:03:49 +0100 Subject: [PATCH] Fix REXML denial of service. Upgrade to rexml gem 3.4.4. https://www.ruby-lang.org/en/news/2025/09/18/dos-rexml-cve-2025-58767/ Resolves: CVE-2025-58767 --- .gitignore | 1 + ruby.spec | 20 +++++++++++++++++++- sources | 1 + 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 4ed5a91..d2399ca 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ /*/ /ruby-*.tar.xz +/rexml-*.gem /*.rpm !/plans/ diff --git a/ruby.spec b/ruby.spec index 665a230..046bdab 100644 --- a/ruby.spec +++ b/ruby.spec @@ -135,7 +135,7 @@ %global rbs_version 3.8.0 %global repl_type_completor_version 0.1.9 %global resolv_replace_version 0.1.1 -%global rexml_version 3.4.0 +%global rexml_version 3.4.4 %global rinda_version 0.2.0 %global rss_version 0.3.1 %global syslog_version 0.2.0 @@ -240,6 +240,8 @@ Source19: test_rubygems_con.rb # default RDoc gem as shipped in Ruby tarball. This should not be needed for # Ruby 3.5+. Source20: https://github.com/ruby/rdoc/blob/master/lib/rubygems_plugin.rb +# rexml gem +Source21: https://rubygems.org/gems/rexml-%{rexml_version}.gem # The load directive is supported since RPM 4.12, i.e. F21+. The build process # fails on older Fedoras. @@ -780,6 +782,10 @@ analysis result in RBS format, a standard type description format for Ruby # Provide an example of usage of the tapset: cp -a %{SOURCE3} . +rm -rf .bundle/gems/rexml-3.4.0 +rm .bundle/specifications/rexml-3.4.0.gemspec +rm gems/rexml-3.4.0.gem + %build autoconf 
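Review bot: The `# rexml gem` comment above the new Source21 gives no reason for carrying a separate gem, whereas the neighbouring Source20 comment states why it exists and when it can be dropped. Suggest `# rexml gem: replaces the 3.4.0 bundled in the Ruby tarball (CVE-2025-58767). Drop once the tarball bundles rexml >= 3.4.4.` so the next Ruby rebase can tell whether the %prep and %install workarounds are still needed. The surrounding Source list continues outside the hunk.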
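Review bot: The three new `rm` lines hard-code the bundled rexml version 3.4.0 while the replacement is addressed as `%{rexml_version}`, and the same literal recurs in the `sed` of the %install hunk; a Ruby tarball bundling a different rexml would make `rm .bundle/specifications/rexml-3.4.0.gemspec` fail the build with no hint why. Suggest a macro next to `%global rexml_version 3.4.4`, e.g. `%global rexml_bundled_version 3.4.0` (name constructed), used as `rm -rf .bundle/gems/rexml-%{rexml_bundled_version}` in all four places, plus a one-line comment saying the bundled copy is removed so the gem from Source21 is installed in its place. Note that `rm -rf` on the directory silently succeeds when the path is absent while the two plain `rm` calls fail loudly; if failing loudly on a stale assumption is intended, `rm -r` on the directory makes the three consistent. The enclosing %prep section starts outside the hunk.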
@@ -819,6 +825,16 @@ popd %install rm -rf %{buildroot} +cp -p %{SOURCE21} gems/ + +make -C %{_vpath_builddir} runruby \ + TESTRUN_SCRIPT="%{_builddir}/%{buildsubdir}/bin/gem unpack %{SOURCE21} --target='%{_builddir}/%{buildsubdir}/.bundle/gems'" +make --silent -C %{_vpath_builddir} runruby \ + TESTRUN_SCRIPT="%{_builddir}/%{buildsubdir}/bin/gem spec '%{SOURCE21}' --ruby" \ + > .bundle/specifications/rexml-%{rexml_version}.gemspec + +sed -i -e '/^rexml/ s/3.4.0/3.4.4/' gems/bundled_gems + %make_install -C %{_vpath_builddir} # TODO: Regenerate RBS parser in lib/rbs/parser.rb @@ -1886,6 +1902,8 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \ Resolves: rhbz#2402422 - Fix URI Credential Leakage Bypass previous fixes. Resolves: CVE-2025-61594 +- Fix REXML denial of service. + Resolves: CVE-2025-58767 * Mon Aug 18 2025 Jarek Prokop - 3.4.5-27 - Upgrade to Ruby 3.4.5. diff --git a/sources b/sources index da78c8c..02d1cf8 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ SHA512 (ruby-3.4.7.tar.xz) = a6b99a2f1d0115d5e7efa710da440b9066c524c335928367c80852630f8db5da36c0a82d6e7ace90e8c40cb20c6097cbdca15a51c343254cadf5f0adf60f8505 +SHA512 (rexml-3.4.4.gem) = 1d4e718504db4aa4481217f85068e79cf58a04cb46827b3baa88a55c3fd3804eafb98f8d295c62035ee05006818b49bc208fab98884e5caf262b66ae6f6dca8f
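Review bot: `sed -i -e '/^rexml/ s/3.4.0/3.4.4/' gems/bundled_gems` exits successfully even when nothing matches, so a bundled_gems entry that does not say 3.4.0 would leave the file pointing at the old version and the mismatch would only surface, if at all, when the bundled-gem install step runs; it also hard-codes the new version instead of `%{rexml_version}`, and the unescaped dots match any character. Suggest `sed -i -e '/^rexml / s/ 3\.4\.0 / %{rexml_version} /' gems/bundled_gems` followed by `grep -q '^rexml %{rexml_version} ' gems/bundled_gems` so the build fails immediately if the substitution did not apply. The space-separated name/version/URL layout of gems/bundled_gems is assumed from the Ruby tarball and is not visible here — confirm it before tightening the pattern.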