From 0bbee328ec9ecb577dc938fbc0f9c5eff0e01fe7 Mon Sep 17 00:00:00 2001
From: shixuantong
Date: Tue, 29 Oct 2024 19:39:08 +0800
Subject: [PATCH] fix CVE-2024-49761
---
 backport-CVE-2024-49761.patch | 38 +++++++++++++++++++++++++++++++++++
 ruby.spec | 6 +++++-
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-49761.patch
diff --git a/backport-CVE-2024-49761.patch b/backport-CVE-2024-49761.patch
new file mode 100644
index 0000000..cef3ad0
--- /dev/null
+++ b/backport-CVE-2024-49761.patch
@@ -0,0 +1,38 @@
+From ce59f2eb1aeb371fe1643414f06618dbe031979f Mon Sep 17 00:00:00 2001
+From: Sutou Kouhei
+Date: Thu, 24 Oct 2024 14:45:31 +0900
+Subject: [PATCH] parser: fix a bug that �x...; is accepted as a character
+ reference
+
+
+diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
+index 7bd8adf..b4547ba 100644
+--- a/lib/rexml/parsers/baseparser.rb
++++ b/lib/rexml/parsers/baseparser.rb
+@@ -150,7 +150,7 @@ module REXML
+ PEDECL_PATTERN = "\\s+(%)\\s+#{NAME}\\s+#{PEDEF}\\s*>"
+ ENTITYDECL_PATTERN = /(?:#{GEDECL_PATTERN})|(?:#{PEDECL_PATTERN})/um
+ CARRIAGE_RETURN_NEWLINE_PATTERN = /\r\n?/
+- CHARACTER_REFERENCES = /�*((?:\d+)|(?:x[a-fA-F0-9]+));/
++ CHARACTER_REFERENCES = /&#((?:\d+)|(?:x[a-fA-F0-9]+));/
+ DEFAULT_ENTITIES_PATTERNS = {}
+ default_entities = ['gt', 'lt', 'quot', 'apos', 'amp']
+ default_entities.each do |term|
+@@ -570,8 +570,12 @@ module REXML
+ return rv if matches.size == 0
+ rv.gsub!( Private::CHARACTER_REFERENCES ) {
+ m=$1
+- m = "0#{m}" if m[0] == ?x
+- [Integer(m)].pack('U*')
++ if m.start_with?("x")
++ code_point = Integer(m[1..-1], 16)
++ else
++ code_point = Integer(m, 10)
++ end
++ [code_point].pack('U*')
+ }
+ matches.collect!{|x|x[0]}.compact!
+ if filter
+--
+2.27.0
+
diff --git a/ruby.spec b/ruby.spec
index 8e2772c..d9c8a58 100644
--- a/ruby.spec
+++ b/ruby.spec
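Review bot: `Integer(m, 10)` in the second baseparser.rb hunk of the embedded patch deserves a comment, because the explicit radix is what keeps decimal references with leading zeros working. The new `CHARACTER_REFERENCES` captures every digit after `&#` (the removed pattern is garbled on this page but appears to have skipped zeros ahead of the group), so `$1` can now be `010` or `08`, which a bare `Integer(m)` would read as octal or reject. Suggested comment above the `if`: `# $1 may start with zeros; pass the radix so "010" is decimal 10, not octal 8`. The embedded patch touches only lib/rexml/parsers/baseparser.rb, so no regression test for the stricter pattern comes with the backport; carrying the upstream test, if one exists, would pin it. The gsub! block belongs to a method that starts and ends outside the hunk.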
@@ -1,6 +1,6 @@ Name: ruby Version: 2.5.8 -Release: 130 +Release: 131 Summary: Object-oriented scripting language interpreter License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD URL: https://www.ruby-lang.org/ @@ -73,6 +73,7 @@ Patch6029: backport-CVE-2024-41946.patch Patch6030: backport-CVE-2024-39908-CVE-2024-41123-upgrade-lib-rexml-to-3.3.3.patch Patch6031: backport-CVE-2024-43398-upgrade-lib-rexml-to-3.3.6.patch Patch6032: backport-CVE-2024-47220.patch +Patch6033: backport-CVE-2024-49761.patch Patch9000: add-require_relative-helper-to-uninitialized-constan.patch @@ -612,6 +613,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13} %exclude %{gem_dir}/gems/xmlrpc-0.3.0/.* %changelog +* Tue Oct 29 2024 shixuantong - 2.5.8-131 +- fix CVE-2024-49761 + * Tue Oct 08 2024 shixuantong - 2.5.8-130 - fix CVE-2024-47220