[kirkstone,0/1] ruby: correct fix for CVE-2024-43398

Message ID 20250712231424.1840000-1-rob.woolley@windriver.com

Rob Woolley July 12, 2025, 11:13 p.m. UTC
After upgrading to the latest kirkstone release, I saw a build failure in the
sdformat recipe.  This recipe uses ruby as a native tool to parse XML files
with the REXML library.

----
TOPDIR/tmp-glibc/work/cortexa76-oe-linux/sdformat/12.8.0-r0/recipe-sysroot-native/usr/lib/ruby/gems/3.1.0/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb:442:in `rescue in pull_event': #<NameError: undefined local variable or method `prefix' for #<REXML::Parsers::BaseParser:0x00007f595bb7ef10 @source=#<REXML::IOSource:0x00007f595bb7ebf0 @source=#<File:TOPDIR/tmp-glibc/work/cortexa76-oe-linux/sdformat/12.8.0-r0/git/sdf/1.5/world.sdf>, @er_source=#<File:TOPDIR/tmp-glibc/work/cortexa76-oe-linux/sdformat/12.8.0-r0/git/sdf/1.5/world.sdf>, @to_utf=false, @pending_buffer=nil, @orig="<el", @scanner=#<StringScanner fin>, @encoding="UTF-8", @line_break=">", @line=0, @force_utf8=false>, @closed=nil, @document_status=:in_element, @tags=[], @stack=[], @entities=[], @nsstack=[#<Set: {}>], @listeners=[], @entity_expansion_count=0, @attributes_scanner=#<StringScanner fin>> (REXML::ParseException)

unless prefix == "xmlns"
       ^^^^^^

Did you mean?  prefixes>
TOPDIR/tmp-glibc/work/cortexa76-oe-linux/sdformat/12.8.0-r0/recipe-sysroot-native/usr/lib/ruby/gems/3.1.0/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb:645:in `parse_attributes'
TOPDIR/tmp-glibc/work/cortexa76-oe-linux/sdformat/12.8.0-r0/recipe-sysroot-native/usr/lib/ruby/gems/3.1.0/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb:416:in `pull_event'
TOPDIR/tmp-glibc/work/cortexa76-oe-linux/sdformat/12.8.0-r0/recipe-sysroot-native/usr/lib/ruby/gems/3.1.0/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb:206:in `pull'
TOPDIR/tmp-glibc/work/cortexa76-oe-linux/sdformat/12.8.0-r0/recipe-sysroot-native/usr/lib/ruby/gems/3.1.0/gems/rexml-3.2.5/lib/rexml/parsers/treeparser.rb:23:in `parse'
TOPDIR/tmp-glibc/work/cortexa76-oe-linux/sdformat/12.8.0-r0/recipe-sysroot-native/usr/lib/ruby/gems/3.1.0/gems/rexml-3.2.5/lib/rexml/document.rb:448:in `build'
TOPDIR/tmp-glibc/work/cortexa76-oe-linux/sdformat/12.8.0-r0/recipe-sysroot-native/usr/lib/ruby/gems/3.1.0/gems/rexml-3.2.5/lib/rexml/document.rb:101:in `initialize'
TOPDIR/tmp-glibc/work/cortexa76-oe-linux/sdformat/12.8.0-r0/git/tools/xmlschema.rb:288:in `new'
TOPDIR/tmp-glibc/work/cortexa76-oe-linux/sdformat/12.8.0-r0/git/tools/xmlschema.rb:288:in `<main>'
Exception parsing
Line: 1
Position: 35
Last 80 unconsumed characters:
        from TOPDIR/tmp-glibc/work/cortexa76-oe-linux/sdformat/12.8.0-r0/recipe-sysroot-native/usr/lib/ruby/gems/3.1.0/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb:366:in `pull_event'
        from TOPDIR/tmp-glibc/work/cortexa76-oe-linux/sdformat/12.8.0-r0/recipe-sysroot-native/usr/lib/ruby/gems/3.1.0/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb:206:in `pull'
        from TOPDIR/tmp-glibc/work/cortexa76-oe-linux/sdformat/12.8.0-r0/recipe-sysroot-native/usr/lib/ruby/gems/3.1.0/gems/rexml-3.2.5/lib/rexml/parsers/treeparser.rb:23:in `parse'
        from TOPDIR/tmp-glibc/work/cortexa76-oe-linux/sdformat/12.8.0-r0/recipe-sysroot-native/usr/lib/ruby/gems/3.1.0/gems/rexml-3.2.5/lib/rexml/document.rb:448:in `build'
        from TOPDIR/tmp-glibc/work/cortexa76-oe-linux/sdformat/12.8.0-r0/recipe-sysroot-native/usr/lib/ruby/gems/3.1.0/gems/rexml-3.2.5/lib/rexml/document.rb:101:in `initialize'
        from TOPDIR/tmp-glibc/work/cortexa76-oe-linux/sdformat/12.8.0-r0/git/tools/xmlschema.rb:288:in `new'
        from TOPDIR/tmp-glibc/work/cortexa76-oe-linux/sdformat/12.8.0-r0/git/tools/xmlschema.rb:288:in `<main>'
----

I tracked the exception back to the previous fix for CVE-2024-43398. There
were missing changes needed by the fixes that were missed in the backport.
This was the cause of the exception thrown by ruby when interpreting the
parser code.

Reference: https://git.openembedded.org/openembedded-core/commit/meta/recipes-devtools/ruby?h=kirkstone&id=f23d1bfca0ea57150c397bc2e495191fb61423d0

I tested this 3 ways:
  (1) using ruby to successfully build sdformat,
  (2) by running the ptest-runner for ruby on-target (which did not seem to
      cover REXML),
  (3) by manually running a script that used REXML to parse an XML file with
      REXML::Document.new and print the object to standard output.

If there are any additional tests you would like me to run, please let me know.

Regards,
Rob

Rob Woolley (1):
  ruby: correct fix for CVE-2024-43398

 .../ruby/ruby/CVE-2024-43398-0001.patch       | 210 ++++++++++++++++++
 .../ruby/ruby/CVE-2024-43398-0002.patch       | 128 +++++++++++
 ...-43398.patch => CVE-2024-43398-0003.patch} |  23 +-
 meta/recipes-devtools/ruby/ruby_3.1.3.bb      |   4 +-
 4 files changed, 351 insertions(+), 14 deletions(-)
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-43398-0001.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-43398-0002.patch
 rename meta/recipes-devtools/ruby/ruby/{CVE-2024-43398.patch => CVE-2024-43398-0003.patch} (87%)
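A smoke test in the spirit of test (3) above, added here as an example and not the script used in the original message. It drives REXML's attribute-parsing path, where the trace above failed, and separates a defect inside the parser code (a NameError wrapped in REXML::ParseException, as in the trace) from input that REXML legitimately rejects. SAMPLE_XML is constructed, and the helper names classify_parse and child_attributes are hypothetical.

```ruby
require "rexml/document"

# Constructed sample input: plain attributes, a default namespace,
# a declared prefix and prefixed attributes.
SAMPLE_XML = <<~XML
  <?xml version="1.0"?>
  <element name="world" xmlns="urn:example:default" xmlns:ex="urn:example:ext">
    <child ex:kind="a" required="1"/>
    <child ex:kind="b" required="0"/>
  </element>
XML

# Classify the outcome of parsing +xml+:
#   :ok            the document parsed
#   :parser_defect REXML's own code raised NameError/NoMethodError
#                  (the signature of an incomplete backport)
#   :malformed     REXML rejected the input itself
def classify_parse(xml)
  REXML::Document.new(xml)
  :ok
rescue REXML::ParseException => e
  # BaseParser wraps unexpected errors and keeps the original exception
  # in continued_exception; genuine syntax errors leave it nil.
  e.continued_exception.is_a?(NameError) ? :parser_defect : :malformed
rescue NameError
  # Same defect, raised outside the parser's own rescue block.
  :parser_defect
end

# Return [ex:kind, required] for each child element, to confirm that the
# attribute values survive parsing and not only that no exception is raised.
def child_attributes(xml)
  doc = REXML::Document.new(xml)
  doc.root.children.grep(REXML::Element).map do |el|
    [el.attributes["ex:kind"], el.attributes["required"]]
  end
end

if $PROGRAM_NAME == __FILE__
  result = classify_parse(SAMPLE_XML)
  puts "parse result: #{result}"
  puts "child attributes: #{child_attributes(SAMPLE_XML).inspect}" if result == :ok
  exit(result == :ok ? 0 : 1)
end
```

Run with the ruby-native or target interpreter built from the patched recipe; a non-zero exit status indicates the parser still fails on well-formed input.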