new file mode 100644
@@ -0,0 +1,46 @@
+From f1df7d13b3e57a5e059273d2f0870163c08d7420 Mon Sep 17 00:00:00 2001
+From: Sutou Kouhei <kou@clear-code.com>
+Date: Mon, 20 May 2024 12:17:27 +0900
+Subject: [PATCH] Add support for old strscan
+
+Fix GH-132
+
+If we support old strscan, users can also use strscan installed as a
+default gem.
+
+Reported by Adam. Thanks!!!
+
+CVE: CVE-2024-39908
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/f1df7d13b3e57a5e059273d2f0870163c08d7420]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .../gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index eab942d..8ea8b43 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -7,6 +7,17 @@ require "strscan"
+
+ module REXML
+ module Parsers
++ if StringScanner::Version < "3.0.8"
++ module StringScannerCaptures
++ refine StringScanner do
++ def captures
++ values_at(*(1...size))
++ end
++ end
++ end
++ using StringScannerCaptures
++ end
++
+ # = Using the Pull Parser
+ # <em>This API is experimental, and subject to change.</em>
+ # parser = PullParser.new( "<a>text<b att='val'/>txet</a>" )
+--
+2.40.0
+
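Review bot: The gate `if StringScanner::Version < "3.0.8"` compares version strings lexicographically, so a future `"3.0.10"` sorts before `"3.0.8"` and would activate the refinement on a strscan that already ships a native `captures` (the refinement would then shadow it), while every version released so far happens to compare correctly. A numeric comparison avoids the trap: `if (StringScanner::Version.split(".").map(&:to_i) <=> [3, 0, 8]) < 0` (`Gem::Version` would be cleaner but is absent under `--disable-gems`). The refinement also deserves a comment saying it is equivalent to strscan's `captures` only after a successful match — `size` is nil otherwise and splatting `1...nil` raises where the native method returns nil — e.g. `# Back-port of StringScanner#captures (strscan >= 3.0.8); valid only after a successful match.`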
new file mode 100644
@@ -0,0 +1,130 @@
+From d146162e9a61574499d10428bc0065754cd26601 Mon Sep 17 00:00:00 2001
+From: NAITOH Jun <naitoh@gmail.com>
+Date: Mon, 4 Mar 2024 05:24:53 +0900
+Subject: [PATCH] Remove `Source#string=` method (#117)
+
+We want to just change scan pointer.
+
+https://github.com/ruby/rexml/pull/114#discussion_r1501773803
+> I want to just change scan pointer (`StringScanner#pos=`) instead of
+changing `@scanner.string`.
+
+CVE: CVE-2024-39908
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/d146162e9a61574499d10428bc0065754cd26601]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .../lib/rexml/parsers/baseparser.rb | 19 +++++++++++--------
+ .bundle/gems/rexml-3.2.5/lib/rexml/source.rb | 8 ++++++--
+ 2 files changed, 17 insertions(+), 10 deletions(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index 8ea8b43..81415a8 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -231,8 +231,9 @@ module REXML
+ #STDERR.puts @source.encoding
+ #STDERR.puts "BUFFER = #{@source.buffer.inspect}"
+ if @document_status == nil
++ start_position = @source.position
+ if @source.match("<?", true)
+- return process_instruction
++ return process_instruction(start_position)
+ elsif @source.match("<!", true)
+ if @source.match("--", true)
+ return [ :comment, @source.match(/(.*?)-->/um, true)[1] ]
+@@ -244,7 +245,7 @@ module REXML
+ else
+ message = "#{base_error_message}: invalid name"
+ end
+- @source.string = "<!DOCTYPE" + @source.buffer
++ @source.position = start_position
+ raise REXML::ParseException.new(message, @source)
+ end
+ name = parse_name(base_error_message)
+@@ -285,6 +286,7 @@ module REXML
+ end
+ if @document_status == :in_doctype
+ @source.match(/\s*/um, true) # skip spaces
++ start_position = @source.position
+ if @source.match("<!", true)
+ if @source.match("ELEMENT", true)
+ md = @source.match(/(.*?)>/um, true)
+@@ -344,7 +346,7 @@ module REXML
+ else
+ message = "#{base_error_message}: invalid name"
+ end
+- @source.string = " <!NOTATION" + @source.buffer
++ @source.position = start_position
+ raise REXML::ParseException.new(message, @source)
+ end
+ name = parse_name(base_error_message)
+@@ -374,6 +376,7 @@ module REXML
+ @source.match(/\s*/um, true)
+ end
+ begin
++ start_position = @source.position
+ if @source.match("<", true)
+ if @source.match("/", true)
+ @namespaces_restore_stack.pop
+@@ -386,7 +389,7 @@ module REXML
+ if md.nil? or last_tag != md[1]
+ message = "Missing end tag for '#{last_tag}'"
+ message += " (got '#{md[1]}')" if md
+- @source.string = "</" + @source.buffer if md.nil?
++ @source.position = start_position if md.nil?
+ raise REXML::ParseException.new(message, @source)
+ end
+ return [ :end_element, last_tag ]
+@@ -410,12 +413,12 @@ module REXML
+ raise REXML::ParseException.new( "Declarations can only occur "+
+ "in the doctype declaration.", @source)
+ elsif @source.match("?", true)
+- return process_instruction
++ return process_instruction(start_position)
+ else
+ # Get the next tag
+ md = @source.match(TAG_PATTERN, true)
+ unless md
+- @source.string = "<" + @source.buffer
++ @source.position = start_position
+ raise REXML::ParseException.new("malformed XML: missing tag start", @source)
+ end
+ tag = md[1]
+@@ -641,11 +644,11 @@ module REXML
+ end
+ end
+
+- def process_instruction
++ def process_instruction(start_position)
+ match_data = @source.match(INSTRUCTION_END, true)
+ unless match_data
+ message = "Invalid processing instruction node"
+- @source.string = "<?" + @source.buffer
++ @source.position = start_position
+ raise REXML::ParseException.new(message, @source)
+ end
+ if @document_status.nil? and match_data[1] == "xml"
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
+index 7132147..b20cc4f 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
+@@ -80,8 +80,12 @@ module REXML
+ end
+ end
+
+- def string=(string)
+- @scanner.string = string
++ def position
++ @scanner.pos
++ end
++
++ def position=(pos)
++ @scanner.pos = pos
+ end
+
+ # @return true if the Source is exhausted
+--
+2.40.0
+
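Review bot: `Source#position=` hands the value straight to `StringScanner#pos=`, which raises `RangeError` for an offset outside the buffer, and nothing in the hunk says that only offsets obtained from `#position` on the same source are meaningful; a short comment on the pair would prevent misuse: `# Scan pointer (byte offset) into the buffer; only values returned by #position are valid.` Every caller in this hunk saves `start_position = @source.position` just before the `match` that may fail and rewinds so the `ParseException` context points at the start of the bad construct, which is what the removed `@source.string = "<!DOCTYPE" + @source.buffer` assignments approximated by copying the buffer. This backport also deletes the public `Source#string=`, so any out-of-tree caller now gets `NoMethodError`; unlikely, but worth a line in the recipe changelog. For `IOSource` the saved offset stays valid only if `read` appends to the scanner rather than replacing its string — `read` is outside this hunk, so please confirm.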
new file mode 100644
@@ -0,0 +1,46 @@
+From b5bf109a599ea733663150e99c09eb44046b41dd Mon Sep 17 00:00:00 2001
+From: Hiroya Fujinami <make.just.on@gmail.com>
+Date: Thu, 13 Jun 2024 15:12:32 +0900
+Subject: [PATCH] Add a "malformed comment" check for top-level comments (#145)
+
+This check was missing. Therefore, `REXML::Document.new("<!--")` raised
+the ``undefined method `[]' for nil`` error, for example.
+
+This PR also adds tests for "malformed comment" checks.
+
+---------
+
+Co-authored-by: Sutou Kouhei <kou@cozmixng.org>
+
+CVE: CVE-2024-39908
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/b5bf109a599ea733663150e99c09eb44046b41dd]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index 81415a8..49c313c 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -236,7 +236,14 @@ module REXML
+ return process_instruction(start_position)
+ elsif @source.match("<!", true)
+ if @source.match("--", true)
+- return [ :comment, @source.match(/(.*?)-->/um, true)[1] ]
++ md = @source.match(/(.*?)-->/um, true)
++ if md.nil?
++ raise REXML::ParseException.new("Unclosed comment", @source)
++ end
++ if /--|-\z/.match?(md[1])
++ raise REXML::ParseException.new("Malformed comment", @source)
++ end
++ return [ :comment, md[1] ]
+ elsif @source.match("DOCTYPE", true)
+ base_error_message = "Malformed DOCTYPE"
+ unless @source.match(/\s+/um, true)
+--
+2.40.0
+
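Review bot: The malformed-comment rule is now spelled one more way in baseparser.rb — here `if /--|-\z/.match?(md[1])`, while the DOCTYPE-internal and element-body comment branches touched later in this series use `case md[1] when /--/, /-\z/`. A single constant beside the other patterns, e.g. `MALFORMED_COMMENT = /--|-\z/um` in `Private`, used at all three sites, keeps the check from drifting. The `Unclosed comment` guard is the important part of this hunk: without it an input of just `<!--` indexes `nil` and surfaces as `NoMethodError`, which callers rescuing `REXML::ParseException` would not catch.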
new file mode 100644
@@ -0,0 +1,76 @@
+From b8a5f4cd5c8fe29c65d7a00e67170223d9d2b50e Mon Sep 17 00:00:00 2001
+From: Watson <watson1978@gmail.com>
+Date: Tue, 16 Jul 2024 10:48:53 +0900
+Subject: [PATCH] Fix performance issue caused by using repeated `>` characters
+ inside `<?xml` (#170)
+
+A `<` is treated as a string delimiter.
+In certain cases, if `<` is used in succession, read and match are
+repeated, which slows down the process. Therefore, the following is used
+to read ahead to a specific part of the string in advance.
+
+CVE: CVE-2024-39908
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/b8a5f4cd5c8fe29c65d7a00e67170223d9d2b50e]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 3 ++-
+ .bundle/gems/rexml-3.2.5/lib/rexml/source.rb | 6 +++---
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index 49c313c..767e134 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -125,6 +125,7 @@ module REXML
+
+ module Private
+ INSTRUCTION_END = /#{NAME}(\s+.*?)?\?>/um
++ INSTRUCTION_TERM = "?>"
+ TAG_PATTERN = /((?>#{QNAME_STR}))\s*/um
+ CLOSE_PATTERN = /(#{QNAME_STR})\s*>/um
+ ATTLISTDECL_END = /\s+#{NAME}(?:#{ATTDEF})*\s*>/um
+@@ -652,7 +653,7 @@ module REXML
+ end
+
+ def process_instruction(start_position)
+- match_data = @source.match(INSTRUCTION_END, true)
++ match_data = @source.match(Private::INSTRUCTION_END, true, term: Private::INSTRUCTION_TERM)
+ unless match_data
+ message = "Invalid processing instruction node"
+ @source.position = start_position
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
+index b20cc4f..08a035c 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
+@@ -72,7 +72,7 @@ module REXML
+ @scanner.scan_until(Regexp.union(term)) or @scanner.rest
+ end
+
+- def match(pattern, cons=false)
++ def match(pattern, cons=false, term: nil)
+ if cons
+ @scanner.scan(pattern).nil? ? nil : @scanner
+ else
+@@ -184,7 +184,7 @@ module REXML
+ end
+ end
+
+- def match( pattern, cons=false )
++ def match( pattern, cons=false, term: nil )
+ read if @scanner.eos? && @source
+ while true
+ if cons
+@@ -195,7 +195,7 @@ module REXML
+ break if md
+ return nil if pattern.is_a?(String) && pattern.bytesize <= @scanner.rest_size
+ return nil if @source.nil?
+- return nil unless read
++ return nil unless read(term)
+ end
+
+ md.nil? ? nil : @scanner
+--
+2.40.0
+
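Review bot: `IOSource#match` now calls `read(term)`, but `IOSource#read`'s definition is outside this hunk and the other call a few lines up (`read if @scanner.eos? && @source`) still passes no argument; if the 3.2.5 tree's `read` does not already take an optional `term`, the new call raises `ArgumentError` only on the streaming-IO path when the scanner runs dry mid-match, which string-input tests never exercise. Please confirm `def read(term = nil)` exists in the target, or carry it in the backport. `Source#match` accepts `term:` and ignores it, which is correct since the whole document is already buffered, but that deserves a comment: `# term: is accepted only for interface parity with IOSource#match; the whole input is in the scanner.`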
new file mode 100644
@@ -0,0 +1,87 @@
+From 0af55fa49d4c9369f90f239a9571edab800ed36e Mon Sep 17 00:00:00 2001
+From: Watson <watson1978@gmail.com>
+Date: Tue, 16 Jul 2024 10:57:39 +0900
+Subject: [PATCH] Fix ReDoS caused by very large character references using
+ repeated 0s (#169)
+
+This patch will fix the ReDoS that is caused by large string of 0s on a
+character reference (like `�...`).
+
+This is occurred in Ruby 3.1 or earlier.
+
+CVE: CVE-2024-39908
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/0af55fa49d4c9369f90f239a9571edab800ed36e]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .bundle/gems/rexml-3.2.5/lib/rexml/text.rb | 48 +++++++++++++++-------
+ 1 file changed, 34 insertions(+), 14 deletions(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/text.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/text.rb
+index 050b09c..0957d70 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/text.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/text.rb
+@@ -151,25 +151,45 @@ module REXML
+ end
+ end
+
+- # context sensitive
+- string.scan(pattern) do
+- if $1[-1] != ?;
+- raise "Illegal character #{$1.inspect} in raw string #{string.inspect}"
+- elsif $1[0] == ?&
+- if $5 and $5[0] == ?#
+- case ($5[1] == ?x ? $5[2..-1].to_i(16) : $5[1..-1].to_i)
+- when *VALID_CHAR
++ pos = 0
++ while (index = string.index(/<|&/, pos))
++ if string[index] == "<"
++ raise "Illegal character \"#{string[index]}\" in raw string #{string.inspect}"
++ end
++
++ unless (end_index = string.index(/[^\s];/, index + 1))
++ raise "Illegal character \"#{string[index]}\" in raw string #{string.inspect}"
++ end
++
++ value = string[(index + 1)..end_index]
++ if /\s/.match?(value)
++ raise "Illegal character \"#{string[index]}\" in raw string #{string.inspect}"
++ end
++
++ if value[0] == "#"
++ character_reference = value[1..-1]
++
++ unless (/\A(\d+|x[0-9a-fA-F]+)\z/.match?(character_reference))
++ if character_reference[0] == "x" || character_reference[-1] == "x"
++ raise "Illegal character \"#{string[index]}\" in raw string #{string.inspect}"
+ else
+- raise "Illegal character #{$1.inspect} in raw string #{string.inspect}"
++ raise "Illegal character #{string.inspect} in raw string #{string.inspect}"
+ end
+- # FIXME: below can't work but this needs API change.
+- # elsif @parent and $3 and !SUBSTITUTES.include?($1)
+- # if !doctype or !doctype.entities.has_key?($3)
+- # raise "Undeclared entity '#{$1}' in raw string \"#{string}\""
+- # end
+ end
++
++ case (character_reference[0] == "x" ? character_reference[1..-1].to_i(16) : character_reference[0..-1].to_i)
++ when *VALID_CHAR
++ else
++ raise "Illegal character #{string.inspect} in raw string #{string.inspect}"
++ end
++ elsif !(/\A#{Entity::NAME}\z/um.match?(value))
++ raise "Illegal character \"#{string[index]}\" in raw string #{string.inspect}"
+ end
++
++ pos = end_index + 1
+ end
++
++ string
+ end
+
+ def node_type
+--
+2.40.0
+
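Review bot: The two raises of the form `raise "Illegal character #{string.inspect} in raw string #{string.inspect}"` (the non-numeric and the out-of-range character-reference branches) interpolate the whole string twice, so the message names no offending token; the natural form is `raise "Illegal character reference \"&#{value};\" in raw string #{string.inspect}"`, matching the sibling branches that quote `string[index]`. The rewrite itself looks sound: references are located with bounded `String#index` calls and the name/number check runs only on the `&`…`;` slice, which is what removes the backtracking the commit describes. The enclosing method begins before this hunk, so its new trailing `string` return value should be checked against what callers expected from the old `scan` loop.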
new file mode 100644
@@ -0,0 +1,44 @@
+From c1b64c174ec2e8ca2174c51332670e3be30c865f Mon Sep 17 00:00:00 2001
+From: Watson <watson1978@gmail.com>
+Date: Tue, 16 Jul 2024 10:57:50 +0900
+Subject: [PATCH] Fix performance issue caused by using repeated `>` characters
+ inside comments (#171)
+
+A `<` is treated as a string delimiter.
+In certain cases, if `<` is used in succession, read and match are
+repeated, which slows down the process. Therefore, the following is used
+to read ahead to a specific part of the string in advance.
+
+CVE: CVE-2024-39908
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/c1b64c174ec2e8ca2174c51332670e3be30c865f]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index 767e134..81753ad 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -126,6 +126,7 @@ module REXML
+ module Private
+ INSTRUCTION_END = /#{NAME}(\s+.*?)?\?>/um
+ INSTRUCTION_TERM = "?>"
++ COMMENT_TERM = "-->"
+ TAG_PATTERN = /((?>#{QNAME_STR}))\s*/um
+ CLOSE_PATTERN = /(#{QNAME_STR})\s*>/um
+ ATTLISTDECL_END = /\s+#{NAME}(?:#{ATTDEF})*\s*>/um
+@@ -237,7 +238,7 @@ module REXML
+ return process_instruction(start_position)
+ elsif @source.match("<!", true)
+ if @source.match("--", true)
+- md = @source.match(/(.*?)-->/um, true)
++ md = @source.match(/(.*?)-->/um, true, term: Private::COMMENT_TERM)
+ if md.nil?
+ raise REXML::ParseException.new("Unclosed comment", @source)
+ end
+--
+2.40.0
+
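Review bot: `term: Private::COMMENT_TERM` is a read-ahead hint tied to the literal regex `/(.*?)-->/um`, and the same terminator is needed by the two other comment matches in this file (DOCTYPE-internal and element-body), each of which repeats the regex; a `COMMENT_END = /(.*?)-->/um` defined alongside `COMMENT_TERM` would keep the pattern and its terminator from drifting apart. As written the change is behaviour-neutral for `Source`, which ignores `term:`, and only changes how far `IOSource` reads before retrying the match.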
new file mode 100644
@@ -0,0 +1,44 @@
+From 9f1415a2616c77cad44a176eee90e8457b4774b6 Mon Sep 17 00:00:00 2001
+From: Watson <watson1978@gmail.com>
+Date: Tue, 16 Jul 2024 11:04:40 +0900
+Subject: [PATCH] Fix performance issue caused by using repeated `>` characters
+ inside `CDATA [ PAYLOAD ]` (#172)
+
+A `<` is treated as a string delimiter.
+In certain cases, if `<` is used in succession, read and match are
+repeated, which slows down the process. Therefore, the following is used
+to read ahead to a specific part of the string in advance.
+
+CVE: CVE-2024-39908
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/9f1415a2616c77cad44a176eee90e8457b4774b6]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index 81753ad..c907f8c 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -127,6 +127,7 @@ module REXML
+ INSTRUCTION_END = /#{NAME}(\s+.*?)?\?>/um
+ INSTRUCTION_TERM = "?>"
+ COMMENT_TERM = "-->"
++ CDATA_TERM = "]]>"
+ TAG_PATTERN = /((?>#{QNAME_STR}))\s*/um
+ CLOSE_PATTERN = /(#{QNAME_STR})\s*>/um
+ ATTLISTDECL_END = /\s+#{NAME}(?:#{ATTDEF})*\s*>/um
+@@ -416,7 +417,7 @@ module REXML
+
+ return [ :comment, md[1] ] if md
+ else
+- md = @source.match(/\[CDATA\[(.*?)\]\]>/um, true)
++ md = @source.match(/\[CDATA\[(.*?)\]\]>/um, true, term: Private::CDATA_TERM)
+ return [ :cdata, md[1] ] if md
+ end
+ raise REXML::ParseException.new( "Declarations can only occur "+
+--
+2.40.0
+
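Review bot: An unterminated CDATA section still falls through from `return [ :cdata, md[1] ] if md` to the generic `Declarations can only occur in the doctype declaration.` raise, which misdescribes the fault, and with `term: Private::CDATA_TERM` a streaming source will first have read ahead looking for `]]>`. Since that `else` branch also serves any other `<!…` at this level, the dedicated message must be conditioned on the opener actually being present, e.g. `if md.nil? && @source.match("[CDATA[")` / `raise REXML::ParseException.new("Unclosed CDATA section", @source)` placed before the generic raise, mirroring the `Unclosed comment` check added for comments in this series. The `else` branch starts outside this hunk.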
new file mode 100644
@@ -0,0 +1,44 @@
+From c33ea498102be65082940e8b7d6d31cb2c6e6ee2 Mon Sep 17 00:00:00 2001
+From: Watson <watson1978@gmail.com>
+Date: Tue, 16 Jul 2024 11:11:17 +0900
+Subject: [PATCH] Fix performance issue caused by using repeated `>` characters
+ after ` <!DOCTYPE name` (#173)
+
+A `<` is treated as a string delimiter.
+In certain cases, if `<` is used in succession, read and match are
+repeated, which slows down the process. Therefore, the following is used
+to read ahead to a specific part of the string in advance.
+
+CVE: CVE-2024-39908
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/c33ea498102be65082940e8b7d6d31cb2c6e6ee2]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index c907f8c..5391e0a 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -128,6 +128,7 @@ module REXML
+ INSTRUCTION_TERM = "?>"
+ COMMENT_TERM = "-->"
+ CDATA_TERM = "]]>"
++ DOCTYPE_TERM = "]>"
+ TAG_PATTERN = /((?>#{QNAME_STR}))\s*/um
+ CLOSE_PATTERN = /(#{QNAME_STR})\s*>/um
+ ATTLISTDECL_END = /\s+#{NAME}(?:#{ATTDEF})*\s*>/um
+@@ -375,7 +376,7 @@ module REXML
+ end
+ return [ :comment, md[1] ] if md
+ end
+- elsif match = @source.match(/(%.*?;)\s*/um, true)
++ elsif match = @source.match(/(%.*?;)\s*/um, true, term: Private::DOCTYPE_TERM)
+ return [ :externalentity, match[1] ]
+ elsif @source.match(/\]\s*>/um, true)
+ @document_status = :after_doctype
+--
+2.40.0
+
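Review bot: `DOCTYPE_TERM = "]>"` is only the no-whitespace spelling of the internal-subset close, while the real close is matched a few lines down by `/\]\s*>/um`, so a document that writes `] >` never yields the terminator to `read(term)`; what happens then depends on `IOSource#read`, which is outside this hunk — if it reads to EOF on a miss, such documents lose streaming but stay correct because the match loop retries. A comment on the constant would keep that from surprising the next reader: `# Read-ahead hint only; the actual close is /\]\s*>/ and may contain whitespace.`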
new file mode 100644
@@ -0,0 +1,36 @@
+From a79ac8b4b42a9efabe33a0be31bd82d33fd50347 Mon Sep 17 00:00:00 2001
+From: Watson <watson1978@gmail.com>
+Date: Tue, 16 Jul 2024 11:18:11 +0900
+Subject: [PATCH] Fix performance issue caused by using repeated `>` characters
+ inside `<!DOCTYPE root [<!-- PAYLOAD -->]>` (#174)
+
+A `<` is treated as a string delimiter.
+In certain cases, if `<` is used in succession, read and match are
+repeated, which slows down the process. Therefore, the following is used
+to read ahead to a specific part of the string in advance.
+
+CVE: CVE-2024-39908
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/a79ac8b4b42a9efabe33a0be31bd82d33fd50347]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index 5391e0a..c22b632 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -369,7 +369,7 @@ module REXML
+ raise REXML::ParseException.new(message, @source)
+ end
+ return [:notationdecl, name, *id]
+- elsif md = @source.match(/--(.*?)-->/um, true)
++ elsif md = @source.match(/--(.*?)-->/um, true, term: Private::COMMENT_TERM)
+ case md[1]
+ when /--/, /-\z/
+ raise REXML::ParseException.new("Malformed comment", @source)
+--
+2.40.0
+
new file mode 100644
@@ -0,0 +1,53 @@
+From 67efb5951ed09dbb575c375b130a1e469f437d1f Mon Sep 17 00:00:00 2001
+From: Watson <watson1978@gmail.com>
+Date: Tue, 16 Jul 2024 11:26:57 +0900
+Subject: [PATCH] Fix performance issue caused by using repeated `>` characters
+ inside `<!DOCTYPE name [<!ENTITY>]>` (#175)
+
+A `<` is treated as a string delimiter.
+In certain cases, if `<` is used in succession, read and match are
+repeated, which slows down the process. Therefore, the following is used
+to read ahead to a specific part of the string in advance.
+
+CVE: CVE-2024-39908
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/67efb5951ed09dbb575c375b130a1e469f437d1f]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index c22b632..c4de254 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -124,11 +124,15 @@ module REXML
+ }
+
+ module Private
+- INSTRUCTION_END = /#{NAME}(\s+.*?)?\?>/um
++ # Terminal requires two or more letters.
+ INSTRUCTION_TERM = "?>"
+ COMMENT_TERM = "-->"
+ CDATA_TERM = "]]>"
+ DOCTYPE_TERM = "]>"
++ # Read to the end of DOCTYPE because there is no proper ENTITY termination
++ ENTITY_TERM = DOCTYPE_TERM
++
++ INSTRUCTION_END = /#{NAME}(\s+.*?)?\?>/um
+ TAG_PATTERN = /((?>#{QNAME_STR}))\s*/um
+ CLOSE_PATTERN = /(#{QNAME_STR})\s*>/um
+ ATTLISTDECL_END = /\s+#{NAME}(?:#{ATTDEF})*\s*>/um
+@@ -304,7 +308,7 @@ module REXML
+ raise REXML::ParseException.new( "Bad ELEMENT declaration!", @source ) if md.nil?
+ return [ :elementdecl, "<!ELEMENT" + md[1] ]
+ elsif @source.match("ENTITY", true)
+- match = [:entitydecl, *@source.match(ENTITYDECL_PATTERN, true).captures.compact]
++ match = [:entitydecl, *@source.match(Private::ENTITYDECL_PATTERN, true, term: Private::ENTITY_TERM).captures.compact]
+ ref = false
+ if match[1] == '%'
+ ref = true
+--
+2.40.0
+
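Review bot: `@source.match(Private::ENTITYDECL_PATTERN, true, term: Private::ENTITY_TERM)` returns nil when the declaration does not match (both `Source#match` and `IOSource#match` return nil on failure), so `.captures` on a malformed `<!ENTITY` raises `NoMethodError` instead of a `REXML::ParseException`; this is pre-existing, but the line is being rewritten anyway. Suggested: `md = @source.match(Private::ENTITYDECL_PATTERN, true, term: Private::ENTITY_TERM)` / `raise REXML::ParseException.new("Malformed entity declaration", @source) if md.nil?` / `match = [:entitydecl, *md.captures.compact]`. Note that `.captures` on an old strscan relies on the `StringScannerCaptures` refinement from the first patch in this series, so that patch must stay ahead of this one, and `ENTITY_TERM = DOCTYPE_TERM` means an IO source buffers the whole internal subset at the first entity declaration, as the new comment says.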
new file mode 100644
@@ -0,0 +1,35 @@
+From 1f1e6e9b40bf339894e843dfd679c2fb1a5ddbf2 Mon Sep 17 00:00:00 2001
+From: Watson <watson1978@gmail.com>
+Date: Tue, 16 Jul 2024 11:35:41 +0900
+Subject: [PATCH] Fix ReDoS by using repeated space characters inside
+ `<!DOCTYPE name [<!ATTLIST>]>` (#176)
+
+Fix performance by removing unnecessary spaces.
+
+This is occurred in Ruby 3.1 or earlier.
+
+CVE: CVE-2024-39908
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/1f1e6e9b40bf339894e843dfd679c2fb1a5ddbf2]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index c4de254..a9b1b44 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -340,7 +340,7 @@ module REXML
+ contents = md[0]
+
+ pairs = {}
+- values = md[0].scan( ATTDEF_RE )
++ values = md[0].strip.scan( ATTDEF_RE )
+ values.each do |attdef|
+ unless attdef[3] == "#IMPLIED"
+ attdef.compact!
+--
+2.40.0
+
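Review bot: `md[0].strip.scan( ATTDEF_RE )` reads as a cosmetic change, but per the commit message it is the ReDoS fix — surrounding whitespace in the ATTLIST body made `ATTDEF_RE` backtrack on Ruby <= 3.1 — so it deserves an inline why-comment: `# strip: surrounding whitespace makes ATTDEF_RE backtrack quadratically on Ruby <= 3.1`. `contents = md[0]` two lines up already holds the same value, so `values = contents.strip.scan( ATTDEF_RE )` avoids re-indexing `md`. Whether runs of spaces between attribute definitions are also safe depends on `ATTDEF_RE`, which is outside this hunk.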
new file mode 100644
@@ -0,0 +1,36 @@
+From 910e5a2b487cb5a30989884a39f9cad2cc499cfc Mon Sep 17 00:00:00 2001
+From: Watson <watson1978@gmail.com>
+Date: Tue, 16 Jul 2024 11:36:05 +0900
+Subject: [PATCH] Fix performance issue caused by using repeated `>` characters
+ inside `<xml><!-- --></xml>` (#177)
+
+A `<` is treated as a string delimiter.
+In certain cases, if `<` is used in succession, read and match are
+repeated, which slows down the process. Therefore, the following is used
+to read ahead to a specific part of the string in advance.
+
+CVE: CVE-2024-39908
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/910e5a2b487cb5a30989884a39f9cad2cc499cfc]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index a9b1b44..4864ba1 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -413,7 +413,7 @@ module REXML
+ #STDERR.puts "SOURCE BUFFER = #{source.buffer}, #{source.buffer.size}"
+ raise REXML::ParseException.new("Malformed node", @source) unless md
+ if md[0][0] == ?-
+- md = @source.match(/--(.*?)-->/um, true)
++ md = @source.match(/--(.*?)-->/um, true, term: Private::COMMENT_TERM)
+
+ case md[1]
+ when /--/, /-\z/
+--
+2.40.0
+
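Review bot: `md = @source.match(/--(.*?)-->/um, true, term: Private::COMMENT_TERM)` returns nil when a comment inside an element is never closed (e.g. `<a><!-- x`), and the `case md[1]` on the next line then raises `NoMethodError` rather than `REXML::ParseException` — the same gap this series closes for top-level comments with its `Unclosed comment` check. Add the same guard between the two lines: `raise REXML::ParseException.new("Unclosed comment", @source) if md.nil?`. The preceding `Malformed node` check only guarantees that an opener beginning with `-` was seen, not that `-->` follows.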
@@ -54,6 +54,18 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
file://CVE-2025-27221-0001.patch \
file://CVE-2025-27221-0002.patch \
file://CVE-2024-35176.patch \
+ file://CVE-2024-39908-0001.patch \
+ file://CVE-2024-39908-0002.patch \
+ file://CVE-2024-39908-0003.patch \
+ file://CVE-2024-39908-0004.patch \
+ file://CVE-2024-39908-0005.patch \
+ file://CVE-2024-39908-0006.patch \
+ file://CVE-2024-39908-0007.patch \
+ file://CVE-2024-39908-0008.patch \
+ file://CVE-2024-39908-0009.patch \
+ file://CVE-2024-39908-0010.patch \
+ file://CVE-2024-39908-0011.patch \
+ file://CVE-2024-39908-0012.patch \
"
UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"