This repository has been archived by the owner on Jan 15, 2025. It is now read-only.

(PA-6507)(PA-6736) Gem install rexml to 3.3.2 for CVE-2024-35176 and CVE-2024-… #878

Conversation

shubhamshinde360

…39908

  • The CVEs were fixed from rexml version 3.2.7 (CVE-2024-35176) and 3.3.2 (CVE-2024-39908).
  • Patching for the CVE wasn't getting applied cleanly and had a lot of conflicts. So updated the gem version to 3.3.2 in the rexml component file.
  • Added the change to _shared-agent-components since the CVEs impact both agent-runtime-main (ruby 3.2.4 using rexml 3.2.6) and agent-runtime-7.x (ruby 2.7.8 using rexml 3.2.3).
  • For solaris-10-sparc and solaris-11-sparc, we ignore dependency when installing rexml since the ruby in these platforms tries to install strscan (rexml's dependency) but fails while building native extensions. We can ignore installing strscan since it is shipped with ruby 2.7.8 as its default gem.
  • rexml is a bundled gem in ruby 3.
  • When we gem install rexml version 3.3.2 to resolve CVEs, we end up having two versions of rexml -- rexml 3.2.5 which is shipped with ruby as its bundled gem and rexml 3.3.2 which we manually installed.
  • This causes a 'Gem::Specification.reset:rexml' warning to go to stderr each time puppet runs.
  • Run 'gem cleanup rexml' so that it removes the 3.2.5 version for both agent-runtimes and pe-bolt-server-runtime-main, the impacted projects requiring the rexml component.
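The description above turns on two observable states of a runtime: whether the rexml version that rubygems will activate is at or past the fix level for each CVE, and whether more than one rexml version is installed (the condition that produces the stderr warning until `gem cleanup rexml` runs). The following Ruby is an added verification example, not code from this PR or from the puppet-runtime project. It assumes the line format of `gem list --local` (`rexml (3.3.2, 3.2.5)` for a bundled gem on Ruby 3, `rexml (3.3.2, default: 3.2.3)` for the default gem on Ruby 2.7), takes the fix versions from the PR description, and uses constructed sample output rather than a live `gem` call so it runs offline.

```ruby
require 'rubygems'

# Minimum rexml version at which each CVE is fixed (values from the PR description).
REXML_FIXES = {
  'CVE-2024-35176' => Gem::Version.new('3.2.7'),
  'CVE-2024-39908' => Gem::Version.new('3.3.2')
}.freeze

# Parse `gem list --local` style lines into { name => [Gem::Version, ...] }.
# Handles the "default: X" / "bundled: X" prefixes rubygems prints and drops a
# trailing platform token (e.g. "3.3.2 x86-mingw32") if present.
def parse_gem_list(text)
  text.each_line.with_object({}) do |line, gems|
    m = line.match(/\A(\S+)\s+\((.*)\)\s*\z/) or next
    name, versions = m[1], m[2]
    gems[name] = versions.split(',').map do |v|
      Gem::Version.new(v.strip.sub(/\A\w+:\s*/, '').split(/\s+/).first)
    end
  end
end

# Assess the rexml install state. Rubygems activates the newest installed
# version on a plain `require 'rexml'`, so the CVE check is made against the
# maximum; :duplicate flags the two-versions state behind the
# Gem::Specification.reset warning that `gem cleanup rexml` is meant to clear.
def assess_rexml(versions)
  newest = versions.max
  {
    newest: newest.to_s,
    duplicate: versions.uniq.size > 1,
    open_cves: REXML_FIXES.select { |_, fixed| newest < fixed }.keys
  }
end

# Constructed sample outputs modelling the states described in the PR
# (none of these were captured from a real runtime).
SAMPLES = {
  'ruby 3.2 before gem install'    => "rexml (3.2.5)\n",
  'ruby 3.2 after install, before cleanup' => "rexml (3.3.2, 3.2.5)\n",
  'ruby 3.2 after gem cleanup'     => "rexml (3.3.2)\n",
  'ruby 2.7 after install'         => "rexml (3.3.2, default: 3.2.3)\n"
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLES.each do |label, output|
    status = assess_rexml(parse_gem_list(output).fetch('rexml'))
    puts "#{label}: #{status}"
  end
end
```

To run this against a real runtime, feed it the output of `gem list --local rexml` for the Ruby being shipped; an empty `:open_cves` with `:duplicate` false is the target state after the install and cleanup steps above. Note that `gem cleanup` cannot remove a default gem, so on Ruby 2.7 the `:duplicate` flag stays set by design, which matches the description's decision to run cleanup only for Ruby 3.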

@shubhamshinde360 shubhamshinde360 requested review from a team as code owners July 22, 2024 14:15
@shubhamshinde360 shubhamshinde360 changed the title (PA-6507) Gem install rexml to 3.3.2 for CVE-2024-35176 and CVE-2024-… (PA-6507)(PA-6736) Gem install rexml to 3.3.2 for CVE-2024-35176 and CVE-2024-… Jul 22, 2024
@shubhamshinde360 shubhamshinde360 force-pushed the PA-6507-gem-cleanup-rexml branch from 8d0533a to 5b0e5b6 July 22, 2024 14:20
@shubhamshinde360 shubhamshinde360 force-pushed the PA-6507-gem-cleanup-rexml branch from 5b0e5b6 to 2b010af July 23, 2024 06:10
# So, we run gem cleanup so that it deletes the older version 3.2.5.
# Note: We won't need to cleanup and install rexml once we upgrade to ruby >= 3.3.3
if name == 'rexml' && settings[:ruby_version].to_i == 3
steps << "#{settings[:gem_cleanup]} #{name}"
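Review bot: the guard `settings[:ruby_version].to_i == 3` does not encode the `>= 3.3.3` cutoff that the comment directly above it states, so the cleanup step keeps running on every Ruby 3.x runtime after the upgrade the comment anticipates and the comment silently goes stale. Either compare properly (`Gem::Version.new(settings[:ruby_version]) < Gem::Version.new('3.3.3')`) or leave a TODO naming the ticket so the special case is removed with the Ruby bump. Worth noting in the comment as well that `gem cleanup rexml` removes every non-newest rexml version present, not only 3.2.5.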

I don't think this specialized logic belongs in the generalized base rubygems code.

@@ -62,6 +62,10 @@
proj.component 'rubygem-fast_gettext'
proj.component 'rubygem-ffi'

# Note: We won't need to explicitly add 'rubygem-rexml' to agent-runtimes once ruby is upgraded to 3.3.3 or higher (CVE-2024-35176 and CVE-2024-39908).
# This is because the bundled rexml gem version shipped with ruby itself will be free from these CVEs.
proj.component 'rubygem-rexml'
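Review bot: the removal condition in the comment covers only the Ruby 3 stream. This shared file also feeds agent-runtime-7.x (Ruby 2.7.8, where rexml is a default gem and no fixed Ruby release is mentioned), so state the condition per stream, otherwise the component is likely to be dropped for 7.x as well once main moves past 3.3.3.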

Do we want this in both streams?


Oh, sorry, I see that in the commit message. So for ruby 2.7 we want to override the default rexml version.

@@ -68,6 +68,7 @@
proj.setting(:gem_install, "#{proj.host_gem} install --no-rdoc --no-ri --local --bindir=#{proj.bindir}")
end

proj.setting(:gem_cleanup, "#{proj.host_gem} cleanup")
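Review bot: the base rubygems code interpolates `settings[:gem_cleanup]` unconditionally for rexml on Ruby 3, so any runtime project that reaches that branch without defining this setting will emit a step of just ` rexml` and fail at build time. Define `:gem_cleanup` wherever `:gem_install` is defined (the installer runtime noted below included), or derive the command from `proj.host_gem` inside the rexml component so the two settings cannot drift apart.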

I don't understand this change. Also, it seems like we are missing this for installer runtime.


Generally, I think this is related to my point here #878 (comment). I think this is a very specialized case. I would suggest the rexml component just encapsulate everything needed for this so that it is clear why we are doing it, and when we eventually get to a ruby version with the patched version it will be easier to drop.

@shubhamshinde360

Superseded by: #882

We have ruby-3.2.5 released which takes care of the CVE for main, so we only need to apply this gem update step for 7.x.
