(PA-6507)(PA-6736) Gem install rexml to 3.3.2 for CVE-2024-35176 and CVE-2024-… #878
Conversation
Tested all platforms applicable for the impacted projects:
- pe-bolt-server-runtime-main:
- agent-runtime-7.x:
- agent-runtime-main:

Note that the solaris-sparc failures are unrelated to this change; they are caused by the update of the package xz upstream.
Force-pushed from 8d0533a to 5b0e5b6.
…VE-2024-39908
- The CVEs were fixed from rexml version 3.2.7 (CVE-2024-35176) and 3.3.2 (CVE-2024-39908).
- Patching for the CVE wasn't getting applied cleanly and had a lot of conflicts, so we updated the gem version to 3.3.2 in the rexml component file.
- Added the change to _shared-agent-components since the CVEs impact both agent-runtime-main (ruby 3.2.4 using rexml 3.2.6) and agent-runtime-7.x (ruby 2.7.8 using rexml 3.2.3).
- For solaris-10-sparc and solaris-11-sparc, we ignore dependencies when installing rexml, since the ruby on these platforms tries to install strscan (rexml's dependency) but fails while building native extensions. We can skip installing strscan since it is shipped with ruby 2.7.8 as a default gem.
- rexml is a bundled gem in ruby 3.
- When we gem install rexml version 3.3.2 to resolve the CVEs, we end up having two versions of rexml: rexml 3.2.5, which is shipped with ruby as its bundled gem, and rexml 3.3.2, which we manually installed.
- This causes a 'Gem::Specification.reset:rexml' warning to go to stderr each time puppet runs.
- Run 'gem cleanup rexml' so that it removes the 3.2.5 version for both agent-runtimes and pe-bolt-server-runtime-main, the impacted projects requiring the rexml component.
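The commit message above describes two things an operator would want to verify on a built runtime: that the installed rexml is at or above the versions that fix CVE-2024-35176 (3.2.7) and CVE-2024-39908 (3.3.2), and that no older copy remains next to it (the duplicate that produces the `Gem::Specification.reset` warning until `gem cleanup rexml` removes it). The following script is an added example, not code from PR #878 or from the runtime projects; it reads the fixed versions from the commit message and otherwise assumes nothing about the build. `installed_versions` inspects the live gem environment, while `assess_rexml` takes a list of version strings so the check can be exercised on constructed input.

```ruby
# Added example (not part of PR #878): check installed rexml versions against
# the releases that fix CVE-2024-35176 and CVE-2024-39908, and flag the
# side-by-side duplicate that 'gem cleanup rexml' is meant to remove.
require 'rubygems'

# Minimum rexml version carrying each fix, as stated in the commit message.
REXML_FIXED = {
  'CVE-2024-35176' => Gem::Version.new('3.2.7'),
  'CVE-2024-39908' => Gem::Version.new('3.3.2')
}.freeze

# Every installed version of +name+ visible to this Ruby, newest first.
# Includes bundled/default gems, which is exactly what we need to see here.
def installed_versions(name)
  Gem::Specification.select { |s| s.name == name }.map { |s| s.version.to_s }
end

# Assess a list of rexml version strings (constructed or from
# installed_versions). Returns a hash describing:
#   :newest       - the version that 'require "rexml"' would activate
#   :unfixed_cves - CVEs the newest version does not fix
#   :duplicates   - older copies that 'gem cleanup rexml' would remove
#   :ok           - true only when the newest is fixed and it is the sole copy
def assess_rexml(versions)
  vs = versions.map { |v| Gem::Version.new(v) }.sort.reverse
  newest = vs.first
  unfixed = REXML_FIXED.reject { |_, fixed| newest && newest >= fixed }.keys
  {
    newest: newest && newest.to_s,
    unfixed_cves: unfixed,
    duplicates: vs.drop(1).map(&:to_s),
    ok: unfixed.empty? && vs.size == 1
  }
end

# Stand-alone usage: report on the Ruby running this script.
if __FILE__ == $PROGRAM_NAME
  report = assess_rexml(installed_versions('rexml'))
  puts "rexml newest:   #{report[:newest] || 'not installed'}"
  puts "unfixed CVEs:   #{report[:unfixed_cves].join(', ')}" unless report[:unfixed_cves].empty?
  puts "older copies:   #{report[:duplicates].join(', ')} (run: gem cleanup rexml)" unless report[:duplicates].empty?
  puts(report[:ok] ? 'OK' : 'NOT OK')
  exit(report[:ok] ? 0 : 1)
end
```

Run it with the runtime's own Ruby (`/opt/puppetlabs/puppet/bin/ruby` is a placeholder for the interpreter under test) so that `Gem::Specification` reflects the bundled gems of that interpreter rather than the host's. The check deliberately treats any duplicate as not OK: even when the newest copy is fixed, the older one is the source of the stderr warning the commit message describes, and a leftover older gem is what an audit scanning gem specifications would still report.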
Force-pushed from 5b0e5b6 to 2b010af.
# So, we run gem cleanup so that it deletes the older version 3.2.5. | ||
# Note: We won't need to cleanup and install rexml once we upgrade to ruby >= 3.3.3 | ||
if name == 'rexml' && settings[:ruby_version].to_i == 3 | ||
steps << "#{settings[:gem_cleanup]} #{name}" |
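Review bot: the guard `settings[:ruby_version].to_i == 3` matches every Ruby 3.x, so this cleanup step keeps running after the upgrade to Ruby >= 3.3.3 that the comment directly above it says makes the step unnecessary; compare against the specific Ruby versions that still ship a vulnerable bundled rexml (for example with Gem::Version), or keep the whole install-and-cleanup sequence inside the rexml component so it is dropped together with that component. Note also that `gem cleanup rexml` removes every installed rexml older than the newest one rather than specifically the bundled 3.2.5, which is only correct as long as 3.3.2 is the newest version present.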
I don't think this specialized logic belongs in the generalized base rubygems code.
@@ -62,6 +62,10 @@ | |||
proj.component 'rubygem-fast_gettext' | |||
proj.component 'rubygem-ffi' | |||
|
|||
# Note: We won't need to explicitly add 'rubygem-rexml' to agent-runtimes once ruby is upgraded to 3.3.3 or higher (CVE-2024-35176 and CVE-2024-39908). | |||
# This is because the bundled rexml gem version shipped with ruby itself will be free from these CVEs. | |||
proj.component 'rubygem-rexml' |
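Review bot: the removal condition in the new comment ("once ruby is upgraded to 3.3.3 or higher") does not line up with the fixed rexml versions the commit message cites (3.2.7 for CVE-2024-35176, 3.3.2 for CVE-2024-39908), nor with the closing note that Ruby 3.2.5 already takes care of the CVEs for main; state the actual Ruby release whose bundled rexml is fixed so the component is not carried longer than needed. Because the component is added unconditionally here, agent-runtime-main installs a second rexml next to its bundled copy and then relies on the cleanup step to silence the Gem::Specification.reset warning; if only the 7.x stream (ruby 2.7.8 with rexml 3.2.3 as a default gem) still needs the override, limit the component to that stream.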
Do we want this in both streams?
Oh, sorry, I see that in the commit message. So for ruby 2.7 we want to override the default rexml version.
@@ -68,6 +68,7 @@ | |||
proj.setting(:gem_install, "#{proj.host_gem} install --no-rdoc --no-ri --local --bindir=#{proj.bindir}") | |||
end | |||
|
|||
proj.setting(:gem_cleanup, "#{proj.host_gem} cleanup") |
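Review bot: `settings[:gem_cleanup]` is interpolated by the shared rubygems step for every project that builds the rexml component, but the setting is only defined here; a runtime that pulls in the shared components without defining it (the installer runtime is called out as missing it) would emit a step consisting of an empty command followed by a bare `rexml` argument. Define `gem_cleanup` next to `gem_install` in every project that sets `gem_install`, or make the rubygems step skip the cleanup when the setting is absent.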
I don't understand this change. Also, it seems like we are missing this for the installer runtime.
Generally, I think this is related to my point here: #878 (comment). I think this is a very specialized case. I would suggest the rexml component just encapsulate everything needed for this, so that it is clear why we are doing it, and when we eventually get to a ruby version with the patched version it will be easier to drop.
Superseded by: #882. We have ruby-3.2.5 released, which takes care of the CVEs for main, so we only need to apply this gem update step for 7.x.