diff --git a/configs/components/_base-rubygem.rb b/configs/components/_base-rubygem.rb
index a5614b81b..aecc1ea0f 100644
--- a/configs/components/_base-rubygem.rb
+++ b/configs/components/_base-rubygem.rb
@@ -40,13 +40,22 @@
 # If a gem needs more command line options to install set the :gem_install_options
 # in its component file rubygem-, before the instance_eval of this file.
 gem_install_options = settings["#{pkg.get_name}_gem_install_options".to_sym]
-if gem_install_options.nil?
- pkg.install do
- "#{settings[:gem_install]} #{name}-#{version}.gem"
+pkg.install do
+ steps = []
+ if gem_install_options.nil?
+ steps << "#{settings[:gem_install]} #{name}-#{version}.gem"
+ else
+ steps << "#{settings[:gem_install]} #{name}-#{version}.gem #{gem_install_options}"
 end
-else
- pkg.install do
- "#{settings[:gem_install]} #{name}-#{version}.gem #{gem_install_options}"
+
+ # We gem installed rexml to 3.3.2 in ruby 3 for CVE-2024-35176 and CVE-2024-39908. Since rexml is a bundled gem in ruby 3, we end up having
+ # two versions of rexml -- 1) the bundled version shipped with ruby 3 (3.2.5) and 2) the one we manually installed with
+ # the above gem install command.
+ # So, we run gem cleanup so that it deletes the older version 3.2.5.
+ # Note: We won't need to cleanup and install rexml once we upgrade to ruby >= 3.3.3
+ if name == 'rexml' && settings[:ruby_version].to_i == 3
+ steps << "#{settings[:gem_cleanup]} #{name}"
 end
+ steps
 end
diff --git a/configs/components/rubygem-rexml.rb b/configs/components/rubygem-rexml.rb
index e983157aa..ce5f4a30a 100644
--- a/configs/components/rubygem-rexml.rb
+++ b/configs/components/rubygem-rexml.rb
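Review bot: The new cleanup step `steps << "#{settings[:gem_cleanup]} #{name}"` interpolates a setting that only the two project files in this diff define; any project that includes _shared-agent-components.rb (which now pulls in rubygem-rexml, see that hunk) and builds a ruby 3 without a :gem_cleanup setting would emit the bare string ` rexml` as an install step, which either fails the build or executes whatever `rexml` happens to be on PATH. Fail loudly instead, e.g. `raise "missing :gem_cleanup setting for #{name}" unless settings[:gem_cleanup]` before the `steps <<` line, so the missing setting is caught at build time rather than as a strange shell error. Also note that `settings[:ruby_version].to_i == 3` matches every 3.x including the >= 3.3.3 releases the comment says no longer need this, so the comment should say the step must be removed by hand at that upgrade rather than implying it turns itself off. As a style point, the two install branches differ only by the trailing options and could be one line, `steps << [settings[:gem_install], "#{name}-#{version}.gem", gem_install_options].compact.join(' ')`.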
@@ -1,6 +1,14 @@
 component 'rubygem-rexml' do |pkg, settings, platform|
- pkg.version '3.2.6'
- pkg.md5sum 'a57288ae5afed07dd08c9f1302da7b25'
+ pkg.version '3.3.2'
+ pkg.md5sum '55d213401f5e6a7a83ff3d2cd64a23fe'
+ # If the platform is solaris with sparc architecture in agent-runtime-7.x project, we want to gem install rexml
+ # ignoring the dependencies, this is because the pl-ruby version used in these platforms is ancient so it gets
+ # confused when installing rexml. It tries to install rexml's dependency 'strscan' by building native extensions
+ # but fails. We can ignore insalling that since strscan is already shipped with ruby 2 as its default gem.
+ if platform.name =~ /solaris-(10|11)-sparc/ && settings[:ruby_version].to_i < 3
+ settings["#{pkg.get_name}_gem_install_options".to_sym] = "--ignore-dependencies"
+ end
+
 instance_eval File.read('configs/components/_base-rubygem.rb')
 end
diff --git a/configs/projects/_shared-agent-components.rb b/configs/projects/_shared-agent-components.rb
index 6e722cc46..e846ca6cc 100644
--- a/configs/projects/_shared-agent-components.rb
+++ b/configs/projects/_shared-agent-components.rb
@@ -62,6 +62,10 @@
 proj.component 'rubygem-fast_gettext'
 proj.component 'rubygem-ffi'
+# Note: We won't need to explicitly add 'rubygem-rexml' to agent-runtimes once ruby is upgraded to 3.3.3 or higher (CVE-2024-35176 and CVE-2024-39908).
+# This is because the bundled rexml gem version shipped with ruby itself will be free from these CVEs.
+proj.component 'rubygem-rexml'
+
 if platform.is_windows? || platform.is_solaris? || platform.is_aix?
 proj.component 'rubygem-minitar'
 end
diff --git a/configs/projects/_shared-pe-bolt-server_with_ruby.rb b/configs/projects/_shared-pe-bolt-server_with_ruby.rb
index 06740fccd..8ecae30e3 100644
--- a/configs/projects/_shared-pe-bolt-server_with_ruby.rb
+++ b/configs/projects/_shared-pe-bolt-server_with_ruby.rb
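Review bot: The integrity check for the new artifact stays on `pkg.md5sum`, and MD5 no longer offers collision resistance, so the pin protects against a corrupted download but not against a substituted one; the md5sum convention predates this commit, but a security-motivated version bump is the natural point to switch to a stronger digest, e.g. `pkg.sha256sum '<sha256 of rexml-3.3.2.gem>'`, if the component DSL provides it (I believe it does; confirm against the DSL). The `--ignore-dependencies` branch is only safe because strscan happens to be a default gem on those ruby 2 builds, and a later rexml bump that adds a dependency would install silently broken on solaris sparc with no build-time error, so that assumption deserves a line next to the assignment, e.g. `# NOTE: any new rexml runtime dependency must be verified to ship with pl-ruby 2 before bumping the version`. The added comment also has a typo, `insalling`.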
@@ -68,6 +68,7 @@
 proj.setting(:gem_install, "#{proj.host_gem} install --no-rdoc --no-ri --local --bindir=#{proj.bindir}")
 end
+proj.setting(:gem_cleanup, "#{proj.host_gem} cleanup")
 proj.setting(:datadir, File.join(proj.prefix, "share"))
 proj.setting(:mandir, File.join(proj.datadir, "man"))
diff --git a/configs/projects/agent-runtime-main.rb b/configs/projects/agent-runtime-main.rb
index e7bdce75a..15577ab0e 100644
--- a/configs/projects/agent-runtime-main.rb
+++ b/configs/projects/agent-runtime-main.rb
@@ -43,6 +43,8 @@
 # platforms that use older rubies.
 proj.setting(:gem_install, "#{proj.host_gem} install --no-document --local")
+ proj.setting(:gem_cleanup, "#{proj.host_gem} cleanup")
+
 ########
 # Load shared agent components
 ########
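Review bot: In agent-runtime-main.rb the new `proj.setting(:gem_cleanup, "#{proj.host_gem} cleanup")` is placed directly under the `proj.setting(:gem_install, ...)` line whose preceding comment ("platforms that use older rubies") reads like the tail of a conditional, and the indentation that survives in the hunk is consistent with that; if it is inside a branch, :gem_cleanup is defined only on that branch and the rexml install step in _base-rubygem.rb would see nil on the others. The _shared-pe-bolt-server_with_ruby.rb hunk in the same commit puts the setting after the closing `end`, unconditionally, which is the safer placement; move this one after the enclosing `end` too, so both projects agree. The enclosing block, if any, starts outside the hunk, so this is an inference to confirm against the file.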