CVE-2024-41123

Name	CVE-2024-41123
Description	REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, `>]` and `]>`. The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-4018-1
Debian Bugs	1083190, 1083191

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
ruby2.7 (PTS)	bullseye	2.7.4-1+deb11u1	vulnerable
	bullseye (security)	2.7.4-1+deb11u3	fixed
ruby3.1 (PTS)	bookworm, bookworm (security)	3.1.2-7+deb12u1	vulnerable
	sid, trixie	3.1.2-8.5	vulnerable
ruby3.2 (PTS)	sid	3.2.3-1	vulnerable
ruby3.3 (PTS)	sid, trixie	3.3.6-1.1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
ruby2.7	source	bullseye	2.7.4-1+deb11u3	DLA-4018-1
ruby2.7	source	(unstable)	(unfixed)
ruby3.1	source	(unstable)	(unfixed)		1083190
ruby3.2	source	(unstable)	(unfixed)		1083191
ruby3.3	source	(unstable)	3.3.5-1

Notes

[bookworm] - ruby3.1 <no-dsa> (Minor issue)
https://github.com/ruby/rexml/security/advisories/GHSA-r55c-59qm-vjw6
https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/
https://github.com/ruby/rexml/issues/232#issuecomment-2585211411
Fixed by commit [1/2] https://github.com/ruby/rexml/commit/6cac15d45864c8d70904baa5cbfcc97181000960 (v3.3.3)
Fixed by commit [2/2] https://github.com/ruby/rexml/commit/e2546e6ecade16b04c9ee528e5be8509fe16c2d6 (v3.3.3)