(PA-6881) Adding rexml gem to agent-runtime-main for CVE-2024-41123 and

CVE-2024-41946
puppetlabs · Aug 28, 2024 · 3e9c307 · 3e9c307
1 parent 38fc20b
commit 3e9c307
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 14 deletions.
diff --git a/configs/components/_base-rubygem.rb b/configs/components/_base-rubygem.rb
@@ -40,13 +40,13 @@
 # If a gem needs more command line options to install set the :gem_install_options
 # in its component file rubygem-<compoment>, before the instance_eval of this file.
 gem_install_options = settings["#{pkg.get_name}_gem_install_options".to_sym]
-if gem_install_options.nil?
-  pkg.install do
-    "#{settings[:gem_install]} #{name}-#{version}.gem"
-  end
-else
-  pkg.install do
-    "#{settings[:gem_install]} #{name}-#{version}.gem #{gem_install_options}"
-  end
+remove_older_versions = settings["#{pkg.get_name}_remove_older_versions".to_sym]
+pkg.install do
+  steps = []
+  steps << "#{settings[:gem_uninstall]} #{name}" if remove_older_versions
+  steps << if gem_install_options.nil?
+             "#{settings[:gem_install]} #{name}-#{version}.gem"
+           else
+             "#{settings[:gem_install]} #{name}-#{version}.gem #{gem_install_options}"
+           end
 end
-
diff --git a/configs/components/rubygem-rexml.rb b/configs/components/rubygem-rexml.rb
@@ -2,6 +2,8 @@
   pkg.version '3.3.4'
   pkg.md5sum 'b7411377f3c1a9cbe65e862f74067f91'
 
+  settings["#{pkg.get_name}_remove_older_versions".to_sym] = true
+
   # If the platform is solaris with sparc architecture in agent-runtime-7.x project, we want to gem install rexml
   # ignoring the dependencies, this is because the pl-ruby version used in these platforms is ancient so it gets
   # confused when installing rexml. It tries to install rexml's dependency 'strscan' by building native extensions

diff --git a/configs/projects/_shared-agent-components.rb b/configs/projects/_shared-agent-components.rb
@@ -62,6 +62,12 @@
 proj.component 'rubygem-fast_gettext'
 proj.component 'rubygem-ffi'
 
+# We add rexml explicitly in here because even though ruby 3 ships with rexml as its default gem, the version
+# of rexml it ships with contains CVE-2024-41946, CVE-2024-41123, CVE-2024-35176 and CVE-2024-39908.
+# So, we add it here to update to a higher version
+# free from the CVEs.
+proj.component 'rubygem-rexml'
+
 if platform.is_windows? || platform.is_solaris? || platform.is_aix?
   proj.component 'rubygem-minitar'
 end

diff --git a/configs/projects/_shared-agent-settings.rb b/configs/projects/_shared-agent-settings.rb
@@ -131,6 +131,7 @@
 end
 
 proj.setting(:gem_install, "#{proj.host_gem} install --no-rdoc --no-ri --local ")
+proj.setting(:gem_uninstall, "#{proj.host_gem} uninstall --all --ignore-dependencies ")
 
 # For AIX, we use the triple to install a better rbconfig
 if platform.is_aix?

diff --git a/configs/projects/agent-runtime-7.x.rb b/configs/projects/agent-runtime-7.x.rb
@@ -61,11 +61,6 @@
   proj.component 'rubygem-thor'
   proj.component 'rubygem-scanf'
 
-  # We add rexml explicitly in here because even though ruby 2 ships with rexml as its default gem, the version
-  # of rexml it ships with contains CVE-2024-35176 and CVE-2024-39908. So, we add it here to update to a higher version
-  # free from the CVEs.
-  proj.component 'rubygem-rexml'
-
   if platform.is_linux?
     proj.component "virt-what"
     proj.component "dmidecode" unless platform.architecture =~ /ppc64/