From 2e6c9b7dc83e797572cb5143af205830172ab1a3 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Fri, 26 Jan 2024 10:40:54 +0800
Subject: [PATCH] Fix CVE-2023-28756
---
 CVE-2023-28756.patch | 61 ++++++++++++++++++++++++++++++++++++++++++++
 jruby.spec | 6 ++++-
 2 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-28756.patch
diff --git a/CVE-2023-28756.patch b/CVE-2023-28756.patch
new file mode 100644
index 0000000..e93bc06
--- /dev/null
+++ b/CVE-2023-28756.patch
@@ -0,0 +1,61 @@
+From 957bb7cb81995f26c671afce0ee50a5c660e540e Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA
+Date: Wed, 29 Mar 2023 13:28:25 +0900
+Subject: Merge Time-0.2.2
+
+Origin: https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e
+
+---
+ lib/ruby/1.8/time.rb | 4 ++--
+ lib/ruby/1.9/time.rb | 4 ++--
+ lib/ruby/2.0/time.rb | 4 ++--
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/lib/ruby/1.8/time.rb b/lib/ruby/1.8/time.rb
+index a37a067..a9ef487 100644
+--- a/lib/ruby/1.8/time.rb
++++ b/lib/ruby/1.8/time.rb
+@@ -265,8 +265,8 @@ class Time
+ (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+
+ (\d{2,})\s+
+ (\d{2})\s*
+- :\s*(\d{2})\s*
+- (?::\s*(\d{2}))?\s+
++ :\s*(\d{2})
++ (?:\s*:\s*(\d\d))?\s+
+ ([+-]\d{4}|
+ UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date
+ # Since RFC 2822 permit comments, the regexp has no right anchor.
+diff --git a/lib/ruby/1.9/time.rb b/lib/ruby/1.9/time.rb
+index 40b28d9..4379be2 100644
+--- a/lib/ruby/1.9/time.rb
++++ b/lib/ruby/1.9/time.rb
+@@ -320,8 +320,8 @@ class Time
+ (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+
+ (\d{2,})\s+
+ (\d{2})\s*
+- :\s*(\d{2})\s*
+- (?::\s*(\d{2}))?\s+
++ :\s*(\d{2})
++ (?:\s*:\s*(\d\d))?\s+
+ ([+-]\d{4}|
+ UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date
+ # Since RFC 2822 permit comments, the regexp has no right anchor.
+diff --git a/lib/ruby/2.0/time.rb b/lib/ruby/2.0/time.rb
+index 12c2b30..3430410 100644
+--- a/lib/ruby/2.0/time.rb
++++ b/lib/ruby/2.0/time.rb
+@@ -429,8 +429,8 @@ class Time
+ (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+
+ (\d{2,})\s+
+ (\d{2})\s*
+- :\s*(\d{2})\s*
+- (?::\s*(\d{2}))?\s+
++ :\s*(\d{2})
++ (?:\s*:\s*(\d\d))?\s+
+ ([+-]\d{4}|
+ UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date
+ # Since RFC 2822 permit comments, the regexp has no right anchor.
+--
+2.33.0
+
diff --git a/jruby.spec b/jruby.spec
index 66e45ac..ff578f3 100644
--- a/jruby.spec
+++ b/jruby.spec
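Review bot: The description of the embedded patch (`Subject: Merge Time-0.2.2`, `Origin: …`) does not say what the regexp change fixes, so a maintainer rebasing the package later cannot tell this security backport apart from an unrelated upstream merge. In the old pattern the `\s*` after the minutes group and the `\s+` before the zone could both consume the same run of whitespace, which is the backtracking the CVE describes; the new pattern drops that `\s*` and moves the optional whitespace inside the seconds group, so each space has exactly one owner. Suggest adding one line to the description: `Backport of the time 0.2.2 fix for CVE-2023-28756 (Time.rfc2822 regexp backtracking on crafted input), applied to the lib/ruby/1.8, 1.9 and 2.0 copies of time.rb.` If the upstream commit carries a regression test for this input, it is not brought along here; either add it or note why it was dropped.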
@@ -3,7 +3,7 @@ %global rubygems_dir %{_datadir}/rubygems
 Name: jruby
 Version: 1.7.22
-Release: 3
+Release: 4
 Summary: Pure Java implementation of the Ruby interpreter
 License: (CPL or GPLv2+ or LGPLv2+) and BSD and (GPLv2 or Ruby) and (BSD or Ruby)
 URL: http://jruby.org
@@ -13,6 +13,7 @@ Patch1: jruby-include-unbundled-jansi.patch
 Patch2: jruby-remove-rubygems-dirs-definition.patch
 Patch3: jruby-snakeyaml-1.16.patch
 Patch4: jruby-snakeyaml-1.20.patch
+Patch5: CVE-2023-28756.patch
 BuildRequires: maven-local mvn(bsf:bsf) mvn(com.github.jnr:jffi)
 BuildRequires: mvn(com.github.jnr:jffi::native:) mvn(com.github.jnr:jnr-constants)
 BuildRequires: mvn(com.github.jnr:jnr-enxio) mvn(com.github.jnr:jnr-ffi)
@@ -138,6 +139,9 @@ EOF
 %doc COPYING LICENSE.RUBY LEGAL
 %changelog
+* Fri Jan 26 2024 wangkai <13474090681@163.com> - 1.7.22-4
+- Fix CVE-2023-28756
+
 * Fri Aug 18 2023 Ge Wang - 1.7.22-3
 - Fix build failure due to buildnumber-maven-plugin updated
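Review bot: `+Patch5: CVE-2023-28756.patch` declares the patch, but nothing in this diff applies it; if %prep applies patches individually (`%patch0 -p1` style) rather than with `%autosetup`, the build silently ships the unfixed time.rb while the new changelog entry claims the CVE fixed. The %prep section is outside these hunks, so check that it gains a matching `%patch5 -p1`, with the `-p` level matching the `a/lib/ruby/…` paths used inside the patch. Confirming in the build output that all three time.rb copies contain the new `(?:\s*:\s*(\d\d))?\s+` line would close the loop.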