packages/ruby
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!169 [sync] PR-168: 修复CVE-2024-35221

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @shinwell_hu 
Signed-off-by: @shinwell_hu
This commit is contained in:
openeuler-ci-bot 2024-06-07 01:13:38 +00:00 committed by Gitee
commit 536d5a0b40
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 64 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
backport-CVE-2024-35221.patch Normal file
View File

@ -0,0 +1,59 @@
From 3926ad578c312ddd2ff5221b96ef077b9e24e612 Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
Date: Thu, 9 Mar 2023 15:42:07 +0900
Subject: [PATCH] [rubygems/rubygems] Drop to support Psych 3.0 bundled at Ruby
2.5
Reference:https://github.com/ruby/ruby/commit/3926ad578c312ddd2ff5221b96ef077b9e24e612
---
lib/rubygems/safe_yaml.rb | 33 +++++----------------------------
1 file changed, 5 insertions(+), 28 deletions(-)
diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
index 5a98505..1208d77 100644
--- a/lib/rubygems/safe_yaml.rb
+++ b/lib/rubygems/safe_yaml.rb
@@ -23,35 +23,12 @@ module Gem
development
runtime
].freeze
+ def self.safe_load(input)
+ ::Psych.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: true)
+ end
- if ::Psych.respond_to? :safe_load
- def self.safe_load(input)
- if Gem::Version.new(Psych::VERSION) >= Gem::Version.new("3.1.0.pre1")
- ::Psych.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: true)
- else
- ::Psych.safe_load(input, PERMITTED_CLASSES, PERMITTED_SYMBOLS, true)
- end
- end
-
- def self.load(input)
- if Gem::Version.new(Psych::VERSION) >= Gem::Version.new("3.1.0.pre1")
- ::Psych.safe_load(input, permitted_classes: [::Symbol])
- else
- ::Psych.safe_load(input, [::Symbol])
- end
- end
- else
- unless Gem::Deprecate.skip
- warn "Psych safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)."
- end
-
- def self.safe_load(input, *args)
- ::Psych.load input
- end
-
- def self.load(input)
- ::Psych.load input
- end
+ def self.load(input)
+ ::Psych.safe_load(input, permitted_classes: [::Symbol])
end
end
end
--
2.27.0

6
ruby.spec
View File

@ -33,7 +33,7 @@
Name: ruby Name: ruby
Version: %{ruby_version} Version: %{ruby_version}
Release: 140 Release: 141
Summary: Object-oriented scripting language interpreter Summary: Object-oriented scripting language interpreter
License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD
URL: https://www.ruby-lang.org/en/ URL: https://www.ruby-lang.org/en/
@ -91,6 +91,7 @@ Patch6007: backport-CVE-2019-16163.patch
Patch6015: backport-CVE-2023-36617.patch Patch6015: backport-CVE-2023-36617.patch
Patch6016: backport-CVE-2024-27281.patch Patch6016: backport-CVE-2024-27281.patch
Patch6017: backport-CVE-2024-27282.patch Patch6017: backport-CVE-2024-27282.patch
Patch6018: backport-CVE-2024-35221.patch
Provides: %{name}-libs = %{version}-%{release} Provides: %{name}-libs = %{version}-%{release}
Obsoletes: %{name}-libs < %{version}-%{release} Obsoletes: %{name}-libs < %{version}-%{release}
@ -876,6 +877,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13}
%{gem_dir}/specifications/matrix-%{matrix_version}.gemspec %{gem_dir}/specifications/matrix-%{matrix_version}.gemspec
%changelog %changelog
* Thu May 30 2024 baiguo <baiguo@kylinos.cn> - 3.2.2-141
- fix CVE-2024-35221
* Mon May 6 2024 zhoupengcheng <zhoupengcheng11@huawei.com> - 3.2.2-140 * Mon May 6 2024 zhoupengcheng <zhoupengcheng11@huawei.com> - 3.2.2-140
- fix CVE-2024-27282 - fix CVE-2024-27282