revert fix CVE-2024-35221

(cherry picked from commit 3f41f3b84a2289a1e84daea0aaef4fff8d50d393)
2024-06-21 09:14:58 +08:00 · 2024-06-21 09:14:58 +08:00 · ba75a6155d
commit ba75a6155d
parent 536d5a0b40
2 changed files with 1 additions and 64 deletions
--- a/backport-CVE-2024-35221.patch
+++ b/backport-CVE-2024-35221.patch
@ -1,59 +0,0 @@
 From 3926ad578c312ddd2ff5221b96ef077b9e24e612 Mon Sep 17 00:00:00 2001
 From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
 Date: Thu, 9 Mar 2023 15:42:07 +0900
 Subject: [PATCH] [rubygems/rubygems] Drop to support Psych 3.0 bundled at Ruby
 2.5
 Reference:https://github.com/ruby/ruby/commit/3926ad578c312ddd2ff5221b96ef077b9e24e612
 ---
 lib/rubygems/safe_yaml.rb | 33 +++++----------------------------
 1 file changed, 5 insertions(+), 28 deletions(-)
 diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
 index 5a98505..1208d77 100644
 --- a/lib/rubygems/safe_yaml.rb
 +++ b/lib/rubygems/safe_yaml.rb
@@ -23,35 +23,12 @@ module Gem
       development
       runtime
     ].freeze
 +    def self.safe_load(input)
 +      ::Psych.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: true)
 +    end
 -    if ::Psych.respond_to? :safe_load
 -      def self.safe_load(input)
 -        if Gem::Version.new(Psych::VERSION) >= Gem::Version.new("3.1.0.pre1")
 -          ::Psych.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: true)
 -        else
 -          ::Psych.safe_load(input, PERMITTED_CLASSES, PERMITTED_SYMBOLS, true)
 -        end
 -      end
 -
 -      def self.load(input)
 -        if Gem::Version.new(Psych::VERSION) >= Gem::Version.new("3.1.0.pre1")
 -          ::Psych.safe_load(input, permitted_classes: [::Symbol])
 -        else
 -          ::Psych.safe_load(input, [::Symbol])
 -        end
 -      end
 -    else
 -      unless Gem::Deprecate.skip
 -        warn "Psych safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)."
 -      end
 -
 -      def self.safe_load(input, *args)
 -        ::Psych.load input
 -      end
 -
 -      def self.load(input)
 -        ::Psych.load input
 -      end
 +    def self.load(input)
 +      ::Psych.safe_load(input, permitted_classes: [::Symbol])
     end
   end
 end
 -- 
 2.27.0
--- a/ruby.spec
+++ b/ruby.spec
@ -33,7 +33,7 @@
 Name:      ruby
 Version:   %{ruby_version}
-Release:   141
+Release:   140
 Summary:   Object-oriented scripting language interpreter
 License:   (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD
 URL:       https://www.ruby-lang.org/en/
@ -91,7 +91,6 @@ Patch6007: backport-CVE-2019-16163.patch
 Patch6015: backport-CVE-2023-36617.patch
 Patch6016: backport-CVE-2024-27281.patch
 Patch6017: backport-CVE-2024-27282.patch
 Patch6018: backport-CVE-2024-35221.patch
 Provides:  %{name}-libs = %{version}-%{release}
 Obsoletes: %{name}-libs < %{version}-%{release}
@ -877,9 +876,6 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13}
 %{gem_dir}/specifications/matrix-%{matrix_version}.gemspec
 %changelog
 * Thu May 30 2024 baiguo <baiguo@kylinos.cn> - 3.2.2-141
 - fix CVE-2024-35221
 * Mon May 6 2024 zhoupengcheng <zhoupengcheng11@huawei.com> - 3.2.2-140
 - fix CVE-2024-27282