packages/rubygem-activesupport
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-22796

Browse Source 
(cherry picked from commit 11418227277583724958213d86a5a449507151ab)
This commit is contained in:
wszlight 2023-02-21 12:32:01 +00:00 committed by openeuler-sync-bot
parent 932cb50b93
commit 7c8dcb7fef
2 changed files with 32 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
CVE-2023-22796.patch Normal file
View File

@ -0,0 +1,26 @@
From 2164d4f6a1bde74b911fe9ba3c8df1b5bf345bf8 Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Wed, 11 Jan 2023 10:14:55 -0800
Subject: [PATCH] Avoid regex backtracking in Inflector.underscore
[CVE-2023-22796]
---
activesupport/lib/active_support/inflector/methods.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/activesupport/lib/active_support/inflector/methods.rb b/activesupport/lib/active_support/inflector/methods.rb
index 68a00d73f2..43abb9c4e1 100644
--- a/activesupport/lib/active_support/inflector/methods.rb
+++ b/activesupport/lib/active_support/inflector/methods.rb
@@ -97,7 +97,7 @@ def underscore(camel_cased_word)
return camel_cased_word.to_s unless /[A-Z-]|::/.match?(camel_cased_word)
word = camel_cased_word.to_s.gsub("::", "/")
word.gsub!(inflections.acronyms_underscore_regex) { "#{$1 && '_' }#{$2.downcase}" }
- word.gsub!(/([A-Z]+)(?=[A-Z][a-z])|([a-z\d])(?=[A-Z])/) { ($1 || $2) << "_" }
+ word.gsub!(/([A-Z])(?=[A-Z][a-z])|([a-z\d])(?=[A-Z])/) { ($1 || $2) << "_" }
word.tr!("-", "_")
word.downcase!
word
--
2.35.1

7
rubygem-activesupport.spec
View File

@ -2,7 +2,7 @@
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Epoch: 1 Epoch: 1
Version: 7.0.4 Version: 7.0.4
Release: 1 Release: 2
Summary: A support libraries and Ruby core extensions extracted from the Rails framework Summary: A support libraries and Ruby core extensions extracted from the Rails framework
License: MIT License: MIT
URL: http://rubyonrails.org URL: http://rubyonrails.org
@ -23,6 +23,7 @@ Patch1: rubygem-activesupport-7.0.2.3-Remove-the-multi-call-form-of-assert_calle
Patch2: rubygem-activesupport-7.0.2.3-Remove-the-multi-call-form-of-assert_called_with-test.patch Patch2: rubygem-activesupport-7.0.2.3-Remove-the-multi-call-form-of-assert_called_with-test.patch
# https://github.com/rails/rails/pull/45370 # https://github.com/rails/rails/pull/45370
Patch3: rubygem-activesupport-7.0.2.3-Fix-tests-for-minitest-5.16.patch Patch3: rubygem-activesupport-7.0.2.3-Fix-tests-for-minitest-5.16.patch
Patch4: CVE-2023-22796.patch
Requires: rubygem(bigdecimal) rubygem(json) Requires: rubygem(bigdecimal) rubygem(json)
BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder) BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder)
@ -46,6 +47,7 @@ Documentation for %{name}.
%setup -q -n %{gem_name}-%{version} -b1 -b2 %setup -q -n %{gem_name}-%{version} -b1 -b2
%patch1 -p2 %patch1 -p2
%patch3 -p2 %patch3 -p2
%patch4 -p2
pushd %{_builddir} pushd %{_builddir}
%patch2 -p2 %patch2 -p2
@ -95,6 +97,9 @@ popd
%doc %{gem_instdir}/README.rdoc %doc %{gem_instdir}/README.rdoc
%changelog %changelog
* Tue Feb 21 2023 wushaozheng <wushaozheng@ncti-gba.cn> - 1:7.0.4-2
- fix CVE-2023-22796
* Thu Jan 19 2023 yanxiaobing <yanxiaobing@huawei.com> - 1:7.0.4-1 * Thu Jan 19 2023 yanxiaobing <yanxiaobing@huawei.com> - 1:7.0.4-1
- Upgrade to version 7.0.4 - Upgrade to version 7.0.4