diff --git a/CVE-2021-32740.patch b/CVE-2021-32740.patch
deleted file mode 100644
index 74c40fc..0000000
--- a/CVE-2021-32740.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From b48ff03347a6d46e8dc674e242ce74c6381962a5 Mon Sep 17 00:00:00 2001
-From: Security Curious
-Date: Fri, 2 Jul 2021 15:30:02 -0400
-Subject: [PATCH] Prevent ReDOS vuln on URI Template matching
-
-The regular expression used to match a template against a URL is
-vulnerable to a regular expression denial-of-service via catastrophic
-backtracking.
-
-This commit includes a test that demonstrates the failure without
-the fix as well as updates the regexp to remove the vulnerability.
-The vulnerability is removed by updating the grouping to be atomic.
----
- lib/addressable/template.rb | 2 +-
- spec/addressable/template_spec.rb | 9 +++++++++
- 2 files changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/lib/addressable/template.rb b/lib/addressable/template.rb
-index 2696695..45967ce 100644
---- a/lib/addressable/template.rb
-+++ b/lib/addressable/template.rb
-@@ -37,7 +37,7 @@ class Template
- Addressable::URI::CharacterClasses::DIGIT + '_'
-
- var_char =
-- "(?:(?:[#{variable_char_class}]|%[a-fA-F0-9][a-fA-F0-9])+)"
-+ "(?>(?:[#{variable_char_class}]|%[a-fA-F0-9][a-fA-F0-9])+)"
- RESERVED =
- "(?:[#{anything}]|%[a-fA-F0-9][a-fA-F0-9])"
- UNRESERVED =
-diff --git a/spec/addressable/template_spec.rb b/spec/addressable/template_spec.rb
-index a019165..d47589a 100644
---- a/spec/addressable/template_spec.rb
-+++ b/spec/addressable/template_spec.rb
-@@ -19,6 +19,7 @@
- require "spec_helper"
-
- require "bigdecimal"
-+require "timeout"
- require "addressable/template"
-
- shared_examples_for 'expands' do |tests|
-@@ -1340,6 +1341,14 @@ def self.match(name)
- expect(subject).not_to match("foo_bar*")
- expect(subject).not_to match("foo_bar:20")
- end
-+
-+ it 'should parse in a reasonable time' do
-+ expect do
-+ Timeout.timeout(0.1) do
-+ expect(subject).not_to match("0"*25 + "!")
-+ end
-+ end.not_to raise_error
-+ end
- end
- context "VARIABLE_LIST" do
- subject { Addressable::Template::VARIABLE_LIST }
diff --git a/addressable-2.5.2.gem b/addressable-2.5.2.gem
deleted file mode 100644
index 3e53ea0..0000000
Binary files a/addressable-2.5.2.gem and /dev/null differ
diff --git a/addressable-2.8.0.gem b/addressable-2.8.0.gem
new file mode 100644
index 0000000..1e41e1c
Binary files /dev/null and b/addressable-2.8.0.gem differ
diff --git a/fix_addressable_tests.patch b/fix_addressable_tests.patch
deleted file mode 100644
index bd72cfb..0000000
--- a/fix_addressable_tests.patch
+++ /dev/null
@@ -1,71 +0,0 @@
---- spec/addressable/uri_spec_orig.rb
-+++ spec/addressable/uri_spec.rb
-@@ -401,9 +401,9 @@
- expect(@uri.normalized_host).to eq("example.com")
- end
-
-- it "returns 'com' for #tld" do
-- expect(@uri.tld).to eq("com")
-- end
-+ # it "returns 'com' for #tld" do
-+ # expect(@uri.tld).to eq("com")
-+ # end
-
- it "returns 'user:password@example.com:8080' for #authority" do
- expect(@uri.authority).to eq("user:password@example.com:8080")
-@@ -2393,9 +2393,9 @@
- expect(@uri.origin).to eq('http://example.com')
- end
-
-- it "should have a tld of 'com'" do
-- expect(@uri.tld).to eq('com')
-- end
-+ # it "should have a tld of 'com'" do
-+ # expect(@uri.tld).to eq('com')
-+ # end
- end
-
- describe Addressable::URI, "when parsed from " +
-@@ -2408,13 +2408,13 @@
- expect(@uri.origin).to eq('http://www.example.co.uk')
- end
-
-- it "should have a tld of 'co.uk'" do
-- expect(@uri.tld).to eq('co.uk')
-- end
--
-- it "should have a domain of 'example.co.uk'" do
-- expect(@uri.domain).to eq('example.co.uk')
-- end
-+ # it "should have a tld of 'co.uk'" do
-+ # expect(@uri.tld).to eq('co.uk')
-+ # end
-+
-+ # it "should have a domain of 'example.co.uk'" do
-+ # expect(@uri.domain).to eq('example.co.uk')
-+ # end
- end
-
- describe Addressable::URI, "when parsed from " +
-@@ -2427,13 +2427,13 @@
- expect(@uri.origin).to eq('http://sub_domain.blogspot.com')
- end
-
-- it "should have a tld of 'com'" do
-- expect(@uri.tld).to eq('com')
-- end
--
-- it "should have a domain of 'blogspot.com'" do
-- expect(@uri.domain).to eq('blogspot.com')
-- end
-+ # it "should have a tld of 'com'" do
-+ # expect(@uri.tld).to eq('com')
-+ # end
-+
-+ # it "should have a domain of 'blogspot.com'" do
-+ # expect(@uri.domain).to eq('blogspot.com')
-+ # end
- end
-
- describe Addressable::URI, "when parsed from " +
-
diff --git a/no-rack-mount.patch b/no-rack-mount.patch
deleted file mode 100644
index ea3c305..0000000
--- a/no-rack-mount.patch
+++ /dev/null
@@ -1,18 +0,0 @@
---- Gemfile
-+++ Gemfile
-@@ -14,13 +14,11 @@
- end
-
- group :test, :development do
-- gem 'rake', '> 10.0', '< 12'
-+ gem 'rake', '> 10.0', '< 12.1'
- gem 'simplecov', :require => false
- gem 'coveralls', :require => false, :platforms => [
- :ruby_20, :ruby_21, :ruby_22, :ruby_23
- ]
-- # Used to test compatibility.
-- gem 'rack-mount', git: 'https://github.com/sporkmonger/rack-mount.git', require: 'rack/mount'
-
- if RUBY_VERSION.start_with?('2.0', '2.1')
- gem 'rack', '< 2', :require => false
-
diff --git a/remove-deprecated-warning.patch b/remove-deprecated-warning.patch
deleted file mode 100644
index 6eec65b..0000000
--- a/remove-deprecated-warning.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From a9432d389954611956ea389de2f819986985ba35 Mon Sep 17 00:00:00 2001
-From: takkanm
-Date: Tue, 26 Dec 2017 20:44:52 +0900
-Subject: [PATCH] remove deprecated warning
-
-BigDecimal.new is deprecated in Ruby2.5
-
-```
-spec/addressable/template_spec.rb:85: warning: BigDecimal.new is deprecated; use Kernel.BigDecimal method instead.
-```
----
- spec/addressable/template_spec.rb | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/spec/addressable/template_spec.rb b/spec/addressable/template_spec.rb
-index bd8ab12..cff4a87 100644
---- a/spec/addressable/template_spec.rb
-+++ b/spec/addressable/template_spec.rb
-@@ -82,7 +82,7 @@ describe "Type conversion" do
- :hello => 1234,
- :nothing => nil,
- :sym => :symbolic,
-- :decimal => BigDecimal.new('1')
-+ :decimal => BigDecimal('1')
- }
- }
-
---
-2.30.0
-
diff --git a/rubygem-addressable.spec b/rubygem-addressable.spec
index 7ef740a..5de1f17 100644
--- a/rubygem-addressable.spec
+++ b/rubygem-addressable.spec
@@ -1,7 +1,7 @@
 %global gem_name addressable
 Name: rubygem-%{gem_name}
-Version: 2.5.2
-Release: 3
+Version: 2.8.0
+Release: 1
 Summary: URI Implementation
 License: ASL 2.0
 URL: https://github.com/sporkmonger/addressable
@@ -9,12 +9,7 @@ Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
 BuildRequires: ruby(release) rubygems-devel rubygem(bigdecimal) rubygem(public_suffix)
 BuildRequires: rubygem(rspec-its) rubygem(idn)
 BuildArch: noarch
-# Revert f1d5855162c48d06eb1907871909d5859b9a7d3c (rack-mount)
-Patch0: no-rack-mount.patch
-# Comment out failing tests
-Patch1: fix_addressable_tests.patch
-Patch2: CVE-2021-32740.patch
-Patch3: remove-deprecated-warning.patch
+
 %description
 Addressable is a replacement for the URI implementation that is part of
 Ruby's standard library. It more closely conforms to the relevant RFCs and
@@ -28,16 +23,10 @@ BuildArch: noarch
 Documentation for %{name}.
 
 %prep
-gem unpack %{SOURCE0}
-%setup -q -D -T -n %{gem_name}-%{version}
-gem spec %{SOURCE0} -l --ruby > %{gem_name}.gemspec
-%patch0
-%patch1
-%patch2 -p1
-%patch3 -p1
+%setup -q -n %{gem_name}-%{version}
 
 %build
-gem build %{gem_name}.gemspec
+gem build ../%{gem_name}-%{version}.gemspec
 %gem_install
 
 %install
@@ -47,11 +36,10 @@ cp -a .%{gem_dir}/* \
 
 %check
 pushd .%{gem_instdir}
-rm spec/addressable/rack_mount_compat_spec.rb
 sed -i "/require 'bundler\/setup'/ s/^/#/" spec/spec_helper.rb
 sed -i '/^begin$/,/^end$/ s/^/#/' spec/spec_helper.rb
-rm spec/addressable/net_http_compat_spec.rb
-rspec spec/
+mv spec/addressable/net_http_compat_spec.rb{,.disabled}
+LC_ALL=C.UTF-8 rspec spec/
 popd
 
 %files
@@ -70,8 +58,12 @@ popd
 %doc %{gem_instdir}/README.md
 %{gem_instdir}/Rakefile
 %{gem_instdir}/spec
+%{gem_instdir}/%{gem_name}.gemspec
 
 %changelog
+* Thu Jun 30 2022 wulei - 2.8.0-1
+- Upgrade to 2.8.0
+
 * Fri Jan 21 2022 chenchen - 2.5.2-3
 - remove deprecated warning for fix build error
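Review bot: Removing `Patch2: CVE-2021-32740.patch` drops the only record in this spec that the package carried a ReDoS fix, and the new changelog entry further down says only `- Upgrade to 2.8.0`. Assuming 2.8.0 contains the upstream atomic-group fix that the deleted patch backported (the version bump implies it, but nothing in this diff shows the 2.8.0 copy of lib/addressable/template.rb), the changelog should state that explicitly, e.g. `- Upgrade to 2.8.0 (carries the upstream fix for CVE-2021-32740; local backport dropped)`, so that auditors and scanners can trace the fix to this release. It is also worth confirming that the upstream suite run by `rspec spec/` still includes the `should parse in a reasonable time` regression test the deleted patch added, so the ReDoS check does not vanish along with the patch.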
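Review bot: `mv spec/addressable/net_http_compat_spec.rb{,.disabled}` in the %check hunk relies on brace expansion, which is a bash feature rather than POSIX sh; %check runs under the build's /bin/sh, so this works only where that shell is bash (likely here, but not guaranteed). Spelling out both names, `mv spec/addressable/net_http_compat_spec.rb spec/addressable/net_http_compat_spec.rb.disabled`, costs nothing and removes the dependency. The rename also carries no comment saying why that spec is disabled; the previous `rm` had the same gap, so add a why-line above it such as `# net_http_compat_spec is disabled because <REASON — e.g. it needs network access the build root lacks; verify against the spec before stating it>`.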