!17 update to 4.12.0

From: @lyn1001 
Reviewed-by: @caodongxia 
Signed-off-by: @caodongxia
openeuler-ci-bot 2023-11-20 01:24:23 +00:00 committed by Gitee
commit c9114dab5c
10 changed files with 12 additions and 246 deletions


@ -1,47 +0,0 @@
From 4cd5081e58810d3394d27a67219e8e4e0445d851 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Janko=20Marohni=C4=87?= <janko.marohnic@gmail.com>
Date: Sun, 26 May 2019 17:30:14 +0200
Subject: [PATCH] Don't allow remote shell execution
Kernel#open accepts a string of format "| <shell command>" which
executes the specified shell command and otherwise presumably acts as
IO.popen. The open-uri standard library overrides Kernel#open to also
accept URLs.
However, the overridden Kernel#open just delegates to URI#open, so we
switch to using that directly and avoid the remote shell execution
vulnerability. For files we just use File.open, which should have the
same behaviour as Kernel#open.
---
lib/mini_magick/image.rb | 14 ++++++--------
spec/lib/mini_magick/image_spec.rb | 8 ++++++++
2 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/lib/mini_magick/image.rb b/lib/mini_magick/image.rb
index a1f47c6..0ac4780 100644
--- a/lib/mini_magick/image.rb
+++ b/lib/mini_magick/image.rb
@@ -82,17 +82,15 @@ def self.import_pixels(blob, columns, rows, depth, map, format = 'png')
def self.open(path_or_url, ext = nil, options = {})
options, ext = ext, nil if ext.is_a?(Hash)
- ext ||=
- if File.exist?(path_or_url)
- File.extname(path_or_url)
- else
- File.extname(URI(path_or_url).path)
- end
+ uri = URI(path_or_url.to_s)
+ ext ||= File.extname(uri.path)
ext.sub!(/:.*/, '') # hack for filenames or URLs that include a colon
- Kernel.open(path_or_url, "rb", options) do |file|
- read(file, ext)
+ if uri.is_a?(URI::HTTP) || uri.is_a?(URI::FTP)
+ uri.open(options) { |file| read(file, ext) }
+ else
+ File.open(uri.to_s, "rb", options) { |file| read(file, ext) }
end
end


@ -1,66 +0,0 @@
From 4cd5081e58810d3394d27a67219e8e4e0445d851 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Janko=20Marohni=C4=87?= <janko.marohnic@gmail.com>
Date: Sun, 26 May 2019 17:30:14 +0200
Subject: [PATCH] Don't allow remote shell execution
Kernel#open accepts a string of format "| <shell command>" which
executes the specified shell command and otherwise presumably acts as
IO.popen. The open-uri standard library overrides Kernel#open to also
accept URLs.
However, the overridden Kernel#open just delegates to URI#open, so we
switch to using that directly and avoid the remote shell execution
vulnerability. For files we just use File.open, which should have the
same behaviour as Kernel#open.
---
lib/mini_magick/image.rb | 14 ++++++--------
spec/lib/mini_magick/image_spec.rb | 8 ++++++++
2 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/lib/mini_magick/image.rb b/lib/mini_magick/image.rb
index a1f47c6..0ac4780 100644
--- a/lib/mini_magick/image.rb
+++ b/lib/mini_magick/image.rb
@@ -82,17 +82,15 @@ def self.import_pixels(blob, columns, rows, depth, map, format = 'png')
def self.open(path_or_url, ext = nil, options = {})
options, ext = ext, nil if ext.is_a?(Hash)
- ext ||=
- if File.exist?(path_or_url)
- File.extname(path_or_url)
- else
- File.extname(URI(path_or_url).path)
- end
+ uri = URI(path_or_url.to_s)
+ ext ||= File.extname(uri.path)
ext.sub!(/:.*/, '') # hack for filenames or URLs that include a colon
- Kernel.open(path_or_url, "rb", options) do |file|
- read(file, ext)
+ if uri.is_a?(URI::HTTP) || uri.is_a?(URI::FTP)
+ uri.open(options) { |file| read(file, ext) }
+ else
+ File.open(uri.to_s, "rb", options) { |file| read(file, ext) }
end
end
diff --git a/spec/lib/mini_magick/image_spec.rb b/spec/lib/mini_magick/image_spec.rb
index 192d834..00f9cb0 100644
--- a/spec/lib/mini_magick/image_spec.rb
+++ b/spec/lib/mini_magick/image_spec.rb
@@ -76,6 +76,14 @@
expect(File.extname(image.path)).to eq ".jpg"
end
+ it "doesn't allow remote shell execution" do
+ expect {
+ described_class.open("| touch file.txt") # Kernel#open accepts this
+ }.to raise_error(URI::InvalidURIError)
+
+ expect(File.exist?("file.txt")).to eq(false)
+ end
+
it "accepts open-uri options" do
stub_request(:get, "http://example.com/image.jpg")
.with(headers: {"Foo" => "Bar"})


@ -1,66 +0,0 @@
From 47eae0ac7be216b2f09a8cf68ba9863751c805d3 Mon Sep 17 00:00:00 2001
From: chen-jan <chen_aka_jan@163.com>
Date: Wed, 2 Aug 2023 11:04:02 +0800
Subject: [PATCH] Replace deprecated File.exists? with File.exist?
---
spec/lib/mini_magick/image_spec.rb | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/spec/lib/mini_magick/image_spec.rb b/spec/lib/mini_magick/image_spec.rb
index 74203b1..449956d 100644
--- a/spec/lib/mini_magick/image_spec.rb
+++ b/spec/lib/mini_magick/image_spec.rb
@@ -119,7 +119,7 @@ require "webmock/rspec"
it "creates an image" do
image = create
- expect(File.exists?(image.path)).to eq true
+ expect(File.exist?(image.path)).to eq true
end
it "validates the image if validation is set" do
@@ -245,12 +245,12 @@ require "webmock/rspec"
cache_path = image.path.sub(/mpc$/, "cache")
image.format("png")
- expect(File.exists?(cache_path)).to eq false
+ expect(File.exist?(cache_path)).to eq false
end
it "doesn't delete itself when formatted to the same format" do
subject.format(subject.type.downcase)
- expect(File.exists?(subject.path)).to eq true
+ expect(File.exist?(subject.path)).to eq true
end
it "reformats multi-image formats to multiple images" do
@@ -693,14 +693,14 @@ require "webmock/rspec"
image = described_class.open(image_path)
image.destroy!
- expect(File.exists?(image.path)).to eq false
+ expect(File.exist?(image.path)).to eq false
end
it "doesn't delete when there is no tempfile" do
image = described_class.new(image_path)
image.destroy!
- expect(File.exists?(image.path)).to eq true
+ expect(File.exist?(image.path)).to eq true
end
it "deletes .cache files generated by handling .mpc files" do
@@ -708,7 +708,7 @@ require "webmock/rspec"
image.format("mpc")
image.destroy!
- expect(File.exists?(image.path.sub(/mpc$/, "cache"))).to eq false
+ expect(File.exist?(image.path.sub(/mpc$/, "cache"))).to eq false
end
end
--
2.41.0


@ -1,12 +0,0 @@
diff -Nur a/spec/lib/mini_magick/image_spec.rb b/spec/lib/mini_magick/image_spec.rb
--- a/spec/lib/mini_magick/image_spec.rb 2022-02-25 09:21:57.370368608 +0800
+++ b/spec/lib/mini_magick/image_spec.rb 2022-02-25 09:24:14.804683516 +0800
@@ -79,7 +79,7 @@
it "doesn't allow remote shell execution" do
expect {
described_class.open("| touch file.txt") # Kernel#open accepts this
- }.to raise_error(URI::InvalidURIError)
+ }.to raise_error(Errno::ENOENT)
expect(File.exist?("file.txt")).to eq(false)
end


@ -1,39 +0,0 @@
diff -Nur a/lib/mini_magick/image.rb b/lib/mini_magick/image.rb
--- a/lib/mini_magick/image.rb 2022-02-24 19:57:09.378499137 +0800
+++ b/lib/mini_magick/image.rb 2022-02-24 20:01:25.738826593 +0800
@@ -82,15 +82,30 @@
def self.open(path_or_url, ext = nil, options = {})
options, ext = ext, nil if ext.is_a?(Hash)
- uri = URI(path_or_url.to_s)
+ # Don't use Kernel#open, but reuse its logic
+ openable =
+ if path_or_url.respond_to?(:open)
+ path_or_url
+ elsif path_or_url.respond_to?(:to_str) &&
+ %r{\A[A-Za-z][A-Za-z0-9+\-\.]*://} =~ path_or_url &&
+ (uri = URI.parse(path_or_url)).respond_to?(:open)
+ uri
+ else
+ options = { binmode: true }.merge(options)
+ Pathname(path_or_url)
+ end
- ext ||= File.extname(uri.path)
+ if openable.is_a?(URI::Generic)
+ ext ||= File.extname(openable.path)
+ else
+ ext ||= File.extname(openable.to_s)
+ end
ext.sub!(/:.*/, '') # hack for filenames or URLs that include a colon
- if uri.is_a?(URI::HTTP) || uri.is_a?(URI::FTP)
- uri.open(options) { |file| read(file, ext) }
+ if openable.is_a?(URI::Generic)
+ openable.open(options) { |file| read(file, ext) }
else
- File.open(uri.to_s, "rb", options) { |file| read(file, ext) }
+ openable.open(**options) { |file| read(file, ext) }
end
end

mini_magick-4.12.0.gem Normal file



@ -1,17 +1,12 @@
%global gem_name mini_magick %global gem_name mini_magick
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Version: 4.8.0 Version: 4.12.0
Release: 5 Release: 1
Summary: Manipulate images with minimal use of memory via ImageMagick Summary: Manipulate images with minimal use of memory via ImageMagick
License: MIT License: MIT
URL: https://github.com/minimagick/minimagick URL: https://github.com/minimagick/minimagick
Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
Source1: https://github.com/minimagick/minimagick/archive/v%{version}.tar.gz Source1: https://github.com/minimagick/minimagick/archive/v%{version}.tar.gz
Patch2: CVE-2019-13574-1.patch
Patch3: CVE-2019-13574-2.patch
Patch4: fix-URI-InvalidURIError-no-such-file-directory.patch
Patch5: fix-no-implicit-conversion-of-hash-into-integer.patch
Patch6: Replace-deprecated-File.exists-with-File.exist.patch
Requires: ImageMagick Requires: ImageMagick
BuildRequires: ruby(release) rubygems-devel ruby rubygem(rspec) rubygem(webmock) ImageMagick rubygem(rexml) BuildRequires: ruby(release) rubygems-devel ruby rubygem(rspec) rubygem(webmock) ImageMagick rubygem(rexml)
BuildArch: noarch BuildArch: noarch
@ -30,8 +25,6 @@ Documentation for %{name}.
%prep %prep
%setup -q -n %{gem_name}-%{version} %setup -q -n %{gem_name}-%{version}
%patch2 -p1
%patch5 -p1
%build %build
gem build ../%{gem_name}-%{version}.gemspec gem build ../%{gem_name}-%{version}.gemspec
@ -46,13 +39,6 @@ cp -a .%{gem_dir}/* \
pushd .%{gem_instdir} pushd .%{gem_instdir}
tar xzvf %{SOURCE1} tar xzvf %{SOURCE1}
cd minimagick-%{version} cd minimagick-%{version}
cat %{PATCH3} | patch -p1
cat %{PATCH4} | patch -p1
cat %{PATCH5} | patch -p1
cat %{PATCH6} | patch -p1
sed -i 's/"red"/"Red"/g' spec/lib/mini_magick/image_spec.rb
sed -i '/"date:create"/d' spec/lib/mini_magick/image_spec.rb
sed -i '/Clipping path/d' spec/lib/mini_magick/image_spec.rb
sed -i -e '/require "pry"/ s/^/#/g' \ sed -i -e '/require "pry"/ s/^/#/g' \
-e '/require "bundler/ s/^/#/g' \ -e '/require "bundler/ s/^/#/g' \
spec/spec_helper.rb spec/spec_helper.rb
@ -63,6 +49,13 @@ sed -i '/^ it "identifies when gm exists" do$/,/ end/ s/^/#/g' \
spec/lib/mini_magick/utilities_spec.rb spec/lib/mini_magick/utilities_spec.rb
sed -i "/^ it \"returns GraphicsMagick's version\" do$/,/ end/ s/^/#/g" \ sed -i "/^ it \"returns GraphicsMagick's version\" do$/,/ end/ s/^/#/g" \
spec/lib/mini_magick_spec.rb spec/lib/mini_magick_spec.rb
sed -i -e 's|, "GraphicsMagick"||' \
spec/lib/mini_magick/image_spec.rb
sed -i "/ have_key(\"date:create\")/ s/^/#/" \
spec/lib/mini_magick/image_spec.rb
sed -i "/^\s*it \"does not hang when parsing verbose data\" do$/ a \ skip" \
spec/lib/mini_magick/image_spec.rb
rspec spec rspec spec
popd popd
@ -78,6 +71,9 @@ popd
%{gem_instdir}/Rakefile %{gem_instdir}/Rakefile
%changelog %changelog
* Fri Nov 17 2023 liyanan <liyanan32@huawei.com> - 4.12.0-1
- Update to 4.12.0
* Wed Aug 02 2023 chenchen <chen_aka_jan@163.com> - 4.8.0-5 * Wed Aug 02 2023 chenchen <chen_aka_jan@163.com> - 4.8.0-5
- Replacei deprecated File.exists with File.exist due to ruby upgrade to 3.2.2 - Replacei deprecated File.exists with File.exist due to ruby upgrade to 3.2.2
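Review bot: The new changelog entry `- Update to 4.12.0` does not record why Patch2 through Patch6 are dropped, although Patch2 and Patch3 were the CVE-2019-13574 fixes; the deleted patch header names upstream commit 4cd5081e58810d3394d27a67219e8e4e0445d851, so the entry should state that this commit is contained in the 4.12.0 sources (it appears to have shipped upstream well before 4.12.0, but that should be confirmed against the Source1 tarball before merging), e.g. `- Update to 4.12.0; drop CVE-2019-13574 and follow-up patches merged upstream (4cd5081e)`. The `sed` lines added in the `@ -63,6 +49,13 @@` hunk comment out the `have_key("date:create")` assertion and insert `skip` into "does not hang when parsing verbose data", a test that guards against a hang on verbose output, with no explanation of why they fail here; a one-line comment such as `# skipped: fails with the ImageMagick shipped in this distro, see <tracking issue>` above each sed would tell the next updater when the skips can be removed. The added mini_magick-4.12.0.gem and v4.12.0.tar.gz are committed as binary blobs with no digest recorded in the commit, so this review cannot confirm they match the Source0/Source1 URLs; recording their sha256 in the PR description or changelog would make that check reproducible.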

v4.12.0.tar.gz Normal file
