diff --git a/CVE-2019-13574-1.patch b/CVE-2019-13574-1.patch deleted file mode 100644 index 7efc847..0000000 --- a/CVE-2019-13574-1.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 4cd5081e58810d3394d27a67219e8e4e0445d851 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Janko=20Marohni=C4=87?= -Date: Sun, 26 May 2019 17:30:14 +0200 -Subject: [PATCH] Don't allow remote shell execution - -Kernel#open accepts a string of format "| " which -executes the specified shell command and otherwise presumably acts as -IO.popen. The open-uri standard library overrides Kernel#open to also -accept URLs. - -However, the overridden Kernel#open just delegates to URI#open, so we -switch to using that directly and avoid the remote shell execution -vulnerability. For files we just use File.open, which should have the -same behaviour as Kernel#open. ---- - lib/mini_magick/image.rb | 14 ++++++-------- - spec/lib/mini_magick/image_spec.rb | 8 ++++++++ - 2 files changed, 14 insertions(+), 8 deletions(-) - -diff --git a/lib/mini_magick/image.rb b/lib/mini_magick/image.rb -index a1f47c6..0ac4780 100644 ---- a/lib/mini_magick/image.rb -+++ b/lib/mini_magick/image.rb -@@ -82,17 +82,15 @@ def self.import_pixels(blob, columns, rows, depth, map, format = 'png') - def self.open(path_or_url, ext = nil, options = {}) - options, ext = ext, nil if ext.is_a?(Hash) - -- ext ||= -- if File.exist?(path_or_url) -- File.extname(path_or_url) -- else -- File.extname(URI(path_or_url).path) -- end -+ uri = URI(path_or_url.to_s) - -+ ext ||= File.extname(uri.path) - ext.sub!(/:.*/, '') # hack for filenames or URLs that include a colon - -- Kernel.open(path_or_url, "rb", options) do |file| -- read(file, ext) -+ if uri.is_a?(URI::HTTP) || uri.is_a?(URI::FTP) -+ uri.open(options) { |file| read(file, ext) } -+ else -+ File.open(uri.to_s, "rb", options) { |file| read(file, ext) } - end - end - diff --git a/CVE-2019-13574-2.patch b/CVE-2019-13574-2.patch deleted file mode 100644 index 4ba4df9..0000000 
--- a/CVE-2019-13574-2.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From 4cd5081e58810d3394d27a67219e8e4e0445d851 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Janko=20Marohni=C4=87?= -Date: Sun, 26 May 2019 17:30:14 +0200 -Subject: [PATCH] Don't allow remote shell execution - -Kernel#open accepts a string of format "| " which -executes the specified shell command and otherwise presumably acts as -IO.popen. The open-uri standard library overrides Kernel#open to also -accept URLs. - -However, the overridden Kernel#open just delegates to URI#open, so we -switch to using that directly and avoid the remote shell execution -vulnerability. For files we just use File.open, which should have the -same behaviour as Kernel#open. ---- - lib/mini_magick/image.rb | 14 ++++++-------- - spec/lib/mini_magick/image_spec.rb | 8 ++++++++ - 2 files changed, 14 insertions(+), 8 deletions(-) - -diff --git a/lib/mini_magick/image.rb b/lib/mini_magick/image.rb -index a1f47c6..0ac4780 100644 ---- a/lib/mini_magick/image.rb -+++ b/lib/mini_magick/image.rb -@@ -82,17 +82,15 @@ def self.import_pixels(blob, columns, rows, depth, map, format = 'png') - def self.open(path_or_url, ext = nil, options = {}) - options, ext = ext, nil if ext.is_a?(Hash) - -- ext ||= -- if File.exist?(path_or_url) -- File.extname(path_or_url) -- else -- File.extname(URI(path_or_url).path) -- end -+ uri = URI(path_or_url.to_s) - -+ ext ||= File.extname(uri.path) - ext.sub!(/:.*/, '') # hack for filenames or URLs that include a colon - -- Kernel.open(path_or_url, "rb", options) do |file| -- read(file, ext) -+ if uri.is_a?(URI::HTTP) || uri.is_a?(URI::FTP) -+ uri.open(options) { |file| read(file, ext) } -+ else -+ File.open(uri.to_s, "rb", options) { |file| read(file, ext) } - end - end - -diff --git a/spec/lib/mini_magick/image_spec.rb b/spec/lib/mini_magick/image_spec.rb -index 192d834..00f9cb0 100644 ---- a/spec/lib/mini_magick/image_spec.rb -+++ b/spec/lib/mini_magick/image_spec.rb -@@ -76,6 +76,14 @@ - expect(File.extname(image.path)).to eq ".jpg" - end - -+ it 
"doesn't allow remote shell execution" do -+ expect { -+ described_class.open("| touch file.txt") # Kernel#open accepts this -+ }.to raise_error(URI::InvalidURIError) -+ -+ expect(File.exist?("file.txt")).to eq(false) -+ end -+ - it "accepts open-uri options" do - stub_request(:get, "http://example.com/image.jpg") - .with(headers: {"Foo" => "Bar"}) diff --git a/Replace-deprecated-File.exists-with-File.exist.patch b/Replace-deprecated-File.exists-with-File.exist.patch deleted file mode 100644 index 7045ab2..0000000 --- a/Replace-deprecated-File.exists-with-File.exist.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From 47eae0ac7be216b2f09a8cf68ba9863751c805d3 Mon Sep 17 00:00:00 2001 -From: chen-jan -Date: Wed, 2 Aug 2023 11:04:02 +0800 -Subject: [PATCH] Replace deprecated File.exists? with File.exist? - ---- - spec/lib/mini_magick/image_spec.rb | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/spec/lib/mini_magick/image_spec.rb b/spec/lib/mini_magick/image_spec.rb -index 74203b1..449956d 100644 ---- a/spec/lib/mini_magick/image_spec.rb -+++ b/spec/lib/mini_magick/image_spec.rb -@@ -119,7 +119,7 @@ require "webmock/rspec" - - it "creates an image" do - image = create -- expect(File.exists?(image.path)).to eq true -+ expect(File.exist?(image.path)).to eq true - end - - it "validates the image if validation is set" do -@@ -245,12 +245,12 @@ require "webmock/rspec" - cache_path = image.path.sub(/mpc$/, "cache") - image.format("png") - -- expect(File.exists?(cache_path)).to eq false -+ expect(File.exist?(cache_path)).to eq false - end - - it "doesn't delete itself when formatted to the same format" do - subject.format(subject.type.downcase) -- expect(File.exists?(subject.path)).to eq true -+ expect(File.exist?(subject.path)).to eq true - end - - it "reformats multi-image formats to multiple images" do -@@ -693,14 +693,14 @@ require "webmock/rspec" - image = described_class.open(image_path) - image.destroy! - -- expect(File.exists?(image.path)).to eq false -+ expect(File.exist?(image.path)).to eq false - end - - it "doesn't delete when there is no tempfile" do - image = described_class.new(image_path) - image.destroy! - -- expect(File.exists?(image.path)).to eq true -+ expect(File.exist?(image.path)).to eq true - end - - it "deletes .cache files generated by handling .mpc files" do -@@ -708,7 +708,7 @@ require "webmock/rspec" - image.format("mpc") - image.destroy! - -- expect(File.exists?(image.path.sub(/mpc$/, "cache"))).to eq false -+ expect(File.exist?(image.path.sub(/mpc$/, "cache"))).to eq false - end - end - --- -2.41.0 - 
diff --git a/fix-URI-InvalidURIError-no-such-file-directory.patch b/fix-URI-InvalidURIError-no-such-file-directory.patch deleted file mode 100644 index 3aa5933..0000000 --- a/fix-URI-InvalidURIError-no-such-file-directory.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -Nur a/spec/lib/mini_magick/image_spec.rb b/spec/lib/mini_magick/image_spec.rb ---- a/spec/lib/mini_magick/image_spec.rb 2022-02-25 09:21:57.370368608 +0800 -+++ b/spec/lib/mini_magick/image_spec.rb 2022-02-25 09:24:14.804683516 +0800 -@@ -79,7 +79,7 @@ - it "doesn't allow remote shell execution" do - expect { - described_class.open("| touch file.txt") # Kernel#open accepts this -- }.to raise_error(URI::InvalidURIError) -+ }.to raise_error(Errno::ENOENT) - - expect(File.exist?("file.txt")).to eq(false) - end diff --git a/fix-no-implicit-conversion-of-hash-into-integer.patch b/fix-no-implicit-conversion-of-hash-into-integer.patch deleted file mode 100644 index c42b91e..0000000 --- a/fix-no-implicit-conversion-of-hash-into-integer.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -diff -Nur a/lib/mini_magick/image.rb b/lib/mini_magick/image.rb ---- a/lib/mini_magick/image.rb 2022-02-24 19:57:09.378499137 +0800 -+++ b/lib/mini_magick/image.rb 2022-02-24 20:01:25.738826593 +0800 -@@ -82,15 +82,30 @@ - def self.open(path_or_url, ext = nil, options = {}) - options, ext = ext, nil if ext.is_a?(Hash) - -- uri = URI(path_or_url.to_s) -+ # Don't use Kernel#open, but reuse its logic -+ openable = -+ if path_or_url.respond_to?(:open) -+ path_or_url -+ elsif path_or_url.respond_to?(:to_str) && -+ %r{\A[A-Za-z][A-Za-z0-9+\-\.]*://} =~ path_or_url && -+ (uri = URI.parse(path_or_url)).respond_to?(:open) -+ uri -+ else -+ options = { binmode: true }.merge(options) -+ Pathname(path_or_url) -+ end - -- ext ||= File.extname(uri.path) -+ if openable.is_a?(URI::Generic) -+ ext ||= File.extname(openable.path) -+ else -+ ext ||= File.extname(openable.to_s) -+ end - ext.sub!(/:.*/, '') # hack for filenames or URLs that include a colon - -- if uri.is_a?(URI::HTTP) || uri.is_a?(URI::FTP) -- uri.open(options) { |file| read(file, ext) } -+ if openable.is_a?(URI::Generic) -+ openable.open(options) { |file| read(file, ext) } - else -- File.open(uri.to_s, "rb", options) { |file| read(file, ext) } -+ openable.open(**options) { |file| read(file, ext) } - end - end - diff --git a/mini_magick-4.12.0.gem b/mini_magick-4.12.0.gem new file mode 100644 index 0000000..f4eefc7 Binary files /dev/null and b/mini_magick-4.12.0.gem differ diff --git a/mini_magick-4.8.0.gem b/mini_magick-4.8.0.gem deleted file mode 100644 index befaf3a..0000000 Binary files a/mini_magick-4.8.0.gem and /dev/null differ diff --git a/rubygem-mini_magick.spec b/rubygem-mini_magick.spec index b0d75b6..7e31b4c 100644 --- a/rubygem-mini_magick.spec +++ b/rubygem-mini_magick.spec 
@@ -1,17 +1,12 @@
 %global gem_name mini_magick
 Name: rubygem-%{gem_name}
-Version: 4.8.0
-Release: 5
+Version: 4.12.0
+Release: 1
 Summary: Manipulate images with minimal use of memory via ImageMagick
 License: MIT
 URL: https://github.com/minimagick/minimagick
 Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Source1: https://github.com/minimagick/minimagick/archive/v%{version}.tar.gz
-Patch2: CVE-2019-13574-1.patch
-Patch3: CVE-2019-13574-2.patch
-Patch4: fix-URI-InvalidURIError-no-such-file-directory.patch
-Patch5: fix-no-implicit-conversion-of-hash-into-integer.patch
-Patch6: Replace-deprecated-File.exists-with-File.exist.patch
 Requires: ImageMagick
 BuildRequires: ruby(release) rubygems-devel ruby rubygem(rspec) rubygem(webmock) ImageMagick rubygem(rexml)
 BuildArch: noarch
@@ -30,8 +25,6 @@ Documentation for %{name}.
 
 %prep
 %setup -q -n %{gem_name}-%{version}
-%patch2 -p1
-%patch5 -p1
 
 %build
 gem build ../%{gem_name}-%{version}.gemspec
@@ -46,13 +39,6 @@ cp -a .%{gem_dir}/* \
 pushd .%{gem_instdir}
 tar xzvf %{SOURCE1}
 cd minimagick-%{version}
-cat %{PATCH3} | patch -p1
-cat %{PATCH4} | patch -p1
-cat %{PATCH5} | patch -p1
-cat %{PATCH6} | patch -p1
-sed -i 's/"red"/"Red"/g' spec/lib/mini_magick/image_spec.rb
-sed -i '/"date:create"/d' spec/lib/mini_magick/image_spec.rb
-sed -i '/Clipping path/d' spec/lib/mini_magick/image_spec.rb
 sed -i -e '/require "pry"/ s/^/#/g' \
 -e '/require "bundler/ s/^/#/g' \
 spec/spec_helper.rb
@@ -63,6 +49,13 @@ sed -i '/^ it "identifies when gm exists" do$/,/ end/ s/^/#/g' \
 spec/lib/mini_magick/utilities_spec.rb
 sed -i "/^ it \"returns GraphicsMagick's version\" do$/,/ end/ s/^/#/g" \
 spec/lib/mini_magick_spec.rb
+sed -i -e 's|, "GraphicsMagick"||' \
+ spec/lib/mini_magick/image_spec.rb
+sed -i "/ have_key(\"date:create\")/ s/^/#/" \
+ spec/lib/mini_magick/image_spec.rb
+sed -i "/^\s*it \"does not hang when parsing verbose data\" do$/ a \ skip" \
+ spec/lib/mini_magick/image_spec.rb
+
 rspec spec
 popd
 
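Review bot: Nothing in the spec records or checks that CVE-2019-13574 (the `Kernel#open` "| cmd" shell-execution path in `MiniMagick::Image.open` that the deleted patch files fixed) is still covered once `Patch2`–`Patch6` are dropped. The 4.12.0 tarball presumably carries the upstream commit 4cd5081 that those patches wrapped, but that is inferred, not verified anywhere in the build, and neither `Source0` nor `Source1` is pinned by a digest. Suggest a comment above `Source0`, `# CVE-2019-13574 fixed upstream (commit 4cd5081); downstream patches dropped with 4.12.0`, plus a cheap guard in `%check` before `rspec spec`: `grep -q "doesn't allow remote shell execution" spec/lib/mini_magick/image_spec.rb`, so the build fails if the upstream regression example is ever missing from the test suite. The changelog entry for 4.12.0-1 should also name the CVE so security tracking can match this update.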
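Review bot: The added `sed ... a \ skip` line skips the `does not hang when parsing verbose data` example with no reason recorded; judging by its name it guards against a parser hang (a DoS-class regression), so `%check` now loses coverage for exactly the kind of issue a distribution build should catch. If it is skipped only because of the build sandbox (no network, a different ImageMagick), say so in the spec and in the skip itself, e.g. `sed -i "/^\s*it \"does not hang when parsing verbose data\" do$/ a \ skip \"hangs under rpmbuild; see <bug>\"" \` preceded by `# upstream example hangs in the build sandbox, tracked in <bug>`. The same applies, less critically, to commenting out the `have_key("date:create")` expectation and stripping `, "GraphicsMagick"` from the spec: each `sed` rewrites the upstream test suite in place and should carry a one-line comment saying why.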
@@ -78,6 +71,9 @@ popd
 %{gem_instdir}/Rakefile
 
 %changelog
+* Fri Nov 17 2023 liyanan - 4.12.0-1
+- Update to 4.12.0
+
 * Wed Aug 02 2023 chenchen - 4.8.0-5
 - Replacei deprecated File.exists with File.exist due to ruby upgrade to 3.2.2
 
diff --git a/v4.12.0.tar.gz b/v4.12.0.tar.gz
new file mode 100644
index 0000000..454892c
Binary files /dev/null and b/v4.12.0.tar.gz differ
diff --git a/v4.8.0.tar.gz b/v4.8.0.tar.gz
deleted file mode 100644
index 98ec6cc..0000000
Binary files a/v4.8.0.tar.gz and /dev/null differ