Fix CVE-2024-27285

2024-02-29 10:37:42 +08:00 · 2024-02-29 10:37:42 +08:00 · 3ba85b2ab0
commit 3ba85b2ab0
parent 39d219c004
2 changed files with 34 additions and 1 deletions
--- a/CVE-2024-27285.patch
+++ b/CVE-2024-27285.patch
@ -0,0 +1,27 @@
+From d78fc393d603c4fc35975969296ed381146a29d4 Mon Sep 17 00:00:00 2001
+From: Aviv Keller <38299977+RedYetiDev@users.noreply.github.com>
+Date: Wed, 28 Feb 2024 12:57:39 -0500
+Subject: [PATCH] Update frames.erb
+
+---
+ templates/default/fulldoc/html/frames.erb | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/templates/default/fulldoc/html/frames.erb b/templates/default/fulldoc/html/frames.erb
+index e803bcd6c..994aee97e 100644
+--- a/templates/default/fulldoc/html/frames.erb
+++ b/templates/default/fulldoc/html/frames.erb
+@@ -5,10 +5,10 @@
+ 	<title><%= options.title %></title>
+ </head>
+ <script type="text/javascript">
+-  var match = unescape(window.location.hash).match(/^#!(.+)/);
+  var match = decodeURIComponent(window.location.hash).match(/^#!(.+)/);
+   var name = match ? match[1] : '<%= url_for_main %>';
+-  name = name.replace(/^(\w+):\/\//, '').replace(/^\/\//, '');
+-  window.top.location = name;
+  name = name.replace(/^((\w*):)?[\/\\]*/gm, '').trim();
+  window.top.location.replace(name)
+ </script>
+ <noscript>
+   <h1>Oops!</h1>
--- a/rubygem-yard.spec
+++ b/rubygem-yard.spec
@ -1,7 +1,7 @@
 %global gem_name yard
 Name:                rubygem-%{gem_name}
 Version:             0.9.34
-Release:             1
+Release:             2
 Summary:             Documentation tool for consistent and usable documentation in Ruby
 License:             MIT and (BSD or Ruby)
 URL:                 http://yardoc.org
@ -9,6 +9,8 @@ Source0:             https://rubygems.org/gems/%{gem_name}-%{version}.gem
 # git clone http://github.com/lsegal/yard
 # cd yard && git archive -v -o yard-0.9.34-spec.txz v0.9.34 spec/
 Source1:             %{gem_name}-%{version}-spec.txz
+# https://github.com/lsegal/yard/commit/d78fc393d603c4fc35975969296ed381146a29d4
+Patch0:              CVE-2024-27285.patch

 BuildRequires:       ruby(release) rubygems-devel ruby rubygem(RedCloth) rubygem(asciidoctor) rubygem(bundler)
 BuildRequires:       rubygem(rspec) rubygem(redcarpet) rubygem(rack) rubygem(webrick)
@ -28,6 +30,7 @@ Documentation for %{name}.

 %prep
 %setup -q -n  %{gem_name}-%{version} -b1
+%patch0 -p1

 %build
 gem build ../%{gem_name}-%{version}.gemspec
@ -74,6 +77,9 @@ popd
 %doc %{gem_instdir}/docs

 %changelog
+* Thu Feb 29 2024 yaoxin <yao_xin001@hoperun.com> - 0.9.34-2
+- Fix CVE-2024-27285
+
 * Tue Aug 1 2023 liyanan <thistleslyn@163.com> - 0.9.34-1
 - Update to 0.9.34