import ruby-2.5.9-109.module+el8.5.0+14275+d9c243ca

2022-02-21 03:12:52 +00:00 · 2022-02-21 03:12:52 +00:00 · 60470a2576
parent c96efc2011
commit 60470a2576
2 changed files with 42 additions and 1 deletions
--- a/SOURCES/ruby-2.6.8-rdoc-6.1.2.1-command-injection-vulnerability.patch
+++ b/SOURCES/ruby-2.6.8-rdoc-6.1.2.1-command-injection-vulnerability.patch
@ -26,6 +26,43 @@ index ca2c1abefd..46aace7839 100644
            io.read(100) =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/
          })
     end
+--- a/lib/rdoc/encoding.rb	2022-02-16 16:51:28.080178281 +0100
+++ b/lib/rdoc/encoding.rb	2022-02-16 16:51:37.108160840 +0100
+@@ -18,7 +18,7 @@
+   # unknown character in the target encoding will be replaced with '?'
+ 
+   def self.read_file filename, encoding, force_transcode = false
+-    content = open filename, "rb" do |f| f.read end
+    content = File.open filename, "rb" do |f| f.read end
+     content.gsub!("\r\n", "\n") if RUBY_PLATFORM =~ /mswin|mingw/
+ 
+     utf8 = content.sub!(/\A\xef\xbb\xbf/, '')
+--- a/lib/rdoc/parser.rb	2021-04-05 13:46:35.000000000 +0200
+++ b/lib/rdoc/parser.rb	2022-02-16 15:37:17.904822389 +0100
+@@ -74,7 +74,12 @@
+   def self.binary?(file)
+     return false if file =~ /\.(rdoc|txt)$/
+ 
+-    s = File.read(file, 1024) or return false
+    begin
+      open_file = File.open(file)
+      s = open_file.read(1024) or return false
+    ensure
+      open_file.close if open_file
+    end
+ 
+     return true if s[0, 2] == Marshal.dump('')[0, 2] or s.index("\x00")
+ 
+@@ -92,7 +97,8 @@
+   # http://www.garykessler.net/library/file_sigs.html
+ 
+   def self.zip? file
+-    zip_signature = File.read file, 4
+    zip_signature = ''
+    File.open(file) { |f| zip_signature = f.read(4) }
+ 
+     zip_signature == "PK\x03\x04" or
+       zip_signature == "PK\x05\x06" or
 diff --git a/test/rdoc/test_rdoc_rdoc.rb b/test/rdoc/test_rdoc_rdoc.rb
 index 3bce54b243..123b1a4f87 100644
 --- a/test/rdoc/test_rdoc_rdoc.rb
--- a/SPECS/ruby.spec
+++ b/SPECS/ruby.spec
@ -21,7 +21,7 @@
 %endif


-%global release 108
+%global release 109

 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}

@ -1142,6 +1142,10 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
 %{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec

 %changelog
+* Wed Feb 16 2022 Jarek Prokop <jprokop@redhat.com> - 2.5.9-109
+- Properly fix command injection vulnerability in Rdoc.
+  Related: CVE-2021-31799
+
 * Wed Feb 09 2022 Jarek Prokop <jprokop@redhat.com> - 2.5.9-108
 - Fix command injection vulnerability in RDoc.
  Resolves: CVE-2021-31799