rpms/ruby
5
0
Fork 0
Code Issues Pull Requests Releases Activity

import ruby-2.5.9-109.module+el8.5.0+14275+d9c243ca

Browse Source
This commit is contained in:
CentOS Sources 2022-02-21 03:12:52 +00:00 committed by Stepan Oksanichenko
parent c96efc2011
commit 60470a2576
2 changed files with 42 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
SOURCES/ruby-2.6.8-rdoc-6.1.2.1-command-injection-vulnerability.patch
View File

@ -26,6 +26,43 @@ index ca2c1abefd..46aace7839 100644
io.read(100) =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/ io.read(100) =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/
}) })
end end
--- a/lib/rdoc/encoding.rb 2022-02-16 16:51:28.080178281 +0100
+++ b/lib/rdoc/encoding.rb 2022-02-16 16:51:37.108160840 +0100
@@ -18,7 +18,7 @@
# unknown character in the target encoding will be replaced with '?'
def self.read_file filename, encoding, force_transcode = false
- content = open filename, "rb" do |f| f.read end
+ content = File.open filename, "rb" do |f| f.read end
content.gsub!("\r\n", "\n") if RUBY_PLATFORM =~ /mswin|mingw/
utf8 = content.sub!(/\A\xef\xbb\xbf/, '')
--- a/lib/rdoc/parser.rb 2021-04-05 13:46:35.000000000 +0200
+++ b/lib/rdoc/parser.rb 2022-02-16 15:37:17.904822389 +0100
@@ -74,7 +74,12 @@
def self.binary?(file)
return false if file =~ /\.(rdoc|txt)$/
- s = File.read(file, 1024) or return false
+ begin
+ open_file = File.open(file)
+ s = open_file.read(1024) or return false
+ ensure
+ open_file.close if open_file
+ end
return true if s[0, 2] == Marshal.dump('')[0, 2] or s.index("\x00")
@@ -92,7 +97,8 @@
# http://www.garykessler.net/library/file_sigs.html
def self.zip? file
- zip_signature = File.read file, 4
+ zip_signature = ''
+ File.open(file) { |f| zip_signature = f.read(4) }
zip_signature == "PK\x03\x04" or
zip_signature == "PK\x05\x06" or
diff --git a/test/rdoc/test_rdoc_rdoc.rb b/test/rdoc/test_rdoc_rdoc.rb diff --git a/test/rdoc/test_rdoc_rdoc.rb b/test/rdoc/test_rdoc_rdoc.rb
index 3bce54b243..123b1a4f87 100644 index 3bce54b243..123b1a4f87 100644
--- a/test/rdoc/test_rdoc_rdoc.rb --- a/test/rdoc/test_rdoc_rdoc.rb

6
SPECS/ruby.spec
View File

@ -21,7 +21,7 @@
%endif %endif
%global release 108 %global release 109
%{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
@ -1142,6 +1142,10 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
%{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec %{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec
%changelog %changelog
* Wed Feb 16 2022 Jarek Prokop <jprokop@redhat.com> - 2.5.9-109
- Properly fix command injection vulnerability in Rdoc.
Related: CVE-2021-31799
* Wed Feb 09 2022 Jarek Prokop <jprokop@redhat.com> - 2.5.9-108 * Wed Feb 09 2022 Jarek Prokop <jprokop@redhat.com> - 2.5.9-108
- Fix command injection vulnerability in RDoc. - Fix command injection vulnerability in RDoc.
Resolves: CVE-2021-31799 Resolves: CVE-2021-31799