Fix CVE-2023-28756

2024-01-26 10:46:14 +08:00 · 2024-01-26 10:46:14 +08:00 · f1a6f42267
commit f1a6f42267
parent 8c91455848
2 changed files with 66 additions and 1 deletions
--- a/CVE-2023-28756.patch
+++ b/CVE-2023-28756.patch
@ -0,0 +1,61 @@
+From 957bb7cb81995f26c671afce0ee50a5c660e540e Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Wed, 29 Mar 2023 13:28:25 +0900
+Subject: Merge Time-0.2.2
+
+Origin: https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e
+
+---
+ lib/ruby/1.8/time.rb | 4 ++--
+ lib/ruby/1.9/time.rb | 4 ++--
+ lib/ruby/2.0/time.rb | 4 ++--
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/lib/ruby/1.8/time.rb b/lib/ruby/1.8/time.rb
+index a37a067..a9ef487 100644
+--- a/lib/ruby/1.8/time.rb
+++ b/lib/ruby/1.8/time.rb
+@@ -265,8 +265,8 @@ class Time
+           (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+
+           (\d{2,})\s+
+           (\d{2})\s*
+-          :\s*(\d{2})\s*
+-          (?::\s*(\d{2}))?\s+
+          :\s*(\d{2})
+          (?:\s*:\s*(\d\d))?\s+
+           ([+-]\d{4}|
+            UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date
+         # Since RFC 2822 permit comments, the regexp has no right anchor.
+diff --git a/lib/ruby/1.9/time.rb b/lib/ruby/1.9/time.rb
+index 40b28d9..4379be2 100644
+--- a/lib/ruby/1.9/time.rb
+++ b/lib/ruby/1.9/time.rb
+@@ -320,8 +320,8 @@ class Time
+           (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+
+           (\d{2,})\s+
+           (\d{2})\s*
+-          :\s*(\d{2})\s*
+-          (?::\s*(\d{2}))?\s+
+          :\s*(\d{2})
+          (?:\s*:\s*(\d\d))?\s+
+           ([+-]\d{4}|
+            UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date
+         # Since RFC 2822 permit comments, the regexp has no right anchor.
+diff --git a/lib/ruby/2.0/time.rb b/lib/ruby/2.0/time.rb
+index 12c2b30..3430410 100644
+--- a/lib/ruby/2.0/time.rb
+++ b/lib/ruby/2.0/time.rb
+@@ -429,8 +429,8 @@ class Time
+           (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+
+           (\d{2,})\s+
+           (\d{2})\s*
+-          :\s*(\d{2})\s*
+-          (?::\s*(\d{2}))?\s+
+          :\s*(\d{2})
+          (?:\s*:\s*(\d\d))?\s+
+           ([+-]\d{4}|
+            UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date
+         # Since RFC 2822 permit comments, the regexp has no right anchor.
+-- 
+2.33.0
+
--- a/jruby.spec
+++ b/jruby.spec
@ -3,7 +3,7 @@
 %global rubygems_dir %{_datadir}/rubygems
 Name:                jruby
 Version:             1.7.22
-Release:             3
+Release:             4
 Summary:             Pure Java implementation of the Ruby interpreter
 License:             (CPL or GPLv2+ or LGPLv2+) and BSD and (GPLv2 or Ruby) and (BSD or Ruby)
 URL:                 http://jruby.org
@ -13,6 +13,7 @@ Patch1:              jruby-include-unbundled-jansi.patch
 Patch2:              jruby-remove-rubygems-dirs-definition.patch
 Patch3:              jruby-snakeyaml-1.16.patch
 Patch4:              jruby-snakeyaml-1.20.patch
+Patch5:              CVE-2023-28756.patch
 BuildRequires:       maven-local mvn(bsf:bsf) mvn(com.github.jnr:jffi)
 BuildRequires:       mvn(com.github.jnr:jffi::native:) mvn(com.github.jnr:jnr-constants)
 BuildRequires:       mvn(com.github.jnr:jnr-enxio) mvn(com.github.jnr:jnr-ffi)
@ -136,6 +137,9 @@ EOF
 %doc COPYING LICENSE.RUBY LEGAL

 %changelog
+* Fri Jan 26 2024 wangkai <13474090681@163.com> - 1.7.22-4
+- Fix CVE-2023-28756
+
 * Fri May 19 2023 Ge Wang <wang__ge@126.com> - 1.7.22-3
 - Add install dependency base64coder