fix CVE-2022-23633

(cherry picked from commit 9e09c795ebdadc2b818065718741a9f50b112758)
2024-06-12 10:50:48 +08:00 · 2024-06-12 10:50:48 +08:00 · 2cb9c1c115
commit 2cb9c1c115
parent 24b4b7755e
2 changed files with 96 additions and 5 deletions
--- a/CVE-2022-23633.patch
+++ b/CVE-2022-23633.patch
@ -0,0 +1,79 @@
+From d1267768e9f57ebcf86ff7f011aca7fb08e733eb Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron@rubyonrails.org>
+Date: Fri, 11 Feb 2022 11:23:01 -0800
+Subject: [PATCH] Fix reloader to work with new Executor signature
+
+This is a follow up to [CVE-2022-23633].
+---
+ lib/active_support/reloader.rb | 2 +-
+ lib/active_support/execution_wrapper.rb   | 29 ++++++++++---------
+ 2 file changed, 11 insertion(+), 10 deletion(-)
+
+diff --git a/lib/active_support/reloader.rb b/lib/active_support/reloader.rb
+index 2f81cd4..e751866 100644
+--- a/lib/active_support/reloader.rb
+++ b/lib/active_support/reloader.rb
+@@ -58,7 +58,7 @@ module ActiveSupport
+       prepare!
+     end
+ 
+-    def self.run! # :nodoc:
+    def self.run!(reset: false) # :nodoc:
+       if check!
+         super
+       else
+
+diff --git a/lib/active_support/execution_wrapper.rb b/lib/active_support/execution_wrapper.rb
+index ca810db584..07c4f435db 100644
+--- a/lib/active_support/execution_wrapper.rb
+++ b/lib/active_support/execution_wrapper.rb
+@@ -63,18 +63,21 @@ def self.register_hook(hook, outer: false)
+     # after the work has been performed.
+     #
+     # Where possible, prefer +wrap+.
+-    def self.run!
+-      if active?
+-        Null
+    def self.run!(reset: false)
+      if reset
+        lost_instance = active.delete(Thread.current)
+        lost_instance&.complete!
+       else
+-        new.tap do |instance|
+-          success = nil
+-          begin
+-            instance.run!
+-            success = true
+-          ensure
+-            instance.complete! unless success
+-          end
+        return Null if active?
+      end
+
+      new.tap do |instance|
+        success = nil
+        begin
+          instance.run!
+          success = true
+        ensure
+          instance.complete! unless success
+         end
+       end
+     end
+@@ -103,11 +106,11 @@ def self.inherited(other) # :nodoc:
+     self.active = Concurrent::Hash.new
+ 
+     def self.active? # :nodoc:
+-      @active[Thread.current]
+      @active.key?(Thread.current)
+     end
+ 
+     def run! # :nodoc:
+-      self.class.active[Thread.current] = true
+      self.class.active[Thread.current] = self
+       run_callbacks(:run)
+     end
+ 
+-- 
+2.43.0
+
--- a/rubygem-activesupport.spec
+++ b/rubygem-activesupport.spec
@ -2,7 +2,7 @@
 Name:                rubygem-%{gem_name}
 Epoch:               1
 Version:             6.1.4.1
-Release:             5
+Release:             7
 Summary:             A support libraries and Ruby core extensions extracted from the Rails framework
 License:             MIT
 URL:                 http://rubyonrails.org
@ -13,6 +13,9 @@ Patch0:              Add-support-dalli-3.2.2.patch
 Patch1:              CVE-2023-22796.patch
 Patch2:              CVE-2023-38037.patch
 Patch3:              CVE-2023-38037-test.patch
+# https://github.com/rails/rails/commit/d1267768e9f57ebcf86ff7f011aca7fb08e733eb
+# https://github.com/rails/rails/commit/07d9600172a18b45791c89e95a642e13fc367545
+Patch3000:           CVE-2022-23633.patch
 Requires:            rubygem(bigdecimal) rubygem(json)
 BuildRequires:       ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder)
 BuildRequires:       rubygem(concurrent-ruby) rubygem(connection_pool) rubygem(dalli)
@ -39,7 +42,7 @@ pushd %{_builddir}/test
 popd
 %patch1 -p2
 %patch2 -p2
-
+%patch3000 -p1

 %build
 gem build ../%{gem_name}-%{version}.gemspec
@ -87,11 +90,20 @@ popd
 %doc %{gem_instdir}/README.rdoc

 %changelog
-* Mon Sep 11 2023 wangkai <13474090681@163.com> - 1:6.1.4.1-5
+* Tue Jun 25 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:6.1.4.1-7
+- Type:CVES
+- ID:CVE-2022-23633
+- SUG:NA
+- DESC:fix CVE-2022-23633
+
+* Mon Sep 11 2023 wangkai <13474090681@163.com> - 1:6.1.4.1-6
 - Fix CVE-2023-38037

-* Thu Mar 30 2023 caodongxia <caodongxia@h-partners.com> - 1:6.1.4.1-4
- Fix the self-compilation problem and start memcached as the root user
+* Fri Mar 10 2023 caodongxia <caodongxia@h-partners.com> - 1:6.1.4.1-5
+- Rectify the failure to start memcached as the root user
+
+* Thu Mar 9 2023 caodongxia <caodongxia@h-partners.com> - 1:6.1.4.1-4
+- Fix the self-compilation problem

 * Tue Feb 21 2023 wushaozheng <wushaozheng@ncti-gba.cn> - 1:6.1.4.1-3
 - fix CVE-2023-22796