!15 [sync] PR-14: CVE-2023-22796

From: @openeuler-sync-bot Reviewed-by: @jxy_git Signed-off-by: @jxy_git
2023-02-21 06:55:39 +00:00 · 2023-02-21 06:55:39 +00:00 · ecbd2800e8
commit ecbd2800e8
parent ca3c471ce4 e9f7425123
2 changed files with 34 additions and 1 deletions
--- a/CVE-2023-22796.patch
+++ b/CVE-2023-22796.patch
@ -0,0 +1,27 @@
+From a7cda7e6aa5334ab41b1f4b0f671be931be946ef Mon Sep 17 00:00:00 2001
+From: John Hawthorn <john@hawthorn.email>
+Date: Wed, 11 Jan 2023 10:14:55 -0800
+Subject: [PATCH] Avoid regex backtracking in Inflector.underscore
+
+[CVE-2023-22796]
+---
+ activesupport/lib/active_support/inflector/methods.rb | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/activesupport-6.1.4.1/lib/active_support/inflector/methods.rb b/activesupport-6.1.4.1/lib/active_support/inflector/methods.rb
+index ad136532bf..acb86fe1a4 100644
+--- a/activesupport-6.1.4.1/lib/active_support/inflector/methods.rb
+++ b/activesupport-6.1.4.1/lib/active_support/inflector/methods.rb
+@@ -93,8 +93,7 @@ def underscore(camel_cased_word)
+       return camel_cased_word unless /[A-Z-]|::/.match?(camel_cased_word)
+       word = camel_cased_word.to_s.gsub("::", "/")
+       word.gsub!(inflections.acronyms_underscore_regex) { "#{$1 && '_' }#{$2.downcase}" }
+-      word.gsub!(/([A-Z\d]+)([A-Z][a-z])/, '\1_\2')
+-      word.gsub!(/([a-z\d])([A-Z])/, '\1_\2')
+      word.gsub!(/([A-Z])(?=[A-Z][a-z])|([a-z\d])(?=[A-Z])/) { ($1 || $2) << "_" }
+       word.tr!("-", "_")
+       word.downcase!
+       word
+-- 
+2.35.1
+
--- a/rubygem-activesupport.spec
+++ b/rubygem-activesupport.spec
@ -2,7 +2,7 @@
 Name:                rubygem-%{gem_name}
 Epoch:               1
 Version:             6.1.4.1
-Release:             2
+Release:             3
 Summary:             A support libraries and Ruby core extensions extracted from the Rails framework
 License:             MIT
 URL:                 http://rubyonrails.org
@ -10,6 +10,7 @@ Source0:             https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Source1:             %{gem_name}-%{version}-tests.txz
 Source2:             rails-%{version}-tools.txz
 Patch0:              Add-support-dalli-3.2.2.patch
+Patch1:	  	     CVE-2023-22796.patch
 Requires:            rubygem(bigdecimal) rubygem(json)
 BuildRequires:       ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder)
 BuildRequires:       rubygem(concurrent-ruby) rubygem(connection_pool) rubygem(dalli)
@ -33,6 +34,8 @@ Documentation for %{name}.
 pushd %{_builddir}/test
 %patch0 -p1
 popd
+%patch1 -p2
+

 %build
 gem build ../%{gem_name}-%{version}.gemspec
@ -76,6 +79,9 @@ popd
 %doc %{gem_instdir}/README.rdoc

 %changelog
+* Tue Feb 21 2023 wushaozheng <wushaozheng@ncti-gba.cn> - 1:6.1.4.1-3
+- fix CVE-2023-22796 
+
 * Tue Jul 05 2022 liyanan <liyanan32@h-partners.com> - 6.1.4.1-2
 - Add support dalli 3.2.2