!176 fix CVE-2024-35221

From: @tong_1001 
Reviewed-by: @shinwell_hu 
Signed-off-by: @shinwell_hu

backport-0001-CVE-2024-35221.patch

@@ -0,0 +1,36 @@
+From c2812fb616a9a0f31bbc3906a8ec9bad9faec498 Mon Sep 17 00:00:00 2001
+From: Samuel Giddins <segiddins@segiddins.me>
+Date: Wed, 7 Feb 2024 12:26:31 -0800
+Subject: [PATCH] [rubygems/rubygems] Control whether YAML aliases are enabled
+ in Gem::SafeYAML.safe_load via a constant
+
+https://github.com/rubygems/rubygems/commit/6bedb1cb79
+
+Reference:https://github.com/ruby/ruby/commit/c2812fb616a9a0f31bbc3906a8ec9bad9faec498
+Conflict:Slightly different context
+---
+ lib/rubygems/safe_yaml.rb | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
+index 789bb5e..5ad256e 100644
+--- a/lib/rubygems/safe_yaml.rb
++++ b/lib/rubygems/safe_yaml.rb
+@@ -26,9 +26,12 @@ module Gem
+       runtime
+     )
+ 
++    ALIASES = true # :nodoc:
++    private_constant :ALIASES
++
+     if ::YAML.respond_to? :safe_load
+       def self.safe_load input
+-        ::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true)
++        ::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, ALIASES)
+       end
+ 
+       def self.load input
+-- 
+2.33.0
+
+

backport-0002-CVE-2024-35221.patch

@@ -0,0 +1,40 @@
+From 5dcc7a03267216feaa587017ef5d6d075b62f75b Mon Sep 17 00:00:00 2001
+From: Samuel Giddins <segiddins@segiddins.me>
+Date: Fri, 9 Feb 2024 10:15:40 -0800
+Subject: [PATCH] [rubygems/rubygems] Use a writer method on the module instead
+ of a constant
+
+https://github.com/rubygems/rubygems/commit/240d84eea3
+
+Reference:https://github.com/ruby/ruby/commit/5dcc7a03267216feaa587017ef5d6d075b62f75b
+Conflict:Slightly different context
+---
+ lib/rubygems/safe_yaml.rb | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
+index 5ad256e..32c5309 100644
+--- a/lib/rubygems/safe_yaml.rb
++++ b/lib/rubygems/safe_yaml.rb
+@@ -26,12 +26,14 @@ module Gem
+       runtime
+     )
+ 
+-    ALIASES = true # :nodoc:
+-    private_constant :ALIASES
++    @aliases_enabled = true
++    def self.aliases_enabled=(value)
++      @aliases_enabled = !!value
++    end
+ 
+     if ::YAML.respond_to? :safe_load
+       def self.safe_load input
+-        ::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, ALIASES)
++        ::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, @aliases_enabled)
+       end
+ 
+       def self.load input
+-- 
+2.33.0
+
+

backport-0003-CVE-2024-35221.patch

@@ -0,0 +1,50 @@
+From 466ed0e1ace6ebf069d444d666f0db3f9224a4b9 Mon Sep 17 00:00:00 2001
+From: Samuel Giddins <segiddins@segiddins.me>
+Date: Sat, 10 Feb 2024 19:52:13 -0800
+Subject: [PATCH] [rubygems/rubygems] Add a test for safe yaml
+
+https://github.com/rubygems/rubygems/commit/148deade0a
+
+Reference:https://github.com/ruby/ruby/commit/466ed0e1ace6ebf069d444d666f0db3f9224a4b9
+Conflict:use assert_raises not assert_raise and requires diffs.
+---
+ test/rubygems/test_gem_safe_yaml.rb | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+ create mode 100644 test/rubygems/test_gem_safe_yaml.rb
+
+diff --git a/test/rubygems/test_gem_safe_yaml.rb b/test/rubygems/test_gem_safe_yaml.rb
+new file mode 100644
+index 0000000..cfe1342
+--- /dev/null
++++ b/test/rubygems/test_gem_safe_yaml.rb
+@@ -0,0 +1,26 @@
++# frozen_string_literal: true
++
++require 'yaml'
++require 'rubygems/test_case'
++require 'rubygems/safe_yaml'
++require 'test/unit'
++
++Gem.load_yaml
++
++class TestGemSafeYAML < Gem::TestCase
++  def test_aliases_enabled_by_default
++    assert_predicate Gem::SafeYAML, :aliases_enabled?
++    assert_equal({ "a" => "a", "b" => "a" }, Gem::SafeYAML.safe_load("a: &a a\nb: *a\n"))
++  end
++
++  def test_aliases_disabled
++    aliases_enabled = Gem::SafeYAML.aliases_enabled?
++    Gem::SafeYAML.aliases_enabled = false
++    refute_predicate Gem::SafeYAML, :aliases_enabled?
++    assert_raises Psych::AliasesNotEnabled do
++      Gem::SafeYAML.safe_load("a: &a\nb: *a\n")
++    end
++  ensure
++    Gem::SafeYAML.aliases_enabled = aliases_enabled
++  end
++end
+-- 
+2.33.0
+
+

backport-0004-CVE-2024-35221.patch

@@ -0,0 +1,37 @@
+From 997470b7b697d267109571d81081453acc73a2f9 Mon Sep 17 00:00:00 2001
+From: Samuel Giddins <segiddins@segiddins.me>
+Date: Wed, 14 Feb 2024 00:50:52 -0800
+Subject: [PATCH] [rubygems/rubygems] Commit missing new method
+
+https://github.com/rubygems/rubygems/commit/5265b4ce3d
+
+Reference:https://github.com/ruby/ruby/commit/997470b7b697d267109571d81081453acc73a2f9
+Conflict:Slightly different context
+---
+ lib/rubygems/safe_yaml.rb | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
+index 32c5309..336abba 100644
+--- a/lib/rubygems/safe_yaml.rb
++++ b/lib/rubygems/safe_yaml.rb
+@@ -27,10 +27,14 @@ module Gem
+     )
+ 
+     @aliases_enabled = true
+-    def self.aliases_enabled=(value)
++    def self.aliases_enabled=(value) # :nodoc:
+       @aliases_enabled = !!value
+     end
+ 
++    def self.aliases_enabled? # :nodoc:
++      @aliases_enabled
++    end
++
+     if ::YAML.respond_to? :safe_load
+       def self.safe_load input
+         ::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, @aliases_enabled)
+-- 
+2.33.0
+
+

backport-0005-CVE-2024-35221.patch

@@ -0,0 +1,32 @@
+From 8bc51a393acfb5af4e446799e51f73e61b0cfc8e Mon Sep 17 00:00:00 2001
+From: Samuel Giddins <segiddins@segiddins.me>
+Date: Tue, 20 Feb 2024 11:03:28 -0800
+Subject: [PATCH] [rubygems/rubygems] Check for correct exception on older
+ psych versions
+
+https://github.com/rubygems/rubygems/commit/52de6eccf5
+
+Reference:https://github.com/ruby/ruby/commit/8bc51a393acfb5af4e446799e51f73e61b0cfc8e
+Conflict:use assert_raises not assert_raise
+---
+ test/rubygems/test_gem_safe_yaml.rb | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/test/rubygems/test_gem_safe_yaml.rb b/test/rubygems/test_gem_safe_yaml.rb
+index 4f7e400132..02df9f97da 100644
+--- a/test/rubygems/test_gem_safe_yaml.rb
++++ b/test/rubygems/test_gem_safe_yaml.rb
+@@ -14,7 +14,8 @@ def test_aliases_disabled
+     aliases_enabled = Gem::SafeYAML.aliases_enabled?
+     Gem::SafeYAML.aliases_enabled = false
+     refute_predicate Gem::SafeYAML, :aliases_enabled?
+-    assert_raises Psych::AliasesNotEnabled do
++    expected_error = defined?(Psych::AliasesNotEnabled) ? Psych::AliasesNotEnabled : Psych::BadAlias
++    assert_raises expected_error do
+       Gem::SafeYAML.safe_load("a: &a\nb: *a\n")
+     end
+   ensure
+-- 
+2.33.0
+
+

ruby.spec

@@ -1,6 +1,6 @@
 Name:      ruby
 Version:   2.5.8
-Release:   124
+Release:   125
 Summary:   Object-oriented scripting language interpreter
 License:   (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD
 URL:       https://www.ruby-lang.org/
@@ -62,6 +62,11 @@ Patch6018: backport-CVE-2024-27281-Use-safe_load-for-.rdoc_options.patch
 Patch6019: backport-CVE-2024-27281-Fix-NoMethodError-for-start_with.patch
 Patch6020: backport-Use-File.open-instead-of-Kernel-open.patch
 Patch6021: backport-CVE-2024-27282.patch
+Patch6022: backport-0001-CVE-2024-35221.patch
+Patch6023: backport-0002-CVE-2024-35221.patch
+Patch6024: backport-0003-CVE-2024-35221.patch
+Patch6025: backport-0004-CVE-2024-35221.patch
+Patch6026: backport-0005-CVE-2024-35221.patch
 
 Provides:  %{name}-libs = %{version}-%{release}
 Obsoletes: %{name}-libs < %{version}-%{release}
@@ -599,6 +604,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13}
 %exclude %{gem_dir}/gems/xmlrpc-0.3.0/.*
 
 %changelog
+* Tue Jun 18 2024 shixuantong <shixuantong1@huawei.com> - 2.5.8-125
+- fix CVE-2024-35221
+
 * Mon May 6 2024 zhoupengcheng11 <zhoupengcheng11@huawei.com> - 2.5.8-124
 - fix CVE-2024-27282