Fix CVE-2023-28120

2024-06-26 14:51:51 +08:00 · 2024-06-26 14:51:51 +08:00 · 201c049519
commit 201c049519
parent ee9a2d631a
2 changed files with 31 additions and 1 deletions
--- a/CVE-2023-28120.patch
+++ b/CVE-2023-28120.patch
@ -0,0 +1,24 @@
+From 3cf23c3f891e2e81c977ea4ab83b62bc2a444b70 Mon Sep 17 00:00:00 2001
+From: Akira Matsuda <ronnie@dio.jp>
+Date: Thu, 5 Jan 2023 05:25:37 +0900
+Subject: [PATCH] Implement SafeBuffer#bytesplice
+
+---
+ .../core_ext/string/output_safety.rb          |  4 +++
+ 1 files changed, 4 insertions(+)
+
+diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
+index 8a06ccdd8e385..a627540a353db 100644
+--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
+@@ -216,6 +216,10 @@ def concat(value)
+     end
+     alias << concat
+ 
+    def bytesplice(*args, value)
+      super(*args, implicit_html_escape_interpolated_argument(value))
+    end
+
+     def prepend(value)
+       super(html_escape_interpolated_argument(value))
+     end
--- a/rubygem-activesupport.spec
+++ b/rubygem-activesupport.spec
@ -3,7 +3,7 @@
 Name:                rubygem-%{gem_name}
 Epoch:               2
 Version:             5.2.4.4
-Release:             4
+Release:             5
 Summary:             A support libraries and Ruby core extensions extracted from the Rails framework
 License:             MIT
 URL:                 http://rubyonrails.org
@ -15,6 +15,8 @@ Patch1:              CVE-2023-38037.patch
 # https://github.com/rails/rails/commit/676ad96fa5d9d0213babc32c9bad8190597a00d1
 # https://github.com/rails/rails/commit/07d9600172a18b45791c89e95a642e13fc367545
 Patch3000:           CVE-2022-23633.patch
+# https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70
+Patch3001:           CVE-2023-28120.patch

 Requires:            rubygem(bigdecimal) rubygem(json)
 BuildRequires:       ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder)
@ -39,6 +41,7 @@ Documentation for %{name}.
 %patch0 -p2
 %patch1 -p1
 %patch3000 -p1
+%patch3001 -p2

 %build
 gem build ../%{gem_name}-%{version}.gemspec
@ -82,6 +85,9 @@ popd
 %doc %{gem_instdir}/README.rdoc

 %changelog
+* Wed Jun 26 2024 wangkai <13474090681@163.com> - 2:5.2.4.4-5
+- Fix CVE-2023-28120
+
 * Tue Jun 25 2024 zouzhimin <zouzhimin@kylinos.cn> - 2:5.2.4.4-4
 - Type:CVES
 - ID:CVE-2022-23633