packages/rubygem-activesupport
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2023-28120

Browse Source
This commit is contained in:
wk333 2024-06-26 14:51:51 +08:00
parent ee9a2d631a
commit 201c049519
2 changed files with 31 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
CVE-2023-28120.patch Normal file
View File

@ -0,0 +1,24 @@
From 3cf23c3f891e2e81c977ea4ab83b62bc2a444b70 Mon Sep 17 00:00:00 2001
From: Akira Matsuda <ronnie@dio.jp>
Date: Thu, 5 Jan 2023 05:25:37 +0900
Subject: [PATCH] Implement SafeBuffer#bytesplice
---
.../core_ext/string/output_safety.rb | 4 +++
1 files changed, 4 insertions(+)
diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
index 8a06ccdd8e385..a627540a353db 100644
--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -216,6 +216,10 @@ def concat(value)
end
alias << concat
+ def bytesplice(*args, value)
+ super(*args, implicit_html_escape_interpolated_argument(value))
+ end
+
def prepend(value)
super(html_escape_interpolated_argument(value))
end

8
rubygem-activesupport.spec
View File

@ -3,7 +3,7 @@
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Epoch: 2 Epoch: 2
Version: 5.2.4.4 Version: 5.2.4.4
Release: 4 Release: 5
Summary: A support libraries and Ruby core extensions extracted from the Rails framework Summary: A support libraries and Ruby core extensions extracted from the Rails framework
License: MIT License: MIT
URL: http://rubyonrails.org URL: http://rubyonrails.org
@ -15,6 +15,8 @@ Patch1: CVE-2023-38037.patch
# https://github.com/rails/rails/commit/676ad96fa5d9d0213babc32c9bad8190597a00d1 # https://github.com/rails/rails/commit/676ad96fa5d9d0213babc32c9bad8190597a00d1
# https://github.com/rails/rails/commit/07d9600172a18b45791c89e95a642e13fc367545 # https://github.com/rails/rails/commit/07d9600172a18b45791c89e95a642e13fc367545
Patch3000: CVE-2022-23633.patch Patch3000: CVE-2022-23633.patch
# https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70
Patch3001: CVE-2023-28120.patch
Requires: rubygem(bigdecimal) rubygem(json) Requires: rubygem(bigdecimal) rubygem(json)
BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder) BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder)
@ -39,6 +41,7 @@ Documentation for %{name}.
%patch0 -p2 %patch0 -p2
%patch1 -p1 %patch1 -p1
%patch3000 -p1 %patch3000 -p1
%patch3001 -p2
%build %build
gem build ../%{gem_name}-%{version}.gemspec gem build ../%{gem_name}-%{version}.gemspec
@ -82,6 +85,9 @@ popd
%doc %{gem_instdir}/README.rdoc %doc %{gem_instdir}/README.rdoc
%changelog %changelog
* Wed Jun 26 2024 wangkai <13474090681@163.com> - 2:5.2.4.4-5
- Fix CVE-2023-28120
* Tue Jun 25 2024 zouzhimin <zouzhimin@kylinos.cn> - 2:5.2.4.4-4 * Tue Jun 25 2024 zouzhimin <zouzhimin@kylinos.cn> - 2:5.2.4.4-4
- Type:CVES - Type:CVES
- ID:CVE-2022-23633 - ID:CVE-2022-23633