!17 FIX CVE-2023-22796

From: @wszlight Reviewed-by: @small_leek Signed-off-by: @small_leek
2023-02-22 02:13:17 +00:00 · 2023-02-22 02:13:17 +00:00 · 67976979cc
commit 67976979cc
parent edf356934a 7e09cf61f4
2 changed files with 36 additions and 1 deletions
--- a/CVE-2023-22796.patch
+++ b/CVE-2023-22796.patch
@ -0,0 +1,30 @@
+From a7cda7e6aa5334ab41b1f4b0f671be931be946ef Mon Sep 17 00:00:00 2001
+From: John Hawthorn <john@hawthorn.email>
+Date: Wed, 11 Jan 2023 10:14:55 -0800
+Subject: [PATCH] Avoid regex backtracking in Inflector.underscore
+
+[CVE-2023-22796]
+---
+ activesupport/lib/active_support/inflector/methods.rb | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/activesupport-5.2.4.4/lib/active_support/inflector/methods.rb b/activesupport-5.2.4.4/lib/active_support/inflector/methods.rb
+index ad136532bf..acb86fe1a4 100644
+--- a/activesupport-5.2.4.4/lib/active_support/inflector/methods.rb
+++ b/activesupport-5.2.4.4/lib/active_support/inflector/methods.rb
+@@ -93,8 +93,7 @@ def underscore(camel_cased_word)
+       return camel_cased_word unless /[A-Z-]|::/.match?(camel_cased_word)
+-      word = camel_cased_word.to_s.gsub("::".freeze, "/".freeze)
+-      word.gsub!(inflections.acronyms_underscore_regex) { "#{$1 && '_'.freeze }#{$2.downcase}" }
+      word = camel_cased_word.to_s.gsub("::", "/")   
+      word.gsub!(inflections.acronyms_underscore_regex) { "#{$1 && '_' }#{$2.downcase}" } 
+-      word.gsub!(/([A-Z\d]+)([A-Z][a-z])/, '\1_\2'.freeze)
+-      word.gsub!(/([a-z\d])([A-Z])/, '\1_\2'.freeze)
+      word.gsub!(/([A-Z])(?=[A-Z][a-z])|([a-z\d])(?=[A-Z])/) { ($1 || $2) << "_" }
+-      word.tr!("-".freeze, "_".freeze)
+      word.tr!("-", "_")
+       word.downcase!
+       word
+-- 
+2.35.1
+
--- a/rubygem-activesupport.spec
+++ b/rubygem-activesupport.spec
@ -3,12 +3,13 @@
 Name:                rubygem-%{gem_name}
 Epoch:               2
 Version:             5.2.4.4
-Release:             1
+Release:             2
 Summary:             A support libraries and Ruby core extensions extracted from the Rails framework
 License:             MIT
 URL:                 http://rubyonrails.org
 Source0:             https://rubygems.org/gems/activesupport-5.2.4.4.gem
 Source1:             https://github.com/rails/rails/archive/v5.2.4.4.tar.gz
+Patch0:              CVE-2023-22796.patch
 Requires:            rubygem(bigdecimal) rubygem(json)
 BuildRequires:       ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder)
 BuildRequires:       rubygem(concurrent-ruby) rubygem(connection_pool) rubygem(dalli)
@ -29,6 +30,7 @@ Documentation for %{name}.

 %prep
 %setup -q -n %{gem_name}-%{version}
+%patch0 -p2

 %build
 gem build ../%{gem_name}-%{version}.gemspec
@ -72,6 +74,9 @@ popd
 %doc %{gem_instdir}/README.rdoc

 %changelog
+* Tue Feb 21 2023 wushaozheng <wushaozheng@ncti-gba.cn> - 2:5.2.4.4-2
+- fix CVE-2023-22796 
+
 * Mon Feb  8 2021 sunguoshuai <sunguoshuai@huawei.com> - 5.2.4.4-1
 - Upgrade to 5.2.4.4