fix CVE-2022-23633

CVE-2022-23633.patch

@@ -0,0 +1,79 @@
+From d1267768e9f57ebcf86ff7f011aca7fb08e733eb Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron@rubyonrails.org>
+Date: Fri, 11 Feb 2022 11:23:01 -0800
+Subject: [PATCH] Fix reloader to work with new Executor signature
+
+This is a follow up to [CVE-2022-23633].
+---
+ lib/active_support/reloader.rb | 2 +-
+ lib/active_support/execution_wrapper.rb   | 29 ++++++++++---------
+ 2 file changed, 11 insertion(+), 10 deletion(-)
+
+diff --git a/lib/active_support/reloader.rb b/lib/active_support/reloader.rb
+index 2f81cd4..e751866 100644
+--- a/lib/active_support/reloader.rb
++++ b/lib/active_support/reloader.rb
+@@ -58,7 +58,7 @@ module ActiveSupport
+       prepare!
+     end
+ 
+-    def self.run! # :nodoc:
++    def self.run!(reset: false) # :nodoc:
+       if check!
+         super
+       else
+
+diff --git a/lib/active_support/execution_wrapper.rb b/lib/active_support/execution_wrapper.rb
+index ca810db584..07c4f435db 100644
+--- a/lib/active_support/execution_wrapper.rb
++++ b/lib/active_support/execution_wrapper.rb
+@@ -62,18 +62,21 @@ def self.register_hook(hook, outer: false)
+     # after the work has been performed.
+     #
+     # Where possible, prefer +wrap+.
+-    def self.run!
+-      if active?
+-        Null
++    def self.run!(reset: false)
++      if reset
++        lost_instance = active.delete(Thread.current)
++        lost_instance&.complete!
+       else
+-        new.tap do |instance|
+-          success = nil
+-          begin
+-            instance.run!
+-            success = true
+-          ensure
+-            instance.complete! unless success
+-          end
++        return Null if active?
++      end
++
++      new.tap do |instance|
++        success = nil
++        begin
++          instance.run!
++          success = true
++        ensure
++          instance.complete! unless success
+         end
+       end
+     end
+@@ -102,11 +105,11 @@ def self.inherited(other) # :nodoc:
+     self.active = Concurrent::Hash.new
+ 
+     def self.active? # :nodoc:
+-      @active[Thread.current]
++      @active.key?(Thread.current)
+     end
+ 
+     def run! # :nodoc:
+-      self.class.active[Thread.current] = true
++      self.class.active[Thread.current] = self
+       run_callbacks(:run)
+     end
+ 
+-- 
+2.43.0
+

rubygem-activesupport.spec

@@ -3,7 +3,7 @@
 Name:                rubygem-%{gem_name}
 Epoch:               2
 Version:             5.2.4.4
-Release:             3
+Release:             4
 Summary:             A support libraries and Ruby core extensions extracted from the Rails framework
 License:             MIT
 URL:                 http://rubyonrails.org
@@ -11,6 +11,11 @@ Source0:             https://rubygems.org/gems/activesupport-5.2.4.4.gem
 Source1:             https://github.com/rails/rails/archive/v5.2.4.4.tar.gz
 Patch0:              CVE-2023-22796.patch
 Patch1:              CVE-2023-38037.patch
+
+# https://github.com/rails/rails/commit/676ad96fa5d9d0213babc32c9bad8190597a00d1
+# https://github.com/rails/rails/commit/07d9600172a18b45791c89e95a642e13fc367545
+Patch3000:           CVE-2022-23633.patch
+
 Requires:            rubygem(bigdecimal) rubygem(json)
 BuildRequires:       ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder)
 BuildRequires:       rubygem(concurrent-ruby) rubygem(connection_pool) rubygem(dalli)
@@ -33,6 +38,7 @@ Documentation for %{name}.
 %setup -q -n %{gem_name}-%{version}
 %patch0 -p2
 %patch1 -p1
+%patch3000 -p1
 
 %build
 gem build ../%{gem_name}-%{version}.gemspec
@@ -76,6 +82,12 @@ popd
 %doc %{gem_instdir}/README.rdoc
 
 %changelog
+* Tue Jun 25 2024 zouzhimin <zouzhimin@kylinos.cn> - 2:5.2.4.4-4
+- Type:CVES
+- ID:CVE-2022-23633
+- SUG:NA
+- DESC:fix CVE-2022-23633
+
 * Mon Sep 11 2023 wangkai <13474090681@163.com> - 2:5.2.4.4-3
 - Fix CVE-2023-38037