!15 [sync] PR-14: Fix build error

From: @openeuler-sync-bot 
Reviewed-by: @small_leek 
Signed-off-by: @small_leek

CVE-2019-13574-1.patch

@@ -0,0 +1,47 @@
+From 4cd5081e58810d3394d27a67219e8e4e0445d851 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Janko=20Marohni=C4=87?= <janko.marohnic@gmail.com>
+Date: Sun, 26 May 2019 17:30:14 +0200
+Subject: [PATCH] Don't allow remote shell execution
+
+Kernel#open accepts a string of format "| <shell command>" which
+executes the specified shell command and otherwise presumably acts as
+IO.popen. The open-uri standard library overrides Kernel#open to also
+accept URLs.
+
+However, the overridden Kernel#open just delegates to URI#open, so we
+switch to using that directly and avoid the remote shell execution
+vulnerability. For files we just use File.open, which should have the
+same behaviour as Kernel#open.
+---
+ lib/mini_magick/image.rb           | 14 ++++++--------
+ spec/lib/mini_magick/image_spec.rb |  8 ++++++++
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/lib/mini_magick/image.rb b/lib/mini_magick/image.rb
+index a1f47c6..0ac4780 100644
+--- a/lib/mini_magick/image.rb
++++ b/lib/mini_magick/image.rb
+@@ -82,17 +82,15 @@ def self.import_pixels(blob, columns, rows, depth, map, format = 'png')
+     def self.open(path_or_url, ext = nil, options = {})
+       options, ext = ext, nil if ext.is_a?(Hash)
+ 
+-      ext ||=
+-        if File.exist?(path_or_url)
+-          File.extname(path_or_url)
+-        else
+-          File.extname(URI(path_or_url).path)
+-        end
++      uri = URI(path_or_url.to_s)
+ 
++      ext ||= File.extname(uri.path)
+       ext.sub!(/:.*/, '') # hack for filenames or URLs that include a colon
+ 
+-      Kernel.open(path_or_url, "rb", options) do |file|
+-        read(file, ext)
++      if uri.is_a?(URI::HTTP) || uri.is_a?(URI::FTP)
++        uri.open(options) { |file| read(file, ext) }
++      else
++        File.open(uri.to_s, "rb", options) { |file| read(file, ext) }
+       end
+     end
+ 

CVE-2019-13574-2.patch

@@ -0,0 +1,66 @@
+From 4cd5081e58810d3394d27a67219e8e4e0445d851 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Janko=20Marohni=C4=87?= <janko.marohnic@gmail.com>
+Date: Sun, 26 May 2019 17:30:14 +0200
+Subject: [PATCH] Don't allow remote shell execution
+
+Kernel#open accepts a string of format "| <shell command>" which
+executes the specified shell command and otherwise presumably acts as
+IO.popen. The open-uri standard library overrides Kernel#open to also
+accept URLs.
+
+However, the overridden Kernel#open just delegates to URI#open, so we
+switch to using that directly and avoid the remote shell execution
+vulnerability. For files we just use File.open, which should have the
+same behaviour as Kernel#open.
+---
+ lib/mini_magick/image.rb           | 14 ++++++--------
+ spec/lib/mini_magick/image_spec.rb |  8 ++++++++
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/lib/mini_magick/image.rb b/lib/mini_magick/image.rb
+index a1f47c6..0ac4780 100644
+--- a/lib/mini_magick/image.rb
++++ b/lib/mini_magick/image.rb
+@@ -82,17 +82,15 @@ def self.import_pixels(blob, columns, rows, depth, map, format = 'png')
+     def self.open(path_or_url, ext = nil, options = {})
+       options, ext = ext, nil if ext.is_a?(Hash)
+ 
+-      ext ||=
+-        if File.exist?(path_or_url)
+-          File.extname(path_or_url)
+-        else
+-          File.extname(URI(path_or_url).path)
+-        end
++      uri = URI(path_or_url.to_s)
+ 
++      ext ||= File.extname(uri.path)
+       ext.sub!(/:.*/, '') # hack for filenames or URLs that include a colon
+ 
+-      Kernel.open(path_or_url, "rb", options) do |file|
+-        read(file, ext)
++      if uri.is_a?(URI::HTTP) || uri.is_a?(URI::FTP)
++        uri.open(options) { |file| read(file, ext) }
++      else
++        File.open(uri.to_s, "rb", options) { |file| read(file, ext) }
+       end
+     end
+ 
+diff --git a/spec/lib/mini_magick/image_spec.rb b/spec/lib/mini_magick/image_spec.rb
+index 192d834..00f9cb0 100644
+--- a/spec/lib/mini_magick/image_spec.rb
++++ b/spec/lib/mini_magick/image_spec.rb
+@@ -76,6 +76,14 @@
+           expect(File.extname(image.path)).to eq ".jpg"
+         end
+ 
++        it "doesn't allow remote shell execution" do
++          expect {
++            described_class.open("| touch file.txt") # Kernel#open accepts this
++          }.to raise_error(URI::InvalidURIError)
++
++          expect(File.exist?("file.txt")).to eq(false)
++        end
++
+         it "accepts open-uri options" do
+           stub_request(:get, "http://example.com/image.jpg")
+             .with(headers: {"Foo" => "Bar"})

Remove-failing-spec.patch

@@ -0,0 +1,51 @@
+From 448350a04ae278dc42d35f45b53845a97e9f2138 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Janko=20Marohni=C4=87?= <janko.marohnic@gmail.com>
+Date: Wed, 7 Dec 2022 09:33:28 +0100
+Subject: [PATCH] Remove failing spec
+
+1) With ImageMagick MiniMagick::Image#details when verbose information includes a clipping path does not hang when parsing verbose data
+   Failure/Error: details_hash[last_key] << line
+
+   NoMethodError:
+     undefined method `<<' for {"8BIM:1999,2998:#1"=>"<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>"}:Hash
+
+                   details_hash[last_key] << line
+                                          ^^
+     Did you mean?  <
+   # ./lib/mini_magick/image/info.rb:149:in `block in details'
+   # ./lib/mini_magick/image/info.rb:138:in `each'
+   # ./lib/mini_magick/image/info.rb:138:in `each_with_object'
+   # ./lib/mini_magick/image/info.rb:138:in `details'
+   # ./lib/mini_magick/image/info.rb:31:in `[]'
+   # ./lib/mini_magick/image.rb:145:in `block in attribute'
+   # ./spec/lib/mini_magick/image_spec.rb:508:in `block (7 levels) in <top (required)>'
+   # ./spec/lib/mini_magick/image_spec.rb:507:in `block (6 levels) in <top (required)>'
+   # ./spec/spec_helper.rb:19:in `block (3 levels) in <top (required)>'
+---
+ spec/lib/mini_magick/image_spec.rb | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+diff --git a/spec/lib/mini_magick/image_spec.rb b/spec/lib/mini_magick/image_spec.rb
+index f327981..9537f01 100644
+--- a/spec/lib/mini_magick/image_spec.rb
++++ b/spec/lib/mini_magick/image_spec.rb
+@@ -496,19 +496,6 @@ def create(path = image_path)
+             expect(subject.details).not_to have_key("Software")
+           end
+         end
+-
+-        # GraphicsMagick does not output the clipping path
+-        context "when verbose information includes a clipping path", skip_cli: :graphicsmagick do
+-          subject { described_class.new(image_path(:clipping_path)) }
+-
+-          it "does not hang when parsing verbose data" do
+-            # Retrieving .details should happen very quickly but as of v4.3.6
+-            # will hang indefinitely without the timeout
+-            Timeout::timeout(10) do
+-              expect(subject.details['Clipping path'][0..4]).to eq "<?xml"
+-            end
+-          end
+-        end
+       end
+ 
+       describe "#data" do

rubygem-mini_magick.spec

@@ -1,14 +1,21 @@
 %global gem_name mini_magick
 Name:                rubygem-%{gem_name}
 Version:             4.8.0
-Release:             1
+Release:             4
 Summary:             Manipulate images with minimal use of memory via ImageMagick
 License:             MIT
 URL:                 https://github.com/minimagick/minimagick
 Source0:             https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Source1:             https://github.com/minimagick/minimagick/archive/v%{version}.tar.gz
+# Use smallcase for MiniMagick::Image#details
+# https://github.com/minimagick/minimagick/pull/454/
 Patch0:              mini_magick-4.8.0-Use-smallcase-for-Image-details-in-tests.patch
+# Match new `identify` error message
+# https://github.com/minimagick/minimagick/pull/455/
 Patch1:              mini_magick-4.8.0-match-new-identify-error-message-in-tests.patch
+Patch2:              CVE-2019-13574-1.patch
+Patch3:              CVE-2019-13574-2.patch
+Patch4:              Remove-failing-spec.patch
 Requires:            ImageMagick
 BuildRequires:       ruby(release) rubygems-devel ruby rubygem(rspec) rubygem(webmock) ImageMagick
 BuildArch:           noarch
@@ -27,7 +34,7 @@ Documentation for %{name}.
 
 %prep
 %setup -q -n %{gem_name}-%{version}
-ln -s minimagick-%{version}/spec spec
+%patch2 -p1
 
 %build
 gem build ../%{gem_name}-%{version}.gemspec
@@ -41,8 +48,11 @@ cp -a .%{gem_dir}/* \
 %check
 pushd .%{gem_instdir}
 tar xzvf %{SOURCE1}
+cd  minimagick-%{version}
 cat %{PATCH0} | patch -p1
 cat %{PATCH1} | patch -p1
+cat %{PATCH3} | patch -p1
+cat %{PATCH4} | patch -p1
 sed -i -e '/require "pry"/ s/^/#/g' \
        -e '/require "bundler/ s/^/#/g' \
   spec/spec_helper.rb
@@ -68,5 +78,14 @@ popd
 %{gem_instdir}/Rakefile
 
 %changelog
+* Tue Dec 13 2022 yaoxin <yaoxin30@h-partners.com> - 4.8.0-4
+- Fix build error
+
+* Tue Apr 13 2021 wangxiao65 <wangxiao65@huawei.com> - 4.8.0-3
+- Fix CVE-2019-13574
+
+* Tue Sep 8 2020 yanan li <liyanan032@huawei.com> - 4.8.0-2
+- fix build fail
+
 * Wed Aug 19 2020 geyanan <geyanan2@huawei.com> - 4.8.0-1
 - package init

rubygem-mini_magick.yaml

@@ -1,4 +1,4 @@
-version_control:github
-src_repo:/minimagick/minimagick
-tag_prefix:"v"
-seperator:"."
+version_control: github
+src_repo: minimagick/minimagick
+tag_prefix: "v"
+separator: "."