Fix CVE-2022-24836

CVE-2022-24836.patch

@@ -0,0 +1,16 @@
+diff --git a/lib/nokogiri/html/document.rb b/lib/nokogiri/html/document.rb
+index d3792bc..8fffa43 100644
+--- a/lib/nokogiri/html/document.rb
++++ b/lib/nokogiri/html/document.rb
+@@ -254,7 +254,7 @@ module Nokogiri
+           if Nokogiri.jruby? && EncodingReader.is_jruby_without_fix?
+             return EncodingReader.detect_encoding_for_jruby_without_fix(chunk)
+           end
+-          m = chunk.match(/\A(<\?xml[ \t\r\n]+[^>]*>)/) and
++          m = chunk.match(/\A(<\?xml[ \t\r\n][^>]*>)/) and
+             return Nokogiri.XML(m[1]).encoding
+ 
+           if Nokogiri.jruby?
+-- 
+2.27.0
+

rubygem-nokogiri.spec

@@ -7,7 +7,7 @@
 Summary:	An HTML, XML, SAX, and Reader parser
 Name:		rubygem-%{gem_name}
 Version:	%{mainver}
-Release:	4
+Release:	5
 License:	MIT
 URL:		https://nokogiri.org
 Source0:	https://rubygems.org/gems/%{gem_name}-%{mainver}%{?prever}.gem
@@ -19,6 +19,8 @@ Patch2:         CVE-2020-26247.patch
 Patch3:         CVE-2021-41098-1.patch
 Patch4:         CVE-2021-41098-2.patch
 Patch5:		fix-test-push-parser-fail.patch
+# refer https://github.com/sparklemotion/nokogiri/commit/e444525
+Patch6:         CVE-2022-24836.patch
 BuildRequires:  ruby(release) 	ruby(rubygems) 	rubygem(minitest) 	rubygems-devel
 Obsoletes:      ruby-%{gem_name} <= 1.5.2-2
 BuildRequires:  gcc 	rubygem(pkg-config) 	libxml2-devel 	libxslt-devel 	ruby-devel
@@ -66,6 +68,7 @@ cd $TOPDIR/%{gem_name}-%{version}
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 cd -
 
 gem specification -l --ruby %{SOURCE0} > %{gem_name}.gemspec
@@ -160,6 +163,9 @@ popd
 %{gem_dir}/doc/%{gem_name}-%{mainver}%{?prever}/
 
 %changelog
+* Sun Apr 24 2022 wangkai <wangkai385@huawei.com> - 1.10.5-5
+- Fix CVE-2022-24836
+
 * Thu Dec 9 2021 baizhonggui <baizhonggui@huawei.com> - 1.10.5-4
 - fix compile failed