CVE-2023-38037.patch

@@ -1,60 +0,0 @@
-From c85cc667ebfd3c270df37c7575d580ea6462e12f Mon Sep 17 00:00:00 2001
-From: Aaron Patterson <aaron@rubyonrails.org>
-Date: Tue, 22 Aug 2023 09:58:43 -0700
-Subject: [PATCH] Use a temporary file for storing unencrypted files while
- editing
-
-Origin: https://github.com/rails/rails/commit/c85cc667ebfd3c270df37c7575d580ea6462e12f
-
-When we're editing the contents of encrypted files, we should use the
-`Tempfile` class because it creates temporary files with restrictive
-permissions.  This prevents other users on the same system from reading
-the contents of those files while the user is editing them.
-
-[CVE-2023-38037]
----
- .../lib/active_support/encrypted_file.rb       | 17 ++++++++---------
- activesupport/test/encrypted_file_test.rb      |  8 ++++++++
- railties/lib/rails/secrets.rb                  | 18 ++++++++++--------
- 3 files changed, 26 insertions(+), 17 deletions(-)
-
-diff --git a/railties/lib/rails/secrets.rb b/railties/lib/rails/secrets.rb
-index 54ba53c03b981..913d5e57c1bfb 100644
---- a/railties/lib/rails/secrets.rb
-+++ b/railties/lib/rails/secrets.rb
-@@ -1,6 +1,7 @@
- # frozen_string_literal: true
- 
- require "yaml"
-+require "tempfile"
- require "active_support/message_encryptor"
- require "active_support/core_ext/string/strip"
- 
- module Rails
-@@ -87,17 +88,18 @@ def preprocess(path)
-         end
- 
-         def writing(contents)
--          tmp_file = "#{File.basename(path)}.#{Process.pid}"
--          tmp_path = File.join(Dir.tmpdir, tmp_file)
--          IO.binwrite(tmp_path, contents)
-+          file_name = "#{File.basename(path)}.#{Process.pid}"
- 
--          yield tmp_path
-+          Tempfile.create(["", "-" + file_name]) do |tmp_file|
-+            tmp_path = Pathname.new(tmp_file)
-+            tmp_path.binwrite contents
- 
--          updated_contents = IO.binread(tmp_path)
-+            yield tmp_path
- 
--          write(updated_contents) if updated_contents != contents
--        ensure
--          FileUtils.rm(tmp_path) if File.exist?(tmp_path)
-+            updated_contents = tmp_path.binread
-+
-+            write(updated_contents) if updated_contents != contents
-+          end
-         end
- 
-         def encryptor

rubygem-railties.spec

@@ -1,20 +1,15 @@
-%global gem_name railties
 %bcond_with  test
 %{?_with_bootstrap: %global bootstrap 1}
 %global bootstrap 1
 Name:                rubygem-%{gem_name}
-Version:             5.2.4.4
-Release:             5
+Version:             5.2.3
+Release:             2
 Summary:             Tools for creating, working with, and running Rails applications
 License:             MIT
 URL:                 http://rubyonrails.org
 Source0:             https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Source1:             https://github.com/rails/rails/archive/v%{version}.tar.gz
-# Check value of result.source_location in
-# test_unit/reporter.rb#format_rerun_snippet
-# https://github.com/rails/rails/pull/32297
 Patch0:              rubygem-railties-5.1.5-check-value-of-result-source-location.patch
-Patch1:              CVE-2023-38037.patch
 Suggests:            %{_bindir}/sqlite3
 BuildRequires:       ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(actioncable) = %{version}
 BuildRequires:       rubygem(actionmailer) = %{version} rubygem(actionpack) = %{version}
@@ -26,7 +21,6 @@ BuildRequires:       rubygem(thor) >= 0.18.1 rubygem(turbolinks) git
 %if ! 0%{?bootstrap}
 BuildRequires:       rubygem(jquery-rails) rubygem(uglifier) rubygem(rails) %{_bindir}/node
 %endif
-Requires:            rubygem(bundler) ruby-devel sqlite-devel
 BuildArch:           noarch
 %description
 Rails internals: application bootup, plugins, generators, and rake tasks.
@@ -47,7 +41,6 @@ Documentation for %{name}.
 %gem_install -n %{SOURCE0}
 pushd .%{gem_instdir}
 %patch0 -p2
-%patch1 -p2
 popd
 
 %build
@@ -160,18 +153,6 @@ popd
 %doc %{gem_instdir}/README.rdoc
 
 %changelog
-* Mon Sep 11 2023 wangkai <13474090681@163.com> - 5.2.4.4-5
-- Fix CVE-2023-38037
-
-* Tue Apr  6 2021 lingsheng <lingsheng@huawei.com> - 5.2.4.4-4
-- Add requires ruby-devel sqlite-devel
-
-* Tue Apr  6 2021 lingsheng <lingsheng@huawei.com> - 5.2.4.4-3
-- Add requires rubygem(bundler)
-
-* Mon Feb  8 2021 sunguoshuai <sunguoshuai@huawei.com> - 5.2.4.4-1
-- Upgrade to 5.2.4.4
-
 * Sat Sep 5 2020 liyanan <liyanan32@huawei.com> - 5.2.3-2
 - fix build fail