!12 Fix CVE-2022-31163

From: @wk333 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git

CVE-2022-31163.patch

@@ -0,0 +1,66 @@
+From 9905ca93abf7bf3e387bd592406e403cd18334c7 Mon Sep 17 00:00:00 2001
+From: Tobias Kraze <tobias.kraze@makandra.de>
+Date: Mon, 11 Jul 2022 09:54:12 +0200
+Subject: [PATCH] Fix directory traversal in Timezone.get when using Ruby data
+ source
+
+origin: https://github.com/tzinfo/tzinfo/commit/9905ca93abf7bf3e387bd592406e403cd18334c7
+
+---
+ lib/tzinfo/ruby_data_source.rb | 2 +-
+ test/assets/payload.rb         | 1 +
+ test/tc_ruby_data_source.rb    | 6 ++++++
+ test/tc_timezone.rb            | 2 +-
+ 4 files changed, 9 insertions(+), 2 deletions(-)
+ create mode 100644 test/assets/payload.rb
+
+diff --git a/lib/tzinfo/ruby_data_source.rb b/lib/tzinfo/ruby_data_source.rb
+index b5a67524..b8a34e78 100644
+--- a/lib/tzinfo/ruby_data_source.rb
++++ b/lib/tzinfo/ruby_data_source.rb
+@@ -38,7 +38,7 @@ def initialize
+     # Raises InvalidTimezoneIdentifier if the timezone is not found or the 
+     # identifier is invalid.
+     def load_timezone_info(identifier)
+-      raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /^[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*$/
++      raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /\A[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*\z/
+       
+       identifier = identifier.gsub(/-/, '__m__').gsub(/\+/, '__p__')
+       
+diff --git a/test/assets/payload.rb b/test/assets/payload.rb
+new file mode 100644
+index 00000000..7ad83fc9
+--- /dev/null
++++ b/test/assets/payload.rb
+@@ -0,0 +1 @@
++raise 'This should never be executed'
+diff --git a/test/tc_ruby_data_source.rb b/test/tc_ruby_data_source.rb
+index 790dd8eb..9bd069a4 100644
+--- a/test/tc_ruby_data_source.rb
++++ b/test/tc_ruby_data_source.rb
+@@ -51,6 +51,12 @@ def test_load_timezone_info_invalid
+       @data_source.load_timezone_info('../Definitions/UTC')
+     end
+   end
++
++  def test_load_timezone_info_directory_traversal
++    test_data_depth = TZINFO_TEST_DATA_DIR.scan('/').size
++    payload_path = File.join(TESTS_DIR, 'assets', 'payload')
++    assert_raises(InvalidTimezoneIdentifier) { Timezone.get("foo\n#{'/..' * (test_data_depth + 4)}#{payload_path}") }
++  end
+   
+   def test_load_timezone_info_nil
+     assert_raises(InvalidTimezoneIdentifier) do
+diff --git a/test/tc_timezone.rb b/test/tc_timezone.rb
+index 0dc06111..5f4614d3 100644
+--- a/test/tc_timezone.rb
++++ b/test/tc_timezone.rb
+@@ -213,7 +213,7 @@ def test_get_not_exist
+   end
+   
+   def test_get_invalid
+-    assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../Definitions/UTC') }
++    assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../definitions/UTC') }
+   end
+   
+   def test_get_nil

rubygem-tzinfo.spec

@@ -2,11 +2,12 @@
 %global gem_name tzinfo
 Name:                rubygem-%{gem_name}
 Version:             1.2.5
-Release:             2
+Release:             3
 Summary:             Daylight savings aware timezone library
 License:             MIT
 URL:                 http://tzinfo.github.io
 Source0:             https://rubygems.org/gems/tzinfo-%{version}.gem
+Patch0:              CVE-2022-31163.patch
 BuildRequires:       ruby(release) rubygems-devel ruby rubygem(minitest) rubygem(thread_safe)
 BuildArch:           noarch
 %description
@@ -21,7 +22,7 @@ BuildArch:           noarch
 Documentation for %{name}.
 
 %prep
-%setup -q -n %{gem_name}-%{version}
+%autosetup -n %{gem_name}-%{version} -p1
 
 %build
 gem build ../%{gem_name}-%{version}.gemspec
@@ -57,6 +58,9 @@ popd
 %{gem_instdir}/%{gem_name}.gemspec
 
 %changelog
+* Fri Mar 29 2024 wangkai <13474090681@163.com> - 1.2.5-3
+- Fix CVE-2022-31163
+
 * Sat Sep 5 2020 liyanan <liyanan32@huawei.com> - 1.2.5-2
 - fix build fail