diff --git a/SOURCES/ruby-2.6.8-rdoc-6.1.2.1-command-injection-vulnerability.patch b/SOURCES/ruby-2.6.8-rdoc-6.1.2.1-command-injection-vulnerability.patch
index 29b0a96..2cca400 100644
--- a/SOURCES/ruby-2.6.8-rdoc-6.1.2.1-command-injection-vulnerability.patch
+++ b/SOURCES/ruby-2.6.8-rdoc-6.1.2.1-command-injection-vulnerability.patch
@@ -26,6 +26,43 @@ index ca2c1abefd..46aace7839 100644
 io.read(100) =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/
 })
 end
+--- a/lib/rdoc/encoding.rb 2022-02-16 16:51:28.080178281 +0100
++++ b/lib/rdoc/encoding.rb 2022-02-16 16:51:37.108160840 +0100
+@@ -18,7 +18,7 @@
+ # unknown character in the target encoding will be replaced with '?'
+ 
+ def self.read_file filename, encoding, force_transcode = false
+- content = open filename, "rb" do |f| f.read end
++ content = File.open filename, "rb" do |f| f.read end
+ content.gsub!("\r\n", "\n") if RUBY_PLATFORM =~ /mswin|mingw/
+ 
+ utf8 = content.sub!(/\A\xef\xbb\xbf/, '')
+--- a/lib/rdoc/parser.rb 2021-04-05 13:46:35.000000000 +0200
++++ b/lib/rdoc/parser.rb 2022-02-16 15:37:17.904822389 +0100
+@@ -74,7 +74,12 @@
+ def self.binary?(file)
+ return false if file =~ /\.(rdoc|txt)$/
+ 
+- s = File.read(file, 1024) or return false
++ begin
++ open_file = File.open(file)
++ s = open_file.read(1024) or return false
++ ensure
++ open_file.close if open_file
++ end
+ 
+ return true if s[0, 2] == Marshal.dump('')[0, 2] or s.index("\x00")
+ 
+@@ -92,7 +97,8 @@
+ # http://www.garykessler.net/library/file_sigs.html
+ 
+ def self.zip? file
+- zip_signature = File.read file, 4
++ zip_signature = ''
++ File.open(file) { |f| zip_signature = f.read(4) }
+ 
+ zip_signature == "PK\x03\x04" or
+ zip_signature == "PK\x05\x06" or
 diff --git a/test/rdoc/test_rdoc_rdoc.rb b/test/rdoc/test_rdoc_rdoc.rb
 index 3bce54b243..123b1a4f87 100644
 --- a/test/rdoc/test_rdoc_rdoc.rb
diff --git a/SPECS/ruby.spec b/SPECS/ruby.spec
index d6ba9c7..d2cdffa 100644
--- a/SPECS/ruby.spec
+++ b/SPECS/ruby.spec
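Review bot: In the added parser.rb hunks, `binary?` and `zip?` hand-roll the same bounded read in two different shapes (an explicit `begin`/`ensure` with `open_file.close` in one, a pre-initialised `zip_signature = ''` overwritten inside a block in the other); the block form returns the read value and closes the handle itself, so `s = File.open(file) { |f| f.read(1024) } or return false` and `zip_signature = File.open(file) { |f| f.read(4) }` would cover both. None of the three changed call sites says why `File.open` is required, so a later cleanup could fold them back into `open`/`File.read`; a comment such as `# File.open never treats a leading "|" as a command; do not replace with Kernel#open or File.read` above each would pin the intent (the `File.read` half presumably depends on the Ruby version being packaged, so confirm before wording it). Only the header of the test/rdoc/test_rdoc_rdoc.rb section is visible here, so it is unclear whether a pipe-prefixed filename is exercised against `read_file`, `binary?` and `zip?`. All three method bodies continue outside the hunk.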
@@ -21,7 +21,7 @@
 %endif
-%global release 108
+%global release 109
 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
@@ -1142,6 +1142,10 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
 %{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec
 %changelog
+* Wed Feb 16 2022 Jarek Prokop - 2.5.9-109
+- Properly fix command injection vulnerability in Rdoc.
+ Related: CVE-2021-31799
+
 * Wed Feb 09 2022 Jarek Prokop - 2.5.9-108
 - Fix command injection vulnerability in RDoc.
 Resolves: CVE-2021-31799