diff --git a/backport-Use-File.open-instead-of-Kernel-open.patch b/backport-Use-File.open-instead-of-Kernel-open.patch new file mode 100644 index 0000000000000000000000000000000000000000..c00a9cb83ec178570240ebd2d2a35b16ad8f99d4 --- /dev/null +++ b/backport-Use-File.open-instead-of-Kernel-open.patch @@ -0,0 +1,405 @@ +From 4a8c6ba6c4bd65a96949b994f4e10f2ac3342262 Mon Sep 17 00:00:00 2001 +From: SHIBATA Hiroshi +Date: Fri, 5 Jan 2018 16:10:12 +0900 +Subject: [PATCH] Use `File.open` instead of `Kernel#open`. + + We should use safety method. +--- + lib/rdoc/encoding.rb | 2 +- + lib/rdoc/erbio.rb | 2 +- + lib/rdoc/options.rb | 2 +- + lib/rdoc/parser.rb | 2 +- + lib/rdoc/rdoc.rb | 4 ++-- + lib/rdoc/ri/driver.rb | 2 +- + lib/rdoc/store.rb | 8 ++++---- + test/rdoc/test_rdoc_parser.rb | 18 +++++++++--------- + test/rdoc/test_rdoc_rdoc.rb | 18 +++++++++--------- + test/rdoc/test_rdoc_ri_paths.rb | 2 +- + test/rdoc/test_rdoc_servlet.rb | 2 +- + test/rdoc/test_rdoc_store.rb | 12 ++++++------ + 12 files changed, 37 insertions(+), 37 deletions(-) + +diff --git a/lib/rdoc/encoding.rb b/lib/rdoc/encoding.rb +index 54ecd89..c277efb 100644 +--- a/lib/rdoc/encoding.rb ++++ b/lib/rdoc/encoding.rb +@@ -18,7 +18,7 @@ module RDoc::Encoding + # unknown character in the target encoding will be replaced with '?' + + def self.read_file filename, encoding, force_transcode = false +- content = open filename, "rb" do |f| f.read end ++ content = File.open filename, "rb" do |f| f.read end + content.gsub!("\r\n", "\n") if RUBY_PLATFORM =~ /mswin|mingw/ + + utf8 = content.sub!(/\A\xef\xbb\xbf/, '') +diff --git a/lib/rdoc/erbio.rb b/lib/rdoc/erbio.rb +index 42ce895..29a9db5 100644 +--- a/lib/rdoc/erbio.rb ++++ b/lib/rdoc/erbio.rb +@@ -9,7 +9,7 @@ require 'erb' + # + # erbio = RDoc::ERBIO.new '<%= "hello world" %>', nil, nil + # +-# open 'hello.txt', 'w' do |io| ++# File.open 'hello.txt', 'w' do |io| + # erbio.result binding + # end + # +diff --git a/lib/rdoc/options.rb b/lib/rdoc/options.rb +index 17bbca8..99d7aaa 100644 +--- a/lib/rdoc/options.rb ++++ b/lib/rdoc/options.rb +@@ -1217,7 +1217,7 @@ Usage: #{opt.program_name} [options] [names...] + def write_options + RDoc.load_yaml + +- open '.rdoc_options', 'w' do |io| ++ File.open '.rdoc_options', 'w' do |io| + io.set_encoding Encoding::UTF_8 + + YAML.dump self, io +diff --git a/lib/rdoc/parser.rb b/lib/rdoc/parser.rb +index 2b826d9..597bcd6 100644 +--- a/lib/rdoc/parser.rb ++++ b/lib/rdoc/parser.rb +@@ -139,7 +139,7 @@ class RDoc::Parser + # Returns the file type from the modeline in +file_name+ + + def self.check_modeline file_name +- line = open file_name do |io| ++ line = File.open file_name do |io| + io.gets + end + +diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb +index e0a45b8..0089fe9 100644 +--- a/lib/rdoc/rdoc.rb ++++ b/lib/rdoc/rdoc.rb +@@ -189,7 +189,7 @@ class RDoc::RDoc + error "#{dir} exists and is not a directory" unless File.directory? dir + + begin +- open flag_file do |io| ++ File.open flag_file do |io| + unless force then + Time.parse io.gets + +@@ -234,7 +234,7 @@ option) + def update_output_dir(op_dir, time, last = {}) + return if @options.dry_run or not @options.update_output_dir + +- open output_flag_file(op_dir), "w" do |f| ++ File.open output_flag_file(op_dir), "w" do |f| + f.puts time.rfc2822 + last.each do |n, t| + f.puts "#{n}\t#{t.rfc2822}" +diff --git a/lib/rdoc/ri/driver.rb b/lib/rdoc/ri/driver.rb +index fa0e040..6b44384 100644 +--- a/lib/rdoc/ri/driver.rb ++++ b/lib/rdoc/ri/driver.rb +@@ -110,7 +110,7 @@ class RDoc::RI::Driver + def self.dump data_path + require 'pp' + +- open data_path, 'rb' do |io| ++ File.open data_path, 'rb' do |io| + pp Marshal.load(io.read) + end + end +diff --git a/lib/rdoc/store.rb b/lib/rdoc/store.rb +index 07d03e9..f892df3 100644 +--- a/lib/rdoc/store.rb ++++ b/lib/rdoc/store.rb +@@ -768,7 +768,7 @@ class RDoc::Store + + marshal = Marshal.dump @cache + +- open cache_path, 'wb' do |io| ++ File.open cache_path, 'wb' do |io| + io.write marshal + end + end +@@ -844,7 +844,7 @@ class RDoc::Store + + marshal = Marshal.dump klass + +- open path, 'wb' do |io| ++ File.open path, 'wb' do |io| + io.write marshal + end + end +@@ -869,7 +869,7 @@ class RDoc::Store + + marshal = Marshal.dump method + +- open method_file(full_name, method.full_name), 'wb' do |io| ++ File.open method_file(full_name, method.full_name), 'wb' do |io| + io.write marshal + end + end +@@ -891,7 +891,7 @@ class RDoc::Store + + marshal = Marshal.dump page + +- open path, 'wb' do |io| ++ File.open path, 'wb' do |io| + io.write marshal + end + end +diff --git a/test/rdoc/test_rdoc_parser.rb b/test/rdoc/test_rdoc_parser.rb +index 5d4da7e..2cd0394 100644 +--- a/test/rdoc/test_rdoc_parser.rb ++++ b/test/rdoc/test_rdoc_parser.rb +@@ -19,7 +19,7 @@ class TestRDocParser < RDoc::TestCase + def test_class_binary_eh_ISO_2022_JP + iso_2022_jp = File.join Dir.tmpdir, "test_rdoc_parser_#{$$}.rd" + +- open iso_2022_jp, 'wb' do |io| ++ File.open iso_2022_jp, 'wb' do |io| + io.write "# coding: ISO-2022-JP\n" + io.write ":\e$B%3%^%s%I\e(B:\n" + end +@@ -31,7 +31,7 @@ class TestRDocParser < RDoc::TestCase + + def test_class_binary_eh_marshal + marshal = File.join Dir.tmpdir, "test_rdoc_parser_#{$$}.marshal" +- open marshal, 'wb' do |io| ++ File.open marshal, 'wb' do |io| + io.write Marshal.dump('') + io.write 'lots of text ' * 500 + end +@@ -92,7 +92,7 @@ class TestRDocParser < RDoc::TestCase + def test_class_for_executable + temp_dir do + content = "#!/usr/bin/env ruby -w\n" +- open 'app', 'w' do |io| io.write content end ++ File.open 'app', 'w' do |io| io.write content end + app = @store.add_file 'app' + + parser = @RP.for app, 'app', content, @options, :stats +@@ -126,7 +126,7 @@ class TestRDocParser < RDoc::TestCase + temp_dir do + content = "# -*- rdoc -*-\n= NEWS\n" + +- open 'NEWS', 'w' do |io| io.write content end ++ File.open 'NEWS', 'w' do |io| io.write content end + app = @store.add_file 'NEWS' + + parser = @RP.for app, 'NEWS', content, @options, :stats +@@ -140,7 +140,7 @@ class TestRDocParser < RDoc::TestCase + def test_can_parse_modeline + readme_ext = File.join Dir.tmpdir, "README.EXT.#{$$}" + +- open readme_ext, 'w' do |io| ++ File.open readme_ext, 'w' do |io| + io.puts "# README.EXT - -*- rdoc -*- created at: Mon Aug 7 16:45:54 JST 1995" + io.puts + io.puts "This document explains how to make extension libraries for Ruby." +@@ -162,7 +162,7 @@ class TestRDocParser < RDoc::TestCase + def test_check_modeline + readme_ext = File.join Dir.tmpdir, "README.EXT.#{$$}" + +- open readme_ext, 'w' do |io| ++ File.open readme_ext, 'w' do |io| + io.puts "# README.EXT - -*- RDoc -*- created at: Mon Aug 7 16:45:54 JST 1995" + io.puts + io.puts "This document explains how to make extension libraries for Ruby." +@@ -176,7 +176,7 @@ class TestRDocParser < RDoc::TestCase + def test_check_modeline_coding + readme_ext = File.join Dir.tmpdir, "README.EXT.#{$$}" + +- open readme_ext, 'w' do |io| ++ File.open readme_ext, 'w' do |io| + io.puts "# -*- coding: utf-8 -*-" + end + +@@ -188,7 +188,7 @@ class TestRDocParser < RDoc::TestCase + def test_check_modeline_with_other + readme_ext = File.join Dir.tmpdir, "README.EXT.#{$$}" + +- open readme_ext, 'w' do |io| ++ File.open readme_ext, 'w' do |io| + io.puts "# README.EXT - -*- mode: RDoc; indent-tabs-mode: nil -*-" + io.puts + io.puts "This document explains how to make extension libraries for Ruby." +@@ -202,7 +202,7 @@ class TestRDocParser < RDoc::TestCase + def test_check_modeline_no_modeline + readme_ext = File.join Dir.tmpdir, "README.EXT.#{$$}" + +- open readme_ext, 'w' do |io| ++ File.open readme_ext, 'w' do |io| + io.puts "This document explains how to make extension libraries for Ruby." + end + +diff --git a/test/rdoc/test_rdoc_rdoc.rb b/test/rdoc/test_rdoc_rdoc.rb +index 07541df..c9b55fa 100644 +--- a/test/rdoc/test_rdoc_rdoc.rb ++++ b/test/rdoc/test_rdoc_rdoc.rb +@@ -115,7 +115,7 @@ class TestRDocRDoc < RDoc::TestCase + + def test_load_options_invalid + temp_dir do +- open '.rdoc_options', 'w' do |io| ++ File.open '.rdoc_options', 'w' do |io| + io.write "a: !ruby.yaml.org,2002:str |\nfoo" + end + +@@ -187,7 +187,7 @@ class TestRDocRDoc < RDoc::TestCase + temp_dir do |dir| + @rdoc.options.root = Pathname(Dir.pwd) + +- open 'test.txt', 'w' do |io| ++ File.open 'test.txt', 'w' do |io| + io.puts 'hi' + end + +@@ -223,7 +223,7 @@ class TestRDocRDoc < RDoc::TestCase + temp_dir do |dir| + @rdoc.options.parse %W[--root #{test_path}] + +- open 'include.txt', 'w' do |io| ++ File.open 'include.txt', 'w' do |io| + io.puts ':include: test.txt' + end + +@@ -244,7 +244,7 @@ class TestRDocRDoc < RDoc::TestCase + @rdoc.options.page_dir = Pathname('pages') + @rdoc.options.root = Pathname(Dir.pwd) + +- open 'pages/test.txt', 'w' do |io| ++ File.open 'pages/test.txt', 'w' do |io| + io.puts 'hi' + end + +@@ -263,7 +263,7 @@ class TestRDocRDoc < RDoc::TestCase + temp_dir do |dir| + @rdoc.options.root = Pathname(dir) + +- open 'test.txt', 'w' do |io| ++ File.open 'test.txt', 'w' do |io| + io.puts 'hi' + end + +@@ -340,7 +340,7 @@ class TestRDocRDoc < RDoc::TestCase + + def test_remove_unparseable_tags_emacs + temp_dir do +- open 'TAGS', 'wb' do |io| # emacs ++ File.open 'TAGS', 'wb' do |io| # emacs + io.write "\f\nlib/foo.rb,43\n" + end + +@@ -354,7 +354,7 @@ class TestRDocRDoc < RDoc::TestCase + + def test_remove_unparseable_tags_vim + temp_dir do +- open 'TAGS', 'w' do |io| # emacs ++ File.open 'TAGS', 'w' do |io| # emacs + io.write "!_TAG_" + end + +@@ -405,7 +405,7 @@ class TestRDocRDoc < RDoc::TestCase + + def test_setup_output_dir_exists + Dir.mktmpdir {|path| +- open @rdoc.output_flag_file(path), 'w' do |io| ++ File.open @rdoc.output_flag_file(path), 'w' do |io| + io.puts Time.at 0 + io.puts "./lib/rdoc.rb\t#{Time.at 86400}" + end +@@ -419,7 +419,7 @@ class TestRDocRDoc < RDoc::TestCase + + def test_setup_output_dir_exists_empty_created_rid + Dir.mktmpdir {|path| +- open @rdoc.output_flag_file(path), 'w' do end ++ File.open @rdoc.output_flag_file(path), 'w' do end + + e = assert_raises RDoc::Error do + @rdoc.setup_output_dir path, false +diff --git a/test/rdoc/test_rdoc_ri_paths.rb b/test/rdoc/test_rdoc_ri_paths.rb +index b0f3683..0e00fd4 100644 +--- a/test/rdoc/test_rdoc_ri_paths.rb ++++ b/test/rdoc/test_rdoc_ri_paths.rb +@@ -22,7 +22,7 @@ class TestRDocRIPaths < RDoc::TestCase + specs.each do |spec| + spec.loaded_from = spec.spec_file + +- open spec.spec_file, 'w' do |file| ++ File.open spec.spec_file, 'w' do |file| + file.write spec.to_ruby_for_cache + end + +diff --git a/test/rdoc/test_rdoc_servlet.rb b/test/rdoc/test_rdoc_servlet.rb +index 4dd1f08..414f3e9 100644 +--- a/test/rdoc/test_rdoc_servlet.rb ++++ b/test/rdoc/test_rdoc_servlet.rb +@@ -69,7 +69,7 @@ class TestRDocServlet < RDoc::TestCase + FileUtils.mkdir 'css' + + now = Time.now +- open 'css/rdoc.css', 'w' do |io| io.write 'h1 { color: red }' end ++ File.open 'css/rdoc.css', 'w' do |io| io.write 'h1 { color: red }' end + File.utime now, now, 'css/rdoc.css' + + @s.asset_dirs[:darkfish] = '.' +diff --git a/test/rdoc/test_rdoc_store.rb b/test/rdoc/test_rdoc_store.rb +index 4a4cf3a..0e5bcf6 100644 +--- a/test/rdoc/test_rdoc_store.rb ++++ b/test/rdoc/test_rdoc_store.rb +@@ -407,7 +407,7 @@ class TestRDocStore < XrefTestCase + + Dir.mkdir @tmpdir + +- open File.join(@tmpdir, 'cache.ri'), 'wb' do |io| ++ File.open File.join(@tmpdir, 'cache.ri'), 'wb' do |io| + Marshal.dump cache, io + end + +@@ -441,7 +441,7 @@ class TestRDocStore < XrefTestCase + + Dir.mkdir @tmpdir + +- open File.join(@tmpdir, 'cache.ri'), 'wb' do |io| ++ File.open File.join(@tmpdir, 'cache.ri'), 'wb' do |io| + Marshal.dump cache, io + end + +@@ -490,7 +490,7 @@ class TestRDocStore < XrefTestCase + + Dir.mkdir @tmpdir + +- open File.join(@tmpdir, 'cache.ri'), 'wb' do |io| ++ File.open File.join(@tmpdir, 'cache.ri'), 'wb' do |io| + Marshal.dump cache, io + end + +@@ -538,7 +538,7 @@ class TestRDocStore < XrefTestCase + + file = @s.method_file @klass.full_name, @meth.full_name + +- open file, 'wb' do |io| ++ File.open file, 'wb' do |io| + io.write "\x04\bU:\x14RDoc::AnyMethod[\x0Fi\x00I" + + "\"\vmethod\x06:\x06EF\"\x11Klass#method0:\vpublic" + + "o:\eRDoc::Markup::Document\x06:\v@parts[\x06" + +@@ -633,7 +633,7 @@ class TestRDocStore < XrefTestCase + + expected[:ancestors]['Object'] = %w[BasicObject] + +- open File.join(@tmpdir, 'cache.ri'), 'rb' do |io| ++ File.open File.join(@tmpdir, 'cache.ri'), 'rb' do |io| + cache = Marshal.load io.read + + assert_equal expected, cache +@@ -701,7 +701,7 @@ class TestRDocStore < XrefTestCase + + expected[:ancestors]['Object'] = %w[BasicObject] + +- open File.join(@tmpdir, 'cache.ri'), 'rb' do |io| ++ File.open File.join(@tmpdir, 'cache.ri'), 'rb' do |io| + cache = Marshal.load io.read + + assert_equal expected, cache +-- +2.27.0 + diff --git a/ruby.spec b/ruby.spec index 440416be85e824e7e8970b25ced684b39f61175f..4b2f5608031e02d0f1a1576bf4c4b89a2d35562f 100644 --- a/ruby.spec +++ b/ruby.spec @@ -1,6 +1,6 @@ Name: ruby Version: 2.5.8 -Release: 122 +Release: 123 Summary: Object-oriented scripting language interpreter License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD URL: https://www.ruby-lang.org/ @@ -60,6 +60,7 @@ Patch6016: backport-CVE-2024-27280.patch Patch6017: backport-CVE-2024-27281-Filter-marshaled-objects.patch Patch6018: backport-CVE-2024-27281-Use-safe_load-for-.rdoc_options.patch Patch6019: backport-CVE-2024-27281-Fix-NoMethodError-for-start_with.patch +Patch6020: backport-Use-File.open-instead-of-Kernel-open.patch Provides: %{name}-libs = %{version}-%{release} Obsoletes: %{name}-libs < %{version}-%{release} @@ -597,6 +598,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13} %exclude %{gem_dir}/gems/xmlrpc-0.3.0/.* %changelog +* Sun Apr 07 2024 shixuantong - 2.5.8-123 +- Use File.open instead of Kernel#open to avoid potential security risks + * Sat Mar 30 2024 shixuantong - 2.5.8-122 - fix CVE-2024-27281