From b6bdb10d504200e2661630f487eb063c8640d5b4 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Thu, 17 Oct 2024 20:11:08 +0800
Subject: [PATCH] Fix CVE-2024-47889

---
 backport-CVE-2024-47889.patch | 41 +++++++++++++++++++++++++++++++++++
 rubygem-actionmailer.spec | 13 ++++++++---
 2 files changed, 51 insertions(+), 3 deletions(-)
 create mode 100644 backport-CVE-2024-47889.patch

diff --git a/backport-CVE-2024-47889.patch b/backport-CVE-2024-47889.patch
new file mode 100644
index 0000000..2f634ad
--- /dev/null
+++ b/backport-CVE-2024-47889.patch
@@ -0,0 +1,41 @@
+From 985f1923fa62806ff676e41de67c3b4552131ab9 Mon Sep 17 00:00:00 2001
+From: John Hawthorn
+Date: Fri, 11 Oct 2024 00:34:14 -0700
+Subject: [PATCH] Avoid backtracking in ActionMailer block_format
+
+[CVE-2024-47889]
+
+Thanks to yuki_osaki and scyoon for reporting this vulnerability
+---
+ lib/action_mailer/mail_helper.rb | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/lib/action_mailer/mail_helper.rb b/lib/action_mailer/mail_helper.rb
+index e7bed41..f527d5a 100644
+--- a/lib/action_mailer/mail_helper.rb
++++ b/lib/action_mailer/mail_helper.rb
+@@ -23,10 +23,18 @@ module ActionMailer
+ }.join("\n\n")
+
+ # Make list points stand on their own line
+- formatted.gsub!(/[ ]*([*]+) ([^*]*)/) { " #{$1} #{$2.strip}\n" }
+- formatted.gsub!(/[ ]*([#]+) ([^#]*)/) { " #{$1} #{$2.strip}\n" }
++ output = +""
++ splits = formatted.split(/(\*+|\#+)/)
++ while line = splits.shift
++ if line.start_with?("*", "#") && splits[0].start_with?(" ")
++ output.chomp!(" ") while output.end_with?(" ")
++ output << " #{line} #{splits.shift.strip}\n"
++ else
++ output << line
++ end
++ end
+
+- formatted
++ output
+ end
+
+ # Access the mailer instance.
+--
+2.33.0
+
diff --git a/rubygem-actionmailer.spec b/rubygem-actionmailer.spec
index 891c47d..57ead43 100644
--- a/rubygem-actionmailer.spec
+++ b/rubygem-actionmailer.spec
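Review bot: In the backported `block_format` loop, `splits[0].start_with?(" ")` dereferences nil whenever a run of `*` or `#` is the last element of `splits` — `"foo *".split(/(\*+|\#+)/)` yields `["foo ", "*"]`, so the second iteration raises NoMethodError where the removed `gsub!` version simply left the text unchanged. A nil-safe check fixes it, e.g. `if line.start_with?("*", "#") && splits[0].to_s.start_with?(" ")` (or `splits.first&.start_with?(" ")`; the adjacent `output = +""` already relies on Ruby 2.3's `String#+@`, so safe navigation adds no new version constraint, but note the spec's `ruby >= 2.2.2` BuildRequires does not guarantee either). The rest of the loop does a single linear pass over the split pieces, which is what removes the regex backtracking behind the CVE. The `def block_format` line and the start of its body lie above the inner hunk.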
@@ -2,12 +2,13 @@
 Name: rubygem-%{gem_name}
 Epoch: 1
 Version: 5.2.4.4
-Release: 1
+Release: 2
 Summary: Email composition, delivery, and receiving framework (part of Rails)
 License: MIT
 URL: http://rubyonrails.org
 Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Source1: https://github.com/rails/rails/archive/v5.2.4.4.tar.gz
+Patch3000: backport-CVE-2024-47889.patch
 BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(actionpack) = %{version}
 BuildRequires: rubygem(activejob) = %{version} rubygem(mail) >= 2.5.4
 BuildArch: noarch
@@ -26,6 +27,9 @@ Documentation for %{name}.
 
 %prep
 %setup -q -c -T
 %gem_install -n %{SOURCE0}
+pushd .%{gem_instdir}
+%patch3000 -p1
+popd
 
 %build
@@ -54,8 +58,11 @@ popd
 %doc %{gem_instdir}/README.rdoc
 
 %changelog
-* Mon Feb 8 2021 sunguoshuai - 5.2.4.4-1
+* Thu Oct 17 2024 yaoxin - 1:5.2.4.4-2
+- Fix CVE-2024-47889
+
+* Mon Feb 8 2021 sunguoshuai - 1:5.2.4.4-1
 - Upgrade to 5.2.4.4
 
-* Sat Aug 8 2020 chengzihan - 5.2.3-1
+* Sat Aug 8 2020 chengzihan - 1:5.2.3-1
 - Package init
-- 
Gitee
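Review bot: The `%patch3000 -p1` line added in the `%prep` hunk uses the legacy `%patchN` spelling, which recent rpm releases flag as deprecated; the forward-compatible equivalent is `%patch -P 3000 -p1`, assuming the target rpm accepts the `-P` form. The `pushd .%{gem_instdir}` / `popd` wrapper is required because the backport's paths are gem-root relative (`lib/action_mailer/mail_helper.rb`) and the gem is unpacked by `%gem_install` rather than `%setup`, which deserves a one-line comment, e.g. `# patch the installed gem tree; backport paths are relative to the gem root`. The same hunk is the only place the patch is applied, so a `%check` exercising `block_format` on list-style input would be the natural regression guard, if the spec has one outside this diff.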