From ad8e8e24bb13341706a535a533fafafeda316a4a Mon Sep 17 00:00:00 2001
From: zouzhimin
Date: Wed, 12 Jun 2024 04:07:12 +0800
Subject: [PATCH] fix CVE-2022-23633

---
 backport-Fix-CVE-2022-23633.patch | 79 +++++++++++++++++++++++++++++++
 rubygem-activesupport.spec | 10 +++-
 2 files changed, 88 insertions(+), 1 deletion(-)
 create mode 100644 backport-Fix-CVE-2022-23633.patch

diff --git a/backport-Fix-CVE-2022-23633.patch b/backport-Fix-CVE-2022-23633.patch
new file mode 100644
index 0000000..41d253c
--- /dev/null
+++ b/backport-Fix-CVE-2022-23633.patch
@@ -0,0 +1,79 @@
+From d1267768e9f57ebcf86ff7f011aca7fb08e733eb Mon Sep 17 00:00:00 2001
+From: Aaron Patterson
+Date: Fri, 11 Feb 2022 11:23:01 -0800
+Subject: [PATCH] Fix reloader to work with new Executor signature
+
+This is a follow up to [CVE-2022-23633].
+---
+ lib/active_support/reloader.rb | 2 +-
+ lib/active_support/execution_wrapper.rb | 29 ++++++++++---------
+ 2 file changed, 11 insertion(+), 10 deletion(-)
+
+diff --git a/lib/active_support/reloader.rb b/lib/active_support/reloader.rb
+index 2f81cd4..e751866 100644
+--- a/lib/active_support/reloader.rb
++++ b/lib/active_support/reloader.rb
+@@ -58,7 +58,7 @@ module ActiveSupport
+ prepare!
+ end
+
+- def self.run! # :nodoc:
++ def self.run!(reset: false) # :nodoc:
+ if check!
+ super
+ else
+
+diff --git a/lib/active_support/execution_wrapper.rb b/lib/active_support/execution_wrapper.rb
+index ca810db584..07c4f435db 100644
+--- a/lib/active_support/execution_wrapper.rb
++++ b/lib/active_support/execution_wrapper.rb
+@@ -62,18 +62,21 @@ def self.register_hook(hook, outer: false)
+ # after the work has been performed.
+ #
+ # Where possible, prefer +wrap+.
+- def self.run!
+- if active?
+- Null
++ def self.run!(reset: false)
++ if reset
++ lost_instance = active.delete(Thread.current)
++ lost_instance&.complete!
+ else
+- new.tap do |instance|
+- success = nil
+- begin
+- instance.run!
+- success = true
+- ensure
+- instance.complete! unless success
+- end
++ return Null if active?
++ end
++
++ new.tap do |instance|
++ success = nil
++ begin
++ instance.run!
++ success = true
++ ensure
++ instance.complete! unless success
+ end
+ end
+ end
+@@ -102,11 +105,11 @@ def self.inherited(other) # :nodoc:
+ self.active = Concurrent::Hash.new
+
+ def self.active? # :nodoc:
+- @active[Thread.current]
++ @active.key?(Thread.current)
+ end
+
+ def run! # :nodoc:
+- self.class.active[Thread.current] = true
++ self.class.active[Thread.current] = self
+ run_callbacks(:run)
+ end
+
+-- 
+2.43.0
+
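Review bot: Nothing in this backport ever calls `run!(reset: true)`, so the new `if reset` branch in `execution_wrapper.rb` (the `active.delete(Thread.current)` / `lost_instance&.complete!` path that clears a stale per-thread executor entry) is unreachable with this patch alone, and the embedded commit message itself describes the change only as a follow-up to the CVE-2022-23633 fix. As far as I recall, the upstream fix for that CVE also changed the ActionDispatch executor middleware in the actionpack gem to pass `reset: true`, so the `Patch2:` line and the changelog entry claiming "fix CVE-2022-23633" in `rubygem-activesupport.spec` may overstate what is shipped unless rubygem-actionpack is patched in step; please confirm against the upstream advisory and note the dependency in the changelog. The hand-edited inner diffstat (`2 file changed, 11 insertion(+), 10 deletion(-)`) does not match the hunks below it; `%patch` ignores it, but regenerating the file with `git format-patch` would keep the header honest.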
diff --git a/rubygem-activesupport.spec b/rubygem-activesupport.spec
index 6a2a4a7..ef85176 100644
--- a/rubygem-activesupport.spec
+++ b/rubygem-activesupport.spec
@@ -3,7 +3,7 @@
 Name: rubygem-%{gem_name}
 Epoch: 2
 Version: 5.2.4.4
-Release: 3
+Release: 4
 Summary: A support libraries and Ruby core extensions extracted from the Rails framework
 License: MIT
 URL: http://rubyonrails.org
@@ -11,6 +11,7 @@ Source0: https://rubygems.org/gems/activesupport-5.2.4.4.gem
 Source1: https://github.com/rails/rails/archive/v5.2.4.4.tar.gz
 Patch0: CVE-2023-22796.patch
 Patch1: CVE-2023-38037.patch
+Patch2: backport-Fix-CVE-2022-23633.patch
 Requires: rubygem(bigdecimal) rubygem(json)
 BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder)
 BuildRequires: rubygem(concurrent-ruby) rubygem(connection_pool) rubygem(dalli)
@@ -33,6 +34,7 @@ Documentation for %{name}.
 %setup -q -n %{gem_name}-%{version}
 %patch0 -p2
 %patch1 -p1
+%patch2 -p1
 
 %build
 gem build ../%{gem_name}-%{version}.gemspec
@@ -76,6 +78,12 @@ popd
 %doc %{gem_instdir}/README.rdoc
 
 %changelog
+* Tue Jun 25 2024 zouzhimin - 2:5.2.4.4-4
+- Type:CVES
+- ID:CVE-2022-23633
+- SUG:NA
+- DESC:fix CVE-2022-23633
+
 * Mon Sep 11 2023 wangkai <13474090681@163.com> - 2:5.2.4.4-3
 - Fix CVE-2023-38037
 
-- 
Gitee