diff --git a/CVE-2022-23633.patch b/CVE-2022-23633.patch
new file mode 100644
index 0000000000000000000000000000000000000000..58807f6b5fd5bbbfeb0ee4edcea86d75c232f0fa
--- /dev/null
+++ b/CVE-2022-23633.patch
@@ -0,0 +1,79 @@
+From d1267768e9f57ebcf86ff7f011aca7fb08e733eb Mon Sep 17 00:00:00 2001
+From: Aaron Patterson
+Date: Fri, 11 Feb 2022 11:23:01 -0800
+Subject: [PATCH] Fix reloader to work with new Executor signature
+
+This is a follow up to [CVE-2022-23633].
+---
+ lib/active_support/reloader.rb | 2 +-
+ lib/active_support/execution_wrapper.rb | 29 ++++++++++---------
+ 2 file changed, 11 insertion(+), 10 deletion(-)
+
+diff --git a/lib/active_support/reloader.rb b/lib/active_support/reloader.rb
+index 2f81cd4..e751866 100644
+--- a/lib/active_support/reloader.rb
++++ b/lib/active_support/reloader.rb
+@@ -58,7 +58,7 @@ module ActiveSupport
+ prepare!
+ end
+
+- def self.run! # :nodoc:
++ def self.run!(reset: false) # :nodoc:
+ if check!
+ super
+ else
+
+diff --git a/lib/active_support/execution_wrapper.rb b/lib/active_support/execution_wrapper.rb
+index ca810db584..07c4f435db 100644
+--- a/lib/active_support/execution_wrapper.rb
++++ b/lib/active_support/execution_wrapper.rb
+@@ -63,18 +63,21 @@ def self.register_hook(hook, outer: false)
+ # after the work has been performed.
+ #
+ # Where possible, prefer +wrap+.
+- def self.run!
+- if active?
+- Null
++ def self.run!(reset: false)
++ if reset
++ lost_instance = active.delete(Thread.current)
++ lost_instance&.complete!
+ else
+- new.tap do |instance|
+- success = nil
+- begin
+- instance.run!
+- success = true
+- ensure
+- instance.complete! unless success
+- end
++ return Null if active?
++ end
++
++ new.tap do |instance|
++ success = nil
++ begin
++ instance.run!
++ success = true
++ ensure
++ instance.complete! unless success
+ end
+ end
+ end
+@@ -103,11 +106,11 @@ def self.inherited(other) # :nodoc:
+ self.active = Concurrent::Hash.new
+
+ def self.active? # :nodoc:
+- @active[Thread.current]
++ @active.key?(Thread.current)
+ end
+
+ def run! # :nodoc:
+- self.class.active[Thread.current] = true
++ self.class.active[Thread.current] = self
+ run_callbacks(:run)
+ end
+
+--
+2.43.0
+
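Review bot: The `reset: true` branch added to `ExecutionWrapper.run!` is never exercised by anything in this patch: the keyword defaults to `false` in both `run!` definitions, and neither patched file contains a caller that passes it, so runtime behaviour is unchanged until something else does. As I understand the upstream fix for CVE-2022-23633, that caller is Action Pack's executor middleware, so the advisory is only closed once the actionpack package carries the matching change. I would state that in the patch description, e.g. `Requires the Action Pack side of the fix, which calls run!(reset: true)`. The switch of `active?` to `@active.key?(Thread.current)` also relies on `complete!` deleting the thread's entry rather than storing a falsy value; `complete!` lies outside these hunks, so confirm it against the 6.1.4.1 source.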
diff --git a/rubygem-activesupport.spec b/rubygem-activesupport.spec index 9d5e9d38a3e73a899198a66a7ecd423aa9090423..87612b170c27e35c57864e3dac3f8bec07804214 100644 --- a/rubygem-activesupport.spec +++ b/rubygem-activesupport.spec @@ -2,7 +2,7 @@ Name: rubygem-%{gem_name} Epoch: 1 Version: 6.1.4.1 -Release: 5 +Release: 7 Summary: A support libraries and Ruby core extensions extracted from the Rails framework License: MIT URL: http://rubyonrails.org @@ -13,6 +13,9 @@ Patch0: Add-support-dalli-3.2.2.patch Patch1: CVE-2023-22796.patch Patch2: CVE-2023-38037.patch Patch3: CVE-2023-38037-test.patch +# https://github.com/rails/rails/commit/d1267768e9f57ebcf86ff7f011aca7fb08e733eb +# https://github.com/rails/rails/commit/07d9600172a18b45791c89e95a642e13fc367545 +Patch3000: CVE-2022-23633.patch Requires: rubygem(bigdecimal) rubygem(json) BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder) BuildRequires: rubygem(concurrent-ruby) rubygem(connection_pool) rubygem(dalli) @@ -39,7 +42,7 @@ pushd %{_builddir}/test popd %patch1 -p2 %patch2 -p2 - +%patch3000 -p1 %build gem build ../%{gem_name}-%{version}.gemspec @@ -87,11 +90,20 @@ popd %doc %{gem_instdir}/README.rdoc %changelog -* Mon Sep 11 2023 wangkai <13474090681@163.com> - 1:6.1.4.1-5 +* Tue Jun 25 2024 zouzhimin - 1:6.1.4.1-7 +- Type:CVES +- ID:CVE-2022-23633 +- SUG:NA +- DESC:fix CVE-2022-23633 + +* Mon Sep 11 2023 wangkai <13474090681@163.com> - 1:6.1.4.1-6 - Fix CVE-2023-38037 -* Thu Mar 30 2023 caodongxia - 1:6.1.4.1-4 -- Fix the self-compilation problem and start memcached as the root user +* Fri Mar 10 2023 caodongxia - 1:6.1.4.1-5 +- Rectify the failure to start memcached as the root user + +* Thu Mar 9 2023 caodongxia - 1:6.1.4.1-4 +- Fix the self-compilation problem * Tue Feb 21 2023 wushaozheng - 1:6.1.4.1-3 - fix CVE-2023-22796
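Review bot: The two upstream commit URLs above `Patch3000` do not line up with what the patch file says about itself, which makes its provenance hard to audit. Its mail header names only d1267768e9f57ebcf86ff7f011aca7fb08e733eb, yet it also carries the execution_wrapper.rb change, and its summary line claims 11 insertions and 10 deletions while the per-file lines list 2 and 29 changes. The paths also appear to have been shortened so that it applies with `-p1` where the neighbouring patches use `-p2`, so a byte-for-byte comparison with either upstream commit will not match. I would record this next to the declaration, e.g. `# Hand-merged backport of the lib/active_support changes from both commits; paths adjusted for -p1`, adjusting the wording to what was actually taken from each commit.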