From 608f1a37aea025b1b07bbe4e581cf8a5874a20d1 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Wed, 17 Sep 2025 11:14:22 +0800
Subject: [PATCH] Fix CVE-2022-39379 (cherry picked from commit 8eda48e8e9f5d2dc65b69089d2f0d08550625154)
---
 CVE-2022-39379.patch | 32 ++++++++++++++++++++++++++++++++
 rubygem-fluent.spec | 8 ++++++--
 2 files changed, 38 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2022-39379.patch
diff --git a/CVE-2022-39379.patch b/CVE-2022-39379.patch
new file mode 100644
index 0000000..b35cd2d
--- /dev/null
+++ b/CVE-2022-39379.patch
@@ -0,0 +1,32 @@
+From 48e5b85dab1b6d4c273090d538fc11b3f2fd8135 Mon Sep 17 00:00:00 2001
+From: Takuro Ashie
+Date: Thu, 27 Oct 2022 11:44:28 +0900
+Subject: [PATCH] Remove `object` from the available list of
+ `FLUENT_OJ_OPTION_MODE`
+
+There is less benefit by this option in actual, and it will instroduce
+serious security risk since it can execute arbitrary Ruby code.
+We remove it since keeping it secure is difficult.
+
+ref: GHSL-2022-067
+
+Signed-off-by: Takuro Ashie
+
+Origin: https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135
+---
+ lib/fluent/oj_options.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/fluent/oj_options.rb b/lib/fluent/oj_options.rb
+index f1c274c119..a76e1f81ba 100644
+--- a/lib/fluent/oj_options.rb
++++ b/lib/fluent/oj_options.rb
+@@ -11,7 +11,7 @@ class OjOptions
+
+ ALLOWED_VALUES = {
+ 'bigdecimal_load': %i[bigdecimal float auto],
+- 'mode': %i[strict null compat json rails object custom]
++ 'mode': %i[strict null compat json rails custom]
+ }
+
+ DEFAULTS = {
diff --git a/rubygem-fluent.spec b/rubygem-fluent.spec
index ec52a0c..1884fcc 100644
--- a/rubygem-fluent.spec
+++ b/rubygem-fluent.spec
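Review bot: Dropping `object` from `ALLOWED_VALUES[:mode]` only closes the hole if the code that reads `FLUENT_OJ_OPTION_MODE` actually rejects values outside this list, and that loader is not in the hunk; confirm that an environment still exporting `object` now falls back to fluentd's own `DEFAULTS[:mode]` (with a warning) instead of being handed to Oj, since Oj's object mode is what turns `^o`-tagged JSON into arbitrary Ruby instances. The `DEFAULTS` hash is cut off at the bottom of the hunk and the `OjOptions` class continues outside it, so this has to be checked against the full `oj_options.rb` in the 1.14.5 gem. Oj's own built-in default mode is, as far as I recall, `:object`, so the fallback must be fluentd's explicit default and never "leave Oj alone". As a smaller hardening point, `ALLOWED_VALUES` is a mutable constant that now doubles as the security allow-list; `}.freeze` on its closing line would keep a plugin from re-adding `:object` at runtime, though that is a nicety rather than part of this fix.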
@@ -2,11 +2,12 @@
 %global gem_name fluentd
 Name: rubygem-fluentd
 Version: 1.14.5
-Release: 2
+Release: 3
 Summary: Fluentd event collector
 License: Apache-2.0
 URL: https://www.fluentd.org/
 Source0: https://rubygems.org/gems/fluentd-1.14.5.gem
+Patch0: CVE-2022-39379.patch
 BuildArch: noarch
 BuildRequires: rubygem-bundler
@@ -40,7 +41,7 @@ BuildArch: noarch
 Fluentd is an open source data collector designed to scale and simplify log management. It can collect, process and ship many kinds of data in near real-time.
 %prep
-%autosetup -n fluentd-1.14.5
+%autosetup -n fluentd-%{version} -p1
 gem spec %{SOURCE0} -l --ruby > fluentd.gemspec
 sed -i '/http_parser.rb/s/< 0.7.0/<= 0.7.0/g' fluentd.gemspec
 sed -i '/tzinfo/s/~> 1.0/>= 1.0/g' fluentd.gemspec
@@ -87,6 +88,9 @@ mv %{buildroot}/filelist.lst .
 %{gem_docdir}/*
 %changelog
+* Wed Sep 17 2025 yaoxin <1024769339@qq.com> - 1.14.5-3
+- Fix CVE-2022-39379
+
 * Thu Mar 30 2023 liyanan - 1.14.5-2
 - Add requires rubygem-capng_c
--
Gitee
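Review bot: The new `Patch0:` line gives no hint of where the fix comes from or when it can be dropped; since this is a backport onto 1.14.5 of an upstream commit, a comment above it, `# Backport of upstream fluentd 48e5b85 (GHSL-2022-067 / CVE-2022-39379)`, keeps that visible at the spec level rather than only inside the patch file. The `Source0:` line in the same hunk still hard-codes `1.14.5` while the updated `%prep` switches to `%{version}`; `Source0: https://rubygems.org/gems/fluentd-%{version}.gem` keeps the two in step so a future version bump cannot silently diverge.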
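Review bot: The patch that `%autosetup -p1` now applies was generated against a newer upstream tree (its index line and its October 2022 date are well after the 1.14.5 release), so its context lines around `ALLOWED_VALUES` may not match the `lib/fluent/oj_options.rb` shipped in the 1.14.5 gem; `%autosetup` typically applies patches with fuzz 0 on rpm-based distributions, so a context mismatch fails the build rather than being absorbed. Verify the patch against the unpacked gem before merging, and if the file differs, regenerate it from the 1.14.5 source so the hunk header and context are exact. It is also worth confirming, in `%check` if the spec has one or in a quick local run, that `FLUENT_OJ_OPTION_MODE=object` is now refused, since a successful build only proves the text was patched, not that the loader's fallback behaves as intended.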