From: Mingli Yu <mingli...@windriver.com> Backport a patch to fix CVE-2021-31799.
Signed-off-by: Mingli Yu <mingli...@windriver.com> Signed-off-by: Anuj Mittal <anuj.mit...@intel.com> --- .../ruby/ruby/CVE-2021-31799.patch | 57 +++++++++++++++++++ meta/recipes-devtools/ruby/ruby_3.0.1.bb | 1 + 2 files changed, 58 insertions(+) create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch b/meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch new file mode 100644 index 0000000000..83064e85ab --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch @@ -0,0 +1,57 @@ +From b1c73f239fe9af97de837331849f55d67c27561e Mon Sep 17 00:00:00 2001 +From: aycabta <ayca...@gmail.com> +Date: Sun, 2 May 2021 20:52:23 +0900 +Subject: [PATCH] [ruby/rdoc] Use File.open to fix the OS Command Injection + vulnerability in CVE-2021-31799 + +https://github.com/ruby/rdoc/commit/a7f5d6ab88 + +CVE: CVE-2021-31799 + +Upstream-Status: Backport[https://github.com/ruby/ruby/commit/b1c73f239fe9af97de837331849f55d67c27561e] + +Signed-off-by: Mingli Yu <mingli...@windriver.com> +--- + lib/rdoc/rdoc.rb | 2 +- + test/rdoc/test_rdoc_rdoc.rb | 12 ++++++++++++ + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb +index 680a8612f7..904625f105 100644 +--- a/lib/rdoc/rdoc.rb ++++ b/lib/rdoc/rdoc.rb +@@ -444,7 +444,7 @@ def remove_unparseable files + files.reject do |file, *| + file =~ /\.(?:class|eps|erb|scpt\.txt|svg|ttf|yml)$/i or + (file =~ /tags$/i and +- open(file, 'rb') { |io| ++ File.open(file, 'rb') { |io| + io.read(100) =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/ + }) + end +diff --git a/test/rdoc/test_rdoc_rdoc.rb b/test/rdoc/test_rdoc_rdoc.rb +index 3910dd4656..a83d5a1b88 100644 +--- a/test/rdoc/test_rdoc_rdoc.rb ++++ b/test/rdoc/test_rdoc_rdoc.rb +@@ -456,6 +456,18 @@ def test_remove_unparseable_tags_vim + end + end + ++ def test_remove_unparseable_CVE_2021_31799 ++ temp_dir do ++ file_list = ['| touch evil.txt && echo tags'] ++ file_list.each do |f| ++ FileUtils.touch f ++ end ++ ++ assert_equal file_list, @rdoc.remove_unparseable(file_list) ++ assert_equal file_list, Dir.children('.') ++ end ++ end ++ + def test_setup_output_dir + Dir.mktmpdir {|d| + path = File.join d, 'testdir' +-- +2.17.1 + diff --git a/meta/recipes-devtools/ruby/ruby_3.0.1.bb b/meta/recipes-devtools/ruby/ruby_3.0.1.bb index ae953a0a89..4ac7383a97 100644 --- a/meta/recipes-devtools/ruby/ruby_3.0.1.bb +++ b/meta/recipes-devtools/ruby/ruby_3.0.1.bb @@ -8,6 +8,7 @@ SRC_URI += " \ file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \ file://CVE-2021-31810.patch \ file://CVE-2021-32066.patch \ + file://CVE-2021-31799.patch \ " SRC_URI[sha256sum] = "369825db2199f6aeef16b408df6a04ebaddb664fb9af0ec8c686b0ce7ab77727" -- 2.31.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#156079): https://lists.openembedded.org/g/openembedded-core/message/156079 Mute This Topic: https://lists.openembedded.org/mt/85640872/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
