!23 [sync] PR-19: Fix CVE-2024-47889

From: @openeuler-sync-bot 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git

backport-CVE-2024-47889-test.patch

@@ -0,0 +1,21 @@
+diff --git a/actionmailer/test/mail_helper_test.rb b/actionmailer/test/mail_helper_test.rb
+index a8ab19a95c0e3..e49eabdce8275 100644
+--- a/actionmailer/test/mail_helper_test.rb
++++ b/actionmailer/test/mail_helper_test.rb
+@@ -121,4 +121,16 @@ def test_use_cache
+       assert_equal "Greetings from a cache helper block", mail.body.encoded
+     end
+   end
++
++  def helper
++    Object.new.extend(ActionMailer::MailHelper)
++  end
++
++  def test_block_format
++    assert_equal "  * foo\n", helper.block_format(" * foo")
++    assert_equal "  * foo\n", helper.block_format("   * foo")
++    assert_equal "  * foo\n", helper.block_format("* foo")
++    assert_equal "  * foo\n*bar", helper.block_format("* foo*bar")
++    assert_equal "  * foo\n  * bar\n", helper.block_format("* foo * bar")
++  end
+ end

backport-CVE-2024-47889.patch

@@ -0,0 +1,39 @@
+From 985f1923fa62806ff676e41de67c3b4552131ab9 Mon Sep 17 00:00:00 2001
+From: John Hawthorn <john@hawthorn.email>
+Date: Fri, 11 Oct 2024 00:34:14 -0700
+Subject: [PATCH] Avoid backtracking in ActionMailer block_format
+
+[CVE-2024-47889]
+
+Thanks to yuki_osaki and scyoon for reporting this vulnerability
+---
+ actionmailer/lib/action_mailer/mail_helper.rb | 14 +++++++++++---
+ actionmailer/test/mail_helper_test.rb         | 12 ++++++++++++
+ 2 files changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/actionmailer/lib/action_mailer/mail_helper.rb b/actionmailer/lib/action_mailer/mail_helper.rb
+index e7bed41f8d294..f527d5a59ebf5 100644
+--- a/actionmailer/lib/action_mailer/mail_helper.rb
++++ b/actionmailer/lib/action_mailer/mail_helper.rb
+@@ -23,10 +23,18 @@ def block_format(text)
+       }.join("\n\n")
+ 
+       # Make list points stand on their own line
+-      formatted.gsub!(/[ ]*([*]+) ([^*]*)/) { "  #{$1} #{$2.strip}\n" }
+-      formatted.gsub!(/[ ]*([#]+) ([^#]*)/) { "  #{$1} #{$2.strip}\n" }
++      output = +""
++      splits = formatted.split(/(\*+|\#+)/)
++      while line = splits.shift
++        if line.start_with?("*", "#") && splits[0].start_with?(" ")
++          output.chomp!(" ") while output.end_with?(" ")
++          output << "  #{line} #{splits.shift.strip}\n"
++        else
++          output << line
++        end
++      end
+ 
+-      formatted
++      output
+     end
+ 
+     # Access the mailer instance.

rubygem-actionmailer.spec

@@ -3,13 +3,15 @@
 Name:		rubygem-%{gem_name}
 Epoch:		1
 Version:	6.1.4.1
-Release:	1
+Release:	2
 Summary:	Email composition and delivery framework (part of Rails)
 License:	MIT
 URL:		https://rubyonrails.org
 Source0:	https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Source1: 	actionmailer-%{version}-tests.txz
 Source2:	rails-%{version}-tools.txz
+Patch3000:	backport-CVE-2024-47889.patch
+Patch3001:	backport-CVE-2024-47889-test.patch
 
 BuildRequires:	ruby(release)
 BuildRequires:	rubygems-devel
@@ -34,6 +36,11 @@ Documentation for %{name}.
 
 %prep
 %setup -q -n %{gem_name}-%{version}%{?prerelease} -b1 -b2
+%patch3000 -p2
+
+pushd %{_builddir}
+%patch3001 -p2
+popd
 
 %build
 gem build ../%{gem_name}-%{version}%{?prerelease}.gemspec
@@ -65,11 +72,14 @@ popd
 %doc %{gem_instdir}/README.rdoc
 
 %changelog
-* Wed May 04 2022 wangkerong <wangkerong@h-partners.com> - 6.1.4.1-1
+* Thu Oct 17 2024 yaoxin <yao_xin001@hoperun.com> - 1:6.1.4.1-2
+- Fix CVE-2024-47889
+
+* Wed May 04 2022 wangkerong <wangkerong@h-partners.com> - 1:6.1.4.1-1
 - Upgrade to 6.1.4.1
 
-* Mon Feb  8 2021 sunguoshuai <sunguoshuai@huawei.com> - 5.2.4.4-1
+* Mon Feb  8 2021 sunguoshuai <sunguoshuai@huawei.com> - 1:5.2.4.4-1
 - Upgrade to 5.2.4.4
 
-* Sat Aug 8 2020 chengzihan <chengzihan2@huawei.com> - 5.2.3-1
+* Sat Aug 8 2020 chengzihan <chengzihan2@huawei.com> - 1:5.2.3-1
 - Package init