7 changed files with 2 additions and 321 deletions
--- a/CVE-2022-23633.patch
+++ b/CVE-2022-23633.patch
@ -1,79 +0,0 @@
-From d1267768e9f57ebcf86ff7f011aca7fb08e733eb Mon Sep 17 00:00:00 2001
-From: Aaron Patterson <aaron@rubyonrails.org>
-Date: Fri, 11 Feb 2022 11:23:01 -0800
-Subject: [PATCH] Fix reloader to work with new Executor signature
-
-This is a follow up to [CVE-2022-23633].
---
- lib/active_support/reloader.rb | 2 +-
- lib/active_support/execution_wrapper.rb   | 29 ++++++++++---------
- 2 file changed, 11 insertion(+), 10 deletion(-)
-
-diff --git a/lib/active_support/reloader.rb b/lib/active_support/reloader.rb
-index 2f81cd4..e751866 100644
--- a/lib/active_support/reloader.rb
-+++ b/lib/active_support/reloader.rb
-@@ -58,7 +58,7 @@ module ActiveSupport
-       prepare!
-     end
- 
-    def self.run! # :nodoc:
-+    def self.run!(reset: false) # :nodoc:
-       if check!
-         super
-       else
-
-diff --git a/lib/active_support/execution_wrapper.rb b/lib/active_support/execution_wrapper.rb
-index ca810db584..07c4f435db 100644
--- a/lib/active_support/execution_wrapper.rb
-+++ b/lib/active_support/execution_wrapper.rb
-@@ -63,18 +63,21 @@ def self.register_hook(hook, outer: false)
-     # after the work has been performed.
-     #
-     # Where possible, prefer +wrap+.
-    def self.run!
-      if active?
-        Null
-+    def self.run!(reset: false)
-+      if reset
-+        lost_instance = active.delete(Thread.current)
-+        lost_instance&.complete!
-       else
-        new.tap do |instance|
-          success = nil
-          begin
-            instance.run!
-            success = true
-          ensure
-            instance.complete! unless success
-          end
-+        return Null if active?
-+      end
-+
-+      new.tap do |instance|
-+        success = nil
-+        begin
-+          instance.run!
-+          success = true
-+        ensure
-+          instance.complete! unless success
-         end
-       end
-     end
-@@ -103,11 +106,11 @@ def self.inherited(other) # :nodoc:
-     self.active = Concurrent::Hash.new
- 
-     def self.active? # :nodoc:
-      @active[Thread.current]
-+      @active.key?(Thread.current)
-     end
- 
-     def run! # :nodoc:
-      self.class.active[Thread.current] = true
-+      self.class.active[Thread.current] = self
-       run_callbacks(:run)
-     end
- 
-- 
-2.43.0
-
--- a/CVE-2023-22796.patch
+++ b/CVE-2023-22796.patch
@ -1,27 +0,0 @@
-From a7cda7e6aa5334ab41b1f4b0f671be931be946ef Mon Sep 17 00:00:00 2001
-From: John Hawthorn <john@hawthorn.email>
-Date: Wed, 11 Jan 2023 10:14:55 -0800
-Subject: [PATCH] Avoid regex backtracking in Inflector.underscore
-
-[CVE-2023-22796]
---
- activesupport/lib/active_support/inflector/methods.rb | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/activesupport-6.1.4.1/lib/active_support/inflector/methods.rb b/activesupport-6.1.4.1/lib/active_support/inflector/methods.rb
-index ad136532bf..acb86fe1a4 100644
--- a/activesupport-6.1.4.1/lib/active_support/inflector/methods.rb
-+++ b/activesupport-6.1.4.1/lib/active_support/inflector/methods.rb
-@@ -93,8 +93,7 @@ def underscore(camel_cased_word)
-       return camel_cased_word unless /[A-Z-]|::/.match?(camel_cased_word)
-       word = camel_cased_word.to_s.gsub("::", "/")
-       word.gsub!(inflections.acronyms_underscore_regex) { "#{$1 && '_' }#{$2.downcase}" }
-      word.gsub!(/([A-Z\d]+)([A-Z][a-z])/, '\1_\2')
-      word.gsub!(/([a-z\d])([A-Z])/, '\1_\2')
-+      word.gsub!(/([A-Z])(?=[A-Z][a-z])|([a-z\d])(?=[A-Z])/) { ($1 || $2) << "_" }
-       word.tr!("-", "_")
-       word.downcase!
-       word
-- 
-2.35.1
-
--- a/CVE-2023-28120-test.patch
+++ b/CVE-2023-28120-test.patch
@ -1,51 +0,0 @@
-From 3cf23c3f891e2e81c977ea4ab83b62bc2a444b70 Mon Sep 17 00:00:00 2001
-From: Akira Matsuda <ronnie@dio.jp>
-Date: Thu, 5 Jan 2023 05:25:37 +0900
-Subject: [PATCH] Implement SafeBuffer#bytesplice
-
---
- .../core_ext/string/output_safety.rb          |  4 +++
- .../test/core_ext/string_ext_test.rb          | 30 +++++++++++++++++++
- 2 files changed, 34 insertions(+)
-
-diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb
-index a51f2f64cbe27..c436821c94a0b 100644
--- a/activesupport/test/core_ext/string_ext_test.rb
-+++ b/activesupport/test/core_ext/string_ext_test.rb
-@@ -987,6 +987,36 @@ def to_s
-     assert_predicate string, :html_safe?
-   end
- 
-+  if "".respond_to?(:bytesplice)
-+    test "Bytesplicing safe into safe yields safe" do
-+      string = "hello".html_safe
-+      string.bytesplice(0, 0, "<b>".html_safe)
-+
-+      assert_equal "<b>hello", string
-+      assert_predicate string, :html_safe?
-+
-+      string = "hello".html_safe
-+      string.bytesplice(0..1, "<b>".html_safe)
-+
-+      assert_equal "<b>llo", string
-+      assert_predicate string, :html_safe?
-+    end
-+
-+    test "Bytesplicing unsafe into safe yields escaped safe" do
-+      string = "hello".html_safe
-+      string.bytesplice(1, 0, "<b>")
-+
-+      assert_equal "h&lt;b&gt;ello", string
-+      assert_predicate string, :html_safe?
-+
-+      string = "hello".html_safe
-+      string.bytesplice(1..2, "<b>")
-+
-+      assert_equal "h&lt;b&gt;lo", string
-+      assert_predicate string, :html_safe?
-+    end
-+  end
-+
-   test "emits normal string yaml" do
-     assert_equal "foo".to_yaml, "foo".html_safe.to_yaml(foo: 1)
-   end
--- a/CVE-2023-28120.patch
+++ b/CVE-2023-28120.patch
@ -1,25 +0,0 @@
-From 3cf23c3f891e2e81c977ea4ab83b62bc2a444b70 Mon Sep 17 00:00:00 2001
-From: Akira Matsuda <ronnie@dio.jp>
-Date: Thu, 5 Jan 2023 05:25:37 +0900
-Subject: [PATCH] Implement SafeBuffer#bytesplice
-
---
- .../core_ext/string/output_safety.rb          |  4 +++
- .../test/core_ext/string_ext_test.rb          | 30 +++++++++++++++++++
- 2 files changed, 34 insertions(+)
-
-diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
-index 8a06ccdd8e385..a627540a353db 100644
--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
-+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
-@@ -216,6 +216,10 @@ def concat(value)
-     end
-     alias << concat
- 
-+    def bytesplice(*args, value)
-+      super(*args, implicit_html_escape_interpolated_argument(value))
-+    end
-+
-     def insert(index, value)
-       super(index, html_escape_interpolated_argument(value))
-     end
--- a/CVE-2023-38037-test.patch
+++ b/CVE-2023-38037-test.patch
@ -1,39 +0,0 @@
-From c85cc667ebfd3c270df37c7575d580ea6462e12f Mon Sep 17 00:00:00 2001
-From: Aaron Patterson <aaron@rubyonrails.org>
-Date: Tue, 22 Aug 2023 09:58:43 -0700
-Subject: [PATCH] Use a temporary file for storing unencrypted files while
- editing
-
-Origin: https://github.com/rails/rails/commit/c85cc667ebfd3c270df37c7575d580ea6462e12f
-
-When we're editing the contents of encrypted files, we should use the
-`Tempfile` class because it creates temporary files with restrictive
-permissions.  This prevents other users on the same system from reading
-the contents of those files while the user is editing them.
-
-[CVE-2023-38037]
---
- .../lib/active_support/encrypted_file.rb       | 17 ++++++++---------
- activesupport/test/encrypted_file_test.rb      |  8 ++++++++
- railties/lib/rails/secrets.rb                  | 18 ++++++++++--------
- 3 files changed, 26 insertions(+), 17 deletions(-)
-
-diff --git a/activesupport/test/encrypted_file_test.rb b/activesupport/test/encrypted_file_test.rb
-index 0050685065a9e..49f7437764fe8 100644
--- a/activesupport/test/encrypted_file_test.rb
-+++ b/activesupport/test/encrypted_file_test.rb
-@@ -49,6 +49,14 @@ class EncryptedFileTest < ActiveSupport::TestCase
-     assert_equal "#{@content} and went by the lake", @encrypted_file.read
-   end
- 
-+  test "change sets restricted permissions" do
-+    @encrypted_file.write(@content)
-+    @encrypted_file.change do |file|
-+      assert_predicate file, :owned?
-+      assert_equal "100600", file.stat.mode.to_s(8), "Incorrect mode for #{file}"
-+    end
-+  end
-+
-   test "raise MissingKeyError when key is missing" do
-     assert_raise ActiveSupport::EncryptedFile::MissingKeyError do
-       encrypted_file(@content_path, key_path: "", env_key: "").read
--- a/CVE-2023-38037.patch
+++ b/CVE-2023-38037.patch
@ -1,58 +0,0 @@
-From c85cc667ebfd3c270df37c7575d580ea6462e12f Mon Sep 17 00:00:00 2001
-From: Aaron Patterson <aaron@rubyonrails.org>
-Date: Tue, 22 Aug 2023 09:58:43 -0700
-Subject: [PATCH] Use a temporary file for storing unencrypted files while
- editing
-
-Origin: https://github.com/rails/rails/commit/c85cc667ebfd3c270df37c7575d580ea6462e12f
-
-When we're editing the contents of encrypted files, we should use the
-`Tempfile` class because it creates temporary files with restrictive
-permissions.  This prevents other users on the same system from reading
-the contents of those files while the user is editing them.
-
-[CVE-2023-38037]
---
- .../lib/active_support/encrypted_file.rb       | 17 ++++++++---------
- activesupport/test/encrypted_file_test.rb      |  8 ++++++++
- railties/lib/rails/secrets.rb                  | 18 ++++++++++--------
- 3 files changed, 26 insertions(+), 17 deletions(-)
-
-diff --git a/activesupport/lib/active_support/encrypted_file.rb b/activesupport/lib/active_support/encrypted_file.rb
-index a35cc54ef5c52..dc28aa9a15fa9 100644
--- a/activesupport/lib/active_support/encrypted_file.rb
-+++ b/activesupport/lib/active_support/encrypted_file.rb
-@@ -1,7 +1,7 @@
- # frozen_string_literal: true
- 
- require "pathname"
-require "tmpdir"
-+require "tempfile"
- require "active_support/message_encryptor"
- 
- module ActiveSupport
-@@ -69,17 +69,16 @@ def change(&block)
- 
-     private
-       def writing(contents)
-        tmp_file = "#{Process.pid}.#{content_path.basename.to_s.chomp('.enc')}"
-        tmp_path = Pathname.new File.join(Dir.tmpdir, tmp_file)
-        tmp_path.binwrite contents
-+        Tempfile.create(["", "-" + content_path.basename.to_s.chomp(".enc")]) do |tmp_file|
-+          tmp_path = Pathname.new(tmp_file)
-+          tmp_path.binwrite contents
- 
-        yield tmp_path
-+          yield tmp_path
- 
-        updated_contents = tmp_path.binread
-+          updated_contents = tmp_path.binread
- 
-        write(updated_contents) if updated_contents != contents
-      ensure
-        FileUtils.rm(tmp_path) if tmp_path&.exist?
-+          write(updated_contents) if updated_contents != contents
-+        end
-       end
- 
- 
--- a/rubygem-activesupport.spec
+++ b/rubygem-activesupport.spec
@ -2,7 +2,7 @@
 Name:                rubygem-%{gem_name}
 Epoch:               1
 Version:             6.1.4.1
-Release:             8
+Release:             2
 Summary:             A support libraries and Ruby core extensions extracted from the Rails framework
 License:             MIT
 URL:                 http://rubyonrails.org
@ -10,15 +10,6 @@ Source0:             https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Source1:             %{gem_name}-%{version}-tests.txz
 Source2:             rails-%{version}-tools.txz
 Patch0:              Add-support-dalli-3.2.2.patch
-Patch1:              CVE-2023-22796.patch
-Patch2:              CVE-2023-38037.patch
-Patch3:              CVE-2023-38037-test.patch
-# https://github.com/rails/rails/commit/d1267768e9f57ebcf86ff7f011aca7fb08e733eb
-# https://github.com/rails/rails/commit/07d9600172a18b45791c89e95a642e13fc367545
-Patch3000:           CVE-2022-23633.patch
-# https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70
-Patch3001:           CVE-2023-28120.patch
-Patch3002:           CVE-2023-28120-test.patch
 Requires:            rubygem(bigdecimal) rubygem(json)
 BuildRequires:       ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder)
 BuildRequires:       rubygem(concurrent-ruby) rubygem(connection_pool) rubygem(dalli)
@ -41,13 +32,7 @@ Documentation for %{name}.
 %setup -q -n %{gem_name}-%{version} -b1 -b2
 pushd %{_builddir}/test
 %patch0 -p1
-%patch3 -p3
-%patch3002 -p3
 popd
-%patch1 -p2
-%patch2 -p2
-%patch3000 -p1
-%patch3001 -p2

 %build
 gem build ../%{gem_name}-%{version}.gemspec
@ -71,11 +56,7 @@ done
 sed -i '/def test_iso8601_output_and_reparsing$/,/^  end$/ s/^/#/' test/core_ext/duration_test.rb
 sed -i '/assert_nil mapped\[:b\]/ s/^/#/' test/core_ext/hash/transform_values_test.rb
 sed -i '/require .bundler./ s/^/#/' test/abstract_unit.rb
-if [ `whoami` = "root" ]; then
-    memcached -u root &
-else
-    memcached &
-fi
+memcached &
 mPID=$!
 sleep 1
 ruby -Ilib:test -e 'Dir.glob "./test/**/*_test.rb", &method(:require)'
@ -95,27 +76,6 @@ popd
 %doc %{gem_instdir}/README.rdoc

 %changelog
-* Wed Jun 26 2024 wangkai <13474090681@163.com> - 1:6.1.4.1-8
- Fix CVE-2023-28120
-
-* Tue Jun 25 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:6.1.4.1-7
- Type:CVES
- ID:CVE-2022-23633
- SUG:NA
- DESC:fix CVE-2022-23633
-
-* Mon Sep 11 2023 wangkai <13474090681@163.com> - 1:6.1.4.1-6
- Fix CVE-2023-38037
-
-* Fri Mar 10 2023 caodongxia <caodongxia@h-partners.com> - 1:6.1.4.1-5
- Rectify the failure to start memcached as the root user
-
-* Thu Mar 9 2023 caodongxia <caodongxia@h-partners.com> - 1:6.1.4.1-4
- Fix the self-compilation problem
-
-* Tue Feb 21 2023 wushaozheng <wushaozheng@ncti-gba.cn> - 1:6.1.4.1-3
- fix CVE-2023-22796 
-
 * Tue Jul 05 2022 liyanan <liyanan32@h-partners.com> - 6.1.4.1-2
 - Add support dalli 3.2.2