diff options
| author |   Mingli Yu <mingli.yu@windriver.com> | 2021-09-14 16:57:18 +0800 |
|---|---|---|
| committer |   Anuj Mittal <anuj.mittal@intel.com> | 2021-09-15 10:04:54 +0800 |
| commit | 97d0237e254a0d90b58fe35a1b40d549991b3779 (patch) | |
| tree | db40aacad2b0ebe485312a2d06b000aaebc0d59c /meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch | |
| parent | e14761916290c01683d72eb8e3de530f944fdfab (diff) | |
| download | openembedded-core-contrib-97d0237e254a0d90b58fe35a1b40d549991b3779.tar.gz | |
ruby: fix CVE-2021-31799
Backport a patch to fix CVE-2021-31799.
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Diffstat (limited to 'meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch')
| -rw-r--r-- | meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch b/meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch new file mode 100644 index 0000000000..83064e85ab --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch @@ -0,0 +1,57 @@ +From b1c73f239fe9af97de837331849f55d67c27561e Mon Sep 17 00:00:00 2001 +From: aycabta <aycabta@gmail.com> +Date: Sun, 2 May 2021 20:52:23 +0900 +Subject: [PATCH] [ruby/rdoc] Use File.open to fix the OS Command Injection + vulnerability in CVE-2021-31799 + +https://github.com/ruby/rdoc/commit/a7f5d6ab88 + +CVE: CVE-2021-31799 + +Upstream-Status: Backport[https://github.com/ruby/ruby/commit/b1c73f239fe9af97de837331849f55d67c27561e] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + lib/rdoc/rdoc.rb | 2 +- + test/rdoc/test_rdoc_rdoc.rb | 12 ++++++++++++ + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb +index 680a8612f7..904625f105 100644 +--- a/lib/rdoc/rdoc.rb ++++ b/lib/rdoc/rdoc.rb +@@ -444,7 +444,7 @@ def remove_unparseable files + files.reject do |file, *| + file =~ /\.(?:class|eps|erb|scpt\.txt|svg|ttf|yml)$/i or + (file =~ /tags$/i and +- open(file, 'rb') { |io| ++ File.open(file, 'rb') { |io| + io.read(100) =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/ + }) + end +diff --git a/test/rdoc/test_rdoc_rdoc.rb b/test/rdoc/test_rdoc_rdoc.rb +index 3910dd4656..a83d5a1b88 100644 +--- a/test/rdoc/test_rdoc_rdoc.rb ++++ b/test/rdoc/test_rdoc_rdoc.rb +@@ -456,6 +456,18 @@ def test_remove_unparseable_tags_vim + end + end + ++ def test_remove_unparseable_CVE_2021_31799 ++ temp_dir do ++ file_list = ['| touch evil.txt && echo tags'] ++ file_list.each do |f| ++ FileUtils.touch f ++ end ++ ++ assert_equal file_list, @rdoc.remove_unparseable(file_list) ++ assert_equal file_list, Dir.children('.') ++ end ++ end ++ + def test_setup_output_dir + Dir.mktmpdir {|d| + path = File.join d, 'testdir' +-- +2.17.1 + |