diff options
| author |   Lee Chee Yang <chee.yang.lee@intel.com> | 2022-02-28 11:38:37 +0800 |
|---|---|---|
| committer |   Anuj Mittal <anuj.mittal@intel.com> | 2022-03-07 15:39:05 +0800 |
| commit | edb6df08cb47a39918d28c709675d995c9e10031 (patch) | |
| tree | 1da0f0797c9535c53ab2456ac70cc526f221a5f9 /meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch | |
| parent | 7b5723ae41b7fcdc73a24f04ec0cda4fba8f8622 (diff) | |
| download | openembedded-core-edb6df08cb47a39918d28c709675d995c9e10031.tar.gz | |
ruby : update to 3.0.3
Do not tweak a file that is no longer installed.
Ruby 3.0.3 includes security fixes.
CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date Parsing Methods
CVE-2021-41816: Buffer Overrun in CGI.escape_html
CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse
Ruby 3.0.2 release includes security fixes.
CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
CVE-2021-31799: A command injection vulnerability in RDoc
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Diffstat (limited to 'meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch')
| -rw-r--r-- | meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch | 57 |
1 files changed, 0 insertions, 57 deletions
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch b/meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch deleted file mode 100644 index 83064e85ab..0000000000 --- a/meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch +++ /dev/null @@ -1,57 +0,0 @@ -From b1c73f239fe9af97de837331849f55d67c27561e Mon Sep 17 00:00:00 2001 -From: aycabta <aycabta@gmail.com> -Date: Sun, 2 May 2021 20:52:23 +0900 -Subject: [PATCH] [ruby/rdoc] Use File.open to fix the OS Command Injection - vulnerability in CVE-2021-31799 - -https://github.com/ruby/rdoc/commit/a7f5d6ab88 - -CVE: CVE-2021-31799 - -Upstream-Status: Backport[https://github.com/ruby/ruby/commit/b1c73f239fe9af97de837331849f55d67c27561e] - -Signed-off-by: Mingli Yu <mingli.yu@windriver.com> ---- - lib/rdoc/rdoc.rb | 2 +- - test/rdoc/test_rdoc_rdoc.rb | 12 ++++++++++++ - 2 files changed, 13 insertions(+), 1 deletion(-) - -diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb -index 680a8612f7..904625f105 100644 ---- a/lib/rdoc/rdoc.rb -+++ b/lib/rdoc/rdoc.rb -@@ -444,7 +444,7 @@ def remove_unparseable files - files.reject do |file, *| - file =~ /\.(?:class|eps|erb|scpt\.txt|svg|ttf|yml)$/i or - (file =~ /tags$/i and -- open(file, 'rb') { |io| -+ File.open(file, 'rb') { |io| - io.read(100) =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/ - }) - end -diff --git a/test/rdoc/test_rdoc_rdoc.rb b/test/rdoc/test_rdoc_rdoc.rb -index 3910dd4656..a83d5a1b88 100644 ---- a/test/rdoc/test_rdoc_rdoc.rb -+++ b/test/rdoc/test_rdoc_rdoc.rb -@@ -456,6 +456,18 @@ def test_remove_unparseable_tags_vim - end - end - -+ def test_remove_unparseable_CVE_2021_31799 -+ temp_dir do -+ file_list = ['| touch evil.txt && echo tags'] -+ file_list.each do |f| -+ FileUtils.touch f -+ end -+ -+ assert_equal file_list, @rdoc.remove_unparseable(file_list) -+ assert_equal file_list, Dir.children('.') -+ end -+ end -+ - def test_setup_output_dir - Dir.mktmpdir {|d| - path = File.join d, 'testdir' --- -2.17.1 - |