commit:     bd224377c5ba4404b0650baaa31b54d7bbf924b7
Author:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Fri Jul 21 17:50:47 2023 +0000
Commit:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Fri Jul 21 17:50:47 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd224377

dev-ruby/redcloth: fix CVE-2023-31606

Bug: https://bugs.gentoo.org/908035
Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>

 .../files/redcloth-4.3.2-cve-2023-31606-1.patch    | 22 +++++++++
 .../files/redcloth-4.3.2-cve-2023-31606-2.patch    | 22 +++++++++
 dev-ruby/redcloth/redcloth-4.3.2-r5.ebuild         | 57 ++++++++++++++++++++++
 3 files changed, 101 insertions(+)

diff --git a/dev-ruby/redcloth/files/redcloth-4.3.2-cve-2023-31606-1.patch 
b/dev-ruby/redcloth/files/redcloth-4.3.2-cve-2023-31606-1.patch
new file mode 100644
index 000000000000..f5de833dafb3
--- /dev/null
+++ b/dev-ruby/redcloth/files/redcloth-4.3.2-cve-2023-31606-1.patch
@@ -0,0 +1,22 @@
+From 8d3b5c730596d254d0bbcfbab52f4158f03397b3 Mon Sep 17 00:00:00 2001
+From: Kornelius Kalnbach <[email protected]>
+Date: Wed, 28 Jun 2023 17:24:55 +0200
+Subject: [PATCH] make regex faster with Atomic Grouping
+
+---
+ lib/redcloth/formatters/html.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/redcloth/formatters/html.rb b/lib/redcloth/formatters/html.rb
+index b241c99..aaeae34 100644
+--- a/lib/redcloth/formatters/html.rb
++++ b/lib/redcloth/formatters/html.rb
+@@ -324,7 +324,7 @@ def before_transform(text)
+   # Clean unauthorized tags.
+   def clean_html( text, allowed_tags = BASIC_TAGS )
+     text.gsub!( /<!\[CDATA\[/, '' )
+-    text.gsub!( /<(\/*)([A-Za-z]\w*)([^>]*?)(\s?\/?)>/ ) do |m|
++    text.gsub!( /<(\/*)(?>[A-Za-z]\w*)([^>]*?)(\s?\/?)>/ ) do |m|
+       raw = $~
+       tag = raw[2].downcase
+       if allowed_tags.has_key? tag

diff --git a/dev-ruby/redcloth/files/redcloth-4.3.2-cve-2023-31606-2.patch 
b/dev-ruby/redcloth/files/redcloth-4.3.2-cve-2023-31606-2.patch
new file mode 100644
index 000000000000..fd8de28f0e71
--- /dev/null
+++ b/dev-ruby/redcloth/files/redcloth-4.3.2-cve-2023-31606-2.patch
@@ -0,0 +1,22 @@
+From 7429f32bdac4fccf9f5ab702afc9c47092a7b3df Mon Sep 17 00:00:00 2001
+From: Kornelius Kalnbach <[email protected]>
+Date: Thu, 29 Jun 2023 00:31:50 +0200
+Subject: [PATCH] simplify fix
+
+---
+ lib/redcloth/formatters/html.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/redcloth/formatters/html.rb b/lib/redcloth/formatters/html.rb
+index aaeae34..396c2d0 100644
+--- a/lib/redcloth/formatters/html.rb
++++ b/lib/redcloth/formatters/html.rb
+@@ -324,7 +324,7 @@ def before_transform(text)
+   # Clean unauthorized tags.
+   def clean_html( text, allowed_tags = BASIC_TAGS )
+     text.gsub!( /<!\[CDATA\[/, '' )
+-    text.gsub!( /<(\/*)(?>[A-Za-z]\w*)([^>]*?)(\s?\/?)>/ ) do |m|
++    text.gsub!( /<(\/*)([A-Za-z]\w*+)([^>]*?)(\s?\/?)>/ ) do |m|
+       raw = $~
+       tag = raw[2].downcase
+       if allowed_tags.has_key? tag

diff --git a/dev-ruby/redcloth/redcloth-4.3.2-r5.ebuild 
b/dev-ruby/redcloth/redcloth-4.3.2-r5.ebuild
new file mode 100644
index 000000000000..b43a51c4804f
--- /dev/null
+++ b/dev-ruby/redcloth/redcloth-4.3.2-r5.ebuild
@@ -0,0 +1,57 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+USE_RUBY="ruby30 ruby31 ruby32"
+
+RUBY_FAKEGEM_NAME="RedCloth"
+
+RUBY_FAKEGEM_RECIPE_TEST="rspec3"
+RUBY_FAKEGEM_TASK_DOC=""
+
+RUBY_FAKEGEM_DOCDIR="doc"
+
+RUBY_FAKEGEM_EXTRADOC="README.rdoc CHANGELOG"
+
+RUBY_FAKEGEM_REQUIRE_PATHS="lib/case_sensitive_require"
+
+RUBY_FAKEGEM_GEMSPEC=redcloth.gemspec
+
+RUBY_FAKEGEM_EXTENSIONS=(ext/redcloth_scan/extconf.rb)
+
+inherit ruby-fakegem
+
+DESCRIPTION="A module for using Textile in Ruby"
+HOMEPAGE="https://github.com/jgarber/redcloth";
+SRC_URI="https://github.com/jgarber/redcloth/archive/v${PV}.tar.gz -> 
${RUBY_FAKEGEM_NAME}-${PV}.tar.gz"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~loong ~ppc ~ppc64 ~riscv ~sparc ~x86 
~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE=""
+
+DEPEND+=" =dev-util/ragel-6*"
+
+PATCHES=(
+       "${FILESDIR}/${P}-load-documents.patch"
+       "${FILESDIR}/${P}-cve-2023-31606-1.patch"
+       "${FILESDIR}/${P}-cve-2023-31606-2.patch"
+)
+
+ruby_add_bdepend "
+       >=dev-ruby/rake-0.8.7
+       >=dev-ruby/rake-compiler-0.7.1
+       test? ( >=dev-ruby/diff-lcs-1.1.2 )"
+
+all_ruby_prepare() {
+       sed -i -e '/[Bb]undler/d' Rakefile ${PN}.gemspec || die
+       rm -f tasks/{release,rspec,rvm}.rake || die
+
+       # Fix version
+       sed -i -e '/TINY/ s/1/2/' lib/redcloth/version.rb || die
+}
+
+each_ruby_prepare() {
+       ${RUBY} -S rake ext/redcloth_scan/extconf.rb || die
+}
