From 9b1f51d215085272439c09c36b6d63a569bd9bec Mon Sep 17 00:00:00 2001
From: houyingchao <1348375921@qq.com>
Date: Thu, 21 Oct 2021 19:01:46 +0800
Subject: [PATCH] Fix CVE-2021-3881

---
 CVE-2019-3881-1.patch | 23 +++++++++++++++++++++++
 CVE-2019-3881-2.patch | 21 +++++++++++++++++++++
 rubygem-bundler.spec | 13 +++++++++++--
 3 files changed, 55 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2019-3881-1.patch
 create mode 100644 CVE-2019-3881-2.patch

diff --git a/CVE-2019-3881-1.patch b/CVE-2019-3881-1.patch
new file mode 100644
index 0000000..c06d55d
--- /dev/null
+++ b/CVE-2019-3881-1.patch
@@ -0,0 +1,23 @@
+From: Antonio Terceiro
+Date: Thu, 3 May 2018 16:38:42 -0300
+Subject: Don't use insecure temporary directory as home directory
+Closes: #881749
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881749
+Upstream-Bug: https://github.com/bundler/bundler/issues/6501
+
+--- a/lib/bundler.rb
++++ b/lib/bundler.rb
+@@ -661,11 +661,8 @@
+ 
+ def tmp_home_path(warning)
+ Kernel.send(:require, "tmpdir")
+- SharedHelpers.filesystem_access(Dir.tmpdir) do
+- path = Bundler.tmp
+- at_exit { Bundler.rm_rf(path) }
+- path
+- end
++ path = Pathname.new(Dir.mktmpdir("bundler-"))
++ path
+ rescue RuntimeError => e
+ raise e.exception("#{warning}\nBundler also failed to create a temporary home directory':\n#{e}")
+ end
diff --git a/CVE-2019-3881-2.patch b/CVE-2019-3881-2.patch
new file mode 100644
index 0000000..54df768
--- /dev/null
+++ b/CVE-2019-3881-2.patch
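Review bot: With `SharedHelpers.filesystem_access` removed, a failing `Dir.mktmpdir("bundler-")` raises a `SystemCallError` such as `Errno::EACCES`, which the `rescue RuntimeError => e` clause two lines below does not match, so the `warning` text that rescue exists to attach is dropped and the caller sees a bare Errno. Widening the clause to `rescue RuntimeError, SystemCallError => e` keeps the combined message on the new code path; whether the removed wrapper used to translate those errors into something `RuntimeError`-shaped is not visible in this hunk. The `path = …` / `path` pair is a dead binding as long as this patch stands alone — it only earns its keep once CVE-2019-3881-2.patch adds the `at_exit` block — so either fold the two nested patches into one or return `Pathname.new(Dir.mktmpdir("bundler-"))` directly here.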
@@ -0,0 +1,21 @@
+From: Antonio Terceiro
+Date: Thu, 3 May 2018 16:50:45 -0300
+Subject: Remove temporary home directories
+
+Closes: #796383
+---
+ lib/bundler.rb | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/lib/bundler.rb
++++ b/lib/bundler.rb
+@@ -662,6 +662,9 @@
+ def tmp_home_path(warning)
+ Kernel.send(:require, "tmpdir")
+ path = Pathname.new(Dir.mktmpdir("bundler-"))
++ at_exit do
++ FileUtils.remove_entry(path.to_s, true)
++ end
+ path
+ rescue RuntimeError => e
+ raise e.exception("#{warning}\nBundler also failed to create a temporary home directory':\n#{e}")
diff --git a/rubygem-bundler.spec b/rubygem-bundler.spec
index 268490c..ccdb5cf 100644
--- a/rubygem-bundler.spec
+++ b/rubygem-bundler.spec
@@ -8,12 +8,14 @@ Name: rubygem-%{gem_name}
 Version: 2.2.19
-Release: 1
+Release: 2
 Summary: Library and utilities to manage a Ruby application's gem dependencies
 License: MIT
 URL: http://bundler.io
 Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Source1: https://github.com/rubygems/rubygems/archive/refs/tags/%{gem_name}-v%{version}.tar.gz
+Patch0001: CVE-2019-3881-1.patch
+Patch0002: CVE-2019-3881-2.patch
 BuildArch: noarch
 Requires: rubygem(io-console)
 BuildRequires: ruby(release) rubygems-devel ruby
@@ -40,8 +42,12 @@ Obsoletes: %{name}-doc < %{version}-%{release}
 This package provides help documents for %{name}.
 %prep
-%autosetup -c -T -n %{name}
+%setup -q -c -T
 %gem_install -n %{SOURCE0}
+pushd .%{gem_instdir}
+%patch0001 -p1
+%patch0002 -p1
+popd
 %build
@@ -130,6 +136,9 @@ popd
 %doc %{_mandir}/man5/*
 %changelog
+* Thu Oct 21 2021 houyingchao - 2.2.19-2
+- Fix CVE-2019-3881
+
 * Wed Jun 8 2021 zhaomengchao - 2.2.19-1
 * Upgrade to 2.2.19
-- 
Gitee
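Review bot: `FileUtils.remove_entry(path.to_s, true)` in the new `at_exit` block deletes a tree that sits directly under `Dir.tmpdir`, which is normally a world-writable sticky directory; Ruby's `FileUtils` documentation states that `remove_entry` is not safe against symlink races in such a parent and points to `remove_entry_secure` for exactly this case. The one-line change is `FileUtils.remove_entry_secure(path.to_s, true)`; the `true` force flag already makes a missing or unremovable directory non-fatal at exit, which is the right behaviour for best-effort cleanup. Nothing in the hunk requires `fileutils` — presumably `tmpdir`, required two lines above, or lib/bundler.rb itself loads it, but that is worth confirming rather than relying on load order.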
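Review bot: The new `Patch0001`/`Patch0002` entries and the changelog line later in this diff name CVE-2019-3881, while the commit subject says CVE-2021-3881; one of the two identifiers is wrong and should be reconciled before this lands, since downstream tooling keys on subject and changelog to track which advisory a release addresses. Separately, the code the nested patch removes already allocates the temporary home through `Bundler.tmp` and registers an `at_exit` cleanup, which does not look like the shared, predictable tmp-path layout the nested patch's own subject ("insecure temporary directory") targets; it is worth verifying that bundler 2.2.19 is actually affected before carrying a 2018 Debian patch against it, otherwise the `Release: 2` rebuild and its changelog entry claim a fix that changes nothing.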
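Review bot: `%patch0001 -p1` and `%patch0002 -p1` use the `%patchN` spelling that newer rpm releases (4.19 onwards, if I recall the changelog correctly) deprecate with a build-time warning in favour of `%patch -P 1` / `%patch -P 2`; switching now avoids the warning turning into a failure on a later toolchain. The swap from `%autosetup -c -T -n %{name}` to `%setup -q -c -T` is necessary because `%autosetup` would try to apply the Patch entries to the empty build directory before `%gem_install` has produced anything to patch, but that reasoning is not recorded anywhere; a one-line comment above the `pushd`, e.g. `# patches target the installed gem, so apply them after %gem_install rather than via %autosetup`, would stop the next maintainer from "modernising" it back.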