diff --git a/CVE-2022-24836.patch b/CVE-2022-24836.patch
new file mode 100644
index 0000000000000000000000000000000000000000..25b7c0f0ce6a0b38a673cf66d078209ab17ee7e3
--- /dev/null
+++ b/CVE-2022-24836.patch
@@ -0,0 +1,16 @@
+diff --git a/lib/nokogiri/html/document.rb b/lib/nokogiri/html/document.rb
+index d3792bc..8fffa43 100644
+--- a/lib/nokogiri/html/document.rb
++++ b/lib/nokogiri/html/document.rb
+@@ -254,7 +254,7 @@ module Nokogiri
+ if Nokogiri.jruby? && EncodingReader.is_jruby_without_fix?
+ return EncodingReader.detect_encoding_for_jruby_without_fix(chunk)
+ end
+- m = chunk.match(/\A(<\?xml[ \t\r\n]+[^>]*>)/) and
++ m = chunk.match(/\A(<\?xml[ \t\r\n][^>]*>)/) and
+ return Nokogiri.XML(m[1]).encoding
+
+ if Nokogiri.jruby?
+--
+2.27.0
+
diff --git a/rubygem-nokogiri.spec b/rubygem-nokogiri.spec
index a2759b8252d68b241022d1d3c8f47be24cf6cbb7..7d71e3d354457ba0bee40390f6753c0c3dd8674e 100644
--- a/rubygem-nokogiri.spec
+++ b/rubygem-nokogiri.spec
@@ -7,7 +7,7 @@
 Summary: An HTML, XML, SAX, and Reader parser
 Name: rubygem-%{gem_name}
 Version: %{mainver}
-Release: 4
+Release: 5
 License: MIT
 URL: https://nokogiri.org
 Source0: https://rubygems.org/gems/%{gem_name}-%{mainver}%{?prever}.gem
@@ -19,6 +19,8 @@ Patch2: CVE-2020-26247.patch
 Patch3: CVE-2021-41098-1.patch
 Patch4: CVE-2021-41098-2.patch
 Patch5: fix-test-push-parser-fail.patch
+# refer https://github.com/sparklemotion/nokogiri/commit/e444525
+Patch6: CVE-2022-24836.patch
 BuildRequires: ruby(release) ruby(rubygems) rubygem(minitest) rubygems-devel
 Obsoletes: ruby-%{gem_name} <= 1.5.2-2
 BuildRequires: gcc rubygem(pkg-config) libxml2-devel libxslt-devel ruby-devel
@@ -66,6 +68,7 @@ cd $TOPDIR/%{gem_name}-%{version}
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 cd -
 gem specification -l --ruby %{SOURCE0} > %{gem_name}.gemspec
 
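Review bot: The new CVE-2022-24836.patch carries no description header — it begins directly at `diff --git` and keeps only the `-- / 2.27.0` format-patch trailer — so the CVE id and the upstream origin are recorded nowhere in the patch itself, only in a spec comment. Suggest prepending a short header such as `Backport of upstream nokogiri commit e444525 (CVE-2022-24836): drop the '+' quantifier in EncodingReader.detect_encoding's XML-declaration regex to avoid quadratic backtracking`. The change itself is sound: removing `+` after `[ \t\r\n]` eliminates the overlap with the following `[^>]*`, which still absorbs any extra whitespace, so declarations with more than one space after `<?xml` keep matching. If the upstream commit ships a regression test for this regex, consider carrying it in the same patch so the backport is verified by the package's %check rather than by inspection alone.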
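Review bot: The comment added above `Patch6:` cites the upstream fix only by a 7-character abbreviation, `# refer https://github.com/sparklemotion/nokogiri/commit/e444525`, which is not guaranteed to stay unique as the repository grows. For a security backport the full 40-character commit id (or the CVE advisory URL alongside it) keeps the provenance unambiguous, e.g. `# CVE-2022-24836, backport of upstream commit <FULL_COMMIT_ID>`. The matching `%patch6 -p1` line in the %prep hunk is consistent with the existing Patch3–Patch5 handling.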
@@ -160,6 +163,9 @@ popd
 %{gem_dir}/doc/%{gem_name}-%{mainver}%{?prever}/
 %changelog
+* Sun Apr 24 2022 wangkai - 1.10.5-5
+- Fix CVE-2022-24836
+
 * Thu Dec 9 2021 baizhonggui - 1.10.5-4
 - fix compile failed