Update to addressable 2.8.0.

Resolves: rhbz#1978860
3 years ago · 6e71046ad5
parent 231671376a
commit 6e71046ad5
4 changed files with 9 additions and 78 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,6 +1 @@
-/addressable-2.3.2.gem
-/addressable-2.3.5.gem
-/addressable-2.3.6.gem
-/addressable-2.3.8.gem
-/addressable-2.5.2.gem
-/addressable-2.7.0.gem
+/addressable-*.gem
--- a/rubygem-addressable-2.7.0-CVE-2021-32740.patch
+++ b/rubygem-addressable-2.7.0-CVE-2021-32740.patch
@ -1,57 +0,0 @@
-From b48ff03347a6d46e8dc674e242ce74c6381962a5 Mon Sep 17 00:00:00 2001
-From: Security Curious <security-curious@pm.me>
-Date: Fri, 2 Jul 2021 15:30:02 -0400
-Subject: [PATCH] Prevent ReDOS vuln on URI Template matching
-
-The regular expression used to match a template against a URL is
-vulnerable to a regular expression denial-of-service via catastrophic
-backtracking.
-
-This commit includes a test that demonstrates the failure without
-the fix as well as updates the regexp to remove the vulnerability.
-The vulnerability is removed by updating the grouping to be atomic.
---
- lib/addressable/template.rb       | 2 +-
- spec/addressable/template_spec.rb | 9 +++++++++
- 2 files changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/lib/addressable/template.rb b/lib/addressable/template.rb
-index 2696695..45967ce 100644
--- a/lib/addressable/template.rb
-+++ b/lib/addressable/template.rb
-@@ -37,7 +37,7 @@ class Template
-       Addressable::URI::CharacterClasses::DIGIT + '_'
- 
-     var_char =
-      "(?:(?:[#{variable_char_class}]|%[a-fA-F0-9][a-fA-F0-9])+)"
-+      "(?>(?:[#{variable_char_class}]|%[a-fA-F0-9][a-fA-F0-9])+)"
-     RESERVED =
-       "(?:[#{anything}]|%[a-fA-F0-9][a-fA-F0-9])"
-     UNRESERVED =
-diff --git a/spec/addressable/template_spec.rb b/spec/addressable/template_spec.rb
-index a019165..d47589a 100644
--- a/spec/addressable/template_spec.rb
-+++ b/spec/addressable/template_spec.rb
-@@ -19,6 +19,7 @@
- require "spec_helper"
- 
- require "bigdecimal"
-+require "timeout"
- require "addressable/template"
- 
- shared_examples_for 'expands' do |tests|
-@@ -1340,6 +1341,14 @@ def self.match(name)
-         expect(subject).not_to match("foo_bar*")
-         expect(subject).not_to match("foo_bar:20")
-       end
-+
-+      it 'should parse in a reasonable time' do
-+        expect do
-+          Timeout.timeout(0.1) do
-+            expect(subject).not_to match("0"*25 + "!")
-+          end
-+        end.not_to raise_error
-+      end
-     end
-     context "VARIABLE_LIST" do
-       subject { Addressable::Template::VARIABLE_LIST }
--- a/rubygem-addressable.spec
+++ b/rubygem-addressable.spec
@ -2,15 +2,12 @@
 %global gem_name addressable

 Name: rubygem-%{gem_name}
-Version: 2.7.0
-Release: 5%{?dist}
+Version: 2.8.0
+Release: 1%{?dist}
 Summary: URI Implementation
 License: ASL 2.0
 URL: https://github.com/sporkmonger/addressable
 Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
-# https://github.com/sporkmonger/addressable/commit/b48ff03347a6d46e8dc674e242ce74c6381962a5
-# https://github.com/sporkmonger/addressable/security/advisories/GHSA-jxhc-q857-3j6g
-Patch0:  rubygem-addressable-2.7.0-CVE-2021-32740.patch
 BuildRequires: ruby(release)
 BuildRequires: rubygems-devel
 BuildRequires: rubygem(bigdecimal)
@ -34,14 +31,9 @@ Documentation for %{name}.

 %prep
 %setup -q -n %{gem_name}-%{version}
-%patch -p1

 %build
-# Create the gem as gem install only works on a gem file
 gem build ../%{gem_name}-%{version}.gemspec
-
-# %%gem_install compiles any C extensions and installs the gem into ./%%gem_dir
-# by default, so that we can move it into the buildroot in %%install
 %gem_install

 %install
@ -57,10 +49,6 @@ sed -i "/require 'bundler\/setup'/ s/^/#/" spec/spec_helper.rb
 # We don't care about code coverage.
 sed -i '/^begin$/,/^end$/ s/^/#/' spec/spec_helper.rb

-# rack-mount was deprecated upstream and is not available in Fedora anymore.
-# https://github.com/sporkmonger/addressable/issues/382
-mv spec/addressable/rack_mount_compat_spec.rb{,.disabled}
-
 # Remove tests failing because of missing internet connection.
 mv spec/addressable/net_http_compat_spec.rb{,.disabled}

@ -83,8 +71,13 @@ popd
 %doc %{gem_instdir}/README.md
 %{gem_instdir}/Rakefile
 %{gem_instdir}/spec
+%{gem_instdir}/%{gem_name}.gemspec

 %changelog
+* Sat Sep 18 2021 Pavel Valena <pvalena@redhat.com> - 2.8.0-1
+- Update to addressable 2.8.0.
+  Resolves: rhbz#1978860
+
 * Sun Aug  8 2021 Mamoru TASAKA <mtasaka@fedoraproject.org> - 2.7.0-5
 - Upstream patch for CVE-2021-32740 (bug 1979702)

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (addressable-2.7.0.gem) = 4c438bbfa8874fdcf11eef1d1f7cceb1855ea85948daff13615a0af129d35f92cc918f4bd5bbe4cd6ebccc67a86fc582265f915dc39831ec64209de0bdeeb732
+SHA512 (addressable-2.8.0.gem) = c684f17940f717c2a65f9716ab9b3659948d6d51a60c38a7295fcf6fdc1c5785d2d315d2de7dab9f66a6c31f62247177d78d5d6eb556f5bb49926d4f00f8e4c8