author | 2023-07-21 19:50:47 +0200 | |
---|---|---|
committer | 2023-07-21 19:50:47 +0200 | |
commit | bd224377c5ba4404b0650baaa31b54d7bbf924b7 (patch) | |
tree | f465e27927fb243c93aa39a9eab535f639186c15 /dev-ruby/redcloth | |
parent | dev-ruby/actiontext: add missing test dep on sqlite (diff) | |
dev-ruby/redcloth: fix CVE-2023-31606
Bug: https://bugs.gentoo.org/908035
Signed-off-by: Hans de Graaff <graaff@gentoo.org>
Diffstat (limited to 'dev-ruby/redcloth')
3 files changed, 101 insertions, 0 deletions
diff --git a/dev-ruby/redcloth/files/redcloth-4.3.2-cve-2023-31606-1.patch b/dev-ruby/redcloth/files/redcloth-4.3.2-cve-2023-31606-1.patch
new file mode 100644
index 000000000000..f5de833dafb3
--- /dev/null
+++ b/dev-ruby/redcloth/files/redcloth-4.3.2-cve-2023-31606-1.patch
@@ -0,0 +1,22 @@
+From 8d3b5c730596d254d0bbcfbab52f4158f03397b3 Mon Sep 17 00:00:00 2001
+From: Kornelius Kalnbach <murphy@rubychan.de>
+Date: Wed, 28 Jun 2023 17:24:55 +0200
+Subject: [PATCH] make regex faster with Atomic Grouping
+
+---
+ lib/redcloth/formatters/html.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/redcloth/formatters/html.rb b/lib/redcloth/formatters/html.rb
+index b241c99..aaeae34 100644
+--- a/lib/redcloth/formatters/html.rb
++++ b/lib/redcloth/formatters/html.rb
+@@ -324,7 +324,7 @@ def before_transform(text)
+ # Clean unauthorized tags.
+ def clean_html( text, allowed_tags = BASIC_TAGS )
+ text.gsub!( /<!\[CDATA\[/, '' )
+- text.gsub!( /<(\/*)([A-Za-z]\w*)([^>]*?)(\s?\/?)>/ ) do |m|
++ text.gsub!( /<(\/*)(?>[A-Za-z]\w*)([^>]*?)(\s?\/?)>/ ) do |m|
+ raw = $~
+ tag = raw[2].downcase
+ if allowed_tags.has_key? tag
diff --git a/dev-ruby/redcloth/files/redcloth-4.3.2-cve-2023-31606-2.patch b/dev-ruby/redcloth/files/redcloth-4.3.2-cve-2023-31606-2.patch
new file mode 100644
index 000000000000..fd8de28f0e71
--- /dev/null
+++ b/dev-ruby/redcloth/files/redcloth-4.3.2-cve-2023-31606-2.patch
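Review bot: The added line in the first patch, `text.gsub!( /<(\/*)(?>[A-Za-z]\w*)([^>]*?)(\s?\/?)>/ ) do |m|`, turns the tag-name group into a non-capturing atomic group, so in the unchanged context two lines below `tag = raw[2].downcase` now receives the attribute text matched by `([^>]*?)` rather than the element name, and `allowed_tags.has_key? tag` compares the wrong string. The second patch file (next section, same hunk) restores a capturing group with a possessive quantifier, `([A-Za-z]\w*+)`, so the pair is only correct when applied together, which the ebuild's PATCHES order does. A tree with only -1 applied would still build but change what clean_html keeps or strips (its else branch is outside the hunk), so either squash the two upstream commits into one file under FILESDIR or put a comment above the two PATCHES entries, e.g. `# -2 must follow -1: it restores the capture group -1 removed`. The rest of clean_html, including what happens to disallowed tags, lies outside this hunk.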
@@ -0,0 +1,22 @@
+From 7429f32bdac4fccf9f5ab702afc9c47092a7b3df Mon Sep 17 00:00:00 2001
+From: Kornelius Kalnbach <murphy@rubychan.de>
+Date: Thu, 29 Jun 2023 00:31:50 +0200
+Subject: [PATCH] simplify fix
+
+---
+ lib/redcloth/formatters/html.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/redcloth/formatters/html.rb b/lib/redcloth/formatters/html.rb
+index aaeae34..396c2d0 100644
+--- a/lib/redcloth/formatters/html.rb
++++ b/lib/redcloth/formatters/html.rb
+@@ -324,7 +324,7 @@ def before_transform(text)
+ # Clean unauthorized tags.
+ def clean_html( text, allowed_tags = BASIC_TAGS )
+ text.gsub!( /<!\[CDATA\[/, '' )
+- text.gsub!( /<(\/*)(?>[A-Za-z]\w*)([^>]*?)(\s?\/?)>/ ) do |m|
++ text.gsub!( /<(\/*)([A-Za-z]\w*+)([^>]*?)(\s?\/?)>/ ) do |m|
+ raw = $~
+ tag = raw[2].downcase
+ if allowed_tags.has_key? tag
diff --git a/dev-ruby/redcloth/redcloth-4.3.2-r5.ebuild b/dev-ruby/redcloth/redcloth-4.3.2-r5.ebuild
new file mode 100644
index 000000000000..b43a51c4804f
--- /dev/null
+++ b/dev-ruby/redcloth/redcloth-4.3.2-r5.ebuild
@@ -0,0 +1,57 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+USE_RUBY="ruby30 ruby31 ruby32"
+
+RUBY_FAKEGEM_NAME="RedCloth"
+
+RUBY_FAKEGEM_RECIPE_TEST="rspec3"
+RUBY_FAKEGEM_TASK_DOC=""
+
+RUBY_FAKEGEM_DOCDIR="doc"
+
+RUBY_FAKEGEM_EXTRADOC="README.rdoc CHANGELOG"
+
+RUBY_FAKEGEM_REQUIRE_PATHS="lib/case_sensitive_require"
+
+RUBY_FAKEGEM_GEMSPEC=redcloth.gemspec
+
+RUBY_FAKEGEM_EXTENSIONS=(ext/redcloth_scan/extconf.rb)
+
+inherit ruby-fakegem
+
+DESCRIPTION="A module for using Textile in Ruby"
+HOMEPAGE="https://github.com/jgarber/redcloth"
+SRC_URI="https://github.com/jgarber/redcloth/archive/v${PV}.tar.gz -> ${RUBY_FAKEGEM_NAME}-${PV}.tar.gz"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~loong ~ppc ~ppc64 ~riscv ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE=""
+
+DEPEND+=" =dev-util/ragel-6*"
+
+PATCHES=(
+ "${FILESDIR}/${P}-load-documents.patch"
+ "${FILESDIR}/${P}-cve-2023-31606-1.patch"
+ "${FILESDIR}/${P}-cve-2023-31606-2.patch"
+)
+
+ruby_add_bdepend "
+ >=dev-ruby/rake-0.8.7
+ >=dev-ruby/rake-compiler-0.7.1
+ test? ( >=dev-ruby/diff-lcs-1.1.2 )"
+
+all_ruby_prepare() {
+ sed -i -e '/[Bb]undler/d' Rakefile ${PN}.gemspec || die
+ rm -f tasks/{release,rspec,rvm}.rake || die
+
+ # Fix version
+ sed -i -e '/TINY/ s/1/2/' lib/redcloth/version.rb || die
+}
+
+each_ruby_prepare() {
+ ${RUBY} -S rake ext/redcloth_scan/extconf.rb || die
+} |
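Review bot: `${PN}.gemspec` in all_ruby_prepare is the one expansion in this file left unquoted, unlike the `"${FILESDIR}/${P}-…"` entries a few lines above; `sed -i -e '/[Bb]undler/d' Rakefile "${PN}.gemspec" || die` keeps the quoting consistent and survives a PN with shell-special characters. The `# Fix version` comment above the second sed says what the edit does but not why it is needed; if the v4.3.2 tag still ships TINY=1 in version.rb (I cannot confirm that from here), a comment stating so, e.g. `# The v4.3.2 tag still has TINY = 1; make the gem report the tarball version`, would spare the next bump from rediscovering it. The two new CVE patch entries would likewise benefit from a one-line pointer to the bug number the commit message cites, so the reason for the revision bump is visible in the ebuild itself.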