diff --git a/SPECS/rubygem-thor/CVE-2025-54314.patch b/SPECS/rubygem-thor/CVE-2025-54314.patch
new file mode 100644
index 00000000000..76e307662af
--- /dev/null
+++ b/SPECS/rubygem-thor/CVE-2025-54314.patch
@@ -0,0 +1,64 @@
+From 16edd00fcc29a6f5849a08b38756679b03e443f2 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+
+Date: Wed, 23 Jul 2025 04:26:48 +0000
+Subject: [PATCH] Fix CVE CVE-2025-54314 in rubygem-thor
+
+Upstream Patch Reference: https://github.com/rails/thor/commit/f7418232b167cbb5c8071b7d0491aef82948feff.patch
+---
+ lib/thor/shell/basic.rb | 2 +-
+ spec/actions/create_file_spec.rb | 2 +-
+ spec/shell/basic_spec.rb | 4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/lib/thor/shell/basic.rb b/lib/thor/shell/basic.rb
+index a490de4..887d191 100644
+--- a/lib/thor/shell/basic.rb
++++ b/lib/thor/shell/basic.rb
+@@ -496,7 +496,7 @@ class Thor
+ Tempfile.open([File.basename(destination), File.extname(destination)], File.dirname(destination)) do |temp|
+ temp.write content
+ temp.rewind
+- system %(#{merge_tool} "#{temp.path}" "#{destination}")
++ system(merge_tool, temp.path, destination)
+ end
+ end
+
+diff --git a/spec/actions/create_file_spec.rb b/spec/actions/create_file_spec.rb
+index 1e0c934..2841735 100644
+--- a/spec/actions/create_file_spec.rb
++++ b/spec/actions/create_file_spec.rb
+@@ -134,7 +134,7 @@ describe Thor::Actions::CreateFile do
+ create_file("doc/config.rb")
+ allow(@base.shell).to receive(:merge_tool).and_return("meld")
+ expect(Thor::LineEditor).to receive(:readline).and_return("m")
+- expect(@base.shell).to receive(:system).with(/meld/)
++ expect(@base.shell).to receive(:system).with("meld", /doc\/config\.rb/, /doc\/config\.rb/)
+ invoke!
+ end
+ end
+diff --git a/spec/shell/basic_spec.rb b/spec/shell/basic_spec.rb
+index b51c5e8..573f7a4 100644
+--- a/spec/shell/basic_spec.rb
++++ b/spec/shell/basic_spec.rb
+@@ -502,14 +502,14 @@ TABLE
+ it "invokes the merge tool" do
+ allow(shell).to receive(:merge_tool).and_return("meld")
+ expect(Thor::LineEditor).to receive(:readline).and_return("m")
+- expect(shell).to receive(:system).with(/meld/)
++ expect(shell).to receive(:system).with("meld", /foo/, "foo")
+ capture(:stdout) { shell.file_collision("foo") {} }
+ end
+
+ it "invokes the merge tool that specified at ENV['THOR_MERGE']" do
+ allow(ENV).to receive(:[]).with("THOR_MERGE").and_return("meld")
+ expect(Thor::LineEditor).to receive(:readline).and_return("m")
+- expect(shell).to receive(:system).with(/meld/)
++ expect(shell).to receive(:system).with("meld", /foo/, "foo")
+ capture(:stdout) { shell.file_collision("foo") {} }
+ end
+
+--
+--
+2.45.4
+
diff --git a/SPECS/rubygem-thor/rubygem-thor.spec b/SPECS/rubygem-thor/rubygem-thor.spec
index d814dfc2b46..ceb0b791aeb 100644
--- a/SPECS/rubygem-thor/rubygem-thor.spec
+++ b/SPECS/rubygem-thor/rubygem-thor.spec
@@ -5,13 +5,14 @@ Summary: Thor is a toolkit for building powerful command-line interfaces Name: rubygem-%{gem_name} Version: 1.2.1 -Release: 2%{?dist} +Release: 3%{?dist} Group: Development/Languages License: MIT Vendor: Microsoft Corporation Distribution: Mariner URL: http://whatisthor.com/ Source0: https://github.com/rails/thor/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz +Patch0: CVE-2025-54314.patch BuildRequires: ruby %description
@@ -19,6 +20,7 @@ Thor is a toolkit for building powerful command-line interfaces. %prep %setup -q -n %{gem_name}-%{version} +%patch 0 -p1 %build gem build %{gem_name}
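Review bot: In the lib/thor/shell/basic.rb hunk of the embedded patch, `system(merge_tool, temp.path, destination)` treats the whole `merge_tool` string as one executable name, so a `THOR_MERGE` value that includes arguments would no longer start, and the discarded return value hides that (`system` returns `nil` when the command cannot be executed). Consider `launched = system(merge_tool, temp.path, destination)` followed by `warn "merge tool #{merge_tool.inspect} could not be run" if launched.nil?`, and a comment above the call such as `# argv form: no shell is involved, so merge_tool must be a bare executable name`. The enclosing method begins above the hunk, so how `merge_tool` is resolved is inferred from the spec that stubs `ENV['THOR_MERGE']`.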
@@ -32,6 +34,9 @@ gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}- %{gemdir} %changelog +* Wed Jul 23 2025 Azure Linux Security Servicing Account - 1.2.1-3 +- Patch for CVE-2025-54314 + * Thu Dec 21 2023 Sindhu Karri - 1.2.1-2 - Promote package to Mariner Base repo