From f057cb8e906bb01e9a78dbd1ac61128b6ab96d8c Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Wed, 23 Jul 2025 04:27:09 +0000
Subject: [PATCH 1/2] Patch rubygem-thor for CVE-2025-54314

---
 SPECS/rubygem-thor/CVE-2025-54314.patch | 27 +++++++++++++++++++++++++
 SPECS/rubygem-thor/rubygem-thor.spec | 7 ++++++-
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/rubygem-thor/CVE-2025-54314.patch

diff --git a/SPECS/rubygem-thor/CVE-2025-54314.patch b/SPECS/rubygem-thor/CVE-2025-54314.patch
new file mode 100644
index 00000000000..434f57c69ba
--- /dev/null
+++ b/SPECS/rubygem-thor/CVE-2025-54314.patch
@@ -0,0 +1,27 @@
+From 16edd00fcc29a6f5849a08b38756679b03e443f2 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+
+Date: Wed, 23 Jul 2025 04:26:48 +0000
+Subject: [PATCH] Fix CVE CVE-2025-54314 in rubygem-thor
+
+Upstream Patch Reference: https://github.com/rails/thor/commit/f7418232b167cbb5c8071b7d0491aef82948feff.patch
+---
+ lib/thor/shell/basic.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/thor/shell/basic.rb b/lib/thor/shell/basic.rb
+index a490de4..887d191 100644
+--- a/lib/thor/shell/basic.rb
++++ b/lib/thor/shell/basic.rb
+@@ -496,7 +496,7 @@ class Thor
+ Tempfile.open([File.basename(destination), File.extname(destination)], File.dirname(destination)) do |temp|
+ temp.write content
+ temp.rewind
+- system %(#{merge_tool} "#{temp.path}" "#{destination}")
++ system(merge_tool, temp.path, destination)
+ end
+ end
+
+--
+2.45.4
+
diff --git a/SPECS/rubygem-thor/rubygem-thor.spec b/SPECS/rubygem-thor/rubygem-thor.spec
index d814dfc2b46..ceb0b791aeb 100644
--- a/SPECS/rubygem-thor/rubygem-thor.spec
+++ b/SPECS/rubygem-thor/rubygem-thor.spec
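Review bot: The new line `system(merge_tool, temp.path, destination)` uses the multi-argument form of `system`, so the temp path and destination are no longer passed through a shell, but the first argument is then resolved as a single executable name: a `THOR_MERGE` value that carries its own flags (the spec test in patch 2 shows `merge_tool` being read from that variable) will fail to launch instead of running. That is the correct trade-off for the CVE, but it is a user-visible behaviour change and the changelog entry in the rubygem-thor.spec hunk only says `- Patch for CVE-2025-54314`; a second bullet such as `- Merge tool from THOR_MERGE must now be a bare executable name; its arguments are no longer shell-parsed` would pre-empt the bug report. The method enclosing the nested basic.rb hunk starts before and ends after the lines shown.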
@@ -5,13 +5,14 @@ Summary: Thor is a toolkit for building powerful command-line interfaces
 Name: rubygem-%{gem_name}
 Version: 1.2.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 Group: Development/Languages
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Mariner
 URL: http://whatisthor.com/
 Source0: https://github.com/rails/thor/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz
+Patch0: CVE-2025-54314.patch
 BuildRequires: ruby
 
 %description
 
@@ -19,6 +20,7 @@ Thor is a toolkit for building powerful command-line interfaces.
 
 %prep
 %setup -q -n %{gem_name}-%{version}
+%patch 0 -p1
 
 %build
 gem build %{gem_name}
@@ -32,6 +34,9 @@ gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}-
 %{gemdir}
 
 %changelog
+* Wed Jul 23 2025 Azure Linux Security Servicing Account - 1.2.1-3
+- Patch for CVE-2025-54314
+
 * Thu Dec 21 2023 Sindhu Karri - 1.2.1-2
 - Promote package to Mariner Base repo
 
From 034ae0eb70d5f5ac8041f9c0ad3184ee8cafeafd Mon Sep 17 00:00:00 2001
From: archana25-ms
Date: Wed, 23 Jul 2025 08:36:01 +0000
Subject: [PATCH 2/2] Add changes to create_file_spec.rb & basic_spec.rb in CVE-2025-54314

---
 SPECS/rubygem-thor/CVE-2025-54314.patch | 39 ++++++++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)

diff --git a/SPECS/rubygem-thor/CVE-2025-54314.patch b/SPECS/rubygem-thor/CVE-2025-54314.patch
index 434f57c69ba..76e307662af 100644
--- a/SPECS/rubygem-thor/CVE-2025-54314.patch
+++ b/SPECS/rubygem-thor/CVE-2025-54314.patch
@@ -7,7 +7,9 @@ Subject: [PATCH] Fix CVE CVE-2025-54314 in rubygem-thor
 Upstream Patch Reference: https://github.com/rails/thor/commit/f7418232b167cbb5c8071b7d0491aef82948feff.patch
 ---
  lib/thor/shell/basic.rb | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+ spec/actions/create_file_spec.rb | 2 +-
+ spec/shell/basic_spec.rb | 4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
 
 diff --git a/lib/thor/shell/basic.rb b/lib/thor/shell/basic.rb
 index a490de4..887d191 100644
@@ -22,6 +24,41 @@ index a490de4..887d191 100644
 end
 end
 
+diff --git a/spec/actions/create_file_spec.rb b/spec/actions/create_file_spec.rb
+index 1e0c934..2841735 100644
+--- a/spec/actions/create_file_spec.rb
++++ b/spec/actions/create_file_spec.rb
+@@ -134,7 +134,7 @@ describe Thor::Actions::CreateFile do
+ create_file("doc/config.rb")
+ allow(@base.shell).to receive(:merge_tool).and_return("meld")
+ expect(Thor::LineEditor).to receive(:readline).and_return("m")
+- expect(@base.shell).to receive(:system).with(/meld/)
++ expect(@base.shell).to receive(:system).with("meld", /doc\/config\.rb/, /doc\/config\.rb/)
+ invoke!
+ end
+ end
+diff --git a/spec/shell/basic_spec.rb b/spec/shell/basic_spec.rb
+index b51c5e8..573f7a4 100644
+--- a/spec/shell/basic_spec.rb
++++ b/spec/shell/basic_spec.rb
+@@ -502,14 +502,14 @@ TABLE
+ it "invokes the merge tool" do
+ allow(shell).to receive(:merge_tool).and_return("meld")
+ expect(Thor::LineEditor).to receive(:readline).and_return("m")
+- expect(shell).to receive(:system).with(/meld/)
++ expect(shell).to receive(:system).with("meld", /foo/, "foo")
+ capture(:stdout) { shell.file_collision("foo") {} }
+ end
+
+ it "invokes the merge tool that specified at ENV['THOR_MERGE']" do
+ allow(ENV).to receive(:[]).with("THOR_MERGE").and_return("meld")
+ expect(Thor::LineEditor).to receive(:readline).and_return("m")
+- expect(shell).to receive(:system).with(/meld/)
++ expect(shell).to receive(:system).with("meld", /foo/, "foo")
+ capture(:stdout) { shell.file_collision("foo") {} }
+ end
+
+--
 --
 2.45.4
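Review bot: The last added line of this hunk is a second `-- ` signature line inserted directly before the existing `-- ` / `2.45.4` trailer (the hunk header's 41 new lines and the outer diffstat's 38 insertions both require it), so the rewritten CVE-2025-54314.patch ends with two signature lines; `patch` and `git apply` ignore text after the final hunk, but it is an editing slip and the stray `+-- ` line should be dropped. Separately, the updated expectations `with("meld", /foo/, "foo")` and `with("meld", /doc\/config\.rb/, /doc\/config\.rb/)` only pin the argument-vector call shape; a regression case for the actual defect, a destination containing a shell metacharacter that must reach `system` as one literal argument, e.g. `expect(shell).to receive(:system).with("meld", /foo/, "foo;bar")` driven by `capture(:stdout) { shell.file_collision("foo;bar") {} }`, would stop the fix from silently regressing to the interpolated form. The `describe` and `it` blocks enclosing the nested spec hunks start outside them.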