[AutoPR- Security] Patch rubygem-thor for CVE-2025-54314 [LOW] (#14369)

Co-authored-by: archana25-ms <[email protected]>

Author: azurelinux-security

SPECS/rubygem-thor/CVE-2025-54314.patch

@@ -0,0 +1,64 @@
+From 16edd00fcc29a6f5849a08b38756679b03e443f2 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <[email protected]>
+Date: Wed, 23 Jul 2025 04:26:48 +0000
+Subject: [PATCH] Fix CVE CVE-2025-54314 in rubygem-thor
+
+Upstream Patch Reference: https://github.com/rails/thor/commit/f7418232b167cbb5c8071b7d0491aef82948feff.patch
+---
+ lib/thor/shell/basic.rb | 2 +-
+ spec/actions/create_file_spec.rb | 2 +-
+ spec/shell/basic_spec.rb         | 4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/lib/thor/shell/basic.rb b/lib/thor/shell/basic.rb
+index a490de4..887d191 100644
+--- a/lib/thor/shell/basic.rb
++++ b/lib/thor/shell/basic.rb
+@@ -496,7 +496,7 @@ class Thor
+         Tempfile.open([File.basename(destination), File.extname(destination)], File.dirname(destination)) do |temp|
+           temp.write content
+           temp.rewind
+-          system %(#{merge_tool} "#{temp.path}" "#{destination}")
++          system(merge_tool, temp.path, destination)
+         end
+       end
+ 
+diff --git a/spec/actions/create_file_spec.rb b/spec/actions/create_file_spec.rb
+index 1e0c934..2841735 100644
+--- a/spec/actions/create_file_spec.rb
++++ b/spec/actions/create_file_spec.rb
+@@ -134,7 +134,7 @@ describe Thor::Actions::CreateFile do
+           create_file("doc/config.rb")
+           allow(@base.shell).to receive(:merge_tool).and_return("meld")
+           expect(Thor::LineEditor).to receive(:readline).and_return("m")
+-          expect(@base.shell).to receive(:system).with(/meld/)
++	  expect(@base.shell).to receive(:system).with("meld", /doc\/config\.rb/, /doc\/config\.rb/)
+           invoke!
+         end
+       end
+diff --git a/spec/shell/basic_spec.rb b/spec/shell/basic_spec.rb
+index b51c5e8..573f7a4 100644
+--- a/spec/shell/basic_spec.rb
++++ b/spec/shell/basic_spec.rb
+@@ -502,14 +502,14 @@ TABLE
+       it "invokes the merge tool" do
+         allow(shell).to receive(:merge_tool).and_return("meld")
+         expect(Thor::LineEditor).to receive(:readline).and_return("m")
+-        expect(shell).to receive(:system).with(/meld/)
++        expect(shell).to receive(:system).with("meld", /foo/, "foo")
+         capture(:stdout) { shell.file_collision("foo") {} }
+       end
+ 
+       it "invokes the merge tool that specified at ENV['THOR_MERGE']" do
+         allow(ENV).to receive(:[]).with("THOR_MERGE").and_return("meld")
+         expect(Thor::LineEditor).to receive(:readline).and_return("m")
+-        expect(shell).to receive(:system).with(/meld/)
++        expect(shell).to receive(:system).with("meld", /foo/, "foo")
+         capture(:stdout) { shell.file_collision("foo") {} }
+       end
+ 
+-- 
+-- 
+2.45.4
+

SPECS/rubygem-thor/rubygem-thor.spec

@@ -5,20 +5,22 @@
 Summary:        Thor is a toolkit for building powerful command-line interfaces
 Name:           rubygem-%{gem_name}
 Version:        1.2.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 Group:          Development/Languages
 License:        MIT
 Vendor:		    Microsoft Corporation
 Distribution:	Mariner
 URL:            http://whatisthor.com/
 Source0:        https://github.com/rails/thor/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz
+Patch0:         CVE-2025-54314.patch
 BuildRequires:  ruby
 
 %description
 Thor is a toolkit for building powerful command-line interfaces.
 
 %prep
 %setup -q -n %{gem_name}-%{version}
+%patch 0 -p1
 
 %build
 gem build %{gem_name}
@@ -32,6 +34,9 @@ gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}-
 %{gemdir}
 
 %changelog
+* Wed Jul 23 2025 Azure Linux Security Servicing Account <[email protected]> - 1.2.1-3
+- Patch for CVE-2025-54314
+
 * Thu Dec 21 2023 Sindhu Karri <[email protected]> - 1.2.1-2
 - Promote package to Mariner Base repo