packages/rubygem-actionmailer
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2024-47889

Browse Source 
(cherry picked from commit 7c1fa60bfff86dd8054f38cb35ac4a2b94fef4d4)
This commit is contained in:
starlet-dx 2024-10-17 17:35:04 +08:00 committed by openeuler-sync-bot
parent 684bdae886
commit a8fe0578d7
3 changed files with 74 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
backport-CVE-2024-47889-test.patch Normal file
View File

@ -0,0 +1,21 @@
diff --git a/actionmailer/test/mail_helper_test.rb b/actionmailer/test/mail_helper_test.rb
index a8ab19a95c0e3..e49eabdce8275 100644
--- a/actionmailer/test/mail_helper_test.rb
+++ b/actionmailer/test/mail_helper_test.rb
@@ -121,4 +121,16 @@ def test_use_cache
assert_equal "Greetings from a cache helper block", mail.body.encoded
end
end
+
+ def helper
+ Object.new.extend(ActionMailer::MailHelper)
+ end
+
+ def test_block_format
+ assert_equal " * foo\n", helper.block_format(" * foo")
+ assert_equal " * foo\n", helper.block_format(" * foo")
+ assert_equal " * foo\n", helper.block_format("* foo")
+ assert_equal " * foo\n*bar", helper.block_format("* foo*bar")
+ assert_equal " * foo\n * bar\n", helper.block_format("* foo * bar")
+ end
end

39
backport-CVE-2024-47889.patch Normal file
View File

@ -0,0 +1,39 @@
From 985f1923fa62806ff676e41de67c3b4552131ab9 Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Fri, 11 Oct 2024 00:34:14 -0700
Subject: [PATCH] Avoid backtracking in ActionMailer block_format
[CVE-2024-47889]
Thanks to yuki_osaki and scyoon for reporting this vulnerability
---
actionmailer/lib/action_mailer/mail_helper.rb | 14 +++++++++++---
actionmailer/test/mail_helper_test.rb | 12 ++++++++++++
2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/actionmailer/lib/action_mailer/mail_helper.rb b/actionmailer/lib/action_mailer/mail_helper.rb
index e7bed41f8d294..f527d5a59ebf5 100644
--- a/actionmailer/lib/action_mailer/mail_helper.rb
+++ b/actionmailer/lib/action_mailer/mail_helper.rb
@@ -23,10 +23,18 @@ def block_format(text)
}.join("\n\n")
# Make list points stand on their own line
- formatted.gsub!(/[ ]*([*]+) ([^*]*)/) { " #{$1} #{$2.strip}\n" }
- formatted.gsub!(/[ ]*([#]+) ([^#]*)/) { " #{$1} #{$2.strip}\n" }
+ output = +""
+ splits = formatted.split(/(\*+|\#+)/)
+ while line = splits.shift
+ if line.start_with?("*", "#") && splits[0].start_with?(" ")
+ output.chomp!(" ") while output.end_with?(" ")
+ output << " #{line} #{splits.shift.strip}\n"
+ else
+ output << line
+ end
+ end
- formatted
+ output
end
# Access the mailer instance.

18
rubygem-actionmailer.spec
View File

@ -3,13 +3,15 @@
Name: rubygem-%{gem_name}
Epoch: 1
Version: 6.1.4.1
Release: 1
Release: 2
Summary: Email composition and delivery framework (part of Rails)
License: MIT
URL: https://rubyonrails.org
Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
Source1: actionmailer-%{version}-tests.txz
Source2: rails-%{version}-tools.txz
Patch3000: backport-CVE-2024-47889.patch
Patch3001: backport-CVE-2024-47889-test.patch
BuildRequires: ruby(release)
BuildRequires: rubygems-devel
@ -34,6 +36,11 @@ Documentation for %{name}.
%prep
%setup -q -n %{gem_name}-%{version}%{?prerelease} -b1 -b2
%patch3000 -p2
pushd %{_builddir}
%patch3001 -p2
popd
%build
gem build ../%{gem_name}-%{version}%{?prerelease}.gemspec
@ -65,11 +72,14 @@ popd
%doc %{gem_instdir}/README.rdoc
%changelog
* Wed May 04 2022 wangkerong <wangkerong@h-partners.com> - 6.1.4.1-1
* Thu Oct 17 2024 yaoxin <yao_xin001@hoperun.com> - 1:6.1.4.1-2
- Fix CVE-2024-47889
* Wed May 04 2022 wangkerong <wangkerong@h-partners.com> - 1:6.1.4.1-1
- Upgrade to 6.1.4.1
* Mon Feb 8 2021 sunguoshuai <sunguoshuai@huawei.com> - 5.2.4.4-1
* Mon Feb 8 2021 sunguoshuai <sunguoshuai@huawei.com> - 1:5.2.4.4-1
- Upgrade to 5.2.4.4
* Sat Aug 8 2020 chengzihan <chengzihan2@huawei.com> - 5.2.3-1
* Sat Aug 8 2020 chengzihan <chengzihan2@huawei.com> - 1:5.2.3-1
- Package init