!47 [sync] PR-46: Fix CVE-2023-28120

From: @openeuler-sync-bot Reviewed-by: @jxy_git Signed-off-by: @jxy_git
2024-06-26 08:43:00 +00:00 · 2024-06-26 08:43:00 +00:00 · 78763003cb
commit 78763003cb
parent 082c365b83 4a3c99b6d1
3 changed files with 85 additions and 1 deletions
--- a/CVE-2023-28120-test.patch
+++ b/CVE-2023-28120-test.patch
@ -0,0 +1,51 @@
+From 3cf23c3f891e2e81c977ea4ab83b62bc2a444b70 Mon Sep 17 00:00:00 2001
+From: Akira Matsuda <ronnie@dio.jp>
+Date: Thu, 5 Jan 2023 05:25:37 +0900
+Subject: [PATCH] Implement SafeBuffer#bytesplice
+
+---
+ .../core_ext/string/output_safety.rb          |  4 +++
+ .../test/core_ext/string_ext_test.rb          | 30 +++++++++++++++++++
+ 2 files changed, 34 insertions(+)
+
+diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb
+index a51f2f64cbe27..c436821c94a0b 100644
+--- a/activesupport/test/core_ext/string_ext_test.rb
+++ b/activesupport/test/core_ext/string_ext_test.rb
+@@ -987,6 +987,36 @@ def to_s
+     assert_predicate string, :html_safe?
+   end
+ 
+  if "".respond_to?(:bytesplice)
+    test "Bytesplicing safe into safe yields safe" do
+      string = "hello".html_safe
+      string.bytesplice(0, 0, "<b>".html_safe)
+
+      assert_equal "<b>hello", string
+      assert_predicate string, :html_safe?
+
+      string = "hello".html_safe
+      string.bytesplice(0..1, "<b>".html_safe)
+
+      assert_equal "<b>llo", string
+      assert_predicate string, :html_safe?
+    end
+
+    test "Bytesplicing unsafe into safe yields escaped safe" do
+      string = "hello".html_safe
+      string.bytesplice(1, 0, "<b>")
+
+      assert_equal "h&lt;b&gt;ello", string
+      assert_predicate string, :html_safe?
+
+      string = "hello".html_safe
+      string.bytesplice(1..2, "<b>")
+
+      assert_equal "h&lt;b&gt;lo", string
+      assert_predicate string, :html_safe?
+    end
+  end
+
+   test "emits normal string yaml" do
+     assert_equal "foo".to_yaml, "foo".html_safe.to_yaml(foo: 1)
+   end
--- a/CVE-2023-28120.patch
+++ b/CVE-2023-28120.patch
@ -0,0 +1,25 @@
+From 3cf23c3f891e2e81c977ea4ab83b62bc2a444b70 Mon Sep 17 00:00:00 2001
+From: Akira Matsuda <ronnie@dio.jp>
+Date: Thu, 5 Jan 2023 05:25:37 +0900
+Subject: [PATCH] Implement SafeBuffer#bytesplice
+
+---
+ .../core_ext/string/output_safety.rb          |  4 +++
+ .../test/core_ext/string_ext_test.rb          | 30 +++++++++++++++++++
+ 2 files changed, 34 insertions(+)
+
+diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
+index 8a06ccdd8e385..a627540a353db 100644
+--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
+@@ -216,6 +216,10 @@ def concat(value)
+     end
+     alias << concat
+ 
+    def bytesplice(*args, value)
+      super(*args, implicit_html_escape_interpolated_argument(value))
+    end
+
+     def insert(index, value)
+       super(index, html_escape_interpolated_argument(value))
+     end
--- a/rubygem-activesupport.spec
+++ b/rubygem-activesupport.spec
@ -2,7 +2,7 @@
 Name:                rubygem-%{gem_name}
 Epoch:               1
 Version:             6.1.4.1
-Release:             7
+Release:             8
 Summary:             A support libraries and Ruby core extensions extracted from the Rails framework
 License:             MIT
 URL:                 http://rubyonrails.org
@ -16,6 +16,9 @@ Patch3:              CVE-2023-38037-test.patch
 # https://github.com/rails/rails/commit/d1267768e9f57ebcf86ff7f011aca7fb08e733eb
 # https://github.com/rails/rails/commit/07d9600172a18b45791c89e95a642e13fc367545
 Patch3000:           CVE-2022-23633.patch
+# https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70
+Patch3001:           CVE-2023-28120.patch
+Patch3002:           CVE-2023-28120-test.patch
 Requires:            rubygem(bigdecimal) rubygem(json)
 BuildRequires:       ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder)
 BuildRequires:       rubygem(concurrent-ruby) rubygem(connection_pool) rubygem(dalli)
@ -39,10 +42,12 @@ Documentation for %{name}.
 pushd %{_builddir}/test
 %patch0 -p1
 %patch3 -p3
+%patch3002 -p3
 popd
 %patch1 -p2
 %patch2 -p2
 %patch3000 -p1
+%patch3001 -p2

 %build
 gem build ../%{gem_name}-%{version}.gemspec
@ -90,6 +95,9 @@ popd
 %doc %{gem_instdir}/README.rdoc

 %changelog
+* Wed Jun 26 2024 wangkai <13474090681@163.com> - 1:6.1.4.1-8
+- Fix CVE-2023-28120
+
 * Tue Jun 25 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:6.1.4.1-7
 - Type:CVES
 - ID:CVE-2022-23633