packages/rubygem-activesupport
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:78763003cb69117f99dda23344ec8db412dfa04f
Branches Tags
packages:main
..
compare: packages:ca3c471ce45d19ffad2803eddda3d80dfd640084
Branches Tags
packages:main

No commits in common. "78763003cb69117f99dda23344ec8db412dfa04f" and "ca3c471ce45d19ffad2803eddda3d80dfd640084" have entirely different histories.
78763003cb ... ca3c471ce4

7 changed files with 2 additions and 321 deletions
Show Stats Expand all files Collapse all files

79
CVE-2022-23633.patch
View File

@ -1,79 +0,0 @@
From d1267768e9f57ebcf86ff7f011aca7fb08e733eb Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron@rubyonrails.org>
Date: Fri, 11 Feb 2022 11:23:01 -0800
Subject: [PATCH] Fix reloader to work with new Executor signature
This is a follow up to [CVE-2022-23633].
---
lib/active_support/reloader.rb | 2 +-
lib/active_support/execution_wrapper.rb | 29 ++++++++++---------
2 file changed, 11 insertion(+), 10 deletion(-)
diff --git a/lib/active_support/reloader.rb b/lib/active_support/reloader.rb
index 2f81cd4..e751866 100644
--- a/lib/active_support/reloader.rb
+++ b/lib/active_support/reloader.rb
@@ -58,7 +58,7 @@ module ActiveSupport
prepare!
end
- def self.run! # :nodoc:
+ def self.run!(reset: false) # :nodoc:
if check!
super
else
diff --git a/lib/active_support/execution_wrapper.rb b/lib/active_support/execution_wrapper.rb
index ca810db584..07c4f435db 100644
--- a/lib/active_support/execution_wrapper.rb
+++ b/lib/active_support/execution_wrapper.rb
@@ -63,18 +63,21 @@ def self.register_hook(hook, outer: false)
# after the work has been performed.
#
# Where possible, prefer +wrap+.
- def self.run!
- if active?
- Null
+ def self.run!(reset: false)
+ if reset
+ lost_instance = active.delete(Thread.current)
+ lost_instance&.complete!
else
- new.tap do |instance|
- success = nil
- begin
- instance.run!
- success = true
- ensure
- instance.complete! unless success
- end
+ return Null if active?
+ end
+
+ new.tap do |instance|
+ success = nil
+ begin
+ instance.run!
+ success = true
+ ensure
+ instance.complete! unless success
end
end
end
@@ -103,11 +106,11 @@ def self.inherited(other) # :nodoc:
self.active = Concurrent::Hash.new
def self.active? # :nodoc:
- @active[Thread.current]
+ @active.key?(Thread.current)
end
def run! # :nodoc:
- self.class.active[Thread.current] = true
+ self.class.active[Thread.current] = self
run_callbacks(:run)
end
--
2.43.0

27
CVE-2023-22796.patch
View File

@ -1,27 +0,0 @@
From a7cda7e6aa5334ab41b1f4b0f671be931be946ef Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Wed, 11 Jan 2023 10:14:55 -0800
Subject: [PATCH] Avoid regex backtracking in Inflector.underscore
[CVE-2023-22796]
---
activesupport/lib/active_support/inflector/methods.rb | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/activesupport-6.1.4.1/lib/active_support/inflector/methods.rb b/activesupport-6.1.4.1/lib/active_support/inflector/methods.rb
index ad136532bf..acb86fe1a4 100644
--- a/activesupport-6.1.4.1/lib/active_support/inflector/methods.rb
+++ b/activesupport-6.1.4.1/lib/active_support/inflector/methods.rb
@@ -93,8 +93,7 @@ def underscore(camel_cased_word)
return camel_cased_word unless /[A-Z-]|::/.match?(camel_cased_word)
word = camel_cased_word.to_s.gsub("::", "/")
word.gsub!(inflections.acronyms_underscore_regex) { "#{$1 && '_' }#{$2.downcase}" }
- word.gsub!(/([A-Z\d]+)([A-Z][a-z])/, '\1_\2')
- word.gsub!(/([a-z\d])([A-Z])/, '\1_\2')
+ word.gsub!(/([A-Z])(?=[A-Z][a-z])|([a-z\d])(?=[A-Z])/) { ($1 || $2) << "_" }
word.tr!("-", "_")
word.downcase!
word
--
2.35.1

51
CVE-2023-28120-test.patch
View File

@ -1,51 +0,0 @@
From 3cf23c3f891e2e81c977ea4ab83b62bc2a444b70 Mon Sep 17 00:00:00 2001
From: Akira Matsuda <ronnie@dio.jp>
Date: Thu, 5 Jan 2023 05:25:37 +0900
Subject: [PATCH] Implement SafeBuffer#bytesplice
---
.../core_ext/string/output_safety.rb | 4 +++
.../test/core_ext/string_ext_test.rb | 30 +++++++++++++++++++
2 files changed, 34 insertions(+)
diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb
index a51f2f64cbe27..c436821c94a0b 100644
--- a/activesupport/test/core_ext/string_ext_test.rb
+++ b/activesupport/test/core_ext/string_ext_test.rb
@@ -987,6 +987,36 @@ def to_s
assert_predicate string, :html_safe?
end
+ if "".respond_to?(:bytesplice)
+ test "Bytesplicing safe into safe yields safe" do
+ string = "hello".html_safe
+ string.bytesplice(0, 0, "<b>".html_safe)
+
+ assert_equal "<b>hello", string
+ assert_predicate string, :html_safe?
+
+ string = "hello".html_safe
+ string.bytesplice(0..1, "<b>".html_safe)
+
+ assert_equal "<b>llo", string
+ assert_predicate string, :html_safe?
+ end
+
+ test "Bytesplicing unsafe into safe yields escaped safe" do
+ string = "hello".html_safe
+ string.bytesplice(1, 0, "<b>")
+
+ assert_equal "h&lt;b&gt;ello", string
+ assert_predicate string, :html_safe?
+
+ string = "hello".html_safe
+ string.bytesplice(1..2, "<b>")
+
+ assert_equal "h&lt;b&gt;lo", string
+ assert_predicate string, :html_safe?
+ end
+ end
+
test "emits normal string yaml" do
assert_equal "foo".to_yaml, "foo".html_safe.to_yaml(foo: 1)
end

25
CVE-2023-28120.patch
View File

@ -1,25 +0,0 @@
From 3cf23c3f891e2e81c977ea4ab83b62bc2a444b70 Mon Sep 17 00:00:00 2001
From: Akira Matsuda <ronnie@dio.jp>
Date: Thu, 5 Jan 2023 05:25:37 +0900
Subject: [PATCH] Implement SafeBuffer#bytesplice
---
.../core_ext/string/output_safety.rb | 4 +++
.../test/core_ext/string_ext_test.rb | 30 +++++++++++++++++++
2 files changed, 34 insertions(+)
diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
index 8a06ccdd8e385..a627540a353db 100644
--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -216,6 +216,10 @@ def concat(value)
end
alias << concat
+ def bytesplice(*args, value)
+ super(*args, implicit_html_escape_interpolated_argument(value))
+ end
+
def insert(index, value)
super(index, html_escape_interpolated_argument(value))
end

39
CVE-2023-38037-test.patch
View File

@ -1,39 +0,0 @@
From c85cc667ebfd3c270df37c7575d580ea6462e12f Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron@rubyonrails.org>
Date: Tue, 22 Aug 2023 09:58:43 -0700
Subject: [PATCH] Use a temporary file for storing unencrypted files while
editing
Origin: https://github.com/rails/rails/commit/c85cc667ebfd3c270df37c7575d580ea6462e12f
When we're editing the contents of encrypted files, we should use the
`Tempfile` class because it creates temporary files with restrictive
permissions. This prevents other users on the same system from reading
the contents of those files while the user is editing them.
[CVE-2023-38037]
---
.../lib/active_support/encrypted_file.rb | 17 ++++++++---------
activesupport/test/encrypted_file_test.rb | 8 ++++++++
railties/lib/rails/secrets.rb | 18 ++++++++++--------
3 files changed, 26 insertions(+), 17 deletions(-)
diff --git a/activesupport/test/encrypted_file_test.rb b/activesupport/test/encrypted_file_test.rb
index 0050685065a9e..49f7437764fe8 100644
--- a/activesupport/test/encrypted_file_test.rb
+++ b/activesupport/test/encrypted_file_test.rb
@@ -49,6 +49,14 @@ class EncryptedFileTest < ActiveSupport::TestCase
assert_equal "#{@content} and went by the lake", @encrypted_file.read
end
+ test "change sets restricted permissions" do
+ @encrypted_file.write(@content)
+ @encrypted_file.change do |file|
+ assert_predicate file, :owned?
+ assert_equal "100600", file.stat.mode.to_s(8), "Incorrect mode for #{file}"
+ end
+ end
+
test "raise MissingKeyError when key is missing" do
assert_raise ActiveSupport::EncryptedFile::MissingKeyError do
encrypted_file(@content_path, key_path: "", env_key: "").read

58
CVE-2023-38037.patch
View File

@ -1,58 +0,0 @@
From c85cc667ebfd3c270df37c7575d580ea6462e12f Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron@rubyonrails.org>
Date: Tue, 22 Aug 2023 09:58:43 -0700
Subject: [PATCH] Use a temporary file for storing unencrypted files while
editing
Origin: https://github.com/rails/rails/commit/c85cc667ebfd3c270df37c7575d580ea6462e12f
When we're editing the contents of encrypted files, we should use the
`Tempfile` class because it creates temporary files with restrictive
permissions. This prevents other users on the same system from reading
the contents of those files while the user is editing them.
[CVE-2023-38037]
---
.../lib/active_support/encrypted_file.rb | 17 ++++++++---------
activesupport/test/encrypted_file_test.rb | 8 ++++++++
railties/lib/rails/secrets.rb | 18 ++++++++++--------
3 files changed, 26 insertions(+), 17 deletions(-)
diff --git a/activesupport/lib/active_support/encrypted_file.rb b/activesupport/lib/active_support/encrypted_file.rb
index a35cc54ef5c52..dc28aa9a15fa9 100644
--- a/activesupport/lib/active_support/encrypted_file.rb
+++ b/activesupport/lib/active_support/encrypted_file.rb
@@ -1,7 +1,7 @@
# frozen_string_literal: true
require "pathname"
-require "tmpdir"
+require "tempfile"
require "active_support/message_encryptor"
module ActiveSupport
@@ -69,17 +69,16 @@ def change(&block)
private
def writing(contents)
- tmp_file = "#{Process.pid}.#{content_path.basename.to_s.chomp('.enc')}"
- tmp_path = Pathname.new File.join(Dir.tmpdir, tmp_file)
- tmp_path.binwrite contents
+ Tempfile.create(["", "-" + content_path.basename.to_s.chomp(".enc")]) do |tmp_file|
+ tmp_path = Pathname.new(tmp_file)
+ tmp_path.binwrite contents
- yield tmp_path
+ yield tmp_path
- updated_contents = tmp_path.binread
+ updated_contents = tmp_path.binread
- write(updated_contents) if updated_contents != contents
- ensure
- FileUtils.rm(tmp_path) if tmp_path&.exist?
+ write(updated_contents) if updated_contents != contents
+ end
end

42
rubygem-activesupport.spec
View File

@ -2,7 +2,7 @@
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Epoch: 1 Epoch: 1
Version: 6.1.4.1 Version: 6.1.4.1
Release: 8 Release: 2
Summary: A support libraries and Ruby core extensions extracted from the Rails framework Summary: A support libraries and Ruby core extensions extracted from the Rails framework
License: MIT License: MIT
URL: http://rubyonrails.org URL: http://rubyonrails.org
@ -10,15 +10,6 @@ Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
Source1: %{gem_name}-%{version}-tests.txz Source1: %{gem_name}-%{version}-tests.txz
Source2: rails-%{version}-tools.txz Source2: rails-%{version}-tools.txz
Patch0: Add-support-dalli-3.2.2.patch Patch0: Add-support-dalli-3.2.2.patch
Patch1: CVE-2023-22796.patch
Patch2: CVE-2023-38037.patch
Patch3: CVE-2023-38037-test.patch
# https://github.com/rails/rails/commit/d1267768e9f57ebcf86ff7f011aca7fb08e733eb
# https://github.com/rails/rails/commit/07d9600172a18b45791c89e95a642e13fc367545
Patch3000: CVE-2022-23633.patch
# https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70
Patch3001: CVE-2023-28120.patch
Patch3002: CVE-2023-28120-test.patch
Requires: rubygem(bigdecimal) rubygem(json) Requires: rubygem(bigdecimal) rubygem(json)
BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder) BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder)
BuildRequires: rubygem(concurrent-ruby) rubygem(connection_pool) rubygem(dalli) BuildRequires: rubygem(concurrent-ruby) rubygem(connection_pool) rubygem(dalli)
@ -41,13 +32,7 @@ Documentation for %{name}.
%setup -q -n %{gem_name}-%{version} -b1 -b2 %setup -q -n %{gem_name}-%{version} -b1 -b2
pushd %{_builddir}/test pushd %{_builddir}/test
%patch0 -p1 %patch0 -p1
%patch3 -p3
%patch3002 -p3
popd popd
%patch1 -p2
%patch2 -p2
%patch3000 -p1
%patch3001 -p2
%build %build
gem build ../%{gem_name}-%{version}.gemspec gem build ../%{gem_name}-%{version}.gemspec
@ -71,11 +56,7 @@ done
sed -i '/def test_iso8601_output_and_reparsing$/,/^ end$/ s/^/#/' test/core_ext/duration_test.rb sed -i '/def test_iso8601_output_and_reparsing$/,/^ end$/ s/^/#/' test/core_ext/duration_test.rb
sed -i '/assert_nil mapped\[:b\]/ s/^/#/' test/core_ext/hash/transform_values_test.rb sed -i '/assert_nil mapped\[:b\]/ s/^/#/' test/core_ext/hash/transform_values_test.rb
sed -i '/require .bundler./ s/^/#/' test/abstract_unit.rb sed -i '/require .bundler./ s/^/#/' test/abstract_unit.rb
if [ `whoami` = "root" ]; then
memcached -u root &
else
memcached & memcached &
fi
mPID=$! mPID=$!
sleep 1 sleep 1
ruby -Ilib:test -e 'Dir.glob "./test/**/*_test.rb", &method(:require)' ruby -Ilib:test -e 'Dir.glob "./test/**/*_test.rb", &method(:require)'
@ -95,27 +76,6 @@ popd
%doc %{gem_instdir}/README.rdoc %doc %{gem_instdir}/README.rdoc
%changelog %changelog
* Wed Jun 26 2024 wangkai <13474090681@163.com> - 1:6.1.4.1-8
- Fix CVE-2023-28120
* Tue Jun 25 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:6.1.4.1-7
- Type:CVES
- ID:CVE-2022-23633
- SUG:NA
- DESC:fix CVE-2022-23633
* Mon Sep 11 2023 wangkai <13474090681@163.com> - 1:6.1.4.1-6
- Fix CVE-2023-38037
* Fri Mar 10 2023 caodongxia <caodongxia@h-partners.com> - 1:6.1.4.1-5
- Rectify the failure to start memcached as the root user
* Thu Mar 9 2023 caodongxia <caodongxia@h-partners.com> - 1:6.1.4.1-4
- Fix the self-compilation problem
* Tue Feb 21 2023 wushaozheng <wushaozheng@ncti-gba.cn> - 1:6.1.4.1-3
- fix CVE-2023-22796
* Tue Jul 05 2022 liyanan <liyanan32@h-partners.com> - 6.1.4.1-2 * Tue Jul 05 2022 liyanan <liyanan32@h-partners.com> - 6.1.4.1-2
- Add support dalli 3.2.2 - Add support dalli 3.2.2