!47 [sync] PR-46: Fix CVE-2023-28120

From: @openeuler-sync-bot 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git

CVE-2022-23633.patch

@@ -0,0 +1,79 @@
+From d1267768e9f57ebcf86ff7f011aca7fb08e733eb Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron@rubyonrails.org>
+Date: Fri, 11 Feb 2022 11:23:01 -0800
+Subject: [PATCH] Fix reloader to work with new Executor signature
+
+This is a follow up to [CVE-2022-23633].
+---
+ lib/active_support/reloader.rb | 2 +-
+ lib/active_support/execution_wrapper.rb   | 29 ++++++++++---------
+ 2 file changed, 11 insertion(+), 10 deletion(-)
+
+diff --git a/lib/active_support/reloader.rb b/lib/active_support/reloader.rb
+index 2f81cd4..e751866 100644
+--- a/lib/active_support/reloader.rb
++++ b/lib/active_support/reloader.rb
+@@ -58,7 +58,7 @@ module ActiveSupport
+       prepare!
+     end
+ 
+-    def self.run! # :nodoc:
++    def self.run!(reset: false) # :nodoc:
+       if check!
+         super
+       else
+
+diff --git a/lib/active_support/execution_wrapper.rb b/lib/active_support/execution_wrapper.rb
+index ca810db584..07c4f435db 100644
+--- a/lib/active_support/execution_wrapper.rb
++++ b/lib/active_support/execution_wrapper.rb
+@@ -63,18 +63,21 @@ def self.register_hook(hook, outer: false)
+     # after the work has been performed.
+     #
+     # Where possible, prefer +wrap+.
+-    def self.run!
+-      if active?
+-        Null
++    def self.run!(reset: false)
++      if reset
++        lost_instance = active.delete(Thread.current)
++        lost_instance&.complete!
+       else
+-        new.tap do |instance|
+-          success = nil
+-          begin
+-            instance.run!
+-            success = true
+-          ensure
+-            instance.complete! unless success
+-          end
++        return Null if active?
++      end
++
++      new.tap do |instance|
++        success = nil
++        begin
++          instance.run!
++          success = true
++        ensure
++          instance.complete! unless success
+         end
+       end
+     end
+@@ -103,11 +106,11 @@ def self.inherited(other) # :nodoc:
+     self.active = Concurrent::Hash.new
+ 
+     def self.active? # :nodoc:
+-      @active[Thread.current]
++      @active.key?(Thread.current)
+     end
+ 
+     def run! # :nodoc:
+-      self.class.active[Thread.current] = true
++      self.class.active[Thread.current] = self
+       run_callbacks(:run)
+     end
+ 
+-- 
+2.43.0
+

CVE-2023-22796.patch

@@ -0,0 +1,27 @@
+From a7cda7e6aa5334ab41b1f4b0f671be931be946ef Mon Sep 17 00:00:00 2001
+From: John Hawthorn <john@hawthorn.email>
+Date: Wed, 11 Jan 2023 10:14:55 -0800
+Subject: [PATCH] Avoid regex backtracking in Inflector.underscore
+
+[CVE-2023-22796]
+---
+ activesupport/lib/active_support/inflector/methods.rb | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/activesupport-6.1.4.1/lib/active_support/inflector/methods.rb b/activesupport-6.1.4.1/lib/active_support/inflector/methods.rb
+index ad136532bf..acb86fe1a4 100644
+--- a/activesupport-6.1.4.1/lib/active_support/inflector/methods.rb
++++ b/activesupport-6.1.4.1/lib/active_support/inflector/methods.rb
+@@ -93,8 +93,7 @@ def underscore(camel_cased_word)
+       return camel_cased_word unless /[A-Z-]|::/.match?(camel_cased_word)
+       word = camel_cased_word.to_s.gsub("::", "/")
+       word.gsub!(inflections.acronyms_underscore_regex) { "#{$1 && '_' }#{$2.downcase}" }
+-      word.gsub!(/([A-Z\d]+)([A-Z][a-z])/, '\1_\2')
+-      word.gsub!(/([a-z\d])([A-Z])/, '\1_\2')
++      word.gsub!(/([A-Z])(?=[A-Z][a-z])|([a-z\d])(?=[A-Z])/) { ($1 || $2) << "_" }
+       word.tr!("-", "_")
+       word.downcase!
+       word
+-- 
+2.35.1
+

CVE-2023-28120-test.patch

@@ -0,0 +1,51 @@
+From 3cf23c3f891e2e81c977ea4ab83b62bc2a444b70 Mon Sep 17 00:00:00 2001
+From: Akira Matsuda <ronnie@dio.jp>
+Date: Thu, 5 Jan 2023 05:25:37 +0900
+Subject: [PATCH] Implement SafeBuffer#bytesplice
+
+---
+ .../core_ext/string/output_safety.rb          |  4 +++
+ .../test/core_ext/string_ext_test.rb          | 30 +++++++++++++++++++
+ 2 files changed, 34 insertions(+)
+
+diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb
+index a51f2f64cbe27..c436821c94a0b 100644
+--- a/activesupport/test/core_ext/string_ext_test.rb
++++ b/activesupport/test/core_ext/string_ext_test.rb
+@@ -987,6 +987,36 @@ def to_s
+     assert_predicate string, :html_safe?
+   end
+ 
++  if "".respond_to?(:bytesplice)
++    test "Bytesplicing safe into safe yields safe" do
++      string = "hello".html_safe
++      string.bytesplice(0, 0, "<b>".html_safe)
++
++      assert_equal "<b>hello", string
++      assert_predicate string, :html_safe?
++
++      string = "hello".html_safe
++      string.bytesplice(0..1, "<b>".html_safe)
++
++      assert_equal "<b>llo", string
++      assert_predicate string, :html_safe?
++    end
++
++    test "Bytesplicing unsafe into safe yields escaped safe" do
++      string = "hello".html_safe
++      string.bytesplice(1, 0, "<b>")
++
++      assert_equal "h&lt;b&gt;ello", string
++      assert_predicate string, :html_safe?
++
++      string = "hello".html_safe
++      string.bytesplice(1..2, "<b>")
++
++      assert_equal "h&lt;b&gt;lo", string
++      assert_predicate string, :html_safe?
++    end
++  end
++
+   test "emits normal string yaml" do
+     assert_equal "foo".to_yaml, "foo".html_safe.to_yaml(foo: 1)
+   end

CVE-2023-28120.patch

@@ -0,0 +1,25 @@
+From 3cf23c3f891e2e81c977ea4ab83b62bc2a444b70 Mon Sep 17 00:00:00 2001
+From: Akira Matsuda <ronnie@dio.jp>
+Date: Thu, 5 Jan 2023 05:25:37 +0900
+Subject: [PATCH] Implement SafeBuffer#bytesplice
+
+---
+ .../core_ext/string/output_safety.rb          |  4 +++
+ .../test/core_ext/string_ext_test.rb          | 30 +++++++++++++++++++
+ 2 files changed, 34 insertions(+)
+
+diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
+index 8a06ccdd8e385..a627540a353db 100644
+--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
++++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
+@@ -216,6 +216,10 @@ def concat(value)
+     end
+     alias << concat
+ 
++    def bytesplice(*args, value)
++      super(*args, implicit_html_escape_interpolated_argument(value))
++    end
++
+     def insert(index, value)
+       super(index, html_escape_interpolated_argument(value))
+     end

CVE-2023-38037-test.patch

@@ -0,0 +1,39 @@
+From c85cc667ebfd3c270df37c7575d580ea6462e12f Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron@rubyonrails.org>
+Date: Tue, 22 Aug 2023 09:58:43 -0700
+Subject: [PATCH] Use a temporary file for storing unencrypted files while
+ editing
+
+Origin: https://github.com/rails/rails/commit/c85cc667ebfd3c270df37c7575d580ea6462e12f
+
+When we're editing the contents of encrypted files, we should use the
+`Tempfile` class because it creates temporary files with restrictive
+permissions.  This prevents other users on the same system from reading
+the contents of those files while the user is editing them.
+
+[CVE-2023-38037]
+---
+ .../lib/active_support/encrypted_file.rb       | 17 ++++++++---------
+ activesupport/test/encrypted_file_test.rb      |  8 ++++++++
+ railties/lib/rails/secrets.rb                  | 18 ++++++++++--------
+ 3 files changed, 26 insertions(+), 17 deletions(-)
+
+diff --git a/activesupport/test/encrypted_file_test.rb b/activesupport/test/encrypted_file_test.rb
+index 0050685065a9e..49f7437764fe8 100644
+--- a/activesupport/test/encrypted_file_test.rb
++++ b/activesupport/test/encrypted_file_test.rb
+@@ -49,6 +49,14 @@ class EncryptedFileTest < ActiveSupport::TestCase
+     assert_equal "#{@content} and went by the lake", @encrypted_file.read
+   end
+ 
++  test "change sets restricted permissions" do
++    @encrypted_file.write(@content)
++    @encrypted_file.change do |file|
++      assert_predicate file, :owned?
++      assert_equal "100600", file.stat.mode.to_s(8), "Incorrect mode for #{file}"
++    end
++  end
++
+   test "raise MissingKeyError when key is missing" do
+     assert_raise ActiveSupport::EncryptedFile::MissingKeyError do
+       encrypted_file(@content_path, key_path: "", env_key: "").read

CVE-2023-38037.patch

@@ -0,0 +1,58 @@
+From c85cc667ebfd3c270df37c7575d580ea6462e12f Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron@rubyonrails.org>
+Date: Tue, 22 Aug 2023 09:58:43 -0700
+Subject: [PATCH] Use a temporary file for storing unencrypted files while
+ editing
+
+Origin: https://github.com/rails/rails/commit/c85cc667ebfd3c270df37c7575d580ea6462e12f
+
+When we're editing the contents of encrypted files, we should use the
+`Tempfile` class because it creates temporary files with restrictive
+permissions.  This prevents other users on the same system from reading
+the contents of those files while the user is editing them.
+
+[CVE-2023-38037]
+---
+ .../lib/active_support/encrypted_file.rb       | 17 ++++++++---------
+ activesupport/test/encrypted_file_test.rb      |  8 ++++++++
+ railties/lib/rails/secrets.rb                  | 18 ++++++++++--------
+ 3 files changed, 26 insertions(+), 17 deletions(-)
+
+diff --git a/activesupport/lib/active_support/encrypted_file.rb b/activesupport/lib/active_support/encrypted_file.rb
+index a35cc54ef5c52..dc28aa9a15fa9 100644
+--- a/activesupport/lib/active_support/encrypted_file.rb
++++ b/activesupport/lib/active_support/encrypted_file.rb
+@@ -1,7 +1,7 @@
+ # frozen_string_literal: true
+ 
+ require "pathname"
+-require "tmpdir"
++require "tempfile"
+ require "active_support/message_encryptor"
+ 
+ module ActiveSupport
+@@ -69,17 +69,16 @@ def change(&block)
+ 
+     private
+       def writing(contents)
+-        tmp_file = "#{Process.pid}.#{content_path.basename.to_s.chomp('.enc')}"
+-        tmp_path = Pathname.new File.join(Dir.tmpdir, tmp_file)
+-        tmp_path.binwrite contents
++        Tempfile.create(["", "-" + content_path.basename.to_s.chomp(".enc")]) do |tmp_file|
++          tmp_path = Pathname.new(tmp_file)
++          tmp_path.binwrite contents
+ 
+-        yield tmp_path
++          yield tmp_path
+ 
+-        updated_contents = tmp_path.binread
++          updated_contents = tmp_path.binread
+ 
+-        write(updated_contents) if updated_contents != contents
+-      ensure
+-        FileUtils.rm(tmp_path) if tmp_path&.exist?
++          write(updated_contents) if updated_contents != contents
++        end
+       end
+ 
+ 

rubygem-activesupport.spec

@@ -2,7 +2,7 @@
 Name:                rubygem-%{gem_name}
 Epoch:               1
 Version:             6.1.4.1
-Release:             2
+Release:             8
 Summary:             A support libraries and Ruby core extensions extracted from the Rails framework
 License:             MIT
 URL:                 http://rubyonrails.org
@@ -10,6 +10,15 @@ Source0:             https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Source1:             %{gem_name}-%{version}-tests.txz
 Source2:             rails-%{version}-tools.txz
 Patch0:              Add-support-dalli-3.2.2.patch
+Patch1:              CVE-2023-22796.patch
+Patch2:              CVE-2023-38037.patch
+Patch3:              CVE-2023-38037-test.patch
+# https://github.com/rails/rails/commit/d1267768e9f57ebcf86ff7f011aca7fb08e733eb
+# https://github.com/rails/rails/commit/07d9600172a18b45791c89e95a642e13fc367545
+Patch3000:           CVE-2022-23633.patch
+# https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70
+Patch3001:           CVE-2023-28120.patch
+Patch3002:           CVE-2023-28120-test.patch
 Requires:            rubygem(bigdecimal) rubygem(json)
 BuildRequires:       ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder)
 BuildRequires:       rubygem(concurrent-ruby) rubygem(connection_pool) rubygem(dalli)
@@ -32,7 +41,13 @@ Documentation for %{name}.
 %setup -q -n %{gem_name}-%{version} -b1 -b2
 pushd %{_builddir}/test
 %patch0 -p1
+%patch3 -p3
+%patch3002 -p3
 popd
+%patch1 -p2
+%patch2 -p2
+%patch3000 -p1
+%patch3001 -p2
 
 %build
 gem build ../%{gem_name}-%{version}.gemspec
@@ -56,7 +71,11 @@ done
 sed -i '/def test_iso8601_output_and_reparsing$/,/^  end$/ s/^/#/' test/core_ext/duration_test.rb
 sed -i '/assert_nil mapped\[:b\]/ s/^/#/' test/core_ext/hash/transform_values_test.rb
 sed -i '/require .bundler./ s/^/#/' test/abstract_unit.rb
-memcached &
+if [ `whoami` = "root" ]; then
+    memcached -u root &
+else
+    memcached &
+fi
 mPID=$!
 sleep 1
 ruby -Ilib:test -e 'Dir.glob "./test/**/*_test.rb", &method(:require)'
@@ -76,6 +95,27 @@ popd
 %doc %{gem_instdir}/README.rdoc
 
 %changelog
+* Wed Jun 26 2024 wangkai <13474090681@163.com> - 1:6.1.4.1-8
+- Fix CVE-2023-28120
+
+* Tue Jun 25 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:6.1.4.1-7
+- Type:CVES
+- ID:CVE-2022-23633
+- SUG:NA
+- DESC:fix CVE-2022-23633
+
+* Mon Sep 11 2023 wangkai <13474090681@163.com> - 1:6.1.4.1-6
+- Fix CVE-2023-38037
+
+* Fri Mar 10 2023 caodongxia <caodongxia@h-partners.com> - 1:6.1.4.1-5
+- Rectify the failure to start memcached as the root user
+
+* Thu Mar 9 2023 caodongxia <caodongxia@h-partners.com> - 1:6.1.4.1-4
+- Fix the self-compilation problem
+
+* Tue Feb 21 2023 wushaozheng <wushaozheng@ncti-gba.cn> - 1:6.1.4.1-3
+- fix CVE-2023-22796 
+
 * Tue Jul 05 2022 liyanan <liyanan32@h-partners.com> - 6.1.4.1-2
 - Add support dalli 3.2.2