packages/rubygem-actionmailer
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2024-47889

Browse Source
This commit is contained in:
starlet-dx 2024-10-17 20:11:08 +08:00
parent 93bc26191c
commit b6bdb10d50
2 changed files with 51 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
backport-CVE-2024-47889.patch Normal file
View File

@ -0,0 +1,41 @@
From 985f1923fa62806ff676e41de67c3b4552131ab9 Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Fri, 11 Oct 2024 00:34:14 -0700
Subject: [PATCH] Avoid backtracking in ActionMailer block_format
[CVE-2024-47889]
Thanks to yuki_osaki and scyoon for reporting this vulnerability
---
lib/action_mailer/mail_helper.rb | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/lib/action_mailer/mail_helper.rb b/lib/action_mailer/mail_helper.rb
index e7bed41..f527d5a 100644
--- a/lib/action_mailer/mail_helper.rb
+++ b/lib/action_mailer/mail_helper.rb
@@ -23,10 +23,18 @@ module ActionMailer
}.join("\n\n")
# Make list points stand on their own line
- formatted.gsub!(/[ ]*([*]+) ([^*]*)/) { " #{$1} #{$2.strip}\n" }
- formatted.gsub!(/[ ]*([#]+) ([^#]*)/) { " #{$1} #{$2.strip}\n" }
+ output = +""
+ splits = formatted.split(/(\*+|\#+)/)
+ while line = splits.shift
+ if line.start_with?("*", "#") && splits[0].start_with?(" ")
+ output.chomp!(" ") while output.end_with?(" ")
+ output << " #{line} #{splits.shift.strip}\n"
+ else
+ output << line
+ end
+ end
- formatted
+ output
end
# Access the mailer instance.
--
2.33.0

13
rubygem-actionmailer.spec
View File

@ -2,12 +2,13 @@
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Epoch: 1 Epoch: 1
Version: 5.2.4.4 Version: 5.2.4.4
Release: 1 Release: 2
Summary: Email composition, delivery, and receiving framework (part of Rails) Summary: Email composition, delivery, and receiving framework (part of Rails)
License: MIT License: MIT
URL: http://rubyonrails.org URL: http://rubyonrails.org
Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
Source1: https://github.com/rails/rails/archive/v5.2.4.4.tar.gz Source1: https://github.com/rails/rails/archive/v5.2.4.4.tar.gz
Patch3000: backport-CVE-2024-47889.patch
BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(actionpack) = %{version} BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(actionpack) = %{version}
BuildRequires: rubygem(activejob) = %{version} rubygem(mail) >= 2.5.4 BuildRequires: rubygem(activejob) = %{version} rubygem(mail) >= 2.5.4
BuildArch: noarch BuildArch: noarch
@ -26,6 +27,9 @@ Documentation for %{name}.
%prep %prep
%setup -q -c -T %setup -q -c -T
%gem_install -n %{SOURCE0} %gem_install -n %{SOURCE0}
pushd .%{gem_instdir}
%patch3000 -p1
popd
%build %build
@ -54,8 +58,11 @@ popd
%doc %{gem_instdir}/README.rdoc %doc %{gem_instdir}/README.rdoc
%changelog %changelog
* Mon Feb 8 2021 sunguoshuai <sunguoshuai@huawei.com> - 5.2.4.4-1 * Thu Oct 17 2024 yaoxin <yao_xin001@hoperun.com> - 1:5.2.4.4-2
- Fix CVE-2024-47889
* Mon Feb 8 2021 sunguoshuai <sunguoshuai@huawei.com> - 1:5.2.4.4-1
- Upgrade to 5.2.4.4 - Upgrade to 5.2.4.4
* Sat Aug 8 2020 chengzihan <chengzihan2@huawei.com> - 5.2.3-1 * Sat Aug 8 2020 chengzihan <chengzihan2@huawei.com> - 1:5.2.3-1
- Package init - Package init