packages/rubygem-actionpack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!64 Fix CVE-2024-41128 and CVE-2024-47887

Browse Source 
From: @starlet-dx 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git
This commit is contained in:
openeuler-ci-bot 2024-10-17 13:40:50 +00:00 committed by Gitee
commit 27e61067a1
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 81 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
backport-CVE-2024-41128.patch Normal file
View File

@ -0,0 +1,41 @@
From fb493bebae1a9b83e494fe7edbf01f6167d606fd Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Thu, 10 Oct 2024 20:41:33 -0700
Subject: [PATCH] Avoid backtracking in filtered_query_string
Thanks scyoon for the patch
CVE-2024-41128
---
lib/action_dispatch/http/filter_parameters.rb | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/lib/action_dispatch/http/filter_parameters.rb b/lib/action_dispatch/http/filter_parameters.rb
index ec86b8b..6bc5c0b 100644
--- a/lib/action_dispatch/http/filter_parameters.rb
+++ b/lib/action_dispatch/http/filter_parameters.rb
@@ -72,12 +72,17 @@ module ActionDispatch
ParameterFilter.new(filters)
end
- KV_RE = "[^&;=]+"
- PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
def filtered_query_string # :doc:
- query_string.gsub(PAIR_RE) do |_|
- parameter_filter.filter($1 => $2).first.join("=")
+ parts = query_string.split(/([&;])/)
+ filtered_parts = parts.map do |part|
+ if part.include?("=")
+ key, value = part.split("=", 2)
+ parameter_filter.filter(key => value).first.join("=")
+ else
+ part
+ end
end
+ filtered_parts.join("")
end
end
end
--
2.33.0

29
backport-CVE-2024-47887.patch Normal file
View File

@ -0,0 +1,29 @@
From 8e057db25bff1dc7a98e9ae72e0083825b9ac545 Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Thu, 10 Oct 2024 20:32:00 -0700
Subject: [PATCH] Avoid backtracking in Token#raw_params
Thanks to scyoon for the patch
[CVE-2024-47887]
---
lib/action_controller/metal/http_authentication.rb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/action_controller/metal/http_authentication.rb b/lib/action_controller/metal/http_authentication.rb
index 01676f3..55760aa 100644
--- a/lib/action_controller/metal/http_authentication.rb
+++ b/lib/action_controller/metal/http_authentication.rb
@@ -481,7 +481,8 @@ module ActionController
# pairs by the standardized <tt>:</tt>, <tt>;</tt>, or <tt>\t</tt>
# delimiters defined in +AUTHN_PAIR_DELIMITERS+.
def raw_params(auth)
- _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
+ _raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip)
+ _raw_params.reject!(&:empty?)
if !(_raw_params.first =~ %r{\A#{TOKEN_KEY}})
_raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"
--
2.33.0

12
rubygem-actionpack.spec
View File

@ -4,7 +4,7 @@
Name: rubygem-%{gem_name}
Epoch: 1
Version: 5.2.4.4
Release: 5
Release: 6
Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails)
License: MIT
URL: http://rubyonrails.org
@ -18,6 +18,8 @@ Patch2: CVE-2023-22792.patch
Patch3: CVE-2023-22795.patch
# https://github.com/rails/rails/commit/ddaf5058350b3a72f59b7c3e0d713678354b9a08
Patch3000: CVE-2022-23633.patch
Patch3001: backport-CVE-2024-41128.patch
Patch3002: backport-CVE-2024-47887.patch
BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2
%if ! 0%{?bootstrap}
@ -48,6 +50,11 @@ Documentation for %{name}.
%patch3 -p1
%patch3000 -p1
pushd .%{gem_instdir}
%patch3001 -p1
%patch3002 -p1
popd
%build
%install
@ -77,6 +84,9 @@ popd
%doc %{gem_instdir}/README.rdoc
%changelog
* Thu Oct 17 2024 yaoxin <yao_xin001@hoperun.com> - 1:5.2.4.4-6
- Fix CVE-2024-41128 and CVE-2024-47887
* Tue Jun 25 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:5.2.4.4-5
- Type:CVES
- ID:CVE-2022-23633