!59 fix CVE-2022-23633

From: @xiangbudaomz Reviewed-by: @jxy_git Signed-off-by: @jxy_git
2024-06-26 02:33:48 +00:00 · 2024-06-26 02:33:48 +00:00 · a40ae98e35
commit a40ae98e35
parent d0c87cd191 c7635b94db
2 changed files with 42 additions and 1 deletions
--- a/CVE-2022-23633.patch
+++ b/CVE-2022-23633.patch
@ -0,0 +1,32 @@
+From 07d9600172a18b45791c89e95a642e13fc367545 Mon Sep 17 00:00:00 2001
+From: Jean Boussier <jean.boussier@gmail.com>
+Date: Fri, 11 Feb 2022 13:09:30 +0100
+Subject: [PATCH] ActionDispatch::Executor don't fully trust `body#close`
+
+Under certain circumstances, the middleware isn't informed that the
+response body has been fully closed which result in request state not
+being fully reset before the next request.
+
+[CVE-2022-23633]
+---
+ .../action_dispatch/middleware/executor.rb    |  2 +-
+ actionpack/test/dispatch/executor_test.rb     | 21 ++++++++++++++
+ 2 files changed, 15 insertions(+), 1 deletions(-)
+
+diff --git a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/executor.rb b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/executor.rb
+index 129b18d3d9..a32f916260 100644
+--- a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/executor.rb
+++ b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/executor.rb
+@@ -9,7 +9,7 @@ def initialize(app, executor)
+     end
+ 
+     def call(env)
+-      state = @executor.run!
+      state = @executor.run!(reset: true)
+       begin
+         response = @app.call(env)
+         returned = response << ::Rack::BodyProxy.new(response.pop) { state.complete! }
+ 
+-- 
+2.25.1
+
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@ -4,7 +4,7 @@
 Name:                rubygem-%{gem_name}
 Epoch:               1
 Version:             5.2.4.4
-Release:             4
+Release:             5
 Summary:             Web-flow and rendering framework putting the VC in MVC (part of Rails)
 License:             MIT
 URL:                 http://rubyonrails.org
@ -16,6 +16,8 @@ Patch1:              CVE-2021-22904.patch
 Patch2:              CVE-2023-22792.patch
 # https://github.com/rails/rails/commit/484fc9185db6c6a6a49ab458b11f9366da02bab2
 Patch3:              CVE-2023-22795.patch
+# https://github.com/rails/rails/commit/ddaf5058350b3a72f59b7c3e0d713678354b9a08
+Patch3000:           CVE-2022-23633.patch

 BuildRequires:       ruby(release) rubygems-devel ruby >= 2.2.2
 %if ! 0%{?bootstrap}
@ -44,6 +46,7 @@ Documentation for %{name}.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch3000 -p1

 %build

@ -74,6 +77,12 @@ popd
 %doc %{gem_instdir}/README.rdoc

 %changelog
+* Tue Jun 25 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:5.2.4.4-5
+- Type:CVES
+- ID:CVE-2022-23633
+- SUG:NA
+- DESC:fix CVE-2022-23633
+
 * Mon Feb 05 2024 yaoxin <yao_xin001@hoperun.com> - 1:5.2.4.4-4
 - Fix CVE-2023-22792 and CVE-2023-22795