Fix CVE-2024-41128 and CVE-2024-47887

backport-CVE-2024-41128.patch

@@ -0,0 +1,41 @@
+From fb493bebae1a9b83e494fe7edbf01f6167d606fd Mon Sep 17 00:00:00 2001
+From: John Hawthorn <john@hawthorn.email>
+Date: Thu, 10 Oct 2024 20:41:33 -0700
+Subject: [PATCH] Avoid backtracking in filtered_query_string
+
+Thanks scyoon for the patch
+
+CVE-2024-41128
+---
+ lib/action_dispatch/http/filter_parameters.rb | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/lib/action_dispatch/http/filter_parameters.rb b/lib/action_dispatch/http/filter_parameters.rb
+index ec86b8b..6bc5c0b 100644
+--- a/lib/action_dispatch/http/filter_parameters.rb
++++ b/lib/action_dispatch/http/filter_parameters.rb
+@@ -72,12 +72,17 @@ module ActionDispatch
+         ParameterFilter.new(filters)
+       end
+ 
+-      KV_RE   = "[^&;=]+"
+-      PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
+       def filtered_query_string # :doc:
+-        query_string.gsub(PAIR_RE) do |_|
+-          parameter_filter.filter($1 => $2).first.join("=")
++        parts = query_string.split(/([&;])/)
++        filtered_parts = parts.map do |part|
++          if part.include?("=")
++            key, value = part.split("=", 2)
++            parameter_filter.filter(key => value).first.join("=")
++          else
++            part
++          end
+         end
++        filtered_parts.join("")
+       end
+     end
+   end
+-- 
+2.33.0
+

backport-CVE-2024-47887.patch

@@ -0,0 +1,29 @@
+From 8e057db25bff1dc7a98e9ae72e0083825b9ac545 Mon Sep 17 00:00:00 2001
+From: John Hawthorn <john@hawthorn.email>
+Date: Thu, 10 Oct 2024 20:32:00 -0700
+Subject: [PATCH] Avoid backtracking in Token#raw_params
+
+Thanks to scyoon for the patch
+
+[CVE-2024-47887]
+---
+ lib/action_controller/metal/http_authentication.rb | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/action_controller/metal/http_authentication.rb b/lib/action_controller/metal/http_authentication.rb
+index 01676f3..55760aa 100644
+--- a/lib/action_controller/metal/http_authentication.rb
++++ b/lib/action_controller/metal/http_authentication.rb
+@@ -481,7 +481,8 @@ module ActionController
+       # pairs by the standardized <tt>:</tt>, <tt>;</tt>, or <tt>\t</tt>
+       # delimiters defined in +AUTHN_PAIR_DELIMITERS+.
+       def raw_params(auth)
+-        _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
++        _raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip)
++        _raw_params.reject!(&:empty?)
+ 
+         if !(_raw_params.first =~ %r{\A#{TOKEN_KEY}})
+           _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"
+-- 
+2.33.0
+

rubygem-actionpack.spec

@@ -4,7 +4,7 @@
 Name:                rubygem-%{gem_name}
 Epoch:               1
 Version:             5.2.4.4
-Release:             5
+Release:             6
 Summary:             Web-flow and rendering framework putting the VC in MVC (part of Rails)
 License:             MIT
 URL:                 http://rubyonrails.org
@@ -18,6 +18,8 @@ Patch2:              CVE-2023-22792.patch
 Patch3:              CVE-2023-22795.patch
 # https://github.com/rails/rails/commit/ddaf5058350b3a72f59b7c3e0d713678354b9a08
 Patch3000:           CVE-2022-23633.patch
+Patch3001:           backport-CVE-2024-41128.patch
+Patch3002:           backport-CVE-2024-47887.patch
 
 BuildRequires:       ruby(release) rubygems-devel ruby >= 2.2.2
 %if ! 0%{?bootstrap}
@@ -48,6 +50,11 @@ Documentation for %{name}.
 %patch3 -p1
 %patch3000 -p1
 
+pushd .%{gem_instdir}
+%patch3001 -p1
+%patch3002 -p1
+popd
+
 %build
 
 %install
@@ -77,6 +84,9 @@ popd
 %doc %{gem_instdir}/README.rdoc
 
 %changelog
+* Thu Oct 17 2024 yaoxin <yao_xin001@hoperun.com> - 1:5.2.4.4-6
+- Fix CVE-2024-41128 and CVE-2024-47887
+
 * Tue Jun 25 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:5.2.4.4-5
 - Type:CVES
 - ID:CVE-2022-23633