packages/rubygem-actionpack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2022-23633

Browse Source
This commit is contained in:
zouzhimin 2024-06-12 11:04:53 +08:00
parent d0c87cd191
commit c7635b94db
2 changed files with 42 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
CVE-2022-23633.patch Normal file
View File

@ -0,0 +1,32 @@
From 07d9600172a18b45791c89e95a642e13fc367545 Mon Sep 17 00:00:00 2001
From: Jean Boussier <jean.boussier@gmail.com>
Date: Fri, 11 Feb 2022 13:09:30 +0100
Subject: [PATCH] ActionDispatch::Executor don't fully trust `body#close`
Under certain circumstances, the middleware isn't informed that the
response body has been fully closed which result in request state not
being fully reset before the next request.
[CVE-2022-23633]
---
.../action_dispatch/middleware/executor.rb | 2 +-
actionpack/test/dispatch/executor_test.rb | 21 ++++++++++++++
2 files changed, 15 insertions(+), 1 deletions(-)
diff --git a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/executor.rb b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/executor.rb
index 129b18d3d9..a32f916260 100644
--- a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/executor.rb
+++ b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/executor.rb
@@ -9,7 +9,7 @@ def initialize(app, executor)
end
def call(env)
- state = @executor.run!
+ state = @executor.run!(reset: true)
begin
response = @app.call(env)
returned = response << ::Rack::BodyProxy.new(response.pop) { state.complete! }
--
2.25.1

11
rubygem-actionpack.spec
View File

@ -4,7 +4,7 @@
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Epoch: 1 Epoch: 1
Version: 5.2.4.4 Version: 5.2.4.4
Release: 4 Release: 5
Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails) Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails)
License: MIT License: MIT
URL: http://rubyonrails.org URL: http://rubyonrails.org
@ -16,6 +16,8 @@ Patch1: CVE-2021-22904.patch
Patch2: CVE-2023-22792.patch Patch2: CVE-2023-22792.patch
# https://github.com/rails/rails/commit/484fc9185db6c6a6a49ab458b11f9366da02bab2 # https://github.com/rails/rails/commit/484fc9185db6c6a6a49ab458b11f9366da02bab2
Patch3: CVE-2023-22795.patch Patch3: CVE-2023-22795.patch
# https://github.com/rails/rails/commit/ddaf5058350b3a72f59b7c3e0d713678354b9a08
Patch3000: CVE-2022-23633.patch
BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2
%if ! 0%{?bootstrap} %if ! 0%{?bootstrap}
@ -44,6 +46,7 @@ Documentation for %{name}.
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p1 %patch3 -p1
%patch3000 -p1
%build %build
@ -74,6 +77,12 @@ popd
%doc %{gem_instdir}/README.rdoc %doc %{gem_instdir}/README.rdoc
%changelog %changelog
* Tue Jun 25 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:5.2.4.4-5
- Type:CVES
- ID:CVE-2022-23633
- SUG:NA
- DESC:fix CVE-2022-23633
* Mon Feb 05 2024 yaoxin <yao_xin001@hoperun.com> - 1:5.2.4.4-4 * Mon Feb 05 2024 yaoxin <yao_xin001@hoperun.com> - 1:5.2.4.4-4
- Fix CVE-2023-22792 and CVE-2023-22795 - Fix CVE-2023-22792 and CVE-2023-22795