Fix CVE-2023-38037

(cherry picked from commit 2f153051b6ec0f210720c92fb921afe983b94418)
2023-09-11 14:51:13 +08:00 · 2023-09-11 14:51:13 +08:00 · 8756d34f76
commit 8756d34f76
parent 67976979cc
2 changed files with 65 additions and 1 deletions
--- a/CVE-2023-38037.patch
+++ b/CVE-2023-38037.patch
@ -0,0 +1,59 @@
 From c85cc667ebfd3c270df37c7575d580ea6462e12f Mon Sep 17 00:00:00 2001
 From: Aaron Patterson <aaron@rubyonrails.org>
 Date: Tue, 22 Aug 2023 09:58:43 -0700
 Subject: [PATCH] Use a temporary file for storing unencrypted files while
 editing
 Refer: https://github.com/rails/rails/commit/c85cc667ebfd3c270df37c7575d580ea6462e12f
 When we're editing the contents of encrypted files, we should use the
 `Tempfile` class because it creates temporary files with restrictive
 permissions.  This prevents other users on the same system from reading
 the contents of those files while the user is editing them.
 [CVE-2023-38037]
 ---
 lib/active_support/encrypted_file.rb | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
 diff --git a/lib/active_support/encrypted_file.rb b/lib/active_support/encrypted_file.rb
 index c66f1b5..cb63e6e 100644
 --- a/lib/active_support/encrypted_file.rb
 +++ b/lib/active_support/encrypted_file.rb
@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 require "pathname"
 +require "tempfile"
 require "active_support/message_encryptor"
 module ActiveSupport
@@ -57,17 +58,16 @@ module ActiveSupport
     private
       def writing(contents)
 -        tmp_file = "#{Process.pid}.#{content_path.basename.to_s.chomp('.enc')}"
 -        tmp_path = Pathname.new File.join(Dir.tmpdir, tmp_file)
 -        tmp_path.binwrite contents
 +        Tempfile.create(["", "-" + content_path.basename.to_s.chomp(".enc")]) do |tmp_file|
 +          tmp_path = Pathname.new(tmp_file)
 +          tmp_path.binwrite contents
 -        yield tmp_path
 +          yield tmp_path
 -        updated_contents = tmp_path.binread
 +          updated_contents = tmp_path.binread
 -        write(updated_contents) if updated_contents != contents
 -      ensure
 -        FileUtils.rm(tmp_path) if tmp_path.exist?
 +          write(updated_contents) if updated_contents != contents
 +        end
       end
 -- 
 2.33.0
--- a/rubygem-activesupport.spec
+++ b/rubygem-activesupport.spec
@ -3,13 +3,14 @@
 Name:                rubygem-%{gem_name}
 Epoch:               2
 Version:             5.2.4.4
-Release:             2
+Release:             3
 Summary:             A support libraries and Ruby core extensions extracted from the Rails framework
 License:             MIT
 URL:                 http://rubyonrails.org
 Source0:             https://rubygems.org/gems/activesupport-5.2.4.4.gem
 Source1:             https://github.com/rails/rails/archive/v5.2.4.4.tar.gz
 Patch0:              CVE-2023-22796.patch
 Patch1:              CVE-2023-38037.patch
 Requires:            rubygem(bigdecimal) rubygem(json)
 BuildRequires:       ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder)
 BuildRequires:       rubygem(concurrent-ruby) rubygem(connection_pool) rubygem(dalli)
@ -31,6 +32,7 @@ Documentation for %{name}.
 %prep
 %setup -q -n %{gem_name}-%{version}
 %patch0 -p2
 %patch1 -p1
 %build
 gem build ../%{gem_name}-%{version}.gemspec
@ -74,6 +76,9 @@ popd
 %doc %{gem_instdir}/README.rdoc
 %changelog
 * Mon Sep 11 2023 wangkai <13474090681@163.com> - 2:5.2.4.4-3
 - Fix CVE-2023-38037
 * Tue Feb 21 2023 wushaozheng <wushaozheng@ncti-gba.cn> - 2:5.2.4.4-2
 - fix CVE-2023-22796