From ae65a0536a6876d38750ee6ff2668a7e1ab41a4e Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Thu, 17 Oct 2024 20:54:37 +0800
Subject: [PATCH] Fix CVE-2024-41128 and CVE-2024-47887

---
 backport-CVE-2024-41128.patch | 41 +++++++++++++++++++++++++++++++++++
 backport-CVE-2024-47887.patch | 29 +++++++++++++++++++++++++
 rubygem-actionpack.spec | 12 +++++++++-
 3 files changed, 81 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-41128.patch
 create mode 100644 backport-CVE-2024-47887.patch

diff --git a/backport-CVE-2024-41128.patch b/backport-CVE-2024-41128.patch
new file mode 100644
index 0000000..be6e45c
--- /dev/null
+++ b/backport-CVE-2024-41128.patch
@@ -0,0 +1,41 @@
+From fb493bebae1a9b83e494fe7edbf01f6167d606fd Mon Sep 17 00:00:00 2001
+From: John Hawthorn
+Date: Thu, 10 Oct 2024 20:41:33 -0700
+Subject: [PATCH] Avoid backtracking in filtered_query_string
+
+Thanks scyoon for the patch
+
+CVE-2024-41128
+---
+ lib/action_dispatch/http/filter_parameters.rb | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/lib/action_dispatch/http/filter_parameters.rb b/lib/action_dispatch/http/filter_parameters.rb
+index ec86b8b..6bc5c0b 100644
+--- a/lib/action_dispatch/http/filter_parameters.rb
++++ b/lib/action_dispatch/http/filter_parameters.rb
+@@ -72,12 +72,17 @@ module ActionDispatch
+ ParameterFilter.new(filters)
+ end
+
+- KV_RE = "[^&;=]+"
+- PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
+ def filtered_query_string # :doc:
+- query_string.gsub(PAIR_RE) do |_|
+- parameter_filter.filter($1 => $2).first.join("=")
++ parts = query_string.split(/([&;])/)
++ filtered_parts = parts.map do |part|
++ if part.include?("=")
++ key, value = part.split("=", 2)
++ parameter_filter.filter(key => value).first.join("=")
++ else
++ part
++ end
+ end
++ filtered_parts.join("")
+ end
+ end
+ end
+--
+2.33.0
+
diff --git a/backport-CVE-2024-47887.patch b/backport-CVE-2024-47887.patch
new file mode 100644
index 0000000..756310a
--- /dev/null
+++ b/backport-CVE-2024-47887.patch
@@ -0,0 +1,29 @@
+From 8e057db25bff1dc7a98e9ae72e0083825b9ac545 Mon Sep 17 00:00:00 2001
+From: John Hawthorn
+Date: Thu, 10 Oct 2024 20:32:00 -0700
+Subject: [PATCH] Avoid backtracking in Token#raw_params
+
+Thanks to scyoon for the patch
+
+[CVE-2024-47887]
+---
+ lib/action_controller/metal/http_authentication.rb | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/action_controller/metal/http_authentication.rb b/lib/action_controller/metal/http_authentication.rb
+index 01676f3..55760aa 100644
+--- a/lib/action_controller/metal/http_authentication.rb
++++ b/lib/action_controller/metal/http_authentication.rb
+@@ -481,7 +481,8 @@ module ActionController
+ # pairs by the standardized :, ;, or \t
+ # delimiters defined in +AUTHN_PAIR_DELIMITERS+.
+ def raw_params(auth)
+- _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
++ _raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip)
++ _raw_params.reject!(&:empty?)
+
+ if !(_raw_params.first =~ %r{\A#{TOKEN_KEY}})
+ _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"
+--
+2.33.0
+
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index 6a0d256..cc21848 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -4,7 +4,7 @@ Name: rubygem-%{gem_name}
 Epoch: 1
 Version: 5.2.4.4
-Release: 5
+Release: 6
 Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails)
 License: MIT
 URL: http://rubyonrails.org
@@ -18,6 +18,8 @@ Patch2: CVE-2023-22792.patch
 Patch3: CVE-2023-22795.patch
 # https://github.com/rails/rails/commit/ddaf5058350b3a72f59b7c3e0d713678354b9a08
 Patch3000: CVE-2022-23633.patch
+Patch3001: backport-CVE-2024-41128.patch
+Patch3002: backport-CVE-2024-47887.patch
 BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2
 %if ! 0%{?bootstrap}
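Review bot: The new Patch3001 and Patch3002 lines in the `@@ -18,6 +18,8 @@` hunk carry no upstream-commit reference, while the neighbouring Patch3000 line documents its origin with a `# https://github.com/rails/rails/commit/<sha>` comment; a reader of the spec therefore cannot audit which upstream fix each backport corresponds to without opening the patch files. The commit ids are already recorded in the backported patch headers (fb493bebae1a9b83e494fe7edbf01f6167d606fd for CVE-2024-41128, 8e057db25bff1dc7a98e9ae72e0083825b9ac545 for CVE-2024-47887), so adding `# https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd` above Patch3001 and the matching line with the second sha above Patch3002 keeps the spec consistent and makes each backport traceable to upstream. Both are ReDoS fixes whose effect is only visible under pathological input, so a traceable origin is the main way a downstream reviewer can confirm the backport is complete.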
@@ -48,6 +50,11 @@ Documentation for %{name}.
 %patch3 -p1
 %patch3000 -p1
+pushd .%{gem_instdir}
+%patch3001 -p1
+%patch3002 -p1
+popd
+
 %build
 %install
@@ -77,6 +84,9 @@ popd
 %doc %{gem_instdir}/README.rdoc
 %changelog
+* Thu Oct 17 2024 yaoxin - 1:5.2.4.4-6
+- Fix CVE-2024-41128 and CVE-2024-47887
+
 * Tue Jun 25 2024 zouzhimin - 1:5.2.4.4-5
 - Type:CVES
 - ID:CVE-2022-23633
--
Gitee