diff --git a/CVE-2023-38037-test.patch b/CVE-2023-38037-test.patch new file mode 100644 index 0000000000000000000000000000000000000000..5d1ca7290168ff5c243ebc3331bc2f4c88d2829a --- /dev/null +++ b/CVE-2023-38037-test.patch @@ -0,0 +1,39 @@ +From a21d6edf35a60383dfa6c4da49e4b1aef5f00731 Mon Sep 17 00:00:00 2001 +From: Aaron Patterson +Date: Tue, 22 Aug 2023 09:58:43 -0700 +Subject: [PATCH] Use a temporary file for storing unencrypted files while + editing + +Origin: https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731 + +When we're editing the contents of encrypted files, we should use the +`Tempfile` class because it creates temporary files with restrictive +permissions. This prevents other users on the same system from reading +the contents of those files while the user is editing them. + +[CVE-2023-38037] +--- + .../lib/active_support/encrypted_file.rb | 17 ++++++++--------- + activesupport/test/encrypted_file_test.rb | 8 ++++++++ + railties/lib/rails/secrets.rb | 18 ++++++++++-------- + 3 files changed, 26 insertions(+), 17 deletions(-) + +diff --git a/activesupport/test/encrypted_file_test.rb b/activesupport/test/encrypted_file_test.rb +index 9c4f289f7b1cf..92a3ecf972f1d 100644 +--- a/activesupport/test/encrypted_file_test.rb ++++ b/activesupport/test/encrypted_file_test.rb +@@ -49,6 +49,14 @@ class EncryptedFileTest < ActiveSupport::TestCase + assert_equal "#{@content} and went by the lake", @encrypted_file.read + end + ++ test "change sets restricted permissions" do ++ @encrypted_file.write(@content) ++ @encrypted_file.change do |file| ++ assert_predicate file, :owned? ++ assert_equal "100600", file.stat.mode.to_s(8), "Incorrect mode for #{file}" ++ end ++ end ++ + test "raise MissingKeyError when key is missing" do + assert_raise ActiveSupport::EncryptedFile::MissingKeyError do + encrypted_file(@content_path, key_path: "", env_key: "").read diff --git a/CVE-2023-38037.patch b/CVE-2023-38037.patch new file mode 100644 index 0000000000000000000000000000000000000000..512a1a1fa8d425f20f32a19410fcbd2a4a965a4e --- /dev/null +++ b/CVE-2023-38037.patch @@ -0,0 +1,58 @@ +From a21d6edf35a60383dfa6c4da49e4b1aef5f00731 Mon Sep 17 00:00:00 2001 +From: Aaron Patterson +Date: Tue, 22 Aug 2023 09:58:43 -0700 +Subject: [PATCH] Use a temporary file for storing unencrypted files while + editing + +Origin: https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731 + +When we're editing the contents of encrypted files, we should use the +`Tempfile` class because it creates temporary files with restrictive +permissions. This prevents other users on the same system from reading +the contents of those files while the user is editing them. + +[CVE-2023-38037] +--- + .../lib/active_support/encrypted_file.rb | 17 ++++++++--------- + activesupport/test/encrypted_file_test.rb | 8 ++++++++ + railties/lib/rails/secrets.rb | 18 ++++++++++-------- + 3 files changed, 26 insertions(+), 17 deletions(-) + +diff --git a/activesupport/lib/active_support/encrypted_file.rb b/activesupport/lib/active_support/encrypted_file.rb +index d2c9e624ccdbc..aac3dea4d8baa 100644 +--- a/activesupport/lib/active_support/encrypted_file.rb ++++ b/activesupport/lib/active_support/encrypted_file.rb +@@ -1,7 +1,7 @@ + # frozen_string_literal: true + + require "pathname" +-require "tmpdir" ++require "tempfile" + require "active_support/message_encryptor" + + module ActiveSupport +@@ -81,17 +81,16 @@ def change(&block) + + private + def writing(contents) +- tmp_file = "#{Process.pid}.#{content_path.basename.to_s.chomp('.enc')}" +- tmp_path = Pathname.new File.join(Dir.tmpdir, tmp_file) +- tmp_path.binwrite contents ++ Tempfile.create(["", "-" + content_path.basename.to_s.chomp(".enc")]) do |tmp_file| ++ tmp_path = Pathname.new(tmp_file) ++ tmp_path.binwrite contents + +- yield tmp_path ++ yield tmp_path + +- updated_contents = tmp_path.binread ++ updated_contents = tmp_path.binread + +- write(updated_contents) if updated_contents != contents +- ensure +- FileUtils.rm(tmp_path) if tmp_path&.exist? ++ write(updated_contents) if updated_contents != contents ++ end + end + + diff --git a/rubygem-activesupport.spec b/rubygem-activesupport.spec index 746831e5d6c72cfe62b80230eeacb45e0c194e77..a69cc0dfb45b316073a5ea91c4b5f787b4d98348 100644 --- a/rubygem-activesupport.spec +++ b/rubygem-activesupport.spec @@ -2,7 +2,7 @@ Name: rubygem-%{gem_name} Epoch: 1 Version: 7.0.7 -Release: 1 +Release: 2 Summary: A support libraries and Ruby core extensions extracted from the Rails framework License: MIT URL: http://rubyonrails.org @@ -23,6 +23,8 @@ Patch1: rubygem-activesupport-7.0.2.3-Remove-the-multi-call-form-of-assert_calle Patch2: rubygem-activesupport-7.0.2.3-Remove-the-multi-call-form-of-assert_called_with-test.patch # https://github.com/rails/rails/pull/45370 Patch3: rubygem-activesupport-7.0.2.3-Fix-tests-for-minitest-5.16.patch +Patch4: CVE-2023-38037.patch +Patch5: CVE-2023-38037-test.patch Requires: rubygem(bigdecimal) rubygem(json) BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder) @@ -46,9 +48,11 @@ Documentation for %{name}. %setup -q -n %{gem_name}-%{version} -b1 -b2 %patch1 -p2 %patch3 -p2 +%patch4 -p2 pushd %{_builddir} %patch2 -p2 +%patch5 -p2 popd %build @@ -95,6 +99,9 @@ popd %doc %{gem_instdir}/README.rdoc %changelog +* Mon Sep 11 2023 wangkai <13474090681@163.com> - 1:7.0.7-2 +- Fix CVE-2023-38037 + * Fri Aug 18 2023 wangkai - 1:7.0.7-1 - Upgrade to version 7.0.7