From 8756d34f76b547d72feb76b7e9bc9c05c1bdb61a Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Mon, 11 Sep 2023 14:51:13 +0800
Subject: [PATCH] Fix CVE-2023-38037
(cherry picked from commit 2f153051b6ec0f210720c92fb921afe983b94418)
---
CVE-2023-38037.patch | 59 ++++++++++++++++++++++++++++++++++++++
rubygem-activesupport.spec | 7 ++++-
2 files changed, 65 insertions(+), 1 deletion(-)
create mode 100644 CVE-2023-38037.patch
diff --git a/CVE-2023-38037.patch b/CVE-2023-38037.patch
new file mode 100644
index 0000000..bcb6825
--- /dev/null
+++ b/CVE-2023-38037.patch
@@ -0,0 +1,59 @@
+From c85cc667ebfd3c270df37c7575d580ea6462e12f Mon Sep 17 00:00:00 2001
+From: Aaron Patterson
+Date: Tue, 22 Aug 2023 09:58:43 -0700
+Subject: [PATCH] Use a temporary file for storing unencrypted files while
+ editing
+
+Refer: https://github.com/rails/rails/commit/c85cc667ebfd3c270df37c7575d580ea6462e12f
+
+When we're editing the contents of encrypted files, we should use the
+`Tempfile` class because it creates temporary files with restrictive
+permissions. This prevents other users on the same system from reading
+the contents of those files while the user is editing them.
+
+[CVE-2023-38037]
+
+---
+ lib/active_support/encrypted_file.rb | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/lib/active_support/encrypted_file.rb b/lib/active_support/encrypted_file.rb
+index c66f1b5..cb63e6e 100644
+--- a/lib/active_support/encrypted_file.rb
++++ b/lib/active_support/encrypted_file.rb
+@@ -1,6 +1,7 @@
+ # frozen_string_literal: true
+
+ require "pathname"
++require "tempfile"
+ require "active_support/message_encryptor"
+
+ module ActiveSupport
+@@ -57,17 +58,16 @@ module ActiveSupport
+
+ private
+ def writing(contents)
+- tmp_file = "#{Process.pid}.#{content_path.basename.to_s.chomp('.enc')}"
+- tmp_path = Pathname.new File.join(Dir.tmpdir, tmp_file)
+- tmp_path.binwrite contents
++ Tempfile.create(["", "-" + content_path.basename.to_s.chomp(".enc")]) do |tmp_file|
++ tmp_path = Pathname.new(tmp_file)
++ tmp_path.binwrite contents
+
+- yield tmp_path
++ yield tmp_path
+
+- updated_contents = tmp_path.binread
++ updated_contents = tmp_path.binread
+
+- write(updated_contents) if updated_contents != contents
+- ensure
+- FileUtils.rm(tmp_path) if tmp_path.exist?
++ write(updated_contents) if updated_contents != contents
++ end
+ end
+
+
+--
+2.33.0
+
diff --git a/rubygem-activesupport.spec b/rubygem-activesupport.spec
index 632144b..6a2a4a7 100644
--- a/rubygem-activesupport.spec
+++ b/rubygem-activesupport.spec
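Review bot: The rewritten `writing` in the embedded patch carries no comment on why `Tempfile.create` replaced the hand-rolled `Dir.tmpdir` path, so the security rationale lives only in the commit message and is easy to lose in a later refactor. I would add above the `Tempfile.create` line: `# Tempfile.create opens the scratch plaintext 0600 with O_EXCL under a random name, so other local users cannot read it while it is edited (CVE-2023-38037); the block form unlinks it on exit, which is why the old ensure/FileUtils.rm is gone.` The removed lines show the old copy was created at a predictable `Process.pid`-based name with the process umask, which is exactly what the comment should warn against reintroducing. The referenced upstream commit targets a much newer Rails line, so presumably the hunk offsets and `a/lib/...` paths were rewritten for activesupport 5.2.4.4; that is consistent with the spec applying this patch with `-p1` while Patch0 uses `-p2`, but worth a one-line remark in the patch header.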
@@ -3,13 +3,14 @@
 Name: rubygem-%{gem_name}
 Epoch: 2
 Version: 5.2.4.4
-Release: 2
+Release: 3
 Summary: A support libraries and Ruby core extensions extracted from the Rails framework
 License: MIT
 URL: http://rubyonrails.org
 Source0: https://rubygems.org/gems/activesupport-5.2.4.4.gem
 Source1: https://github.com/rails/rails/archive/v5.2.4.4.tar.gz
 Patch0: CVE-2023-22796.patch
+Patch1: CVE-2023-38037.patch
 Requires: rubygem(bigdecimal) rubygem(json)
 BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder)
 BuildRequires: rubygem(concurrent-ruby) rubygem(connection_pool) rubygem(dalli)
@@ -31,6 +32,7 @@ Documentation for %{name}.
 %prep
 %setup -q -n %{gem_name}-%{version}
 %patch0 -p2
+%patch1 -p1
 %build
 gem build ../%{gem_name}-%{version}.gemspec
@@ -74,6 +76,9 @@ popd
 %doc %{gem_instdir}/README.rdoc
 %changelog
+* Mon Sep 11 2023 wangkai <13474090681@163.com> - 2:5.2.4.4-3
+- Fix CVE-2023-38037
+
 * Tue Feb 21 2023 wushaozheng - 2:5.2.4.4-2
 - fix CVE-2023-22796
--
Gitee