From 8134b5bce770b8f1ca7bb4b8ae0263baf5fc0720 Mon Sep 17 00:00:00 2001 From: wk333 <13474090681@163.com> Date: Mon, 11 Sep 2023 15:51:27 +0800 Subject: [PATCH] Fix CVE-2023-38037 (cherry picked from commit b82e154a032761d2204d19e261f9d6aa2a651e4a) --- CVE-2023-38037.patch | 60 +++++++++++++++++++++++++++++++++++++++++++ rubygem-railties.spec | 7 ++++- 2 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 CVE-2023-38037.patch diff --git a/CVE-2023-38037.patch b/CVE-2023-38037.patch new file mode 100644 index 0000000..0582393 --- /dev/null +++ b/CVE-2023-38037.patch @@ -0,0 +1,60 @@ +From c85cc667ebfd3c270df37c7575d580ea6462e12f Mon Sep 17 00:00:00 2001 +From: Aaron Patterson +Date: Tue, 22 Aug 2023 09:58:43 -0700 +Subject: [PATCH] Use a temporary file for storing unencrypted files while + editing + +Origin: https://github.com/rails/rails/commit/c85cc667ebfd3c270df37c7575d580ea6462e12f + +When we're editing the contents of encrypted files, we should use the +`Tempfile` class because it creates temporary files with restrictive +permissions. This prevents other users on the same system from reading +the contents of those files while the user is editing them. + +[CVE-2023-38037] +--- + .../lib/active_support/encrypted_file.rb | 17 ++++++++--------- + activesupport/test/encrypted_file_test.rb | 8 ++++++++ + railties/lib/rails/secrets.rb | 18 ++++++++++-------- + 3 files changed, 26 insertions(+), 17 deletions(-) + +diff --git a/railties/lib/rails/secrets.rb b/railties/lib/rails/secrets.rb +index 54ba53c03b981..913d5e57c1bfb 100644 +--- a/railties/lib/rails/secrets.rb ++++ b/railties/lib/rails/secrets.rb +@@ -1,6 +1,7 @@ + # frozen_string_literal: true + + require "yaml" ++require "tempfile" + require "active_support/message_encryptor" + require "active_support/core_ext/string/strip" + + module Rails +@@ -87,17 +88,18 @@ def preprocess(path) + end + + def writing(contents) +- tmp_file = "#{File.basename(path)}.#{Process.pid}" +- tmp_path = File.join(Dir.tmpdir, tmp_file) +- IO.binwrite(tmp_path, contents) ++ file_name = "#{File.basename(path)}.#{Process.pid}" + +- yield tmp_path ++ Tempfile.create(["", "-" + file_name]) do |tmp_file| ++ tmp_path = Pathname.new(tmp_file) ++ tmp_path.binwrite contents + +- updated_contents = IO.binread(tmp_path) ++ yield tmp_path + +- write(updated_contents) if updated_contents != contents +- ensure +- FileUtils.rm(tmp_path) if File.exist?(tmp_path) ++ updated_contents = tmp_path.binread ++ ++ write(updated_contents) if updated_contents != contents ++ end + end + + def encryptor diff --git a/rubygem-railties.spec b/rubygem-railties.spec index 5f491b4..095d296 100644 --- a/rubygem-railties.spec +++ b/rubygem-railties.spec @@ -4,7 +4,7 @@ %global bootstrap 1 Name: rubygem-%{gem_name} Version: 5.2.4.4 -Release: 4 +Release: 5 Summary: Tools for creating, working with, and running Rails applications License: MIT URL: http://rubyonrails.org @@ -14,6 +14,7 @@ Source1: https://github.com/rails/rails/archive/v%{version}.tar.gz # test_unit/reporter.rb#format_rerun_snippet # https://github.com/rails/rails/pull/32297 Patch0: rubygem-railties-5.1.5-check-value-of-result-source-location.patch +Patch1: CVE-2023-38037.patch Suggests: %{_bindir}/sqlite3 BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(actioncable) = %{version} BuildRequires: rubygem(actionmailer) = %{version} rubygem(actionpack) = %{version} @@ -46,6 +47,7 @@ Documentation for %{name}. %gem_install -n %{SOURCE0} pushd .%{gem_instdir} %patch0 -p2 +%patch1 -p2 popd %build @@ -158,6 +160,9 @@ popd %doc %{gem_instdir}/README.rdoc %changelog +* Mon Sep 11 2023 wangkai <13474090681@163.com> - 5.2.4.4-5 +- Fix CVE-2023-38037 + * Tue Apr 6 2021 lingsheng - 5.2.4.4-4 - Add requires ruby-devel sqlite-devel -- Gitee