!33 Fix CVE-2023-38037

From: @wk333 Reviewed-by: @jxy_git Signed-off-by: @jxy_git
2023-09-11 09:10:36 +00:00 · 2023-09-11 09:10:36 +00:00 · 24b4b7755e
commit 24b4b7755e
parent 5efe71aed2 bea4b0f0ac
3 changed files with 106 additions and 2 deletions
--- a/CVE-2023-38037-test.patch
+++ b/CVE-2023-38037-test.patch
@ -0,0 +1,39 @@
+From c85cc667ebfd3c270df37c7575d580ea6462e12f Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron@rubyonrails.org>
+Date: Tue, 22 Aug 2023 09:58:43 -0700
+Subject: [PATCH] Use a temporary file for storing unencrypted files while
+ editing
+
+Origin: https://github.com/rails/rails/commit/c85cc667ebfd3c270df37c7575d580ea6462e12f
+
+When we're editing the contents of encrypted files, we should use the
+`Tempfile` class because it creates temporary files with restrictive
+permissions.  This prevents other users on the same system from reading
+the contents of those files while the user is editing them.
+
+[CVE-2023-38037]
+---
+ .../lib/active_support/encrypted_file.rb       | 17 ++++++++---------
+ activesupport/test/encrypted_file_test.rb      |  8 ++++++++
+ railties/lib/rails/secrets.rb                  | 18 ++++++++++--------
+ 3 files changed, 26 insertions(+), 17 deletions(-)
+
+diff --git a/activesupport/test/encrypted_file_test.rb b/activesupport/test/encrypted_file_test.rb
+index 0050685065a9e..49f7437764fe8 100644
+--- a/activesupport/test/encrypted_file_test.rb
+++ b/activesupport/test/encrypted_file_test.rb
+@@ -49,6 +49,14 @@ class EncryptedFileTest < ActiveSupport::TestCase
+     assert_equal "#{@content} and went by the lake", @encrypted_file.read
+   end
+ 
+  test "change sets restricted permissions" do
+    @encrypted_file.write(@content)
+    @encrypted_file.change do |file|
+      assert_predicate file, :owned?
+      assert_equal "100600", file.stat.mode.to_s(8), "Incorrect mode for #{file}"
+    end
+  end
+
+   test "raise MissingKeyError when key is missing" do
+     assert_raise ActiveSupport::EncryptedFile::MissingKeyError do
+       encrypted_file(@content_path, key_path: "", env_key: "").read
--- a/CVE-2023-38037.patch
+++ b/CVE-2023-38037.patch
@ -0,0 +1,58 @@
+From c85cc667ebfd3c270df37c7575d580ea6462e12f Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron@rubyonrails.org>
+Date: Tue, 22 Aug 2023 09:58:43 -0700
+Subject: [PATCH] Use a temporary file for storing unencrypted files while
+ editing
+
+Origin: https://github.com/rails/rails/commit/c85cc667ebfd3c270df37c7575d580ea6462e12f
+
+When we're editing the contents of encrypted files, we should use the
+`Tempfile` class because it creates temporary files with restrictive
+permissions.  This prevents other users on the same system from reading
+the contents of those files while the user is editing them.
+
+[CVE-2023-38037]
+---
+ .../lib/active_support/encrypted_file.rb       | 17 ++++++++---------
+ activesupport/test/encrypted_file_test.rb      |  8 ++++++++
+ railties/lib/rails/secrets.rb                  | 18 ++++++++++--------
+ 3 files changed, 26 insertions(+), 17 deletions(-)
+
+diff --git a/activesupport/lib/active_support/encrypted_file.rb b/activesupport/lib/active_support/encrypted_file.rb
+index a35cc54ef5c52..dc28aa9a15fa9 100644
+--- a/activesupport/lib/active_support/encrypted_file.rb
+++ b/activesupport/lib/active_support/encrypted_file.rb
+@@ -1,7 +1,7 @@
+ # frozen_string_literal: true
+ 
+ require "pathname"
+-require "tmpdir"
+require "tempfile"
+ require "active_support/message_encryptor"
+ 
+ module ActiveSupport
+@@ -69,17 +69,16 @@ def change(&block)
+ 
+     private
+       def writing(contents)
+-        tmp_file = "#{Process.pid}.#{content_path.basename.to_s.chomp('.enc')}"
+-        tmp_path = Pathname.new File.join(Dir.tmpdir, tmp_file)
+-        tmp_path.binwrite contents
+        Tempfile.create(["", "-" + content_path.basename.to_s.chomp(".enc")]) do |tmp_file|
+          tmp_path = Pathname.new(tmp_file)
+          tmp_path.binwrite contents
+ 
+-        yield tmp_path
+          yield tmp_path
+ 
+-        updated_contents = tmp_path.binread
+          updated_contents = tmp_path.binread
+ 
+-        write(updated_contents) if updated_contents != contents
+-      ensure
+-        FileUtils.rm(tmp_path) if tmp_path&.exist?
+          write(updated_contents) if updated_contents != contents
+        end
+       end
+ 
+ 
--- a/rubygem-activesupport.spec
+++ b/rubygem-activesupport.spec
@ -2,7 +2,7 @@
 Name:                rubygem-%{gem_name}
 Epoch:               1
 Version:             6.1.4.1
-Release:             4
+Release:             5
 Summary:             A support libraries and Ruby core extensions extracted from the Rails framework
 License:             MIT
 URL:                 http://rubyonrails.org
@ -10,7 +10,9 @@ Source0:             https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Source1:             %{gem_name}-%{version}-tests.txz
 Source2:             rails-%{version}-tools.txz
 Patch0:              Add-support-dalli-3.2.2.patch
-Patch1:	  	     CVE-2023-22796.patch
+Patch1:              CVE-2023-22796.patch
+Patch2:              CVE-2023-38037.patch
+Patch3:              CVE-2023-38037-test.patch
 Requires:            rubygem(bigdecimal) rubygem(json)
 BuildRequires:       ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder)
 BuildRequires:       rubygem(concurrent-ruby) rubygem(connection_pool) rubygem(dalli)
@ -33,8 +35,10 @@ Documentation for %{name}.
 %setup -q -n %{gem_name}-%{version} -b1 -b2
 pushd %{_builddir}/test
 %patch0 -p1
+%patch3 -p3
 popd
 %patch1 -p2
+%patch2 -p2


 %build
@ -83,6 +87,9 @@ popd
 %doc %{gem_instdir}/README.rdoc

 %changelog
+* Mon Sep 11 2023 wangkai <13474090681@163.com> - 1:6.1.4.1-5
+- Fix CVE-2023-38037
+
 * Thu Mar 30 2023 caodongxia <caodongxia@h-partners.com> - 1:6.1.4.1-4
 - Fix the self-compilation problem and start memcached as the root user