packages/rubygem-activesupport
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:5de64d1601b0ceaf0b01b4f9eefa46dbb09e447e
Branches Tags
packages:main
..
compare: packages:99e585a0e596f39b5ca1f6c0a0aed457269c40fd
Branches Tags
packages:main

No commits in common. "5de64d1601b0ceaf0b01b4f9eefa46dbb09e447e" and "99e585a0e596f39b5ca1f6c0a0aed457269c40fd" have entirely different histories.
5de64d1601 ... 99e585a0e5

6 changed files with 2 additions and 289 deletions
Show Stats Expand all files Collapse all files

45
Add-support-dalli-3.2.2.patch
View File

@ -1,45 +0,0 @@
diff -Nur a/cache/stores/mem_cache_store_test.rb b/cache/stores/mem_cache_store_test.rb
--- a/cache/stores/mem_cache_store_test.rb 2021-08-20 00:25:04.000000000 +0800
+++ b/cache/stores/mem_cache_store_test.rb 2022-07-05 11:22:22.774850776 +0800
@@ -17,8 +17,12 @@
end
end
-class UnavailableDalliServer < Dalli::Server
- def alive?
+class UnavailableDalliServer < Dalli::Protocol::Binary
+ def alive? # before https://github.com/petergoldstein/dalli/pull/863
+ false
+ end
+
+ def ensure_connected! # after https://github.com/petergoldstein/dalli/pull/863
false
end
end
@@ -263,17 +267,21 @@
end
def emulating_unavailability
- old_server = Dalli.send(:remove_const, :Server)
- Dalli.const_set(:Server, UnavailableDalliServer)
+ old_server = Dalli::Protocol.send(:remove_const, :Binary)
+ Dalli::Protocol.const_set(:Binary, UnavailableDalliServer)
yield ActiveSupport::Cache::MemCacheStore.new
ensure
- Dalli.send(:remove_const, :Server)
- Dalli.const_set(:Server, old_server)
+ Dalli::Protocol.send(:remove_const, :Binary)
+ Dalli::Protocol.const_set(:Binary, old_server)
end
def servers(cache = @cache)
- client(cache).instance_variable_get(:@servers)
+ if client(cache).instance_variable_defined?(:@normalized_servers)
+ client(cache).instance_variable_get(:@normalized_servers)
+ else
+ client(cache).instance_variable_get(:@servers)
+ end
end
def client(cache = @cache)

79
CVE-2022-23633.patch
View File

@ -1,79 +0,0 @@
From d1267768e9f57ebcf86ff7f011aca7fb08e733eb Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron@rubyonrails.org>
Date: Fri, 11 Feb 2022 11:23:01 -0800
Subject: [PATCH] Fix reloader to work with new Executor signature
This is a follow up to [CVE-2022-23633].
---
lib/active_support/reloader.rb | 2 +-
lib/active_support/execution_wrapper.rb | 29 ++++++++++---------
2 file changed, 11 insertion(+), 10 deletion(-)
diff --git a/lib/active_support/reloader.rb b/lib/active_support/reloader.rb
index 2f81cd4..e751866 100644
--- a/lib/active_support/reloader.rb
+++ b/lib/active_support/reloader.rb
@@ -58,7 +58,7 @@ module ActiveSupport
prepare!
end
- def self.run! # :nodoc:
+ def self.run!(reset: false) # :nodoc:
if check!
super
else
diff --git a/lib/active_support/execution_wrapper.rb b/lib/active_support/execution_wrapper.rb
index ca810db584..07c4f435db 100644
--- a/lib/active_support/execution_wrapper.rb
+++ b/lib/active_support/execution_wrapper.rb
@@ -63,18 +63,21 @@ def self.register_hook(hook, outer: false)
# after the work has been performed.
#
# Where possible, prefer +wrap+.
- def self.run!
- if active?
- Null
+ def self.run!(reset: false)
+ if reset
+ lost_instance = active.delete(Thread.current)
+ lost_instance&.complete!
else
- new.tap do |instance|
- success = nil
- begin
- instance.run!
- success = true
- ensure
- instance.complete! unless success
- end
+ return Null if active?
+ end
+
+ new.tap do |instance|
+ success = nil
+ begin
+ instance.run!
+ success = true
+ ensure
+ instance.complete! unless success
end
end
end
@@ -103,11 +106,11 @@ def self.inherited(other) # :nodoc:
self.active = Concurrent::Hash.new
def self.active? # :nodoc:
- @active[Thread.current]
+ @active.key?(Thread.current)
end
def run! # :nodoc:
- self.class.active[Thread.current] = true
+ self.class.active[Thread.current] = self
run_callbacks(:run)
end
--
2.43.0

27
CVE-2023-22796.patch
View File

@ -1,27 +0,0 @@
From a7cda7e6aa5334ab41b1f4b0f671be931be946ef Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Wed, 11 Jan 2023 10:14:55 -0800
Subject: [PATCH] Avoid regex backtracking in Inflector.underscore
[CVE-2023-22796]
---
activesupport/lib/active_support/inflector/methods.rb | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/activesupport-6.1.4.1/lib/active_support/inflector/methods.rb b/activesupport-6.1.4.1/lib/active_support/inflector/methods.rb
index ad136532bf..acb86fe1a4 100644
--- a/activesupport-6.1.4.1/lib/active_support/inflector/methods.rb
+++ b/activesupport-6.1.4.1/lib/active_support/inflector/methods.rb
@@ -93,8 +93,7 @@ def underscore(camel_cased_word)
return camel_cased_word unless /[A-Z-]|::/.match?(camel_cased_word)
word = camel_cased_word.to_s.gsub("::", "/")
word.gsub!(inflections.acronyms_underscore_regex) { "#{$1 && '_' }#{$2.downcase}" }
- word.gsub!(/([A-Z\d]+)([A-Z][a-z])/, '\1_\2')
- word.gsub!(/([a-z\d])([A-Z])/, '\1_\2')
+ word.gsub!(/([A-Z])(?=[A-Z][a-z])|([a-z\d])(?=[A-Z])/) { ($1 || $2) << "_" }
word.tr!("-", "_")
word.downcase!
word
--
2.35.1

39
CVE-2023-38037-test.patch
View File

@ -1,39 +0,0 @@
From c85cc667ebfd3c270df37c7575d580ea6462e12f Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron@rubyonrails.org>
Date: Tue, 22 Aug 2023 09:58:43 -0700
Subject: [PATCH] Use a temporary file for storing unencrypted files while
editing
Origin: https://github.com/rails/rails/commit/c85cc667ebfd3c270df37c7575d580ea6462e12f
When we're editing the contents of encrypted files, we should use the
`Tempfile` class because it creates temporary files with restrictive
permissions. This prevents other users on the same system from reading
the contents of those files while the user is editing them.
[CVE-2023-38037]
---
.../lib/active_support/encrypted_file.rb | 17 ++++++++---------
activesupport/test/encrypted_file_test.rb | 8 ++++++++
railties/lib/rails/secrets.rb | 18 ++++++++++--------
3 files changed, 26 insertions(+), 17 deletions(-)
diff --git a/activesupport/test/encrypted_file_test.rb b/activesupport/test/encrypted_file_test.rb
index 0050685065a9e..49f7437764fe8 100644
--- a/activesupport/test/encrypted_file_test.rb
+++ b/activesupport/test/encrypted_file_test.rb
@@ -49,6 +49,14 @@ class EncryptedFileTest < ActiveSupport::TestCase
assert_equal "#{@content} and went by the lake", @encrypted_file.read
end
+ test "change sets restricted permissions" do
+ @encrypted_file.write(@content)
+ @encrypted_file.change do |file|
+ assert_predicate file, :owned?
+ assert_equal "100600", file.stat.mode.to_s(8), "Incorrect mode for #{file}"
+ end
+ end
+
test "raise MissingKeyError when key is missing" do
assert_raise ActiveSupport::EncryptedFile::MissingKeyError do
encrypted_file(@content_path, key_path: "", env_key: "").read

58
CVE-2023-38037.patch
View File

@ -1,58 +0,0 @@
From c85cc667ebfd3c270df37c7575d580ea6462e12f Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron@rubyonrails.org>
Date: Tue, 22 Aug 2023 09:58:43 -0700
Subject: [PATCH] Use a temporary file for storing unencrypted files while
editing
Origin: https://github.com/rails/rails/commit/c85cc667ebfd3c270df37c7575d580ea6462e12f
When we're editing the contents of encrypted files, we should use the
`Tempfile` class because it creates temporary files with restrictive
permissions. This prevents other users on the same system from reading
the contents of those files while the user is editing them.
[CVE-2023-38037]
---
.../lib/active_support/encrypted_file.rb | 17 ++++++++---------
activesupport/test/encrypted_file_test.rb | 8 ++++++++
railties/lib/rails/secrets.rb | 18 ++++++++++--------
3 files changed, 26 insertions(+), 17 deletions(-)
diff --git a/activesupport/lib/active_support/encrypted_file.rb b/activesupport/lib/active_support/encrypted_file.rb
index a35cc54ef5c52..dc28aa9a15fa9 100644
--- a/activesupport/lib/active_support/encrypted_file.rb
+++ b/activesupport/lib/active_support/encrypted_file.rb
@@ -1,7 +1,7 @@
# frozen_string_literal: true
require "pathname"
-require "tmpdir"
+require "tempfile"
require "active_support/message_encryptor"
module ActiveSupport
@@ -69,17 +69,16 @@ def change(&block)
private
def writing(contents)
- tmp_file = "#{Process.pid}.#{content_path.basename.to_s.chomp('.enc')}"
- tmp_path = Pathname.new File.join(Dir.tmpdir, tmp_file)
- tmp_path.binwrite contents
+ Tempfile.create(["", "-" + content_path.basename.to_s.chomp(".enc")]) do |tmp_file|
+ tmp_path = Pathname.new(tmp_file)
+ tmp_path.binwrite contents
- yield tmp_path
+ yield tmp_path
- updated_contents = tmp_path.binread
+ updated_contents = tmp_path.binread
- write(updated_contents) if updated_contents != contents
- ensure
- FileUtils.rm(tmp_path) if tmp_path&.exist?
+ write(updated_contents) if updated_contents != contents
+ end
end

43
rubygem-activesupport.spec
View File

@ -2,20 +2,13 @@
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Epoch: 1 Epoch: 1
Version: 6.1.4.1 Version: 6.1.4.1
Release: 7 Release: 1
Summary: A support libraries and Ruby core extensions extracted from the Rails framework Summary: A support libraries and Ruby core extensions extracted from the Rails framework
License: MIT License: MIT
URL: http://rubyonrails.org URL: http://rubyonrails.org
Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
Source1: %{gem_name}-%{version}-tests.txz Source1: %{gem_name}-%{version}-tests.txz
Source2: rails-%{version}-tools.txz Source2: rails-%{version}-tools.txz
Patch0: Add-support-dalli-3.2.2.patch
Patch1: CVE-2023-22796.patch
Patch2: CVE-2023-38037.patch
Patch3: CVE-2023-38037-test.patch
# https://github.com/rails/rails/commit/d1267768e9f57ebcf86ff7f011aca7fb08e733eb
# https://github.com/rails/rails/commit/07d9600172a18b45791c89e95a642e13fc367545
Patch3000: CVE-2022-23633.patch
Requires: rubygem(bigdecimal) rubygem(json) Requires: rubygem(bigdecimal) rubygem(json)
BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder) BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder)
BuildRequires: rubygem(concurrent-ruby) rubygem(connection_pool) rubygem(dalli) BuildRequires: rubygem(concurrent-ruby) rubygem(connection_pool) rubygem(dalli)
@ -36,13 +29,6 @@ Documentation for %{name}.
%prep %prep
%setup -q -n %{gem_name}-%{version} -b1 -b2 %setup -q -n %{gem_name}-%{version} -b1 -b2
pushd %{_builddir}/test
%patch0 -p1
%patch3 -p3
popd
%patch1 -p2
%patch2 -p2
%patch3000 -p1
%build %build
gem build ../%{gem_name}-%{version}.gemspec gem build ../%{gem_name}-%{version}.gemspec
@ -66,11 +52,7 @@ done
sed -i '/def test_iso8601_output_and_reparsing$/,/^ end$/ s/^/#/' test/core_ext/duration_test.rb sed -i '/def test_iso8601_output_and_reparsing$/,/^ end$/ s/^/#/' test/core_ext/duration_test.rb
sed -i '/assert_nil mapped\[:b\]/ s/^/#/' test/core_ext/hash/transform_values_test.rb sed -i '/assert_nil mapped\[:b\]/ s/^/#/' test/core_ext/hash/transform_values_test.rb
sed -i '/require .bundler./ s/^/#/' test/abstract_unit.rb sed -i '/require .bundler./ s/^/#/' test/abstract_unit.rb
if [ `whoami` = "root" ]; then memcached &
memcached -u root &
else
memcached &
fi
mPID=$! mPID=$!
sleep 1 sleep 1
ruby -Ilib:test -e 'Dir.glob "./test/**/*_test.rb", &method(:require)' ruby -Ilib:test -e 'Dir.glob "./test/**/*_test.rb", &method(:require)'
@ -90,27 +72,6 @@ popd
%doc %{gem_instdir}/README.rdoc %doc %{gem_instdir}/README.rdoc
%changelog %changelog
* Tue Jun 25 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:6.1.4.1-7
- Type:CVES
- ID:CVE-2022-23633
- SUG:NA
- DESC:fix CVE-2022-23633
* Mon Sep 11 2023 wangkai <13474090681@163.com> - 1:6.1.4.1-6
- Fix CVE-2023-38037
* Fri Mar 10 2023 caodongxia <caodongxia@h-partners.com> - 1:6.1.4.1-5
- Rectify the failure to start memcached as the root user
* Thu Mar 9 2023 caodongxia <caodongxia@h-partners.com> - 1:6.1.4.1-4
- Fix the self-compilation problem
* Tue Feb 21 2023 wushaozheng <wushaozheng@ncti-gba.cn> - 1:6.1.4.1-3
- fix CVE-2023-22796
* Tue Jul 05 2022 liyanan <liyanan32@h-partners.com> - 6.1.4.1-2
- Add support dalli 3.2.2
* Wed Mar 02 2022 jiangxinyu <jiangxinyu@kylinos.cn> - 6.1.4.1-1 * Wed Mar 02 2022 jiangxinyu <jiangxinyu@kylinos.cn> - 6.1.4.1-1
- update to 6.1.4.1 - update to 6.1.4.1