openEuler:24.03:SP1:Everything
rubygem-actionpack
Changes of Revision 4
_service:tar_scm:rubygem-actionpack.spec
Changed
@@ -4,7 +4,7 @@ Name: rubygem-%{gem_name} Epoch: 1 Version: 7.0.7 -Release: 3 +Release: 4 Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails) License: MIT URL: http://rubyonrails.org @@ -29,6 +29,9 @@ Patch3: CVE-2024-28103.patch Patch4: CVE-2024-28103-test.patch +Patch3000: backport-CVE-2024-41128.patch +Patch3001: backport-CVE-2024-47887.patch + # Let's keep Requires and BuildRequires sorted alphabeticaly BuildRequires: ruby(release) BuildRequires: rubygems-devel @@ -68,6 +71,9 @@ %patch1 -p2 %patch3 -p2 +%patch3000 -p2 +%patch3001 -p2 + pushd %{_builddir} %patch0 -p2 %patch2 -p2 @@ -114,6 +120,9 @@ %doc %{gem_instdir}/README.rdoc %changelog +* Fri Oct 18 2024 yaoxin <yao_xin001@hoperun.com> - 1:7.0.7-4 +- Fix CVE-2024-41128 and CVE-2024-47887 + * Thu Jun 06 2024 yaoxin <yao_xin001@hoperun.com> - 1:7.0.7-3 - Fix CVE-2024-28103
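Review bot: the changelog line "- Fix CVE-2024-41128 and CVE-2024-47887" in the last hunk does not say where the fixes come from; since both added files are backports of identified upstream commits (b1241f468d1b and 56b2fc330283 per their headers), name them in the entry, e.g. `- Fix CVE-2024-41128 and CVE-2024-47887 (backport of upstream b1241f46 and 56b2fc33)`, so that the next rebase can tell at a glance whether the patches are already included upstream and can be dropped.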
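Review bot: `%patch3000 -p2` and `%patch3001 -p2` in the %prep hunk sit before `pushd %{_builddir}` next to `%patch1`/`%patch3`, which is the right place given that both backport diffs carry `a/actionpack/lib/...` paths: `-p2` strips `a/actionpack/` so the files resolve relative to the unpacked gem. Worth confirming in the build log that both apply without fuzz or offset, since the 7.0.7 sources are a year older than the upstream commits and the CVE-2024-41128 hunk replaces an entire method body rather than a single line.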
_service:tar_scm:backport-CVE-2024-41128.patch
Added
@@ -0,0 +1,38 @@ +From b1241f468d1b32235f438c2e2203386e6efd3891 Mon Sep 17 00:00:00 2001 +From: John Hawthorn <john@hawthorn.email> +Date: Thu, 10 Oct 2024 20:41:33 -0700 +Subject: PATCH Avoid backtracking in filtered_query_string + +Thanks scyoon for the patch + +CVE-2024-41128 +--- + .../lib/action_dispatch/http/filter_parameters.rb | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/actionpack/lib/action_dispatch/http/filter_parameters.rb b/actionpack/lib/action_dispatch/http/filter_parameters.rb +index d053fc0b9f781..0e2e771da104d 100644 +--- a/actionpack/lib/action_dispatch/http/filter_parameters.rb ++++ b/actionpack/lib/action_dispatch/http/filter_parameters.rb +@@ -58,12 +58,17 @@ def parameter_filter_for(filters) # :doc: + ActiveSupport::ParameterFilter.new(filters) + end + +- KV_RE = "^&;=+" +- PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})} + def filtered_query_string # :doc: +- query_string.gsub(PAIR_RE) do |_| +- parameter_filter.filter($1 => $2).first.join("=") ++ parts = query_string.split(/(&;)/) ++ filtered_parts = parts.map do |part| ++ if part.include?("=") ++ key, value = part.split("=", 2) ++ parameter_filter.filter(key => value).first.join("=") ++ else ++ part ++ end + end ++ filtered_parts.join("") + end + end + end
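Review bot: in this rendering the character classes in the removed `KV_RE = "^&;=+"` and the added `split(/(&;)/)` show up without their square brackets, the same way `Subject: PATCH` has lost its `[PATCH]` brackets, so this is most likely display stripping; still, confirm the stored patch file reads `[^&;=]+` and `/([&;])/`, because a literal `/(&;)/` only splits on the two-character sequence `&;`, and a query string such as `user=a&password=b` would then be returned unfiltered. The new code also changes behaviour slightly beyond removing the backtracking: with `split("=", 2)` a value that itself contains `=` (base64 padding, for example) is now filtered as a whole, whereas the old `PAIR_RE` stopped at the first `=`; that is an improvement but should be stated in the changelog. Finally, as was done for CVE-2024-28103 with its separate `-test.patch`, a regression test with the pathological query string would be welcome; the header says only one lib file changed and no test ships with this backport.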
_service:tar_scm:backport-CVE-2024-47887.patch
Added
@@ -0,0 +1,26 @@ +From 56b2fc3302836405b496e196a8d5fc0195e55049 Mon Sep 17 00:00:00 2001 +From: John Hawthorn <john@hawthorn.email> +Date: Thu, 10 Oct 2024 20:32:00 -0700 +Subject: PATCH Avoid backtracking in Token#raw_params + +Thanks to scyoon for the patch + +CVE-2024-47887 +--- + actionpack/lib/action_controller/metal/http_authentication.rb | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb +index 439ffd5c99490..e42791bbc23d8 100644 +--- a/actionpack/lib/action_controller/metal/http_authentication.rb ++++ b/actionpack/lib/action_controller/metal/http_authentication.rb +@@ -506,7 +506,8 @@ def rewrite_param_values(array_params) + # pairs by the standardized <tt>:</tt>, <tt>;</tt>, or <tt>\t</tt> + # delimiters defined in +AUTHN_PAIR_DELIMITERS+. + def raw_params(auth) +- _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/) ++ _raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip) ++ _raw_params.reject!(&:empty?) + + if !_raw_params.first&.start_with?(TOKEN_KEY) + _raw_params0 = "#{TOKEN_KEY}#{_raw_params.first}"
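Review bot: `_raw_params.reject!(&:empty?)` after `split(AUTHN_PAIR_DELIMITERS).map(&:strip)` changes what `_raw_params.first` sees when the header begins with a delimiter: previously a leading `;` produced an empty first element, so `first&.start_with?(TOKEN_KEY)` was false and `TOKEN_KEY` was prepended to an empty string; now the first real pair is examined instead. That is sensible, but it is a behaviour change on top of the ReDoS fix and the subject line only mentions backtracking, so say so in the changelog and cover it with a test (none is included; the header lists only the one lib file). The doc comment just above, "pairs by the standardized <tt>:</tt>, <tt>;</tt>, or <tt>\t</tt> delimiters defined in +AUTHN_PAIR_DELIMITERS+", still matches the new split, so no update is needed there.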