openEuler:24.03:SP1:Everything:64G
rubygem-actionmailer
Changes of Revision 2
_service:tar_scm:rubygem-actionmailer.spec
Changed
@@ -3,7 +3,7 @@ Name: rubygem-%{gem_name} Epoch: 1 Version: 7.0.7 -Release: 1 +Release: 2 Summary: Email composition and delivery framework (part of Rails) License: MIT URL: https://rubyonrails.org @@ -18,6 +18,8 @@ # git clone http://github.com/rails/rails.git --no-checkout # cd rails && git archive -v -o rails-7.0.4-tools.txz v7.0.4 tools/ Source2: rails-%{version}-tools.txz +Patch3000: backport-CVE-2024-47889.patch +Patch3001: backport-CVE-2024-47889-test.patch BuildRequires: ruby(release) BuildRequires: rubygems-devel @@ -43,6 +45,11 @@ %prep %setup -q -n %{gem_name}-%{version}%{?prerelease} -b1 -b2 +%patch3000 -p2 + +pushd %{_builddir} +%patch3001 -p2 +popd %build gem build ../%{gem_name}-%{version}%{?prerelease}.gemspec @@ -76,6 +83,9 @@ %doc %{gem_instdir}/README.rdoc %changelog +* Thu Oct 17 2024 yaoxin <yao_xin001@hoperun.com> - 1:7.0.7-2 +- Fix CVE-2024-47889 + * Thu Aug 17 2023 xu_ping <707078654@qq.com> - 1:7.0.7-1 - Upgrade to version 7.0.7
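Review bot: In %prep, `%patch3001 -p2` is run from `%{_builddir}` while `%patch3000 -p2` is run from the gem source directory, and nothing in the spec says why. With `-p2` the test patch's `a/actionmailer/test/mail_helper_test.rb` becomes `test/mail_helper_test.rb`, so it only applies if the sources unpacked by `-b1 -b2` place the tests at `%{_builddir}/test`. Add a one-line comment above the `pushd` stating that assumption, so a later version bump that changes the tarball layout fails for an obvious reason.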
_service:tar_scm:backport-CVE-2024-47889-test.patch
Added
@@ -0,0 +1,21 @@ +diff --git a/actionmailer/test/mail_helper_test.rb b/actionmailer/test/mail_helper_test.rb +index a8ab19a95c0e3..e49eabdce8275 100644 +--- a/actionmailer/test/mail_helper_test.rb ++++ b/actionmailer/test/mail_helper_test.rb +@@ -121,4 +121,16 @@ def test_use_cache + assert_equal "Greetings from a cache helper block", mail.body.encoded + end + end ++ ++ def helper ++ Object.new.extend(ActionMailer::MailHelper) ++ end ++ ++ def test_block_format ++ assert_equal " * foo\n", helper.block_format(" * foo") ++ assert_equal " * foo\n", helper.block_format(" * foo") ++ assert_equal " * foo\n", helper.block_format("* foo") ++ assert_equal " * foo\n*bar", helper.block_format("* foo*bar") ++ assert_equal " * foo\n * bar\n", helper.block_format("* foo * bar") ++ end + end
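Review bot: `test_block_format` only covers `*` list markers, although the accompanying change to `block_format` splits on both `*` and `#` runs. Add equivalent `#` assertions, plus a case where the text ends with a marker and nothing follows it, since that is the boundary the new lookahead in the loop depends on. A long run of spaces and markers as input would also pin the behaviour this CVE fix is about, which none of the five assertions do.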
_service:tar_scm:backport-CVE-2024-47889.patch
Added
@@ -0,0 +1,39 @@ +From 0e5694f4d32544532d2301a9b4084eacb6986e94 Mon Sep 17 00:00:00 2001 +From: John Hawthorn <john@hawthorn.email> +Date: Fri, 11 Oct 2024 00:34:14 -0700 +Subject: PATCH Avoid backtracking in ActionMailer block_format + +CVE-2024-47889 + +Thanks to yuki_osaki and scyoon for reporting this vulnerability +--- + actionmailer/lib/action_mailer/mail_helper.rb | 14 +++++++++++--- + actionmailer/test/mail_helper_test.rb | 12 ++++++++++++ + 2 files changed, 23 insertions(+), 3 deletions(-) + +diff --git a/actionmailer/lib/action_mailer/mail_helper.rb b/actionmailer/lib/action_mailer/mail_helper.rb +index e7bed41f8d294..f527d5a59ebf5 100644 +--- a/actionmailer/lib/action_mailer/mail_helper.rb ++++ b/actionmailer/lib/action_mailer/mail_helper.rb +@@ -23,10 +23,18 @@ def block_format(text) + }.join("\n\n") + + # Make list points stand on their own line +- formatted.gsub!(/ *(*+) (^**)/) { " #{$1} #{$2.strip}\n" } +- formatted.gsub!(/ *(#+) (^#*)/) { " #{$1} #{$2.strip}\n" } ++ output = +"" ++ splits = formatted.split(/(\*+|\#+)/) ++ while line = splits.shift ++ if line.start_with?("*", "#") && splits0.start_with?(" ") ++ output.chomp!(" ") while output.end_with?(" ") ++ output << " #{line} #{splits.shift.strip}\n" ++ else ++ output << line ++ end ++ end + +- formatted ++ output + end + + # Access the mailer instance.
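Review bot: In the new `while line = splits.shift` loop, the lookahead shown as `splits0.start_with?(" ")` inspects the element after the marker that was just shifted off, with no guard for a marker run that is the last element of `splits`. Make that lookahead nil-safe (safe navigation or an explicit emptiness check) so a text ending in `*` or `#` falls through to the `else` branch. Separately, the diffstat in the header still lists `actionmailer/test/mail_helper_test.rb` and "2 files changed", but this file carries only the `mail_helper.rb` hunk because the test hunk lives in backport-CVE-2024-47889-test.patch; a line in the header noting the split would keep the patch self-describing.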
_service
Changed
@@ -2,7 +2,7 @@ <service name="tar_scm"> <param name="scm">git</param> <param name="url">git@gitee.com:src-openeuler/rubygem-actionmailer.git</param> - <param name="revision">openEuler-24.03-LTS-Next</param> + <param name="revision">openEuler-24.03-LTS-SP1</param> <param name="exclude">*</param> <param name="extract">*</param> </service>