Compare commits

10 Commits

Author SHA1 Message Date
openeuler-ci-bot
a7259c554a
!18 Fix CVE-2024-47889
From: @starlet-dx 
Reviewed-by: @shinwell_hu 
Signed-off-by: @shinwell_hu
2024-10-17 12:32:51 +00:00
starlet-dx
ea8fde5bea Fix CVE-2024-47889 2024-10-17 17:26:44 +08:00
openeuler-ci-bot
420b24323f
!17 Upgrade version to 7.0.7
From: @cherry530 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git
2023-08-18 09:01:39 +00:00
cherry530
6eab1237d2 Upgrade version 7.0.7
Signed-off-by: cherry530 <707078654@qq.com>
2023-08-18 14:26:11 +08:00
openeuler-ci-bot
7b33689fed
!16 Upgrade to version 7.0.4
From: @wk333 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git
2023-01-20 02:56:22 +00:00
wk333
5ae1214ce0 Upgrade to version 7.0.4 2023-01-19 14:11:56 +08:00
openeuler-ci-bot
ca10a3093f
!14 [Lightweight PR]: fix bogus date
From: @zhangshaoning_uniontech 
Reviewed-by: @shinwell_hu 
Signed-off-by: @shinwell_hu
2022-06-20 01:55:27 +00:00
zhangshaoning
317fd47d24
fix bogus date 2022-06-17 06:10:20 +00:00
openeuler-ci-bot
ac9bce7830
!12 [sync] PR-11: Upgrade to 6.1.4.1
From: @openeuler-sync-bot 
Reviewed-by: @small_leek 
Signed-off-by: @small_leek
2022-03-31 01:31:10 +00:00
wangkerong
14923e204a Upgrade to 6.1.4.1
(cherry picked from commit 8e35c7bb6f9b1c2479c7a2f7c8ae43197377aef2)
2022-03-04 18:16:54 +08:00
8 changed files with 124 additions and 23 deletions

BIN
actionmailer-7.0.7.gem Normal file

Binary file not shown.

@ -0,0 +1,21 @@
diff --git a/actionmailer/test/mail_helper_test.rb b/actionmailer/test/mail_helper_test.rb
index a8ab19a95c0e3..e49eabdce8275 100644
--- a/actionmailer/test/mail_helper_test.rb
+++ b/actionmailer/test/mail_helper_test.rb
@@ -121,4 +121,16 @@ def test_use_cache
assert_equal "Greetings from a cache helper block", mail.body.encoded
end
end
+
+ def helper
+ Object.new.extend(ActionMailer::MailHelper)
+ end
+
+ def test_block_format
+ assert_equal " * foo\n", helper.block_format(" * foo")
+ assert_equal " * foo\n", helper.block_format(" * foo")
+ assert_equal " * foo\n", helper.block_format("* foo")
+ assert_equal " * foo\n*bar", helper.block_format("* foo*bar")
+ assert_equal " * foo\n * bar\n", helper.block_format("* foo * bar")
+ end
end
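
Review bot: test_block_format exercises only the `*` marker, and every input has text after the marker, so the `#` branch of the new splitter and the end-of-input path are never run. Add cases such as `helper.block_format("# foo")` and an input that ends in a bare marker, plus a large-input case that would have failed before the backtracking fix. As rendered on this page the first two assertions are also identical, so one of them adds no coverage.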

@ -0,0 +1,39 @@
From 0e5694f4d32544532d2301a9b4084eacb6986e94 Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Fri, 11 Oct 2024 00:34:14 -0700
Subject: [PATCH] Avoid backtracking in ActionMailer block_format
[CVE-2024-47889]
Thanks to yuki_osaki and scyoon for reporting this vulnerability
---
actionmailer/lib/action_mailer/mail_helper.rb | 14 +++++++++++---
actionmailer/test/mail_helper_test.rb | 12 ++++++++++++
2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/actionmailer/lib/action_mailer/mail_helper.rb b/actionmailer/lib/action_mailer/mail_helper.rb
index e7bed41f8d294..f527d5a59ebf5 100644
--- a/actionmailer/lib/action_mailer/mail_helper.rb
+++ b/actionmailer/lib/action_mailer/mail_helper.rb
@@ -23,10 +23,18 @@ def block_format(text)
}.join("\n\n")
# Make list points stand on their own line
- formatted.gsub!(/[ ]*([*]+) ([^*]*)/) { " #{$1} #{$2.strip}\n" }
- formatted.gsub!(/[ ]*([#]+) ([^#]*)/) { " #{$1} #{$2.strip}\n" }
+ output = +""
+ splits = formatted.split(/(\*+|\#+)/)
+ while line = splits.shift
+ if line.start_with?("*", "#") && splits[0].start_with?(" ")
+ output.chomp!(" ") while output.end_with?(" ")
+ output << " #{line} #{splits.shift.strip}\n"
+ else
+ output << line
+ end
+ end
- formatted
+ output
end
# Access the mailer instance.
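
Review bot: in the new loop, `splits[0].start_with?(" ")` is called without a nil check, so when `formatted` ends in a run of `*` or `#` the marker is the last element, `splits[0]` is nil, and block_format raises NoMethodError instead of returning the text. Guard the lookahead, for example `splits.first&.start_with?(" ")`, and cover a trailing marker in the test patch. The diffstat in this header also lists mail_helper_test.rb, but that hunk is shipped separately as Patch3001; a line in the patch header saying so would keep the two files traceable to the same upstream commit.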

BIN
rails-7.0.7-tools.txz Normal file

Binary file not shown.

@ -1,33 +1,59 @@
%global gem_name actionmailer %global gem_name actionmailer
Name: rubygem-%{gem_name}
Epoch: 1 Name: rubygem-%{gem_name}
Version: 5.2.4.4 Epoch: 1
Release: 1 Version: 7.0.7
Summary: Email composition, delivery, and receiving framework (part of Rails) Release: 2
License: MIT Summary: Email composition and delivery framework (part of Rails)
URL: http://rubyonrails.org License: MIT
Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem URL: https://rubyonrails.org
Source1: https://github.com/rails/rails/archive/v5.2.4.4.tar.gz Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(actionpack) = %{version} # ActionMailer gem doesn't ship with the test suite.
BuildRequires: rubygem(activejob) = %{version} rubygem(mail) >= 2.5.4 # You may check it out like so
BuildArch: noarch # git clone http://github.com/rails/rails.git
# cd rails/actionmailer && git archive -v -o actionmailer-7.0.4-tests.txz v7.0.4 test/
Source1: actionmailer-%{version}-tests.txz
# The tools are needed for the test suite, are however unpackaged in gem file.
# You may get them like so
# git clone http://github.com/rails/rails.git --no-checkout
# cd rails && git archive -v -o rails-7.0.4-tools.txz v7.0.4 tools/
Source2: rails-%{version}-tools.txz
Patch3000: backport-CVE-2024-47889.patch
Patch3001: backport-CVE-2024-47889-test.patch
BuildRequires: ruby(release)
BuildRequires: rubygems-devel
BuildRequires: ruby >= 2.2.2
BuildRequires: rubygem(actionpack) = %{version}
BuildRequires: rubygem(activejob) = %{version}
BuildRequires: rubygem(mail) >= 2.5.4
BuildRequires: rubygem(net-smtp)
BuildArch: noarch
%description %description
Email on Rails. Compose, deliver, receive, and test emails using the familiar Email on Rails. Compose, deliver, and test emails using the familiar
controller/view pattern. First-class support for multipart email and controller/view pattern. First-class support for multipart email and
attachments. attachments.
%package doc %package doc
Summary: Documentation for %{name} Summary: Documentation for %{name}
Requires: %{name} = %{epoch}:%{version}-%{release} Requires: %{name} = %{epoch}:%{version}-%{release}
BuildArch: noarch BuildArch: noarch
%description doc
%description doc
Documentation for %{name}. Documentation for %{name}.
%prep %prep
%setup -q -c -T %setup -q -n %{gem_name}-%{version}%{?prerelease} -b1 -b2
%gem_install -n %{SOURCE0} %patch3000 -p2
pushd %{_builddir}
%patch3001 -p2
popd
%build %build
gem build ../%{gem_name}-%{version}%{?prerelease}.gemspec
%gem_install
%install %install
mkdir -p %{buildroot}%{gem_dir} mkdir -p %{buildroot}%{gem_dir}
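
Review bot: the comments describing how Source1 and Source2 are produced still name v7.0.4 and the 7.0.4 tarball file names although Version is now 7.0.7, and both clone over plain `http://github.com/rails/rails.git`. These tarballs are generated locally rather than fetched from a source URL, so the comments are the only record of their provenance. Update them to the packaged version and to https:// so the archives can be regenerated and compared against what is checked in.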
@ -36,9 +62,12 @@ cp -a .%{gem_dir}/* \
%check %check
pushd .%{gem_instdir} pushd .%{gem_instdir}
tar xzvf %{SOURCE1} ln -s %{_builddir}/tools ..
cd rails-%{version}/%{gem_name} mv %{_builddir}/test .
ruby -Ilib:test -e 'Dir.glob "./test/**/*_test.rb", &method(:require)'
# Bigdecimal does not get auto-required
# https://github.com/rails/rails/issues/44399
ruby -Ilib:test -rbigdecimal -e 'Dir.glob "./test/**/*_test.rb", &method(:require)'
popd popd
%files %files
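
Review bot: in %check, `mv %{_builddir}/test .` and `ln -s %{_builddir}/tools ..` modify the build tree, so the section fails on a second run (the test directory is gone and the link already exists). Using `cp -a` for the test directory and `ln -sfn` for the tools link keeps %check repeatable. That matters here because the patched mail_helper_test.rb from Patch3001 is applied under %{_builddir} and only reaches the test run through this move.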
@ -54,6 +83,18 @@ popd
%doc %{gem_instdir}/README.rdoc %doc %{gem_instdir}/README.rdoc
%changelog %changelog
* Thu Oct 17 2024 yaoxin <yao_xin001@hoperun.com> - 1:7.0.7-2
- Fix CVE-2024-47889
* Thu Aug 17 2023 xu_ping <707078654@qq.com> - 1:7.0.7-1
- Upgrade to version 7.0.7
* Thu Jan 19 2023 wangkai <wangkai385@h-partners.com> - 1:7.0.4-1
- Upgrade to version 7.0.4
* Wed May 04 2022 wangkerong <wangkerong@h-partners.com> - 6.1.4.1-1
- Upgrade to 6.1.4.1
* Mon Feb 8 2021 sunguoshuai <sunguoshuai@huawei.com> - 5.2.4.4-1 * Mon Feb 8 2021 sunguoshuai <sunguoshuai@huawei.com> - 5.2.4.4-1
- Upgrade to 5.2.4.4 - Upgrade to 5.2.4.4