!31 Fix CVE-2023-38037

From: @wk333 Reviewed-by: @jxy_git Signed-off-by: @jxy_git
2023-09-11 09:10:01 +00:00 · 2023-09-11 09:10:01 +00:00 · 1c70731ef9
commit 1c70731ef9
parent 6a19446919 08f83d15f6
3 changed files with 105 additions and 1 deletions
--- a/CVE-2023-38037-test.patch
+++ b/CVE-2023-38037-test.patch
@ -0,0 +1,39 @@
 From a21d6edf35a60383dfa6c4da49e4b1aef5f00731 Mon Sep 17 00:00:00 2001
 From: Aaron Patterson <aaron@rubyonrails.org>
 Date: Tue, 22 Aug 2023 09:58:43 -0700
 Subject: [PATCH] Use a temporary file for storing unencrypted files while
 editing
 Origin: https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731
 When we're editing the contents of encrypted files, we should use the
 `Tempfile` class because it creates temporary files with restrictive
 permissions.  This prevents other users on the same system from reading
 the contents of those files while the user is editing them.
 [CVE-2023-38037]
 ---
 .../lib/active_support/encrypted_file.rb       | 17 ++++++++---------
 activesupport/test/encrypted_file_test.rb      |  8 ++++++++
 railties/lib/rails/secrets.rb                  | 18 ++++++++++--------
 3 files changed, 26 insertions(+), 17 deletions(-)
 diff --git a/activesupport/test/encrypted_file_test.rb b/activesupport/test/encrypted_file_test.rb
 index 9c4f289f7b1cf..92a3ecf972f1d 100644
 --- a/activesupport/test/encrypted_file_test.rb
 +++ b/activesupport/test/encrypted_file_test.rb
@@ -49,6 +49,14 @@ class EncryptedFileTest < ActiveSupport::TestCase
     assert_equal "#{@content} and went by the lake", @encrypted_file.read
   end
 +  test "change sets restricted permissions" do
 +    @encrypted_file.write(@content)
 +    @encrypted_file.change do |file|
 +      assert_predicate file, :owned?
 +      assert_equal "100600", file.stat.mode.to_s(8), "Incorrect mode for #{file}"
 +    end
 +  end
 +
   test "raise MissingKeyError when key is missing" do
     assert_raise ActiveSupport::EncryptedFile::MissingKeyError do
       encrypted_file(@content_path, key_path: "", env_key: "").read
--- a/CVE-2023-38037.patch
+++ b/CVE-2023-38037.patch
@ -0,0 +1,58 @@
 From a21d6edf35a60383dfa6c4da49e4b1aef5f00731 Mon Sep 17 00:00:00 2001
 From: Aaron Patterson <aaron@rubyonrails.org>
 Date: Tue, 22 Aug 2023 09:58:43 -0700
 Subject: [PATCH] Use a temporary file for storing unencrypted files while
 editing
 Origin: https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731
 When we're editing the contents of encrypted files, we should use the
 `Tempfile` class because it creates temporary files with restrictive
 permissions.  This prevents other users on the same system from reading
 the contents of those files while the user is editing them.
 [CVE-2023-38037]
 ---
 .../lib/active_support/encrypted_file.rb       | 17 ++++++++---------
 activesupport/test/encrypted_file_test.rb      |  8 ++++++++
 railties/lib/rails/secrets.rb                  | 18 ++++++++++--------
 3 files changed, 26 insertions(+), 17 deletions(-)
 diff --git a/activesupport/lib/active_support/encrypted_file.rb b/activesupport/lib/active_support/encrypted_file.rb
 index d2c9e624ccdbc..aac3dea4d8baa 100644
 --- a/activesupport/lib/active_support/encrypted_file.rb
 +++ b/activesupport/lib/active_support/encrypted_file.rb
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 require "pathname"
 -require "tmpdir"
 +require "tempfile"
 require "active_support/message_encryptor"
 module ActiveSupport
@@ -81,17 +81,16 @@ def change(&block)
     private
       def writing(contents)
 -        tmp_file = "#{Process.pid}.#{content_path.basename.to_s.chomp('.enc')}"
 -        tmp_path = Pathname.new File.join(Dir.tmpdir, tmp_file)
 -        tmp_path.binwrite contents
 +        Tempfile.create(["", "-" + content_path.basename.to_s.chomp(".enc")]) do |tmp_file|
 +          tmp_path = Pathname.new(tmp_file)
 +          tmp_path.binwrite contents
 -        yield tmp_path
 +          yield tmp_path
 -        updated_contents = tmp_path.binread
 +          updated_contents = tmp_path.binread
 -        write(updated_contents) if updated_contents != contents
 -      ensure
 -        FileUtils.rm(tmp_path) if tmp_path&.exist?
 +          write(updated_contents) if updated_contents != contents
 +        end
       end
--- a/rubygem-activesupport.spec
+++ b/rubygem-activesupport.spec
@ -2,7 +2,7 @@
 Name:                rubygem-%{gem_name}
 Epoch:               1
 Version:             7.0.7
-Release:             1
+Release:             2
 Summary:             A support libraries and Ruby core extensions extracted from the Rails framework
 License:             MIT
 URL:                 http://rubyonrails.org
@ -23,6 +23,8 @@ Patch1: rubygem-activesupport-7.0.2.3-Remove-the-multi-call-form-of-assert_calle
 Patch2: rubygem-activesupport-7.0.2.3-Remove-the-multi-call-form-of-assert_called_with-test.patch
 # https://github.com/rails/rails/pull/45370
 Patch3: rubygem-activesupport-7.0.2.3-Fix-tests-for-minitest-5.16.patch
 Patch4: CVE-2023-38037.patch
 Patch5: CVE-2023-38037-test.patch
 Requires:            rubygem(bigdecimal) rubygem(json)
 BuildRequires:       ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder)
@ -46,9 +48,11 @@ Documentation for %{name}.
 %setup -q -n %{gem_name}-%{version} -b1 -b2
 %patch1 -p2
 %patch3 -p2
 %patch4 -p2
 pushd %{_builddir}
 %patch2 -p2
 %patch5 -p2
 popd
 %build
@ -95,6 +99,9 @@ popd
 %doc %{gem_instdir}/README.rdoc
 %changelog
 * Mon Sep 11 2023 wangkai <13474090681@163.com> - 1:7.0.7-2
 - Fix CVE-2023-38037
 * Fri Aug 18 2023 wangkai <wang_kai001@hoperun.com> - 1:7.0.7-1
 - Upgrade to version 7.0.7