!31 Fix CVE-2023-38037

From: @wk333 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git

Add-support-dalli-3.2.2.patch

@@ -1,45 +0,0 @@
-diff -Nur a/cache/stores/mem_cache_store_test.rb b/cache/stores/mem_cache_store_test.rb
---- a/cache/stores/mem_cache_store_test.rb	2021-08-20 00:25:04.000000000 +0800
-+++ b/cache/stores/mem_cache_store_test.rb	2022-07-05 11:22:22.774850776 +0800
-@@ -17,8 +17,12 @@
-   end
- end
- 
--class UnavailableDalliServer < Dalli::Server
--  def alive?
-+class UnavailableDalliServer < Dalli::Protocol::Binary
-+  def alive? # before https://github.com/petergoldstein/dalli/pull/863
-+    false
-+  end
-+
-+  def ensure_connected! # after https://github.com/petergoldstein/dalli/pull/863
-     false
-   end
- end
-@@ -263,17 +267,21 @@
-     end
- 
-     def emulating_unavailability
--      old_server = Dalli.send(:remove_const, :Server)
--      Dalli.const_set(:Server, UnavailableDalliServer)
-+      old_server = Dalli::Protocol.send(:remove_const, :Binary)
-+      Dalli::Protocol.const_set(:Binary, UnavailableDalliServer)
- 
-       yield ActiveSupport::Cache::MemCacheStore.new
-     ensure
--      Dalli.send(:remove_const, :Server)
--      Dalli.const_set(:Server, old_server)
-+      Dalli::Protocol.send(:remove_const, :Binary)
-+      Dalli::Protocol.const_set(:Binary, old_server)
-     end
- 
-     def servers(cache = @cache)
--      client(cache).instance_variable_get(:@servers)
-+      if client(cache).instance_variable_defined?(:@normalized_servers)
-+        client(cache).instance_variable_get(:@normalized_servers)
-+      else
-+        client(cache).instance_variable_get(:@servers)
-+      end
-     end
- 
-     def client(cache = @cache)

CVE-2023-22796.patch

@@ -1,26 +0,0 @@
-From 2164d4f6a1bde74b911fe9ba3c8df1b5bf345bf8 Mon Sep 17 00:00:00 2001
-From: John Hawthorn <john@hawthorn.email>
-Date: Wed, 11 Jan 2023 10:14:55 -0800
-Subject: [PATCH] Avoid regex backtracking in Inflector.underscore
-
-[CVE-2023-22796]
----
- activesupport/lib/active_support/inflector/methods.rb | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/activesupport/lib/active_support/inflector/methods.rb b/activesupport/lib/active_support/inflector/methods.rb
-index 68a00d73f2..43abb9c4e1 100644
---- a/activesupport/lib/active_support/inflector/methods.rb
-+++ b/activesupport/lib/active_support/inflector/methods.rb
-@@ -97,7 +97,7 @@ def underscore(camel_cased_word)
-       return camel_cased_word.to_s unless /[A-Z-]|::/.match?(camel_cased_word)
-       word = camel_cased_word.to_s.gsub("::", "/")
-       word.gsub!(inflections.acronyms_underscore_regex) { "#{$1 && '_' }#{$2.downcase}" }
--      word.gsub!(/([A-Z]+)(?=[A-Z][a-z])|([a-z\d])(?=[A-Z])/) { ($1 || $2) << "_" }
-+      word.gsub!(/([A-Z])(?=[A-Z][a-z])|([a-z\d])(?=[A-Z])/) { ($1 || $2) << "_" }
-       word.tr!("-", "_")
-       word.downcase!
-       word
--- 
-2.35.1
-

CVE-2023-38037-test.patch

@@ -0,0 +1,39 @@
+From a21d6edf35a60383dfa6c4da49e4b1aef5f00731 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron@rubyonrails.org>
+Date: Tue, 22 Aug 2023 09:58:43 -0700
+Subject: [PATCH] Use a temporary file for storing unencrypted files while
+ editing
+
+Origin: https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731
+
+When we're editing the contents of encrypted files, we should use the
+`Tempfile` class because it creates temporary files with restrictive
+permissions.  This prevents other users on the same system from reading
+the contents of those files while the user is editing them.
+
+[CVE-2023-38037]
+---
+ .../lib/active_support/encrypted_file.rb       | 17 ++++++++---------
+ activesupport/test/encrypted_file_test.rb      |  8 ++++++++
+ railties/lib/rails/secrets.rb                  | 18 ++++++++++--------
+ 3 files changed, 26 insertions(+), 17 deletions(-)
+
+diff --git a/activesupport/test/encrypted_file_test.rb b/activesupport/test/encrypted_file_test.rb
+index 9c4f289f7b1cf..92a3ecf972f1d 100644
+--- a/activesupport/test/encrypted_file_test.rb
++++ b/activesupport/test/encrypted_file_test.rb
+@@ -49,6 +49,14 @@ class EncryptedFileTest < ActiveSupport::TestCase
+     assert_equal "#{@content} and went by the lake", @encrypted_file.read
+   end
+ 
++  test "change sets restricted permissions" do
++    @encrypted_file.write(@content)
++    @encrypted_file.change do |file|
++      assert_predicate file, :owned?
++      assert_equal "100600", file.stat.mode.to_s(8), "Incorrect mode for #{file}"
++    end
++  end
++
+   test "raise MissingKeyError when key is missing" do
+     assert_raise ActiveSupport::EncryptedFile::MissingKeyError do
+       encrypted_file(@content_path, key_path: "", env_key: "").read

CVE-2023-38037.patch

@@ -0,0 +1,58 @@
+From a21d6edf35a60383dfa6c4da49e4b1aef5f00731 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron@rubyonrails.org>
+Date: Tue, 22 Aug 2023 09:58:43 -0700
+Subject: [PATCH] Use a temporary file for storing unencrypted files while
+ editing
+
+Origin: https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731
+
+When we're editing the contents of encrypted files, we should use the
+`Tempfile` class because it creates temporary files with restrictive
+permissions.  This prevents other users on the same system from reading
+the contents of those files while the user is editing them.
+
+[CVE-2023-38037]
+---
+ .../lib/active_support/encrypted_file.rb       | 17 ++++++++---------
+ activesupport/test/encrypted_file_test.rb      |  8 ++++++++
+ railties/lib/rails/secrets.rb                  | 18 ++++++++++--------
+ 3 files changed, 26 insertions(+), 17 deletions(-)
+
+diff --git a/activesupport/lib/active_support/encrypted_file.rb b/activesupport/lib/active_support/encrypted_file.rb
+index d2c9e624ccdbc..aac3dea4d8baa 100644
+--- a/activesupport/lib/active_support/encrypted_file.rb
++++ b/activesupport/lib/active_support/encrypted_file.rb
+@@ -1,7 +1,7 @@
+ # frozen_string_literal: true
+ 
+ require "pathname"
+-require "tmpdir"
++require "tempfile"
+ require "active_support/message_encryptor"
+ 
+ module ActiveSupport
+@@ -81,17 +81,16 @@ def change(&block)
+ 
+     private
+       def writing(contents)
+-        tmp_file = "#{Process.pid}.#{content_path.basename.to_s.chomp('.enc')}"
+-        tmp_path = Pathname.new File.join(Dir.tmpdir, tmp_file)
+-        tmp_path.binwrite contents
++        Tempfile.create(["", "-" + content_path.basename.to_s.chomp(".enc")]) do |tmp_file|
++          tmp_path = Pathname.new(tmp_file)
++          tmp_path.binwrite contents
+ 
+-        yield tmp_path
++          yield tmp_path
+ 
+-        updated_contents = tmp_path.binread
++          updated_contents = tmp_path.binread
+ 
+-        write(updated_contents) if updated_contents != contents
+-      ensure
+-        FileUtils.rm(tmp_path) if tmp_path&.exist?
++          write(updated_contents) if updated_contents != contents
++        end
+       end
+ 
+ 

rubygem-activesupport.spec

@@ -1,7 +1,7 @@
 %global gem_name activesupport
 Name:                rubygem-%{gem_name}
 Epoch:               1
-Version:             7.0.4
+Version:             7.0.7
 Release:             2
 Summary:             A support libraries and Ruby core extensions extracted from the Rails framework
 License:             MIT
@@ -10,12 +10,12 @@ Source0:             https://rubygems.org/gems/%{gem_name}-%{version}.gem
 # The activesupport gem doesn't ship with the test suite.
 # You may check it out like so
 # git clone http://github.com/rails/rails.git
-# cd rails/activesupport && git archive -v -o activesupport-7.0.4-tests.txz v7.0.4 test/
+# cd rails/activesupport && git archive -v -o activesupport-7.0.7-tests.txz v7.0.7 test/
 Source1:             %{gem_name}-%{version}-tests.txz
 # The tools are needed for the test suite, are however unpackaged in gem file.
 # You may get them like so
 # git clone http://github.com/rails/rails.git --no-checkout
-# cd rails && git archive -v -o rails-7.0.4-tools.txz v7.0.4 tools/
+# cd rails && git archive -v -o rails-7.0.7-tools.txz v7.0.7 tools/
 Source2:             rails-%{version}-tools.txz
 # Fixes for Minitest 5.16+
 # https://github.com/rails/rails/pull/45380
@@ -23,7 +23,8 @@ Patch1: rubygem-activesupport-7.0.2.3-Remove-the-multi-call-form-of-assert_calle
 Patch2: rubygem-activesupport-7.0.2.3-Remove-the-multi-call-form-of-assert_called_with-test.patch
 # https://github.com/rails/rails/pull/45370
 Patch3: rubygem-activesupport-7.0.2.3-Fix-tests-for-minitest-5.16.patch
-Patch4: CVE-2023-22796.patch
+Patch4: CVE-2023-38037.patch
+Patch5: CVE-2023-38037-test.patch
 
 Requires:            rubygem(bigdecimal) rubygem(json)
 BuildRequires:       ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder)
@@ -51,6 +52,7 @@ Documentation for %{name}.
 
 pushd %{_builddir}
 %patch2 -p2
+%patch5 -p2
 popd
 
 %build
@@ -97,6 +99,18 @@ popd
 %doc %{gem_instdir}/README.rdoc
 
 %changelog
+* Mon Sep 11 2023 wangkai <13474090681@163.com> - 1:7.0.7-2
+- Fix CVE-2023-38037
+
+* Fri Aug 18 2023 wangkai <wang_kai001@hoperun.com> - 1:7.0.7-1
+- Upgrade to version 7.0.7
+
+* Thu Aug 17 2023 liqiuyu <liqiuyu@kylinos.cn> - 1:7.0.6-1
+- Upgrade to version 7.0.6
+
+* Mon Aug 14 2023 caiyuxin <caiyuxin@kylinos.cn> - 1:7.0.4-3
+- Backport upstream fix for test failure with ruby3.2 wrt class_serial removal
+
 * Tue Feb 21 2023 wushaozheng <wushaozheng@ncti-gba.cn> - 1:7.0.4-2
 - fix CVE-2023-22796