packages/rubygem-activesupport
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:174c87b7a5febb33516dd337c58c9bb9c1c0adb8
Branches Tags
packages:main
...
compare: packages:1c70731ef904182a80a1c974ad1244f235b186af
Branches Tags
packages:main

10 Commits
174c87b7a5 ... 1c70731ef9

Author SHA1 Message Date
openeuler-ci-bot
1c70731ef9
!31 Fix CVE-2023-38037 
From: @wk333 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git
 2023-09-11 09:10:01 +00:00
wk333
08f83d15f6 Fix CVE-2023-38037 2023-09-11 11:38:17 +08:00
openeuler-ci-bot
6a19446919
!30 Upgrade to version 7.0.7 
From: @wk333 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git
 2023-08-18 08:57:22 +00:00
wk333
ec5896f174 Upgrade to version 7.0.7 2023-08-18 09:49:49 +08:00
openeuler-ci-bot
dee0206fe2
!29 Upgrade to version 7.0.6 
From: @liqiuyu123 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git
 2023-08-17 06:43:38 +00:00
liqiuyu123
d5ec4762f4 Upgrade to version 7.0.6 2023-08-17 14:30:53 +08:00
openeuler-ci-bot
8159f57b61
!28 [sync] PR-27: Backport upstream fix for test failure with ruby3.2 wrt class_serial removal 
From: @openeuler-sync-bot 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git
 2023-08-14 05:22:00 +00:00
jxy_git
62672db840 Backport upstream fix for test failure with ruby3.2 wrt class_serial removal 
(cherry picked from commit 90e30367f4f5250a92eaba3d89c3d3d32be0de91)
 2023-08-14 13:13:20 +08:00
openeuler-ci-bot
069d221148
!25 Upgrade to version 7.0.6 
From: @jxy_git 
Reviewed-by: @small_leek 
Signed-off-by: @small_leek
 2023-08-12 11:02:33 +00:00
jxy_git
39ff55c60b Upgrade to version 7.0.6 2023-08-02 16:38:27 +08:00
9 changed files with 115 additions and 75 deletions
Show Stats Expand all files Collapse all files

45
Add-support-dalli-3.2.2.patch
View File

@ -1,45 +0,0 @@
diff -Nur a/cache/stores/mem_cache_store_test.rb b/cache/stores/mem_cache_store_test.rb
--- a/cache/stores/mem_cache_store_test.rb 2021-08-20 00:25:04.000000000 +0800
+++ b/cache/stores/mem_cache_store_test.rb 2022-07-05 11:22:22.774850776 +0800
@@ -17,8 +17,12 @@
end
end
-class UnavailableDalliServer < Dalli::Server
- def alive?
+class UnavailableDalliServer < Dalli::Protocol::Binary
+ def alive? # before https://github.com/petergoldstein/dalli/pull/863
+ false
+ end
+
+ def ensure_connected! # after https://github.com/petergoldstein/dalli/pull/863
false
end
end
@@ -263,17 +267,21 @@
end
def emulating_unavailability
- old_server = Dalli.send(:remove_const, :Server)
- Dalli.const_set(:Server, UnavailableDalliServer)
+ old_server = Dalli::Protocol.send(:remove_const, :Binary)
+ Dalli::Protocol.const_set(:Binary, UnavailableDalliServer)
yield ActiveSupport::Cache::MemCacheStore.new
ensure
- Dalli.send(:remove_const, :Server)
- Dalli.const_set(:Server, old_server)
+ Dalli::Protocol.send(:remove_const, :Binary)
+ Dalli::Protocol.const_set(:Binary, old_server)
end
def servers(cache = @cache)
- client(cache).instance_variable_get(:@servers)
+ if client(cache).instance_variable_defined?(:@normalized_servers)
+ client(cache).instance_variable_get(:@normalized_servers)
+ else
+ client(cache).instance_variable_get(:@servers)
+ end
end
def client(cache = @cache)

26
CVE-2023-22796.patch
View File

@ -1,26 +0,0 @@
From 2164d4f6a1bde74b911fe9ba3c8df1b5bf345bf8 Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Wed, 11 Jan 2023 10:14:55 -0800
Subject: [PATCH] Avoid regex backtracking in Inflector.underscore
[CVE-2023-22796]
---
activesupport/lib/active_support/inflector/methods.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/activesupport/lib/active_support/inflector/methods.rb b/activesupport/lib/active_support/inflector/methods.rb
index 68a00d73f2..43abb9c4e1 100644
--- a/activesupport/lib/active_support/inflector/methods.rb
+++ b/activesupport/lib/active_support/inflector/methods.rb
@@ -97,7 +97,7 @@ def underscore(camel_cased_word)
return camel_cased_word.to_s unless /[A-Z-]|::/.match?(camel_cased_word)
word = camel_cased_word.to_s.gsub("::", "/")
word.gsub!(inflections.acronyms_underscore_regex) { "#{$1 && '_' }#{$2.downcase}" }
- word.gsub!(/([A-Z]+)(?=[A-Z][a-z])|([a-z\d])(?=[A-Z])/) { ($1 || $2) << "_" }
+ word.gsub!(/([A-Z])(?=[A-Z][a-z])|([a-z\d])(?=[A-Z])/) { ($1 || $2) << "_" }
word.tr!("-", "_")
word.downcase!
word
--
2.35.1

39
CVE-2023-38037-test.patch Normal file
View File

@ -0,0 +1,39 @@
From a21d6edf35a60383dfa6c4da49e4b1aef5f00731 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron@rubyonrails.org>
Date: Tue, 22 Aug 2023 09:58:43 -0700
Subject: [PATCH] Use a temporary file for storing unencrypted files while
editing
Origin: https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731
When we're editing the contents of encrypted files, we should use the
`Tempfile` class because it creates temporary files with restrictive
permissions. This prevents other users on the same system from reading
the contents of those files while the user is editing them.
[CVE-2023-38037]
---
.../lib/active_support/encrypted_file.rb | 17 ++++++++---------
activesupport/test/encrypted_file_test.rb | 8 ++++++++
railties/lib/rails/secrets.rb | 18 ++++++++++--------
3 files changed, 26 insertions(+), 17 deletions(-)
diff --git a/activesupport/test/encrypted_file_test.rb b/activesupport/test/encrypted_file_test.rb
index 9c4f289f7b1cf..92a3ecf972f1d 100644
--- a/activesupport/test/encrypted_file_test.rb
+++ b/activesupport/test/encrypted_file_test.rb
@@ -49,6 +49,14 @@ class EncryptedFileTest < ActiveSupport::TestCase
assert_equal "#{@content} and went by the lake", @encrypted_file.read
end
+ test "change sets restricted permissions" do
+ @encrypted_file.write(@content)
+ @encrypted_file.change do |file|
+ assert_predicate file, :owned?
+ assert_equal "100600", file.stat.mode.to_s(8), "Incorrect mode for #{file}"
+ end
+ end
+
test "raise MissingKeyError when key is missing" do
assert_raise ActiveSupport::EncryptedFile::MissingKeyError do
encrypted_file(@content_path, key_path: "", env_key: "").read

58
CVE-2023-38037.patch Normal file
View File

@ -0,0 +1,58 @@
From a21d6edf35a60383dfa6c4da49e4b1aef5f00731 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron@rubyonrails.org>
Date: Tue, 22 Aug 2023 09:58:43 -0700
Subject: [PATCH] Use a temporary file for storing unencrypted files while
editing
Origin: https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731
When we're editing the contents of encrypted files, we should use the
`Tempfile` class because it creates temporary files with restrictive
permissions. This prevents other users on the same system from reading
the contents of those files while the user is editing them.
[CVE-2023-38037]
---
.../lib/active_support/encrypted_file.rb | 17 ++++++++---------
activesupport/test/encrypted_file_test.rb | 8 ++++++++
railties/lib/rails/secrets.rb | 18 ++++++++++--------
3 files changed, 26 insertions(+), 17 deletions(-)
diff --git a/activesupport/lib/active_support/encrypted_file.rb b/activesupport/lib/active_support/encrypted_file.rb
index d2c9e624ccdbc..aac3dea4d8baa 100644
--- a/activesupport/lib/active_support/encrypted_file.rb
+++ b/activesupport/lib/active_support/encrypted_file.rb
@@ -1,7 +1,7 @@
# frozen_string_literal: true
require "pathname"
-require "tmpdir"
+require "tempfile"
require "active_support/message_encryptor"
module ActiveSupport
@@ -81,17 +81,16 @@ def change(&block)
private
def writing(contents)
- tmp_file = "#{Process.pid}.#{content_path.basename.to_s.chomp('.enc')}"
- tmp_path = Pathname.new File.join(Dir.tmpdir, tmp_file)
- tmp_path.binwrite contents
+ Tempfile.create(["", "-" + content_path.basename.to_s.chomp(".enc")]) do |tmp_file|
+ tmp_path = Pathname.new(tmp_file)
+ tmp_path.binwrite contents
- yield tmp_path
+ yield tmp_path
- updated_contents = tmp_path.binread
+ updated_contents = tmp_path.binread
- write(updated_contents) if updated_contents != contents
- ensure
- FileUtils.rm(tmp_path) if tmp_path&.exist?
+ write(updated_contents) if updated_contents != contents
+ end
end

BIN
activesupport-7.0.4.gem
View File

Binary file not shown.

BIN
activesupport-7.0.4-tests.txz → activesupport-7.0.7-tests.txz
View File

Binary file not shown.

BIN
activesupport-7.0.7.gem Normal file
View File

Binary file not shown.

BIN
rails-7.0.4-tools.txz → rails-7.0.7-tools.txz
View File

Binary file not shown.

22
rubygem-activesupport.spec
View File

@ -1,7 +1,7 @@
%global gem_name activesupport %global gem_name activesupport
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Epoch: 1 Epoch: 1
Version: 7.0.4 Version: 7.0.7
Release: 2 Release: 2
Summary: A support libraries and Ruby core extensions extracted from the Rails framework Summary: A support libraries and Ruby core extensions extracted from the Rails framework
License: MIT License: MIT
@ -10,12 +10,12 @@ Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
# The activesupport gem doesn't ship with the test suite. # The activesupport gem doesn't ship with the test suite.
# You may check it out like so # You may check it out like so
# git clone http://github.com/rails/rails.git # git clone http://github.com/rails/rails.git
# cd rails/activesupport && git archive -v -o activesupport-7.0.4-tests.txz v7.0.4 test/ # cd rails/activesupport && git archive -v -o activesupport-7.0.7-tests.txz v7.0.7 test/
Source1: %{gem_name}-%{version}-tests.txz Source1: %{gem_name}-%{version}-tests.txz
# The tools are needed for the test suite, are however unpackaged in gem file. # The tools are needed for the test suite, are however unpackaged in gem file.
# You may get them like so # You may get them like so
# git clone http://github.com/rails/rails.git --no-checkout # git clone http://github.com/rails/rails.git --no-checkout
# cd rails && git archive -v -o rails-7.0.4-tools.txz v7.0.4 tools/ # cd rails && git archive -v -o rails-7.0.7-tools.txz v7.0.7 tools/
Source2: rails-%{version}-tools.txz Source2: rails-%{version}-tools.txz
# Fixes for Minitest 5.16+ # Fixes for Minitest 5.16+
# https://github.com/rails/rails/pull/45380 # https://github.com/rails/rails/pull/45380
@ -23,7 +23,8 @@ Patch1: rubygem-activesupport-7.0.2.3-Remove-the-multi-call-form-of-assert_calle
Patch2: rubygem-activesupport-7.0.2.3-Remove-the-multi-call-form-of-assert_called_with-test.patch Patch2: rubygem-activesupport-7.0.2.3-Remove-the-multi-call-form-of-assert_called_with-test.patch
# https://github.com/rails/rails/pull/45370 # https://github.com/rails/rails/pull/45370
Patch3: rubygem-activesupport-7.0.2.3-Fix-tests-for-minitest-5.16.patch Patch3: rubygem-activesupport-7.0.2.3-Fix-tests-for-minitest-5.16.patch
Patch4: CVE-2023-22796.patch Patch4: CVE-2023-38037.patch
Patch5: CVE-2023-38037-test.patch
Requires: rubygem(bigdecimal) rubygem(json) Requires: rubygem(bigdecimal) rubygem(json)
BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder) BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder)
@ -51,6 +52,7 @@ Documentation for %{name}.
pushd %{_builddir} pushd %{_builddir}
%patch2 -p2 %patch2 -p2
%patch5 -p2
popd popd
%build %build
@ -97,6 +99,18 @@ popd
%doc %{gem_instdir}/README.rdoc %doc %{gem_instdir}/README.rdoc
%changelog %changelog
* Mon Sep 11 2023 wangkai <13474090681@163.com> - 1:7.0.7-2
- Fix CVE-2023-38037
* Fri Aug 18 2023 wangkai <wang_kai001@hoperun.com> - 1:7.0.7-1
- Upgrade to version 7.0.7
* Thu Aug 17 2023 liqiuyu <liqiuyu@kylinos.cn> - 1:7.0.6-1
- Upgrade to version 7.0.6
* Mon Aug 14 2023 caiyuxin <caiyuxin@kylinos.cn> - 1:7.0.4-3
- Backport upstream fix for test failure with ruby3.2 wrt class_serial removal
* Tue Feb 21 2023 wushaozheng <wushaozheng@ncti-gba.cn> - 1:7.0.4-2 * Tue Feb 21 2023 wushaozheng <wushaozheng@ncti-gba.cn> - 1:7.0.4-2
- fix CVE-2023-22796 - fix CVE-2023-22796