packages/rubygem-puma
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2022-23634

Browse Source
This commit is contained in:
starlet-dx 2023-12-19 21:34:31 +08:00
parent c562f67310
commit b1e085e204
2 changed files with 51 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
CVE-2022-23634.patch Normal file
View File

@ -0,0 +1,44 @@
From b70f451fe8abc0cff192c065d549778452e155bb Mon Sep 17 00:00:00 2001
From: Jean Boussier <jean.boussier@gmail.com>
Date: Fri, 11 Feb 2022 15:58:08 +0100
Subject: [PATCH] Ensure `close` is called on the response body no matter what
Another fallout from https://github.com/puma/puma/pull/2809 is that
in some cases the `res_body.close` wasn't called because some previous code
raised.
For Rails apps it means CurrentAttributes and a few other important
states aren't reset properly.
This is being improved on the Rails side too, but I believe it would
be good to harden this on the puma side as well.
---
lib/puma/request.rb | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/lib/puma/request.rb b/lib/puma/request.rb
index 10508c8d44..691ada424f 100644
--- a/lib/puma/request.rb
+++ b/lib/puma/request.rb
@@ -171,11 +171,16 @@ def handle_request(client, lines, requests)
end
ensure
- uncork_socket io
-
- body.close
- client.tempfile.unlink if client.tempfile
- res_body.close if res_body.respond_to? :close
+ begin
+ uncork_socket io
+
+ body.close
+ client.tempfile.unlink if client.tempfile
+ ensure
+ # Whatever happens, we MUST call `close` on the response body.
+ # Otherwise Rack::BodyProxy callbacks may not fire and lead to various state leaks
+ res_body.close if res_body.respond_to? :close
+ end
after_reply.each { |o| o.call }
end

8
rubygem-puma.spec
View File

@ -2,7 +2,7 @@
%bcond_with ragel %bcond_with ragel
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Version: 5.5.2 Version: 5.5.2
Release: 2 Release: 3
Summary: A simple, fast, threaded, and highly concurrent HTTP 1.1 server Summary: A simple, fast, threaded, and highly concurrent HTTP 1.1 server
License: BSD-3-Clause License: BSD-3-Clause
URL: http://puma.io URL: http://puma.io
@ -12,6 +12,8 @@ Source1: https://github.com/puma/%{gem_name}/archive/refs/tags/v%{ve
# https://fedoraproject.org/wiki/Packaging:CryptoPolicies # https://fedoraproject.org/wiki/Packaging:CryptoPolicies
Patch0: rubygem-puma-3.6.0-fedora-crypto-policy-cipher-list.patch Patch0: rubygem-puma-3.6.0-fedora-crypto-policy-cipher-list.patch
Patch1: Support-for-cert_pem-and-key_pem-with-ssl_bind-DSL.patch Patch1: Support-for-cert_pem-and-key_pem-with-ssl_bind-DSL.patch
# https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb
Patch2: CVE-2022-23634.patch
BuildRequires: openssl-devel ruby(release) rubygems-devel ruby-devel rubygem(rack) BuildRequires: openssl-devel ruby(release) rubygems-devel ruby-devel rubygem(rack)
BuildRequires: rubygem(minitest) rubygem(sd_notify) BuildRequires: rubygem(minitest) rubygem(sd_notify)
@ -35,6 +37,7 @@ Documentation for %{name}.
%setup -q -n %{gem_name}-%{version} -b 1 %setup -q -n %{gem_name}-%{version} -b 1
%patch0 -p1 %patch0 -p1
%patch1 -p1 %patch1 -p1
%patch2 -p1
rm -rf test/test_thread_pool.rb rm -rf test/test_thread_pool.rb
%if %{with ragel} %if %{with ragel}
@ -119,6 +122,9 @@ ruby -e 'Dir.glob "./test/**/test_*.rb", &method(:require)'
%{gem_instdir}/tools %{gem_instdir}/tools
%changelog %changelog
* Tue Dec 19 2023 yaoxin <yao_xin001@hoperun.com> - 5.5.2-3
- Fix CVE-2022-23634
* Thu Sep 1 2022 liyanan <liyanan32@h-partners.com> - 5.5.2-2 * Thu Sep 1 2022 liyanan <liyanan32@h-partners.com> - 5.5.2-2
- Support for cert_pem and key_pem with ssl_bind DSL - Support for cert_pem and key_pem with ssl_bind DSL