Fix CVE-2022-23634
This commit is contained in:
starlet-dx
parent
c562f67310
commit
b1e085e204
44
CVE-2022-23634.patch
Normal file
44
CVE-2022-23634.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From b70f451fe8abc0cff192c065d549778452e155bb Mon Sep 17 00:00:00 2001
|
||||
From: Jean Boussier <jean.boussier@gmail.com>
|
||||
Date: Fri, 11 Feb 2022 15:58:08 +0100
|
||||
Subject: [PATCH] Ensure `close` is called on the response body no matter what
|
||||
|
||||
Another fallout from https://github.com/puma/puma/pull/2809 is that
|
||||
in some cases the `res_body.close` wasn't called because some previous code
|
||||
raised.
|
||||
|
||||
For Rails apps it means CurrentAttributes and a few other important
|
||||
states aren't reset properly.
|
||||
|
||||
This is being improved on the Rails side too, but I believe it would
|
||||
be good to harden this on the puma side as well.
|
||||
---
|
||||
lib/puma/request.rb | 15 ++++++++++-----
|
||||
1 file changed, 10 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/lib/puma/request.rb b/lib/puma/request.rb
|
||||
index 10508c8d44..691ada424f 100644
|
||||
--- a/lib/puma/request.rb
|
||||
+++ b/lib/puma/request.rb
|
||||
@@ -171,11 +171,16 @@ def handle_request(client, lines, requests)
|
||||
end
|
||||
|
||||
ensure
|
||||
- uncork_socket io
|
||||
-
|
||||
- body.close
|
||||
- client.tempfile.unlink if client.tempfile
|
||||
- res_body.close if res_body.respond_to? :close
|
||||
+ begin
|
||||
+ uncork_socket io
|
||||
+
|
||||
+ body.close
|
||||
+ client.tempfile.unlink if client.tempfile
|
||||
+ ensure
|
||||
+ # Whatever happens, we MUST call `close` on the response body.
|
||||
+ # Otherwise Rack::BodyProxy callbacks may not fire and lead to various state leaks
|
||||
+ res_body.close if res_body.respond_to? :close
|
||||
+ end
|
||||
|
||||
after_reply.each { |o| o.call }
|
||||
end
|
||||
@ -2,7 +2,7 @@
|
||||
%bcond_with ragel
|
||||
Name: rubygem-%{gem_name}
|
||||
Version: 5.5.2
|
||||
Release: 2
|
||||
Release: 3
|
||||
Summary: A simple, fast, threaded, and highly concurrent HTTP 1.1 server
|
||||
License: BSD-3-Clause
|
||||
URL: http://puma.io
|
||||
@ -12,6 +12,8 @@ Source1: https://github.com/puma/%{gem_name}/archive/refs/tags/v%{ve
|
||||
# https://fedoraproject.org/wiki/Packaging:CryptoPolicies
|
||||
Patch0: rubygem-puma-3.6.0-fedora-crypto-policy-cipher-list.patch
|
||||
Patch1: Support-for-cert_pem-and-key_pem-with-ssl_bind-DSL.patch
|
||||
# https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb
|
||||
Patch2: CVE-2022-23634.patch
|
||||
|
||||
BuildRequires: openssl-devel ruby(release) rubygems-devel ruby-devel rubygem(rack)
|
||||
BuildRequires: rubygem(minitest) rubygem(sd_notify)
|
||||
@ -35,6 +37,7 @@ Documentation for %{name}.
|
||||
%setup -q -n %{gem_name}-%{version} -b 1
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
rm -rf test/test_thread_pool.rb
|
||||
|
||||
%if %{with ragel}
|
||||
@ -119,6 +122,9 @@ ruby -e 'Dir.glob "./test/**/test_*.rb", &method(:require)'
|
||||
%{gem_instdir}/tools
|
||||
|
||||
%changelog
|
||||
* Tue Dec 19 2023 yaoxin <yao_xin001@hoperun.com> - 5.5.2-3
|
||||
- Fix CVE-2022-23634
|
||||
|
||||
* Thu Sep 1 2022 liyanan <liyanan32@h-partners.com> - 5.5.2-2
|
||||
- Support for cert_pem and key_pem with ssl_bind DSL
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user