!29 Fix CVE-2022-23634

From: @starlet-dx Reviewed-by: @lyn1001 Signed-off-by: @lyn1001
2023-12-20 01:17:01 +00:00 · 2023-12-20 01:17:01 +00:00 · c617c29a5e
commit c617c29a5e
parent c562f67310 b1e085e204
2 changed files with 51 additions and 1 deletions
--- a/CVE-2022-23634.patch
+++ b/CVE-2022-23634.patch
@ -0,0 +1,44 @@
+From b70f451fe8abc0cff192c065d549778452e155bb Mon Sep 17 00:00:00 2001
+From: Jean Boussier <jean.boussier@gmail.com>
+Date: Fri, 11 Feb 2022 15:58:08 +0100
+Subject: [PATCH] Ensure `close` is called on the response body no matter what
+
+Another fallout from https://github.com/puma/puma/pull/2809 is that
+in some cases the `res_body.close` wasn't called because some previous code
+raised.
+
+For Rails apps it means CurrentAttributes and a few other important
+states aren't reset properly.
+
+This is being improved on the Rails side too, but I believe it would
+be good to harden this on the puma side as well.
+---
+ lib/puma/request.rb | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/lib/puma/request.rb b/lib/puma/request.rb
+index 10508c8d44..691ada424f 100644
+--- a/lib/puma/request.rb
+++ b/lib/puma/request.rb
+@@ -171,11 +171,16 @@ def handle_request(client, lines, requests)
+         end
+ 
+       ensure
+-        uncork_socket io
+-
+-        body.close
+-        client.tempfile.unlink if client.tempfile
+-        res_body.close if res_body.respond_to? :close
+        begin
+          uncork_socket io
+
+          body.close
+          client.tempfile.unlink if client.tempfile
+        ensure
+          # Whatever happens, we MUST call `close` on the response body.
+          # Otherwise Rack::BodyProxy callbacks may not fire and lead to various state leaks
+          res_body.close if res_body.respond_to? :close
+        end
+ 
+         after_reply.each { |o| o.call }
+       end
--- a/rubygem-puma.spec
+++ b/rubygem-puma.spec
@ -2,7 +2,7 @@
 %bcond_with ragel
 Name:                rubygem-%{gem_name}
 Version:             5.5.2
-Release:             2
+Release:             3
 Summary:             A simple, fast, threaded, and highly concurrent HTTP 1.1 server
 License:             BSD-3-Clause
 URL:                 http://puma.io
@ -12,6 +12,8 @@ Source1:             https://github.com/puma/%{gem_name}/archive/refs/tags/v%{ve
 # https://fedoraproject.org/wiki/Packaging:CryptoPolicies
 Patch0:              rubygem-puma-3.6.0-fedora-crypto-policy-cipher-list.patch
 Patch1:              Support-for-cert_pem-and-key_pem-with-ssl_bind-DSL.patch
+# https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb
+Patch2:              CVE-2022-23634.patch

 BuildRequires:       openssl-devel ruby(release) rubygems-devel ruby-devel rubygem(rack)
 BuildRequires:       rubygem(minitest) rubygem(sd_notify)
@ -35,6 +37,7 @@ Documentation for %{name}.
 %setup -q -n  %{gem_name}-%{version} -b 1
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 rm -rf test/test_thread_pool.rb

 %if %{with ragel}
@ -119,6 +122,9 @@ ruby -e 'Dir.glob "./test/**/test_*.rb", &method(:require)'
 %{gem_instdir}/tools

 %changelog
+* Tue Dec 19 2023 yaoxin <yao_xin001@hoperun.com> - 5.5.2-3
+- Fix CVE-2022-23634
+
 * Thu Sep 1 2022 liyanan <liyanan32@h-partners.com> - 5.5.2-2
 - Support for cert_pem and key_pem with ssl_bind DSL