packages/rubygem-railties
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2023-38037

Browse Source
This commit is contained in:
wk333 2023-09-11 11:35:28 +08:00
parent 7639ab1e0a
commit a58e7247e5
2 changed files with 65 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
CVE-2023-38037.patch Normal file
View File

@ -0,0 +1,59 @@
From a21d6edf35a60383dfa6c4da49e4b1aef5f00731 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron@rubyonrails.org>
Date: Tue, 22 Aug 2023 09:58:43 -0700
Subject: [PATCH] Use a temporary file for storing unencrypted files while
editing
Origin: https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731
When we're editing the contents of encrypted files, we should use the
`Tempfile` class because it creates temporary files with restrictive
permissions. This prevents other users on the same system from reading
the contents of those files while the user is editing them.
[CVE-2023-38037]
---
.../lib/active_support/encrypted_file.rb | 17 ++++++++---------
activesupport/test/encrypted_file_test.rb | 8 ++++++++
railties/lib/rails/secrets.rb | 18 ++++++++++--------
3 files changed, 26 insertions(+), 17 deletions(-)
diff --git a/railties/lib/rails/secrets.rb b/railties/lib/rails/secrets.rb
index 54ba53c03b981..913d5e57c1bfb 100644
--- a/railties/lib/rails/secrets.rb
+++ b/railties/lib/rails/secrets.rb
@@ -1,6 +1,7 @@
# frozen_string_literal: true
require "yaml"
+require "tempfile"
require "active_support/message_encryptor"
module Rails
@@ -87,17 +88,18 @@ def preprocess(path)
end
def writing(contents)
- tmp_file = "#{File.basename(path)}.#{Process.pid}"
- tmp_path = File.join(Dir.tmpdir, tmp_file)
- IO.binwrite(tmp_path, contents)
+ file_name = "#{File.basename(path)}.#{Process.pid}"
- yield tmp_path
+ Tempfile.create(["", "-" + file_name]) do |tmp_file|
+ tmp_path = Pathname.new(tmp_file)
+ tmp_path.binwrite contents
- updated_contents = IO.binread(tmp_path)
+ yield tmp_path
- write(updated_contents) if updated_contents != contents
- ensure
- FileUtils.rm(tmp_path) if File.exist?(tmp_path)
+ updated_contents = tmp_path.binread
+
+ write(updated_contents) if updated_contents != contents
+ end
end
def encryptor

7
rubygem-railties.spec
View File

@ -4,7 +4,7 @@
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Version: 7.0.7 Version: 7.0.7
Release: 1 Release: 2
Summary: Tools for creating, working with, and running Rails applications Summary: Tools for creating, working with, and running Rails applications
License: MIT License: MIT
URL: http://rubyonrails.org URL: http://rubyonrails.org
@ -21,6 +21,7 @@ Source2: rails-%{version}-tools.txz
# Fixes for Minitest 5.16+ # Fixes for Minitest 5.16+
# https://github.com/rails/rails/pull/45380 # https://github.com/rails/rails/pull/45380
Patch1: rubygem-railties-7.0.2.3-Remove-the-multi-call-form-of-assert_called_with.patch Patch1: rubygem-railties-7.0.2.3-Remove-the-multi-call-form-of-assert_called_with.patch
Patch2: CVE-2023-38037.patch
Recommends: ruby(irb) Recommends: ruby(irb)
Suggests: %{_bindir}/sqlite3 Suggests: %{_bindir}/sqlite3
@ -55,6 +56,7 @@ Documentation for %{name}.
%prep %prep
%setup -q -n %{gem_name}-%{version} -b1 -b2 %setup -q -n %{gem_name}-%{version} -b1 -b2
%patch2 -p2
pushd %{_builddir} pushd %{_builddir}
%patch1 -p2 %patch1 -p2
@ -208,6 +210,9 @@ popd
%doc %{gem_instdir}/README.rdoc %doc %{gem_instdir}/README.rdoc
%changelog %changelog
* Mon Sep 11 2023 wangkai <13474090681@163.com> - 7.0.7-2
- Fix CVE-2023-38037
* Thu Aug 17 2023 Ge Wang <wang__ge@126.com> - 7.0.7-1 * Thu Aug 17 2023 Ge Wang <wang__ge@126.com> - 7.0.7-1
- Upgrade to version 7.0.7 - Upgrade to version 7.0.7