diff --git a/CVE-2023-22792.patch b/CVE-2023-22792.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1377d9ba1aca3ecb84d677bc5a3b30dd71e1e28c
--- /dev/null
+++ b/CVE-2023-22792.patch
@@ -0,0 +1,80 @@
+From 7a7f37f146aa977350cf914eba20a95ce371485f Mon Sep 17 00:00:00 2001
+From: sabulikia
+Date: Thu, 7 Jul 2022 16:10:20 -0400
+Subject: [PATCH] Use string#split instead of regex for domain parts
+
+[CVE-2023-22792]
+---
+ .../lib/action_dispatch/middleware/cookies.rb | 48 +++++++++++++----------
+ 1 file changed, 28 insertions(+), 20 deletions(-)
+
+diff --git a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/cookies.rb b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/cookies.rb
+index 2188795..ed4a566 100644
+--- a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/cookies.rb
++++ b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/cookies.rb
+@@ -282,20 +282,6 @@ module ActionDispatch
+ class CookieJar #:nodoc:
+ include Enumerable, ChainedCookieJars
+
+- # This regular expression is used to split the levels of a domain.
+- # The top level domain can be any string without a period or
+- # **.**, ***.** style TLDs like co.uk or com.au
+- #
+- # www.example.co.uk gives:
+- # $& => example.co.uk
+- #
+- # example.com gives:
+- # $& => example.com
+- #
+- # lots.of.subdomains.example.local gives:
+- # $& => example.local
+- DOMAIN_REGEXP = /[^.]*\.([^.]*|..\...|...\...)$/
+-
+ def self.build(req, cookies)
+ new(req).tap do |hash|
+ hash.update(cookies)
+@@ -365,13 +351,35 @@ module ActionDispatch
+ options[:path] ||= "/"
+
+ if options[:domain] == :all || options[:domain] == "all"
+- # If there is a provided tld length then we use it otherwise default domain regexp.
+- domain_regexp = options[:tld_length] ? 
/([^.]+\.?){#{options[:tld_length]}}$/ : DOMAIN_REGEXP
++ cookie_domain = ""
++ dot_splitted_host = request.host.split('.', -1)
++
++ # Case where request.host is not an IP address or it's an invalid domain
++ # (ip confirms to the domain structure we expect so we explicitly check for ip)
++ if request.host.match?(/^[\d.]+$/) || dot_splitted_host.include?("") || dot_splitted_host.length == 1
++ options[:domain] = nil
++ return
++ end
++
++ # If there is a provided tld length then we use it otherwise default domain.
++ if options[:tld_length].present?
++ # Case where the tld_length provided is valid
++ if dot_splitted_host.length >= options[:tld_length]
++ cookie_domain = dot_splitted_host.last(options[:tld_length]).join('.')
++ end
++ # Case where tld_length is not provided
++ else
++ # Regular TLDs
++ if !(/([^.]{2,3}\.[^.]{2})$/.match?(request.host))
++ cookie_domain = dot_splitted_host.last(2).join('.')
++ # **.**, ***.** style TLDs like co.uk and com.au
++ else
++ cookie_domain = dot_splitted_host.last(3).join('.')
++ end
++ end
+
+- # If host is not ip and matches domain regexp.
+- # (ip confirms to domain regexp so we explicitly check for ip)
+- options[:domain] = if (request.host !~ /^[\d.]+$/) && (request.host =~ domain_regexp)
+- ".#{$&}"
++ options[:domain] = if cookie_domain.present?
++ ".#{cookie_domain}"
+ end
+ elsif options[:domain].is_a? Array
+ # If host matches one of the supplied domains without a dot in front of it.
+-- 
+2.33.0
+
diff --git a/CVE-2023-22795.patch b/CVE-2023-22795.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3d780b1d14cded0d5fce994287b588729263a7f2
--- /dev/null
+++ b/CVE-2023-22795.patch
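Review bot: The comment on the new early-exit guard states the inverse of its condition: `if request.host.match?(/^[\d.]+$/) || dot_splitted_host.include?("") || dot_splitted_host.length == 1` fires when the host is an all-digits-and-dots string, contains an empty label, or has no dot at all, yet the text above it says "Case where request.host is not an IP address", so I would reword both comment lines to `# No domain for IP-looking hosts (digits and dots only), hosts with an empty label (leading/trailing/double dot), or hosts without any dot.` The bare `return` in that guard leaves the enclosing method (as far as I can tell `handle_options`, whose `def` is above this hunk) right after `options[:domain] = nil`, which is fine while the `if`/`elsif` on `options[:domain]` stays the method's last statement, but a one-line comment such as `# early exit: no further option handling is needed for a domain-less cookie` would keep a future addition below the branch from being silently skipped on this path. The IP check still uses `^`/`$`, which anchor per line in Ruby, whereas `\A[\d.]+\z` is the whole-string form; the removed code had the same anchors and `request.host` is presumably single-line, so this is a style point rather than a defect. The regexes that remain (`/^[\d.]+$/` and `/([^.]{2,3}\.[^.]{2})$/`) use only character classes with bounded repetition, so the unbounded backtracking the removed `DOMAIN_REGEXP` permitted is gone.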
@@ -0,0 +1,23 @@
+From 484fc9185db6c6a6a49ab458b11f9366da02bab2 Mon Sep 17 00:00:00 2001
+From: John Hawthorn
+Date: Fri, 13 Jan 2023 15:54:40 -0800
+Subject: [PATCH] Avoid regex backtracking on If-None-Match header
+
+[CVE-2023-22795]
+---
+ .../lib/action_dispatch/http/cache.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/http/cache.rb b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/http/cache.rb
+index 9c46c5c8a4d81..d9d6f325342ea 100644
+--- a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/http/cache.rb
++++ b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/http/cache.rb
+@@ -18,7 +18,7 @@ def if_none_match
+ end
+
+ def if_none_match_etags
+- if_none_match ? if_none_match.split(/\s*,\s*/) : []
++ if_none_match ? if_none_match.split(",").each(&:strip!) : []
+ end
+
+ def not_modified?(modified_at)
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index c6c664309630d5720dfead7ee512f3a5b4e48e19..70cda600d6464a56de06c858f8b5e6f0cde5abb7 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -4,7 +4,7 @@ Name: rubygem-%{gem_name}
 Epoch: 1
 Version: 5.2.4.4
-Release: 3
+Release: 4
 Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails)
 License: MIT
 URL: http://rubyonrails.org
@@ -12,6 +12,10 @@ Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Source1: https://github.com/rails/rails/archive/v5.2.4.4.tar.gz
 Patch0: CVE-2021-22885.patch
 Patch1: CVE-2021-22904.patch
+# https://github.com/rails/rails/commit/7a7f37f146aa977350cf914eba20a95ce371485f
+Patch2: CVE-2023-22792.patch
+# https://github.com/rails/rails/commit/484fc9185db6c6a6a49ab458b11f9366da02bab2
+Patch3: CVE-2023-22795.patch
 BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2
 %if ! 0%{?bootstrap}
 BuildRequires: rubygem(activemodel) = %{version} rubygem(activerecord) = %{version}
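Review bot: The new `if_none_match.split(",").each(&:strip!)` in `if_none_match_etags` relies on `each` returning its receiver and on `strip!` mutating the freshly split strings in place, discarding the `nil` that `strip!` returns when nothing changed; `if_none_match ? if_none_match.split(",").map(&:strip) : []` yields the same array without the in-place mutation and reads as the transformation it is. The fix itself is sound for CVE-2023-22795: a literal-string separator and `strip` are both linear in the header length, so the backtracking that `split(/\s*,\s*/)` allowed on a crafted If-None-Match value cannot recur. `if_none_match_etags` lies entirely inside the hunk.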
@@ -37,6 +41,8 @@ Documentation for %{name}.
 %gem_install -n %{SOURCE0}
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
 %build
@@ -68,6 +74,9 @@ popd
 %doc %{gem_instdir}/README.rdoc
 %changelog
+* Mon Feb 05 2024 yaoxin - 1:5.2.4.4-4
+- Fix CVE-2023-22792 and CVE-2023-22795
+
 * Mon Jun 28 2021 liwu - 5.2.4.4-3
 * Fix CVE-2021-22904