From 2a6a446f35f8c2ccfd04ec6664b76c715955df65 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Thu, 6 Jun 2024 09:40:58 +0800
Subject: [PATCH] Fix CVE-2024-28103
(cherry picked from commit 57470a5c4761deb4a1edc7688c6aca2da9186b74)
---
 CVE-2024-28103-test.patch | 62 +++++++++++++++++++++++++++++++++++++++
 CVE-2024-28103.patch | 43 +++++++++++++++++++++++++++
 rubygem-actionpack.spec | 10 ++++++-
 3 files changed, 114 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2024-28103-test.patch
 create mode 100644 CVE-2024-28103.patch
diff --git a/CVE-2024-28103-test.patch b/CVE-2024-28103-test.patch
new file mode 100644
index 0000000..308047d
--- /dev/null
+++ b/CVE-2024-28103-test.patch
@@ -0,0 +1,62 @@
+diff --git a/actionpack/test/dispatch/permissions_policy_test.rb b/actionpack/test/dispatch/permissions_policy_test.rb
+index 030e37942bd0e..533b59a55094d 100644
+--- a/actionpack/test/dispatch/permissions_policy_test.rb
++++ b/actionpack/test/dispatch/permissions_policy_test.rb
+@@ -41,6 +41,57 @@ def test_invalid_directive_source
+ end
+ end
+
+class PermissionsPolicyMiddlewareTest < ActionDispatch::IntegrationTest
++ APP = ->(env) { [200, {}, []] }
++
++ POLICY = ActionDispatch::PermissionsPolicy.new do |p|
++ p.gyroscope :self
++ end
++
++ class PolicyConfigMiddleware
++ def initialize(app)
++ @app = app
++ end
++
++ def call(env)
++ env["action_dispatch.permissions_policy"] = POLICY
++ env["action_dispatch.show_exceptions"] = :none
++
++ @app.call(env)
++ end
++ end
++
++ test "html requests will set a policy" do
++ @app = build_app(->(env) { [200, { Rack::CONTENT_TYPE => "text/html" }, []] })
++ # Dummy CONTENT_TYPE to avoid including backport of the following commit in
++ # a security-related patch:
++ # https://github.com/rails/rails/commit/060887d4c55a8b4038dd4662712007d07e74e625
++ get "/index", headers: { Rack::CONTENT_TYPE => 'cant/be-nil' }
++
++ assert_equal "text/html", response.headers['Content-Type']
++ assert_equal "gyroscope 'self'", response.headers['Feature-Policy']
++ end
++
++ test "non-html requests will set a policy" do
++ @app = build_app(->(env) { [200, { Rack::CONTENT_TYPE => "application/json" }, []] })
++ get "/index", headers: { Rack::CONTENT_TYPE => 'cant/be-nil' }
++
++ assert_equal "application/json", response.headers['Content-Type']
++ assert_equal "gyroscope 'self'", response.headers['Feature-Policy']
++ end
++
++ private
++ def build_app(app)
++ PolicyConfigMiddleware.new(
++ Rack::Lint.new(
++ ActionDispatch::PermissionsPolicy::Middleware.new(
++ Rack::Lint.new(app),
++ ),
++ ),
++ )
++ end
++end
++
+ class PermissionsPolicyIntegrationTest < ActionDispatch::IntegrationTest
+ class PolicyController < ActionController::Base
+ permissions_policy only: :index do |f|
diff --git a/CVE-2024-28103.patch b/CVE-2024-28103.patch
new file mode 100644
index 0000000..387ecc0
--- /dev/null
+++ b/CVE-2024-28103.patch
@@ -0,0 +1,43 @@
+From b329b261dd32a61316f2831788d6078ca0563ab6 Mon Sep 17 00:00:00 2001
+From: Zack Deveau
+Date: Wed, 28 Feb 2024 16:49:11 -0500
+Subject: [PATCH] include the HTTP Permissions-Policy on non-HTML Content-Types
+
+[CVE-2024-28103]
+The application configurable Permissions-Policy is only
+served on responses with an HTML related Content-Type.
+
+This change allows all Content-Types to serve the
+configured Permissions-Policy as there are many non-HTML
+Content-Types that would benefit from this header.
+(examples include image/svg+xml and application/xml)
+---
+ .../http/permissions_policy.rb | 7 ---
+ .../test/dispatch/permissions_policy_test.rb | 51 +++++++++++++++++++
+ 2 files changed, 51 insertions(+), 7 deletions(-)
+
+diff --git a/actionpack/lib/action_dispatch/http/permissions_policy.rb b/actionpack/lib/action_dispatch/http/permissions_policy.rb
+index d1917a7193696..b190faa3e894f 100644
+--- a/actionpack/lib/action_dispatch/http/permissions_policy.rb
++++ b/actionpack/lib/action_dispatch/http/permissions_policy.rb
+@@ -21,7 +21,6 @@ def call(env)
+ request = ActionDispatch::Request.new(env)
+ _, headers, _ = response = @app.call(env)
+
+- return response unless html_response?(headers)
+ return response if policy_present?(headers)
+
+ if policy = request.permissions_policy
+@@ -36,12 +35,6 @@ def call(env)
+ end
+
+ private
+- def html_response?(headers)
+- if content_type = headers[CONTENT_TYPE]
+- /html/.match?(content_type)
+- end
+- end
+-
+ def policy_present?(headers)
+ headers[POLICY]
+ end
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index 6ddf643..7cd50b4 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
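Review bot: `APP = ->(env) { [200, {}, []] }` at the top of PermissionsPolicyMiddlewareTest is never referenced; both tests hand their own lambda to `build_app`, and the response shape `APP` describes — no Content-Type header at all, which the deleted `html_response?` guard also skipped because `headers[CONTENT_TYPE]` was nil — is the one path of the fix neither test covers. Either delete the constant or use it in a third test so a header-less response is pinned to carry the policy too; the same `cant/be-nil` request-header workaround applies there. I believe Rack::Lint accepts a 200 with no Content-Type, but confirm that before relying on it. The nested hunk's trailing context lines are the start of PermissionsPolicyIntegrationTest, whose body continues outside the hunk.
```ruby
  # … unchanged: "html requests" and "non-html requests" tests …

  test "responses without a content type will set a policy" do
    @app = build_app(APP)
    get "/index", headers: { Rack::CONTENT_TYPE => 'cant/be-nil' }

    assert_equal "gyroscope 'self'", response.headers['Feature-Policy']
  end
```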
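Review bot: The diffstat carried inside CVE-2024-28103.patch (`.../test/dispatch/permissions_policy_test.rb | 51 +++…` and `2 files changed, 51 insertions(+), 7 deletions(-)`) no longer describes the file, whose body holds only the two `permissions_policy.rb` hunks because the test was split out into CVE-2024-28103-test.patch; `%patch` ignores the stat, but anyone auditing the backport will go looking for 51 missing lines. Trim it to `.../http/permissions_policy.rb | 7 ---` and `1 file changed, 7 deletions(-)`, or add a line under `[CVE-2024-28103]` noting that the test lives in the sibling patch. Dropping `return response unless html_response?(headers)` also means responses produced without a controller (plain Rack endpoints, static files) now fall through to the policy build further down `call`; that is the point of the fix, but since those responses were skipped before, it is worth confirming that the build below the hunk — presumably fed the request's controller instance — tolerates a request with no controller when a directive is a proc. Both `call` and the `private` section continue outside the hunk.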
@@ -4,7 +4,7 @@
 Name: rubygem-%{gem_name}
 Epoch: 1
 Version: 6.1.4.1
-Release: 4
+Release: 5
 Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails)
 License: MIT
 URL: http://rubyonrails.org
@@ -18,6 +18,9 @@ Patch2: CVE-2023-22792.patch
 Patch3: CVE-2023-22792-test.patch
 # https://github.com/rails/rails/commit/484fc9185db6c6a6a49ab458b11f9366da02bab2
 Patch4: CVE-2023-22795.patch
+# https://github.com/rails/rails/commit/b329b261dd32a61316f2831788d6078ca0563ab6
+Patch5: CVE-2024-28103.patch
+Patch6: CVE-2024-28103-test.patch
+
 # Let's keep Requires and BuildRequires sorted alphabeticaly
 BuildRequires: ruby(release)
@@ -58,9 +61,11 @@ Documentation for %{name}.
 %patch0 -p2
 %patch2 -p2
 %patch4 -p2
+%patch5 -p2
 pushd %{_builddir}
 %patch1 -p2
 %patch3 -p2
+%patch6 -p2
 popd
@@ -104,6 +109,9 @@ popd
 %doc %{gem_instdir}/README.rdoc
 %changelog
+* Thu Jun 06 2024 yaoxin - 1:6.1.4.1-5
+- Fix CVE-2024-28103
+
 * Mon Feb 05 2024 yaoxin - 1:6.1.4.1-4
 - Fix CVE-2023-22792 and CVE-2023-22795
--
Gitee