diff --git a/backport-CVE-2024-41128.patch b/backport-CVE-2024-41128.patch new file mode 100644 index 0000000000000000000000000000000000000000..3566855c52d3c5a6f8fe5d05d2cce0b09e0fa50b --- /dev/null +++ b/backport-CVE-2024-41128.patch @@ -0,0 +1,38 @@ +From b1241f468d1b32235f438c2e2203386e6efd3891 Mon Sep 17 00:00:00 2001 +From: John Hawthorn +Date: Thu, 10 Oct 2024 20:41:33 -0700 +Subject: [PATCH] Avoid backtracking in filtered_query_string + +Thanks scyoon for the patch + +CVE-2024-41128 +--- + .../lib/action_dispatch/http/filter_parameters.rb | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/actionpack/lib/action_dispatch/http/filter_parameters.rb b/actionpack/lib/action_dispatch/http/filter_parameters.rb +index d053fc0b9f781..0e2e771da104d 100644 +--- a/actionpack/lib/action_dispatch/http/filter_parameters.rb ++++ b/actionpack/lib/action_dispatch/http/filter_parameters.rb +@@ -58,12 +58,17 @@ def parameter_filter_for(filters) # :doc: + ActiveSupport::ParameterFilter.new(filters) + end + +- KV_RE = "[^&;=]+" +- PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})} + def filtered_query_string # :doc: +- query_string.gsub(PAIR_RE) do |_| +- parameter_filter.filter($1 => $2).first.join("=") ++ parts = query_string.split(/([&;])/) ++ filtered_parts = parts.map do |part| ++ if part.include?("=") ++ key, value = part.split("=", 2) ++ parameter_filter.filter(key => value).first.join("=") ++ else ++ part ++ end + end ++ filtered_parts.join("") + end + end + end diff --git a/backport-CVE-2024-47887.patch b/backport-CVE-2024-47887.patch new file mode 100644 index 0000000000000000000000000000000000000000..f7c71427ec087edada4fa0ba954a5721d2a9c3dd --- /dev/null +++ b/backport-CVE-2024-47887.patch @@ -0,0 +1,26 @@ +From 56b2fc3302836405b496e196a8d5fc0195e55049 Mon Sep 17 00:00:00 2001 +From: John Hawthorn +Date: Thu, 10 Oct 2024 20:32:00 -0700 +Subject: [PATCH] Avoid backtracking in Token#raw_params + +Thanks to scyoon for the patch + +[CVE-2024-47887] +--- + actionpack/lib/action_controller/metal/http_authentication.rb | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb +index 439ffd5c99490..e42791bbc23d8 100644 +--- a/actionpack/lib/action_controller/metal/http_authentication.rb ++++ b/actionpack/lib/action_controller/metal/http_authentication.rb +@@ -506,7 +506,8 @@ def rewrite_param_values(array_params) + # pairs by the standardized :, ;, or \t + # delimiters defined in +AUTHN_PAIR_DELIMITERS+. + def raw_params(auth) +- _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/) ++ _raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip) ++ _raw_params.reject!(&:empty?) + + if !_raw_params.first&.start_with?(TOKEN_KEY) + _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}" diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec index c9bb6377f07062d035a896d9d1c6f28a2e6886f7..ad3115ca4ba16cc18e8660c6aec0d1759104971e 100644 --- a/rubygem-actionpack.spec +++ b/rubygem-actionpack.spec @@ -4,7 +4,7 @@ Name: rubygem-%{gem_name} Epoch: 1 Version: 7.0.7 -Release: 3 +Release: 4 Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails) License: MIT URL: http://rubyonrails.org @@ -29,6 +29,9 @@ Patch2: CVE-2024-26143-test.patch Patch3: CVE-2024-28103.patch Patch4: CVE-2024-28103-test.patch +Patch3000: backport-CVE-2024-41128.patch +Patch3001: backport-CVE-2024-47887.patch + # Let's keep Requires and BuildRequires sorted alphabeticaly BuildRequires: ruby(release) BuildRequires: rubygems-devel @@ -68,6 +71,9 @@ Documentation for %{name}. %patch1 -p2 %patch3 -p2 +%patch3000 -p2 +%patch3001 -p2 + pushd %{_builddir} %patch0 -p2 %patch2 -p2 @@ -114,6 +120,9 @@ popd %doc %{gem_instdir}/README.rdoc %changelog +* Fri Oct 18 2024 yaoxin - 1:7.0.7-4 +- Fix CVE-2024-41128 and CVE-2024-47887 + * Thu Jun 06 2024 yaoxin - 1:7.0.7-3 - Fix CVE-2024-28103