From fc01bb321da5b697165fd08e9aecdd1b03190da8 Mon Sep 17 00:00:00 2001 From: starlet-dx <15929766099@163.com> Date: Fri, 18 Oct 2024 09:19:54 +0800 Subject: [PATCH] Fix CVE-2024-41128 and CVE-2024-47887 --- backport-CVE-2024-41128.patch | 38 +++++++++++++++++++++++++++++++++++ backport-CVE-2024-47887.patch | 26 ++++++++++++++++++++++++ rubygem-actionpack.spec | 11 +++++++++- 3 files changed, 74 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2024-41128.patch create mode 100644 backport-CVE-2024-47887.patch diff --git a/backport-CVE-2024-41128.patch b/backport-CVE-2024-41128.patch new file mode 100644 index 0000000..3566855 --- /dev/null +++ b/backport-CVE-2024-41128.patch @@ -0,0 +1,38 @@ +From b1241f468d1b32235f438c2e2203386e6efd3891 Mon Sep 17 00:00:00 2001 +From: John Hawthorn +Date: Thu, 10 Oct 2024 20:41:33 -0700 +Subject: [PATCH] Avoid backtracking in filtered_query_string + +Thanks scyoon for the patch + +CVE-2024-41128 +--- + .../lib/action_dispatch/http/filter_parameters.rb | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/actionpack/lib/action_dispatch/http/filter_parameters.rb b/actionpack/lib/action_dispatch/http/filter_parameters.rb +index d053fc0b9f781..0e2e771da104d 100644 +--- a/actionpack/lib/action_dispatch/http/filter_parameters.rb ++++ b/actionpack/lib/action_dispatch/http/filter_parameters.rb +@@ -58,12 +58,17 @@ def parameter_filter_for(filters) # :doc: + ActiveSupport::ParameterFilter.new(filters) + end + +- KV_RE = "[^&;=]+" +- PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})} + def filtered_query_string # :doc: +- query_string.gsub(PAIR_RE) do |_| +- parameter_filter.filter($1 => $2).first.join("=") ++ parts = query_string.split(/([&;])/) ++ filtered_parts = parts.map do |part| ++ if part.include?("=") ++ key, value = part.split("=", 2) ++ parameter_filter.filter(key => value).first.join("=") ++ else ++ part ++ end + end ++ filtered_parts.join("") + end + end + end diff --git a/backport-CVE-2024-47887.patch b/backport-CVE-2024-47887.patch new file mode 100644 index 0000000..f7c7142 --- /dev/null +++ b/backport-CVE-2024-47887.patch @@ -0,0 +1,26 @@ +From 56b2fc3302836405b496e196a8d5fc0195e55049 Mon Sep 17 00:00:00 2001 +From: John Hawthorn +Date: Thu, 10 Oct 2024 20:32:00 -0700 +Subject: [PATCH] Avoid backtracking in Token#raw_params + +Thanks to scyoon for the patch + +[CVE-2024-47887] +--- + actionpack/lib/action_controller/metal/http_authentication.rb | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb +index 439ffd5c99490..e42791bbc23d8 100644 +--- a/actionpack/lib/action_controller/metal/http_authentication.rb ++++ b/actionpack/lib/action_controller/metal/http_authentication.rb +@@ -506,7 +506,8 @@ def rewrite_param_values(array_params) + # pairs by the standardized :, ;, or \t + # delimiters defined in +AUTHN_PAIR_DELIMITERS+. + def raw_params(auth) +- _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/) ++ _raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip) ++ _raw_params.reject!(&:empty?) + + if !_raw_params.first&.start_with?(TOKEN_KEY) + _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}" diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec index c9bb637..ad3115c 100644 --- a/rubygem-actionpack.spec +++ b/rubygem-actionpack.spec @@ -4,7 +4,7 @@ Name: rubygem-%{gem_name} Epoch: 1 Version: 7.0.7 -Release: 3 +Release: 4 Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails) License: MIT URL: http://rubyonrails.org @@ -29,6 +29,9 @@ Patch2: CVE-2024-26143-test.patch Patch3: CVE-2024-28103.patch Patch4: CVE-2024-28103-test.patch +Patch3000: backport-CVE-2024-41128.patch +Patch3001: backport-CVE-2024-47887.patch + # Let's keep Requires and BuildRequires sorted alphabeticaly BuildRequires: ruby(release) BuildRequires: rubygems-devel @@ -68,6 +71,9 @@ Documentation for %{name}. %patch1 -p2 %patch3 -p2 +%patch3000 -p2 +%patch3001 -p2 + pushd %{_builddir} %patch0 -p2 %patch2 -p2 @@ -114,6 +120,9 @@ popd %doc %{gem_instdir}/README.rdoc %changelog +* Fri Oct 18 2024 yaoxin - 1:7.0.7-4 +- Fix CVE-2024-41128 and CVE-2024-47887 + * Thu Jun 06 2024 yaoxin - 1:7.0.7-3 - Fix CVE-2024-28103 -- Gitee