diff --git a/SOURCES/rubygem-actionpack-4.1.14.1-CVE-2015-7576-fix-timing-attack-vulnerability.patch b/SOURCES/rubygem-actionpack-4.1.14.1-CVE-2015-7576-fix-timing-attack-vulnerability.patch
new file mode 100644
index 0000000..67a0acf
--- /dev/null
+++ b/SOURCES/rubygem-actionpack-4.1.14.1-CVE-2015-7576-fix-timing-attack-vulnerability.patch
@@ -0,0 +1,44 @@
+From 0de876c53fe9355f1e9a73e923519f2a2241f527 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson
+Date: Thu, 29 Oct 2015 10:42:44 -0700
+Subject: [PATCH] use secure string comparisons for basic auth username /
+ password
+
+this will avoid timing attacks against applications that use basic auth.
+
+Conflicts:
+ activesupport/lib/active_support/security_utils.rb
+
+CVE-2015-7576
+---
+ .../action_controller/metal/http_authentication.rb | 7 +++++-
+ activesupport/lib/active_support/security_utils.rb | 27 ++++++++++++++++++++++
+ 2 files changed, 33 insertions(+), 1 deletion(-)
+ create mode 100644 activesupport/lib/active_support/security_utils.rb
+
+diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
+index 167df2f..db93e20 100644
+--- a/actionpack/lib/action_controller/metal/http_authentication.rb
++++ b/actionpack/lib/action_controller/metal/http_authentication.rb
+@@ -1,4 +1,5 @@
+ require 'base64'
++require 'active_support/security_utils'
+ 
+ module ActionController
+ # Makes it dead easy to do HTTP Basic, Digest and Token authentication.
+@@ -70,7 +71,11 @@ module ActionController
+ def http_basic_authenticate_with(options = {})
+ before_action(options.except(:name, :password, :realm)) do
+ authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
+- name == options[:name] && password == options[:password]
++ # This comparison uses & so that it doesn't short circuit and
++ # uses `variable_size_secure_compare` so that length information
++ # isn't leaked.
++ ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
++ ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
+ end
+ end
+ end
+-- 
+2.2.1
+
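Review bot: The request-derived `name` and `password` handed to the new comparison can be nil — they come straight from the decoded Authorization header, and a credential without a `:` separator would presumably leave `password` nil — and while the old `==` tolerated that, `ActiveSupport::SecurityUtils.variable_size_secure_compare` is not in this patch body (its diffstat lists `activesupport/lib/active_support/security_utils.rb` as created, but no hunk for it follows), so whether it raises on nil cannot be checked here. Coercing the request side first is cheap and makes the call safe regardless of the helper's behaviour: `ActiveSupport::SecurityUtils.variable_size_secure_compare(name.to_s, options[:name]) &` and `ActiveSupport::SecurityUtils.variable_size_secure_compare(password.to_s, options[:password])`. The added `require 'active_support/security_utils'` likewise depends on that absent file shipping with activesupport; without it the whole of http_authentication.rb fails to load rather than merely staying timing-unsafe. The enclosing module and class begin before this hunk.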
diff --git a/SOURCES/rubygem-actionpack-4.1.14.1-CVE-2015-7581-fix-object-leak-vulnerability-for-wildcard-controller-routes.patch b/SOURCES/rubygem-actionpack-4.1.14.1-CVE-2015-7581-fix-object-leak-vulnerability-for-wildcard-controller-routes.patch
new file mode 100644
index 0000000..f751feb
--- /dev/null
+++ b/SOURCES/rubygem-actionpack-4.1.14.1-CVE-2015-7581-fix-object-leak-vulnerability-for-wildcard-controller-routes.patch
@@ -0,0 +1,52 @@
+From fb790341d0ea25ad91116c283d49a2c83a8ea299 Mon Sep 17 00:00:00 2001
+From: eileencodes
+Date: Fri, 21 Aug 2015 11:26:19 -0400
+Subject: [PATCH] Remove unnecessary caching
+
+`ActiveSupport::Dependencies.constantize(const_name)` calls
+`Reference.new` which is defined as
+`ActiveSupport::Dependencies.constantize(const_name)` meaning this call
+is already cached and we're doing caching that isn't necessary.
+
+Conflicts:
+ actionpack/lib/action_dispatch/routing/route_set.rb
+
+Conflicts:
+ actionpack/lib/action_dispatch/routing/route_set.rb
+
+CVE-2015-7581
+---
+ actionpack/lib/action_dispatch/routing/route_set.rb | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/actionpack/lib/action_dispatch/routing/route_set.rb b/actionpack/lib/action_dispatch/routing/route_set.rb
+index 51dd607..5f727fd 100644
+--- a/actionpack/lib/action_dispatch/routing/route_set.rb
++++ b/actionpack/lib/action_dispatch/routing/route_set.rb
+@@ -1,6 +1,5 @@
+ require 'action_dispatch/journey'
+ require 'forwardable'
+-require 'thread_safe'
+ require 'active_support/concern'
+ require 'active_support/core_ext/object/to_query'
+ require 'active_support/core_ext/hash/slice'
+@@ -24,7 +23,6 @@ module ActionDispatch
+ def initialize(options={})
+ @defaults = options[:defaults]
+ @glob_param = options.delete(:glob)
+- @controller_class_names = ThreadSafe::Cache.new
+ end
+ 
+ def call(env)
+@@ -74,7 +72,7 @@ module ActionDispatch
+ private
+ 
+ def controller_reference(controller_param)
+- const_name = @controller_class_names[controller_param] ||= "#{controller_param.camelize}Controller"
++ const_name = "#{controller_param.camelize}Controller"
+ ActiveSupport::Dependencies.constantize(const_name)
+ end
+ 
+-- 
+2.2.1
+
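Review bot: `controller_reference` now constantizes a name built straight from the `:controller` path segment with no local memoization, and the fix is only sound if `ActiveSupport::Dependencies.constantize` caches names that resolve and nothing else — the commit message asserts this, but the hunk cannot show it, and a later maintainer could reintroduce a cache keyed on `controller_param` without realising why it was removed. I would put that invariant above the new line: `# Deliberately not memoized: under wildcard routes controller_param is attacker-controlled, and a cache keyed on it grows without bound (CVE-2015-7581).` The hunk also drops `require 'thread_safe'`; whether anything else in route_set.rb still references ThreadSafe is not visible here and should be checked rather than left to a transitive require elsewhere. The enclosing class, its `initialize` and `call` bodies, and the `private` section all extend beyond this hunk.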
diff --git a/SOURCES/rubygem-actionpack-4.1.14.1-CVE-2016-0751-fix-possible-object-leak-and-denial-of-service-attack.patch b/SOURCES/rubygem-actionpack-4.1.14.1-CVE-2016-0751-fix-possible-object-leak-and-denial-of-service-attack.patch
new file mode 100644
index 0000000..d0b2fb3
--- /dev/null
+++ b/SOURCES/rubygem-actionpack-4.1.14.1-CVE-2016-0751-fix-possible-object-leak-and-denial-of-service-attack.patch
@@ -0,0 +1,76 @@
+From 5756321cd9e3ca12cb2b8402704c6680b4d7ca2a Mon Sep 17 00:00:00 2001
+From: Aaron Patterson
+Date: Mon, 11 Jan 2016 14:36:49 -0800
+Subject: [PATCH] stop caching mime types globally
+
+Unknown mime types should not be cached globally. This global cache
+leads to a memory leak and a denial of service vulnerability.
+
+CVE-2016-0751
+---
+ actionpack/lib/action_dispatch/http/mime_type.rb | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/actionpack/lib/action_dispatch/http/mime_type.rb b/actionpack/lib/action_dispatch/http/mime_type.rb
+index 9450be8..fc986f9 100644
+--- a/actionpack/lib/action_dispatch/http/mime_type.rb
++++ b/actionpack/lib/action_dispatch/http/mime_type.rb
+@@ -23,7 +23,7 @@ module Mime
+ 
+ SET = Mimes.new
+ EXTENSION_LOOKUP = {}
+- LOOKUP = Hash.new { |h, k| h[k] = Type.new(k) unless k.blank? }
++ LOOKUP = {}
+ 
+ class << self
+ def [](type)
+@@ -146,7 +146,7 @@ module Mime
+ end
+ 
+ def lookup(string)
+- LOOKUP[string]
++ LOOKUP[string] || Type.new(string)
+ end
+ 
+ def lookup_by_extension(extension)
+@@ -225,9 +225,12 @@ module Mime
+ end
+ end
+ 
++ attr_reader :hash
++ 
+ def initialize(string, symbol = nil, synonyms = [])
+ @symbol, @synonyms = symbol, synonyms
+ @string = string
++ @hash = [@string, @synonyms, @symbol].hash
+ end
+ 
+ def to_s
+@@ -261,6 +264,13 @@ module Mime
+ end
+ end
+ 
++ def eql?(other)
++ super || (self.class == other.class &&
++ @string == other.string &&
++ @synonyms == other.synonyms &&
++ @symbol == other.symbol)
++ end
++ 
+ def =~(mime_type)
+ return false if mime_type.blank?
+ regexp = Regexp.new(Regexp.quote(mime_type.to_s))
+@@ -274,6 +284,10 @@ module Mime
+ end
+ 
+ 
++ protected
++ 
++ attr_reader :string, :synonyms
++ 
+ private
+ 
+ def to_ary; end
+-- 
+2.2.1
+
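Review bot: The new `lookup` drops the `unless k.blank?` guard the old default block carried, so `Mime::Type.lookup("")` and `lookup(nil)` now return a fresh `Type` wrapping a blank string where they previously returned nil; any caller that tested the result for nil — an empty Content-Type or Accept value is the obvious way to reach it — silently changes behaviour, and the patch adds no test for that case. `LOOKUP[string] || (Type.new(string) unless string.blank?)` keeps the old contract while still allocating unknown types per call instead of caching them globally. `LOOKUP = {}` also deserves a comment saying why it must never auto-populate, e.g. `# Plain Hash on purpose: unknown types arrive in request headers, so a self-populating default block is an attacker-fed unbounded cache (CVE-2016-0751).` The precomputed `@hash` assumes `@synonyms` is never mutated after construction, which presumably holds but is not visible here; the `Mime::Type` class and its `class << self` block both start outside the hunk.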
diff --git a/SOURCES/rubygem-actionpack-4.1.14.1-CVE-2016-0752-fix-possible-information-leak-vulnerability.patch b/SOURCES/rubygem-actionpack-4.1.14.1-CVE-2016-0752-fix-possible-information-leak-vulnerability.patch
new file mode 100644
index 0000000..d65e2cb
--- /dev/null
+++ b/SOURCES/rubygem-actionpack-4.1.14.1-CVE-2016-0752-fix-possible-information-leak-vulnerability.patch
@@ -0,0 +1,87 @@
+From 5c656a271a890cca4b3d438cc1fc76ff98011cbe Mon Sep 17 00:00:00 2001
+From: Aaron Patterson
+Date: Wed, 20 Jan 2016 10:39:19 -0800
+Subject: [PATCH] allow :file to be outside rails root, but anything else must
+ be inside the rails view directory
+
+Conflicts:
+ actionpack/test/controller/render_test.rb
+ actionview/lib/action_view/template/resolver.rb
+
+CVE-2016-0752
+---
+ actionpack/lib/abstract_controller/rendering.rb | 8 +++++-
+ actionpack/test/controller/render_test.rb | 31 ++++++++++++++++++++++
+ actionview/lib/action_view/lookup_context.rb | 4 +++
+ actionview/lib/action_view/path_set.rb | 26 +++++++++++++-----
+ .../lib/action_view/renderer/abstract_renderer.rb | 2 +-
+ .../lib/action_view/renderer/template_renderer.rb | 2 +-
+ actionview/lib/action_view/template/resolver.rb | 25 ++++++++++++++---
+ actionview/lib/action_view/testing/resolvers.rb | 4 +--
+ actionview/test/template/render_test.rb | 7 +++++
+ 9 files changed, 93 insertions(+), 16 deletions(-)
+
+diff --git a/actionpack/lib/abstract_controller/rendering.rb b/actionpack/lib/abstract_controller/rendering.rb
+index 9d10140..e80d97f 100644
+--- a/actionpack/lib/abstract_controller/rendering.rb
++++ b/actionpack/lib/abstract_controller/rendering.rb
+@@ -77,7 +77,13 @@ module AbstractController
+ # render "foo/bar" to render :file => "foo/bar".
+ # :api: plugin
+ def _normalize_args(action=nil, options={})
+- if action.is_a? Hash
++ case action
++ when ActionController::Parameters
++ unless action.permitted?
++ raise ArgumentError, "render parameters are not permitted"
++ end
++ action
++ when Hash
+ action
+ else
+ options
+diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb
+index 26806fb..17a019e 100644
+--- a/actionpack/test/controller/render_test.rb
++++ b/actionpack/test/controller/render_test.rb
+@@ -52,6 +52,16 @@ class TestController < ActionController::Base
+ end
+ end
+ 
++ def dynamic_render
++ render params[:id] # => String, AC:Params
++ end
++ 
++ def dynamic_render_with_file
++ # This is extremely bad, but should be possible to do.
++ file = params[:id] # => String, AC:Params
++ render file: file
++ end
++ 
+ def conditional_hello_with_public_header
+ if stale?(:last_modified => Time.now.utc.beginning_of_day, :etag => [:foo, 123], :public => true)
+ render :action => 'hello_world'
+@@ -251,6 +261,20 @@ end
+ class ExpiresInRenderTest < ActionController::TestCase
+ tests TestController
+ 
++ def test_dynamic_render_with_file
++ # This is extremely bad, but should be possible to do.
++ assert File.exist?(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb'))
++ response = get :dynamic_render_with_file, { id: '../\\../test/abstract_unit.rb' }
++ assert_equal File.read(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb')),
++ response.body
++ end
++ 
++ def test_dynamic_render_file_hash
++ assert_raises ArgumentError do
++ get :dynamic_render, { id: { file: '../\\../test/abstract_unit.rb' } }
++ end
++ end
++ 
+ def test_expires_in_header
+ get :conditional_hello_with_expires_in
+ assert_equal "max-age=60, private", @response.headers["Cache-Control"]
+-- 
+2.2.1
+
diff --git a/SPECS/rubygem-actionpack.spec b/SPECS/rubygem-actionpack.spec
index 0e8f65b..d6f868a 100644
--- a/SPECS/rubygem-actionpack.spec
+++ b/SPECS/rubygem-actionpack.spec
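Review bot: The `permitted?` check in `_normalize_args` rejects only a whole unpermitted `Parameters` object; a permitted params hash, or a plain string as in `render file: params[:id]`, still carries a user-controlled path into the renderer, as `test_dynamic_render_with_file` deliberately demonstrates with a traversal payload. The path restriction for the non-`:file` case lives in the actionview `path_set`/`resolver` changes this patch's diffstat lists but whose hunks are not in its body, so on its own the patch closes only the `Parameters`-hash vector and is complete only alongside the matching actionview patch. A comment on the new branch would make that split explicit for the next reader: `# Only rejects unpermitted Parameters; a permitted :file value is still the caller's responsibility (path checks live in ActionView's resolver).` The `case` expression and the method's closing `end`s, as well as the test classes, continue outside the hunk.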
@@ -9,7 +9,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC
 Name: %{?scl_prefix}rubygem-%{gem_name}
 Epoch: 1
 Version: 4.1.5
-Release: 2%{?dist}
+Release: 3%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -23,6 +23,19 @@ Source0: http://rubygems.org/downloads/actionpack-%{version}.gem
 # tar czvf actionpack-4.1.5-tests.tgz test/
 Source2: actionpack-%{version}-tests.tgz
 
+# Fix CVE-2015-7576 Timing attack vulnerability in basic authentication
+# https://bugzilla.redhat.com/show_bug.cgi?id=1301933
+Patch0: rubygem-actionpack-4.1.14.1-CVE-2015-7576-fix-timing-attack-vulnerability.patch
+# Fix CVE-2016-0751 Possible Object Leak and Denial of Service attack
+# https://bugzilla.redhat.com/show_bug.cgi?id=1301946
+Patch1: rubygem-actionpack-4.1.14.1-CVE-2016-0751-fix-possible-object-leak-and-denial-of-service-attack.patch
+# Fix CVE-2016-0752 Possible Information Leak Vulnerability
+# https://bugzilla.redhat.com/show_bug.cgi?id=1301963
+Patch2: rubygem-actionpack-4.1.14.1-CVE-2016-0752-fix-possible-information-leak-vulnerability.patch
+# Fix CVE-2015-7581 Object leak vulnerability for wildcard controller routes
+# https://bugzilla.redhat.com/show_bug.cgi?id=1301981
+Patch3: rubygem-actionpack-4.1.14.1-CVE-2015-7581-fix-object-leak-vulnerability-for-wildcard-controller-routes.patch
+
 # Let's keep Requires and BuildRequires sorted alphabeticaly
 Requires: %{?scl_prefix_ruby}ruby(rubygems)
 Requires: %{?scl_prefix}rubygem(activesupport) = %{version}
@@ -73,6 +86,13 @@ Documentation for %{pkg_name}
 # move the tests into place
 tar xzvf %{SOURCE2} -C .%{gem_instdir}
 
+pushd .%{gem_instdir}
+%patch0 -p2
+%patch1 -p2
+%patch2 -p2
+%patch3 -p2
+popd
+
 # Remove backup files
 # No! these are needed for rake test
 # find ./%{gem_instdir} -type f -name "*~" -delete
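Review bot: Patch0 makes http_authentication.rb `require 'active_support/security_utils'`, a file that patch does not create (its own diffstat lists `activesupport/lib/active_support/security_utils.rb` as a new file, but the hunk for it is absent), yet the spec keeps `Requires: %{?scl_prefix}rubygem(activesupport) = %{version}` with no release qualifier. Installed beside an activesupport 4.1.5 build that lacks that file, every load of the Basic-auth module raises LoadError — an outage rather than a merely unfixed timing issue. The dependency should name the activesupport release that ships security_utils.rb, along the lines of `Requires: %{?scl_prefix}rubygem(activesupport) >= %{epoch}:%{version}-N` with N set to that release, which is not visible here. The same holds for Patch2, whose actionview half (resolver/path_set) is likewise listed in its diffstat but not applied by this spec, so the CVE-2016-0752 line in the changelog is only true together with the corresponding actionview build.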
@@ -147,6 +167,16 @@ popd %{gem_instdir}/test/ %changelog +* Thu Feb 11 2016 Pavel Valena - 1:4.1.5-3 +- Fix Timing attack vulnerability in Action Controller - rhbz#1301933 + - Resolves: CVE-2015-7576 +- Fix Possible Object Leak and Denial of Service attack - rhbz#1301946 + - Resolves: CVE-2016-0751 +- Fix Possible Information Leak Vulnerability - rhbz#1301963 + - Resolves: CVE-2016-0752 +- Fix Object leak vulnerability for wildcard controller routes - rhbz#1301981 + - Resolves: CVE-2015-7581 + * Thu Feb 05 2015 Vít Ondruch - 1:4.1.5-2 - Remove obsolete patch.