diff --git a/SOURCES/rubygem-activesupport-4.1.14.1-CVE-2015-7576-fix-timing-attack-vulnerability.patch b/SOURCES/rubygem-activesupport-4.1.14.1-CVE-2015-7576-fix-timing-attack-vulnerability.patch
new file mode 100644
index 0000000..cf45392
--- /dev/null
+++ b/SOURCES/rubygem-activesupport-4.1.14.1-CVE-2015-7576-fix-timing-attack-vulnerability.patch
@@ -0,0 +1,54 @@
+From 0de876c53fe9355f1e9a73e923519f2a2241f527 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson
+Date: Thu, 29 Oct 2015 10:42:44 -0700
+Subject: [PATCH] use secure string comparisons for basic auth username /
+ password
+
+this will avoid timing attacks against applications that use basic auth.
+
+Conflicts:
+ activesupport/lib/active_support/security_utils.rb
+
+CVE-2015-7576
+---
+ .../action_controller/metal/http_authentication.rb | 7 +++++-
+ activesupport/lib/active_support/security_utils.rb | 27 ++++++++++++++++++++++
+ 2 files changed, 33 insertions(+), 1 deletion(-)
+ create mode 100644 activesupport/lib/active_support/security_utils.rb
+
+diff --git a/activesupport/lib/active_support/security_utils.rb b/activesupport/lib/active_support/security_utils.rb
+new file mode 100644
+index 0000000..bb22125
+--- /dev/null
++++ b/activesupport/lib/active_support/security_utils.rb
+@@ -0,0 +1,27 @@
++require 'digest'
++
++module ActiveSupport
++ module SecurityUtils
++ # Constant time string comparison.
++ #
++ # The values compared should be of fixed length, such as strings
++ # that have already been processed by HMAC. This should not be used
++ # on variable length plaintext strings because it could leak length info
++ # via timing attacks.
++ def secure_compare(a, b)
++ return false unless a.bytesize == b.bytesize
++
++ l = a.unpack "C#{a.bytesize}"
++
++ res = 0
++ b.each_byte { |byte| res |= byte ^ l.shift }
++ res == 0
++ end
++ module_function :secure_compare
++
++ def variable_size_secure_compare(a, b) # :nodoc:
++ secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
++ end
++ module_function :variable_size_secure_compare
++ end
++end
+--
+2.2.1
+
diff --git a/SOURCES/rubygem-activesupport-4.1.14.1-CVE-2016-0753-fix-possible-input-validation-circumvention.patch b/SOURCES/rubygem-activesupport-4.1.14.1-CVE-2016-0753-fix-possible-input-validation-circumvention.patch
new file mode 100644
index 0000000..5371957
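Review bot: This backport carries only the activesupport half of upstream 0de876c — the patch's own diffstat lists `.../action_controller/metal/http_authentication.rb | 7 +++++-`, yet no hunk for that file is present, so this package adds `secure_compare` and `variable_size_secure_compare` without any caller switching the basic-auth credential check to them. CVE-2015-7576 is only closed once the matching actionpack change ships (presumably in the rubygem-actionpack package of this collection); that dependency deserves a line in the patch preamble, e.g. `Activesupport portion only; the http_authentication.rb caller change is carried by rubygem-actionpack`. Note for that consumer side that `secure_compare` deliberately returns as soon as `a.bytesize == b.bytesize` fails, so usernames and passwords must go through `variable_size_secure_compare`, which hashes both inputs to a fixed length first, or the length leak the comment warns about is reintroduced.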
--- /dev/null
+++ b/SOURCES/rubygem-activesupport-4.1.14.1-CVE-2016-0753-fix-possible-input-validation-circumvention.patch
@@ -0,0 +1,39 @@
+From 7a01874b75fdd62ab3626490cdf1c65c0ba659d0 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson
+Date: Mon, 18 Jan 2016 13:51:02 -0800
+Subject: [PATCH] Eliminate instance level writers for class accessors
+
+Instance level writers can have an impact on how the Active Model /
+Record objects are saved. Specifically, they can be used to bypass
+validations. This is a problem if mass assignment protection is
+disabled and specific attributes are passed to the constructor.
+
+Conflicts:
+ activerecord/lib/active_record/scoping/default.rb
+ activesupport/lib/active_support/callbacks.rb
+
+CVE-2016-0753
+---
+ activemodel/lib/active_model/serializers/json.rb | 2 +-
+ activemodel/lib/active_model/validations.rb | 3 ++-
+ activerecord/lib/active_record/enum.rb | 2 +-
+ activerecord/lib/active_record/reflection.rb | 4 ++--
+ activesupport/lib/active_support/callbacks.rb | 2 +-
+ 5 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/activesupport/lib/active_support/callbacks.rb b/activesupport/lib/active_support/callbacks.rb
+index 3265d11..3ba690b 100644
+--- a/activesupport/lib/active_support/callbacks.rb
++++ b/activesupport/lib/active_support/callbacks.rb
+@@ -726,7 +768,7 @@ module ActiveSupport
+ end
+
+ names.each do |name|
+- class_attribute "_#{name}_callbacks"
++ class_attribute "_#{name}_callbacks", instance_writer: false
+ set_callbacks name, CallbackChain.new(name, options)
+ end
+ end
+--
+2.2.1
+
diff --git a/SPECS/rubygem-activesupport.spec b/SPECS/rubygem-activesupport.spec
index 300a79d..c41bb6c 100644
--- a/SPECS/rubygem-activesupport.spec
+++ b/SPECS/rubygem-activesupport.spec
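Review bot: Only the `callbacks.rb` hunk of upstream 7a01874b is applied here, while the retained diffstat lists four more files (`active_model/serializers/json.rb`, `active_model/validations.rb`, `active_record/enum.rb`, `active_record/reflection.rb`) whose `instance_writer: false` changes are absent, so the validation-bypass described in the commit message stays open unless rubygem-activemodel and rubygem-activerecord in this collection get the same treatment. A cross-reference in the preamble would make that explicit, e.g. `Activesupport portion only; activemodel/activerecord hunks are shipped in their own packages`. The inner hunk header `@@ -726,7 +768,7 @@` carries a hand-adjusted offset for the 4.1.5 base, so the next rebase of the gem tarball should re-check that this hunk still lands on the `class_attribute "_#{name}_callbacks"` line rather than applying by fuzz elsewhere. The enclosing method begins outside the hunk.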
@@ -7,7 +7,7 @@ Summary: Support and utility classes used by the Rails framework
 Name: %{?scl_prefix}rubygem-%{gem_name}
 Epoch: 1
 Version: 4.1.5
-Release: 1%{?dist}
+Release: 3%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -25,6 +25,12 @@ Source2: activesupport-%{version}-tests.tgz
 # Removes code which breaks the test suite due to a
 # dependency on a file in the greater rails proj
 Patch1: activesupport-tests-fix.patch
+# Fix CVE-2016-0753 Possible Input Validation Circumvention
+# https://bugzilla.redhat.com/show_bug.cgi?id=1301973
+Patch2: rubygem-activesupport-4.1.14.1-CVE-2016-0753-fix-possible-input-validation-circumvention.patch
+# Fix CVE-2015-7576 Timing attack vulnerability in basic authentication
+# https://bugzilla.redhat.com/show_bug.cgi?id=1301933
+Patch3: rubygem-activesupport-4.1.14.1-CVE-2015-7576-fix-timing-attack-vulnerability.patch
 Requires: %{?scl_prefix_ruby}ruby(rubygems)
 Requires: %{?scl_prefix_ruby}ruby(release)
@@ -77,6 +83,8 @@ tar xzvf %{SOURCE2} -C .%{gem_instdir}
 pushd .%{gem_instdir}
 %patch1 -p0
+%patch2 -p2
+%patch3 -p2
 popd
 %build
@@ -99,7 +107,8 @@ rm test/caching_test.rb
 %{?scl:scl enable %scl - << \EOF}
 # Failures/errors due to Minitest version, newer Minitest randomize running tests
 # and Rails are not ready for that
-ruby -Ilib:test -e "Dir.glob('./test/**/*_test.rb').each {|t| require t}" | grep '2 failures, 5 errors'
+# One failure due to test_partial_string_to_time that uses Zoneinfo's Moscow time (1 hour change)
+ruby -Ilib:test -e "Dir.glob('./test/**/*_test.rb').each {|t| require t}" | grep '3 failures, 5 errors'
 %{?scl:EOF}
 popd
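Review bot: The updated %check line pins the outcome by count, `grep '3 failures, 5 errors'`, so a regression introduced by Patch2 or Patch3 that swaps the tolerated `test_partial_string_to_time` failure for a different one still passes, and the newly added `secure_compare` code is not exercised by anything in this build. Naming the tolerated failure is cheap, e.g. `| tee test.log | grep '3 failures, 5 errors' && grep -q test_partial_string_to_time test.log`, so that the count check only succeeds when the expected test is the one failing. `-p2` on `%patch2`/`%patch3` matches the `a/activesupport/lib/...` paths inside both patch files, but the %files section that has to pick up the newly created `lib/active_support/security_utils.rb` is outside this diff, so confirm its globs include that file.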
@@ -115,6 +124,15 @@ popd
 %{gem_instdir}/test
 %changelog
+* Tue Feb 16 2016 Pavel Valena - 1:4.1.5-3
+- Fix offset in patch for CVE-2016-0753
+
+* Wed Feb 10 2016 Pavel Valena - 1:4.1.5-2
+- Fix possible input validation circumvention - rhbz#1301973
+ - Resolves: CVE-2016-0753
+- Fix Timing attack vulnerability in basic authentication - rhbz#1301933
+ - Resolves: CVE-2015-7576
+
 * Mon Jan 19 2015 Josef Stribny - 1:4.1.5-1
 - Update to 4.1.5