diff --git a/SOURCES/rubygem-actionpack-4.2.11.1-CVE-2019-5418-CVE-2019-5419-render-file-tests.patch b/SOURCES/rubygem-actionpack-4.2.11.1-CVE-2019-5418-CVE-2019-5419-render-file-tests.patch
new file mode 100644
index 0000000..d86d8e5
--- /dev/null
+++ b/SOURCES/rubygem-actionpack-4.2.11.1-CVE-2019-5418-CVE-2019-5419-render-file-tests.patch
@@ -0,0 +1,73 @@
+diff --git a/actionpack/test/controller/mime/respond_to_test.rb b/actionpack/test/controller/mime/respond_to_test.rb
+index 66d2fd7716..07ad0085fc 100644
+--- a/actionpack/test/controller/mime/respond_to_test.rb
++++ b/actionpack/test/controller/mime/respond_to_test.rb
+@@ -87,9 +87,9 @@ class RespondToController < ActionController::Base
+ 
+ def custom_type_handling
+ respond_to do |type|
+- type.html { render :text => "HTML" }
+- type.custom("application/crazy-xml") { render :text => "Crazy XML" }
+- type.all { render :text => "Nothing" }
++ type.html { render text: "HTML" }
++ type.custom("application/fancy-xml") { render text: "Fancy XML" }
++ type.all { render text: "Nothing" }
+ end
+ end
+ 
+@@ -269,12 +269,14 @@ class RespondToControllerTest < ActionController::TestCase
+ @request.host = "www.example.com"
+ Mime::Type.register_alias("text/html", :iphone)
+ Mime::Type.register("text/x-mobile", :mobile)
++ Mime::Type.register("application/fancy-xml", :fancy_xml)
+ end
+ 
+ def teardown
+ super
+ Mime::Type.unregister(:iphone)
+ Mime::Type.unregister(:mobile)
++ Mime::Type.unregister(:fancy_xml)
+ end
+ 
+ def test_html
+@@ -430,10 +432,10 @@ class RespondToControllerTest < ActionController::TestCase
+ end
+ 
+ def test_custom_types
+- @request.accept = "application/crazy-xml"
++ @request.accept = "application/fancy-xml"
+ get :custom_type_handling
+- assert_equal "application/crazy-xml", @response.content_type
+- assert_equal 'Crazy XML', @response.body
++ assert_equal "application/fancy-xml", @response.content_type
++ assert_equal "Fancy XML", @response.body
+ 
+ @request.accept = "text/html"
+ get :custom_type_handling
+diff --git a/actionpack/test/controller/new_base/content_negotiation_test.rb b/actionpack/test/controller/new_base/content_negotiation_test.rb
+index 5fd5946619..57bf16ac9c 100644
+--- a/actionpack/test/controller/new_base/content_negotiation_test.rb
++++ b/actionpack/test/controller/new_base/content_negotiation_test.rb
+@@ -19,9 +19,19 @@ module ContentNegotiation
+ assert_body "Hello world */*!"
+ end
+ 
+- test "Not all mimes are converted to symbol" do
+- get "/content_negotiation/basic/all", {}, "HTTP_ACCEPT" => "text/plain, mime/another"
+- assert_body '[:text, "mime/another"]'
++ test "A js or */* Accept header will return HTML" do
++ get "/content_negotiation/basic/hello", {}, { "HTTP_ACCEPT" => "text/javascript, */*" }
++ assert_body "Hello world text/html!"
++ end
++
++ test "A js or */* Accept header on xhr will return HTML" do
++ xhr :get, "/content_negotiation/basic/hello", {}, { "HTTP_ACCEPT" => "text/javascript, */*" }
++ assert_body "Hello world text/javascript!"
++ end
++
++ test "Unregistered mimes are ignored" do
++ get "/content_negotiation/basic/all", {}, { "HTTP_ACCEPT" => "text/plain, mime/another" }
++ assert_body '[:text]'
+ end
+ end
+ end
diff --git a/SOURCES/rubygem-actionpack-4.2.11.1-CVE-2019-5418-CVE-2019-5419-render-file.patch b/SOURCES/rubygem-actionpack-4.2.11.1-CVE-2019-5418-CVE-2019-5419-render-file.patch
new file mode 100644
index 0000000..e132ce2
--- /dev/null
+++ b/SOURCES/rubygem-actionpack-4.2.11.1-CVE-2019-5418-CVE-2019-5419-render-file.patch
@@ -0,0 +1,24 @@
+diff --git a/actionpack/lib/action_dispatch/http/mime_negotiation.rb b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
+index 53a98c5d0a..00fd3d03df 100644
+--- a/actionpack/lib/action_dispatch/http/mime_negotiation.rb
++++ b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
+@@ -61,7 +61,7 @@ module ActionDispatch
+ false
+ end
+ 
+- if params_readable
++ v = if params_readable
+ Array(Mime[parameters[:format]])
+ elsif use_accept_header && valid_accept_header
+ accepts
+@@ -70,6 +70,10 @@ module ActionDispatch
+ else
+ [Mime::HTML]
+ end
++
++ v.select do |format|
++ format.symbol || format.ref == "*/*"
++ end
+ end
+ end
+ 
diff --git a/SPECS/rubygem-actionpack.spec b/SPECS/rubygem-actionpack.spec
index c1445c1..b5dbaf3 100644
--- a/SPECS/rubygem-actionpack.spec
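Review bot: The second new test is named `A js or */* Accept header on xhr will return HTML` while its assertion is `assert_body "Hello world text/javascript!"`, so the name says the opposite of what the test checks; rename it to `test "A js or */* Accept header on xhr will return JS" do` so a future failure reads correctly. The contrast with the non-xhr test directly above (same Accept header, HTML body) is presumably the behaviour being pinned, and a one-line comment saying so would help the next reader. The `Unregistered mimes are ignored` test only covers the mixed header `text/plain, mime/another`; adding a case with nothing but an unregistered type, e.g. `get "/content_negotiation/basic/all", {}, { "HTTP_ACCEPT" => "mime/another" }`, would pin what `/basic/all` reports once every entry has been filtered out. The enclosing test class starts before this hunk.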
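Review bot: The new `v.select` filter returns an empty array when every entry of the Accept header is an unregistered media type, since the first clause presumably yields nil for such types and only `*/*` survives the second clause; the accompanying test exercises only the mixed `text/plain, mime/another` header, so whether callers of this method tolerate `[]` or whether the all-unregistered case should fall back to `[Mime::HTML]` is not pinned anywhere in this change and deserves a test (and a fallback here if one is intended). A why-comment above the filter would also help whoever reads this later without the CVE context, e.g. `# Keep only registered MIME types (plus */*): an unregistered Accept entry otherwise carries the raw client string (CVE-2019-5418 / CVE-2019-5419).` The enclosing method starts before this hunk (its name is not visible here) and `v` is assigned in the preceding hunk.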
+++ b/SPECS/rubygem-actionpack.spec @@ -15,7 +15,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC Name: %{?scl_prefix}rubygem-%{gem_name} Epoch: 1 Version: 4.2.6 -Release: 3%{?dist} +Release: 5%{?dist} Group: Development/Languages License: MIT URL: http://www.rubyonrails.org @@ -32,6 +32,13 @@ Source2: actionpack-%{version}-tests.tgz # Fix CVE-2016-6317 unsafe query generation in Active Record # https://bugzilla.redhat.com/show_bug.cgi?id=1365017 Patch0: rubygem-actionpack-4.2.7.1-CVE-2016-6317-unsafe-query-tests.patch +# CVE-2019-5418: Render file directory traversal in Action View +# https://bugzilla.redhat.com/show_bug.cgi?id=1689159 +# CVE-2019-5419: Denial of service vulnerability in Action View +# https://bugzilla.redhat.com/show_bug.cgi?id=1689160 +# https://github.com/rails/rails/commit/58ed245e80a8710fbe31e91417bfd19f9f934cc4 +Patch1: rubygem-actionpack-4.2.11.1-CVE-2019-5418-CVE-2019-5419-render-file.patch +Patch2: rubygem-actionpack-4.2.11.1-CVE-2019-5418-CVE-2019-5419-render-file-tests.patch # Let's keep Requires and BuildRequires sorted alphabeticaly Requires: %{?scl_prefix_ruby}ruby(release) @@ -70,6 +77,9 @@ BuildRequires: %{?scl_prefix}rubygem(uglifier) BuildArch: noarch Provides: %{?scl_prefix}rubygem(%{gem_name}) = %{version} +# Explicitly require runtime subpackage, as long as older scl-utils do not generate it +Requires: %{?scl_prefix}runtime + BuildRequires: %{?scl_prefix_nodejs}nodejs %description @@ -91,6 +101,10 @@ Documentation for %{pkg_name} %gem_install -n %{SOURCE0} %{?scl:EOF} +pushd .%{gem_instdir} +%patch1 -p2 -F 0 +popd + # move the tests into place tar xzvf %{SOURCE2} -C .%{gem_instdir} @@ -127,6 +141,7 @@ rm -rf %{buildroot} pushd .%{gem_instdir} patch -p2 < %{PATCH0} +patch -p2 < %{PATCH2} # load_path is not available, remove its require. sed -i '1,2d' test/abstract_unit.rb 
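Review bot: `patch -p2 < %{PATCH2}` applies the test patch with patch(1)'s default fuzz, whereas Patch1 is applied with `%patch1 -p2 -F 0` in an earlier hunk of this file; both patches were taken from 4.2.11.1 and land on a 4.2.6 tree, so a hunk silently placed at a fuzzed offset is exactly the failure mode worth ruling out. Use `patch -p2 -F 0 < %{PATCH2}` so a misapplied test hunk fails the build instead of quietly editing the wrong lines (the pre-existing `%{PATCH0}` line could get the same treatment, though that is outside this change). The pushd/popd block this sits in continues outside the hunk.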
@@ -135,8 +150,10 @@ sed -i '1,2d' test/abstract_unit.rb sed -i "1i\require 'rack/test'" lib/action_controller/metal/strong_parameters.rb # One test is failing: DebugExceptionsTest#test_debug_exceptions_app_shows_user_code_that_caused_the_error_in_source_view +%if 0%{?rhel} >= 7 sed -i "/^ test 'debug exceptions app shows user code that caused the error in source view' do$/,/^ end$/ s/^/#/" \ test/dispatch/debug_exceptions_test.rb +%endif %{?scl:scl enable %{scl} %{scl_nodejs} - << \EOF} ruby -w -I.:lib:test -rtimeout -e 'Dir.glob("test/{abstract,controller,dispatch,template}/**/*_test.rb").each {|t| require t}' %{?scl:EOF} @@ -157,6 +174,12 @@ popd %{gem_instdir}/test/ %changelog +* Fri Mar 29 2019 Jun Aruga - 1:4.2.6-5 +- Fix a render file directory traversal in Action View + Resolves: CVE-2019-5418 +- Fix a denial of service vulnerability in Action View + Resolves: CVE-2019-5419 + * Thu Aug 18 2016 Jun Aruga - 1:4.2.6-3 - Fix for CVE-2016-6317 Resolves: rhbz#1365017
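Review bot: Wrapping the `sed` that comments out the `debug exceptions app shows user code …` test in `%if 0%{?rhel} >= 7` means that on builds where `%{rhel}` is unset or below 7 the test the comment above calls failing now runs, and the `ruby -w …` invocation a few lines down will then abort the build if it still fails there; whether it passes on those targets cannot be told from this hunk. Either the comment should state the condition, e.g. `# One test is failing on RHEL >= 7 (disabled there): DebugExceptionsTest#test_debug_exceptions_app_shows_user_code_that_caused_the_error_in_source_view`, or the guard should be inverted if the intent was the reverse. This change is unrelated to the CVE fixes and is not mentioned in the changelog entry below.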
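Review bot: The changelog goes straight from `1:4.2.6-3` to `1:4.2.6-5` with no `-4` entry, and it records only the two CVE fixes although the same diff also adds `Requires: %{?scl_prefix}runtime` and the `%if 0%{?rhel} >= 7` guard in earlier hunks. Add the missing `-4` entry (or note why that release was skipped) and a line for the non-CVE changes, e.g. `- Explicitly require the SCL runtime subpackage; disable the debug_exceptions test only on RHEL 7+`, so `rpm -q --changelog` accounts for everything in this release. For consistency with the `-3` entry's `rhbz#` form, the bugzilla ids 1689159 and 1689160 already cited in the Patch1 comment could be listed alongside the CVE ids.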