diff --git a/SOURCES/rubygem-actionpack-5.0.7.2-CVE-2019-5418-CVE-2019-5419-render-file-tests.patch b/SOURCES/rubygem-actionpack-5.0.7.2-CVE-2019-5418-CVE-2019-5419-render-file-tests.patch
new file mode 100644
index 0000000..3303447
--- /dev/null
+++ b/SOURCES/rubygem-actionpack-5.0.7.2-CVE-2019-5418-CVE-2019-5419-render-file-tests.patch
@@ -0,0 +1,68 @@
+diff --git a/actionpack/test/controller/mime/respond_to_test.rb b/actionpack/test/controller/mime/respond_to_test.rb
+index 993f4001de..d113db8b76 100644
+--- a/actionpack/test/controller/mime/respond_to_test.rb
++++ b/actionpack/test/controller/mime/respond_to_test.rb
+@@ -104,7 +104,7 @@ def made_for_content_type
+ def custom_type_handling
+ respond_to do |type|
+ type.html { render body: "HTML" }
+- type.custom("application/crazy-xml") { render body: "Crazy XML" }
++ type.custom("application/fancy-xml") { render body: "Fancy XML" }
+ type.all { render body: "Nothing" }
+ end
+ end
+@@ -294,12 +294,14 @@ def setup
+ @request.host = "www.example.com"
+ Mime::Type.register_alias("text/html", :iphone)
+ Mime::Type.register("text/x-mobile", :mobile)
++ Mime::Type.register("application/fancy-xml", :fancy_xml)
+ end
+
+ def teardown
+ super
+ Mime::Type.unregister(:iphone)
+ Mime::Type.unregister(:mobile)
++ Mime::Type.unregister(:fancy_xml)
+ end
+
+ def test_html
+@@ -455,10 +457,10 @@ def test_synonyms
+ end
+
+ def test_custom_types
+- @request.accept = "application/crazy-xml"
++ @request.accept = "application/fancy-xml"
+ get :custom_type_handling
+- assert_equal "application/crazy-xml", @response.content_type
+- assert_equal 'Crazy XML', @response.body
++ assert_equal "application/fancy-xml", @response.content_type
++ assert_equal "Fancy XML", @response.body
+
+ @request.accept = "text/html"
+ get :custom_type_handling
+diff --git a/actionpack/test/controller/new_base/content_negotiation_test.rb b/actionpack/test/controller/new_base/content_negotiation_test.rb
+index c0e92b3b05..b867bcd675 100644
+--- a/actionpack/test/controller/new_base/content_negotiation_test.rb
++++ b/actionpack/test/controller/new_base/content_negotiation_test.rb
+@@ -19,9 +19,19 @@ class TestContentNegotiation < Rack::TestCase
+ assert_body "Hello world */*!"
+ end
+
+- test "Not all mimes are converted to symbol" do
++ test "A js or */* Accept header will return HTML" do
++ get "/content_negotiation/basic/hello", headers: { "HTTP_ACCEPT" => "text/javascript, */*" }
++ assert_body "Hello world text/html!"
++ end
++
++ test "A js or */* Accept header on xhr will return HTML" do
++ get "/content_negotiation/basic/hello", headers: { "HTTP_ACCEPT" => "text/javascript, */*" }, xhr: true
++ assert_body "Hello world text/javascript!"
++ end
++
++ test "Unregistered mimes are ignored" do
+ get "/content_negotiation/basic/all", headers: { "HTTP_ACCEPT" => "text/plain, mime/another" }
+- assert_body '[:text, "mime/another"]'
++ assert_body '[:text]'
+ end
+ end
+ end
diff --git a/SOURCES/rubygem-actionpack-5.0.7.2-CVE-2019-5418-CVE-2019-5419-render-file.patch b/SOURCES/rubygem-actionpack-5.0.7.2-CVE-2019-5418-CVE-2019-5419-render-file.patch
new file mode 100644
index 0000000..0e7a283
--- /dev/null
+++ b/SOURCES/rubygem-actionpack-5.0.7.2-CVE-2019-5418-CVE-2019-5419-render-file.patch
@@ -0,0 +1,16 @@
+diff --git a/actionpack/lib/action_dispatch/http/mime_negotiation.rb b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
+index f17b93fad7..a39052e6f7 100644
+--- a/actionpack/lib/action_dispatch/http/mime_negotiation.rb
++++ b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
+@@ -76,6 +76,11 @@ def formats
+ else
+ [Mime[:html]]
+ end
++
++ v = v.select do |format|
++ format.symbol || format.ref == "*/*"
++ end
++
+ set_header k, v
+ end
+ end
diff --git a/SPECS/rubygem-actionpack.spec b/SPECS/rubygem-actionpack.spec
index 0336506..56eeedf 100644
--- a/SPECS/rubygem-actionpack.spec
+++ b/SPECS/rubygem-actionpack.spec
@@ -16,7 +16,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails)
 Name: %{?scl_prefix}rubygem-%{gem_name}
 Epoch: 1
 Version: 5.0.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://rubyonrails.org
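Review bot: The new test "A js or */* Accept header on xhr will return HTML" in content_negotiation_test.rb asserts `"Hello world text/javascript!"`, so its name contradicts what it checks and will mislead anyone reading a failure; rename it to `test "A js or */* Accept header on xhr will return JS" do`, while the non-xhr sibling keeps its name since it does assert `text/html`. The three cases pin registered, wildcard and unregistered formats, but none sends an Accept value shaped like a filesystem path, which is the CVE-2019-5418 vector the spec comment names; a fourth case passing an Accept value containing `../` segments to `/content_negotiation/basic/all` and asserting that value is absent from the body would lock the fix in against the packaged 5.0.1 tree. The respond_to_test.rb hunks cut through their enclosing test class, which begins and ends outside this patch.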
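Review bot: The `select` added to `formats` is the entire CVE-2019-5418/CVE-2019-5419 fix, yet nothing in the code says so, and a later reader could take it for a tidy-up and remove it; add a comment above it such as `# Only keep formats registered via Mime::Type.register (plus */*): an attacker-controlled Accept value must never reach template lookup (CVE-2019-5418, CVE-2019-5419).` The same filter silently drops unregistered formats that an application may have been reading from `request.formats`, as the test rename to "Unregistered mimes are ignored" confirms, which deserves a sentence in the changelog entry. The `format.ref == "*/*"` clause presumes `Mime::Type#ref` exists in the 5.0.1 gem this 5.0.7.2-era patch is backported onto; the packaged test run should be checked to confirm that. The `formats` method, including whatever assigns `v` before the visible `else` branch, begins above the hunk.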
@@ -29,6 +29,14 @@ Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
 # git checkout v5.0.1 && tar czvf actionpack-5.0.1-tests.tgz test/
 Source1: actionpack-%{version}-tests.tgz
+# CVE-2019-5418: Render file directory traversal in Action View
+# https://bugzilla.redhat.com/show_bug.cgi?id=1689159
+# CVE-2019-5419: Denial of service vulnerability in Action View
+# https://bugzilla.redhat.com/show_bug.cgi?id=1689160
+# https://github.com/rails/rails/commit/c79dcbce9bfd20fe7f72ca431c49965ee39bd645
+Patch0: rubygem-actionpack-5.0.7.2-CVE-2019-5418-CVE-2019-5419-render-file.patch
+Patch1: rubygem-actionpack-5.0.7.2-CVE-2019-5418-CVE-2019-5419-render-file-tests.patch
+
 # Let's keep Requires and BuildRequires sorted alphabeticaly
 Requires: %{?scl_prefix_ruby}ruby(release)
 Requires: %{?scl_prefix_ruby}ruby(rubygems)
@@ -82,6 +90,10 @@ Documentation for %{pkg_name}.
 %gem_install -n %{SOURCE0}
 %{?scl:EOF}
+pushd .%{gem_instdir}
+%patch0 -p2 -F 0
+popd
+
 %build
 %install
@@ -97,6 +109,8 @@ pushd .%{gem_instdir}
 # move the tests into place
 tar xzvf %{SOURCE1}
+cat "%{PATCH1}" | patch -p2
+
 # Disable unstable tests.
 # https://github.com/rails/rails/issues/25774#issuecomment-233553924
 sed -i '/PerFormTokensControllerTest/,/^end$/ s/^/#/' test/controller/request_forgery_protection_test.rb
@@ -131,6 +145,12 @@ popd
 %doc %{gem_instdir}/README.rdoc
 %changelog
+* Mon Apr 01 2019 Jun Aruga - 1:5.0.1-2
+- Fix a render file directory traversal in Action View
+ Resolves: CVE-2019-5418
+- Fix a denial of service vulnerability in Action View
+ Resolves: CVE-2019-5419
+
 * Fri Jan 13 2017 Jun Aruga - 1:5.0.1-1
 - Update to Action Pack 5.0.1.
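Review bot: `cat "%{PATCH1}" | patch -p2` in the test-setup hunk applies the test patch with patch's default fuzz, unlike `%patch0 -p2 -F 0` two hunks earlier, so a hunk of this 5.0.7.2-era test patch drifting against the 5.0.1 test tarball can land in the wrong place without failing the build; use `patch -p2 -F 0 < "%{PATCH1}"` so a mismatch aborts like the runtime patch does. With fuzz, a misplaced hunk would leave the regression tests silently not covering the fix, which is the opposite of what a CVE backport wants from its `%check`. The `-p2` level is consistent with the `a/actionpack/test/...` paths in the patch and the `test/` tree `tar xzvf %{SOURCE1}` unpacks, assuming the `pushd .%{gem_instdir}` on the hunk header is still in effect; that section begins before the hunk.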