diff --git a/SOURCES/rubygem-sprockets-3.7.2-CVE-2018-3760-Fix-Path-traversal-in-sprockets-server-tests.patch b/SOURCES/rubygem-sprockets-3.7.2-CVE-2018-3760-Fix-Path-traversal-in-sprockets-server-tests.patch
new file mode 100644
index 0000000..d2ddf51
--- /dev/null
+++ b/SOURCES/rubygem-sprockets-3.7.2-CVE-2018-3760-Fix-Path-traversal-in-sprockets-server-tests.patch
@@ -0,0 +1,38 @@
+From 9c34fa05900b968d74f08ccf40917848a7be9441 Mon Sep 17 00:00:00 2001
+From: schneems
+Date: Tue, 24 Apr 2018 16:32:22 -0500
+Subject: [PATCH] Do not respond to http requests asking for a `file://`
+
+Based on CVE-2018-3760 when the Sprockets server is accidentally being used in production, an attacker can pass in a specifically crafted url that will allow them access to view every file on the system. If the file hit contains a compilable extension such as `.erb` then the code in that file will be executed.
+
+A Rails app will be using the Sprockets file server in production if they have accidentally configured their app to:
+
+```ruby
+config.assets.compile = true # Your app is vulnerable
+```
+
+It is highly recommended to not use the Sprockets server in production and to instead precompile assets to disk and serve them through a server such as Nginx or via the static file middleware that ships with rails `config.public_file_server.enabled = true`.
+
+This patch mitigates the issue, but explicitly disallowing any requests to any URI resources via the server.
+---
+ test/test_server.rb | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+diff --git a/test/test_server.rb b/test/test_server.rb
+index 66429533..19921e19 100644
+--- a/test/test_server.rb
++++ b/test/test_server.rb
+@@ -331,6 +331,13 @@ def app
+ assert_equal "", last_response.body
+ end
+
++ test "illegal access of a file asset" do
++ absolute_path = fixture_path("server/app/javascripts")
++
++ get "assets/file:%2f%2f//#{absolute_path}/foo.js"
++ assert_equal 403, last_response.status
++ end
++
+ test "add new source to tree" do
+ filename = fixture_path("server/app/javascripts/baz.js")
+
diff --git a/SOURCES/rubygem-sprockets-3.7.2-CVE-2018-3760-Fix-Path-traversal-in-sprockets-server.patch b/SOURCES/rubygem-sprockets-3.7.2-CVE-2018-3760-Fix-Path-traversal-in-sprockets-server.patch
new file mode 100644
index 0000000..6aca836
--- /dev/null
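Review bot: The new test exercises only the percent-encoded form `file:%2f%2f//…`, so it passes just as well if the 403 comes from the server's decoding step as from the `://` check itself; a second request with the literal separator, `get "assets/file://#{absolute_path}/foo.js"` followed by the same `assert_equal 403, last_response.status`, would pin the check independently of how the path is decoded. A short comment above the test naming what it guards, e.g. `# CVE-2018-3760: URI-style asset paths must be refused, never resolved`, would also tie the fixture to the reason it exists. The enclosing test class starts and ends outside this hunk.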
+++ b/SOURCES/rubygem-sprockets-3.7.2-CVE-2018-3760-Fix-Path-traversal-in-sprockets-server.patch
@@ -0,0 +1,33 @@
+From 9c34fa05900b968d74f08ccf40917848a7be9441 Mon Sep 17 00:00:00 2001
+From: schneems
+Date: Tue, 24 Apr 2018 16:32:22 -0500
+Subject: [PATCH] Do not respond to http requests asking for a `file://`
+
+Based on CVE-2018-3760 when the Sprockets server is accidentally being used in production, an attacker can pass in a specifically crafted url that will allow them access to view every file on the system. If the file hit contains a compilable extension such as `.erb` then the code in that file will be executed.
+
+A Rails app will be using the Sprockets file server in production if they have accidentally configured their app to:
+
+```ruby
+config.assets.compile = true # Your app is vulnerable
+```
+
+It is highly recommended to not use the Sprockets server in production and to instead precompile assets to disk and serve them through a server such as Nginx or via the static file middleware that ships with rails `config.public_file_server.enabled = true`.
+
+This patch mitigates the issue, but explicitly disallowing any requests to any URI resources via the server.
+---
+ lib/sprockets/server.rb | 2 +-
+ 1 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/sprockets/server.rb b/lib/sprockets/server.rb
+index 795bdec7..2ad2c9ab 100644
+--- a/lib/sprockets/server.rb
++++ b/lib/sprockets/server.rb
+@@ -115,7 +115,7 @@ def forbidden_request?(path)
+ #
+ # http://example.org/assets/../../../etc/passwd
+ #
+- path.include?("..") || absolute_path?(path)
++ path.include?("..") || absolute_path?(path) || path.include?("://")
+ end
+
+ def head_request?(env)
diff --git a/SPECS/rubygem-sprockets.spec b/SPECS/rubygem-sprockets.spec
index 0983bf1..8b2946b 100644
--- a/SPECS/rubygem-sprockets.spec
+++ b/SPECS/rubygem-sprockets.spec
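Review bot: The added `path.include?("://")` clause only does its job on a path that has already been percent-decoded — the companion test sends `file:%2f%2f//…`, where the separator appears only after decoding — and that precondition is not visible in this hunk, so it should be confirmed against the caller and stated in the method's comment. The comment block above the return still describes only the `..` traversal case; extend it with `# Paths carrying a URI scheme separator ("://") are refused as well, so they are never resolved as URI resources (the case the commit message describes).` The guard remains a denylist of known-bad shapes (`..`, absolute path, `://`); an allowlist that accepts only a relative path inside the configured load paths would be the more robust long-term form, though a larger change than this backport should take. `forbidden_request?` begins before the hunk.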
@@ -11,7 +11,7 @@ Name: %{?scl_prefix}rubygem-%{gem_name} Version: 3.7.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Rack-based asset packaging system Group: Development/Languages License: MIT @@ -22,6 +22,12 @@ Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem # git checkout v3.7.1 && tar czf sprockets-3.7.1-tests.tgz test/ Source1: sprockets-%{version}-tests.tgz +# Fix CVE-2018-3760: Path traversal in sprockets/server.rb:forbidden_request?() +# https://bugzilla.redhat.com/show_bug.cgi?id=1595901 +# https://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441 +Patch0: rubygem-sprockets-3.7.2-CVE-2018-3760-Fix-Path-traversal-in-sprockets-server.patch +Patch1: rubygem-sprockets-3.7.2-CVE-2018-3760-Fix-Path-traversal-in-sprockets-server-tests.patch + Requires: %{?scl_prefix_ruby}ruby(release) Requires: %{?scl_prefix_ruby}ruby(rubygems) Requires: %{?scl_prefix}rubygem(concurrent-ruby) @@ -67,6 +73,10 @@ Documentation for %{pkg_name}. %gem_install -n %{SOURCE0} %{?scl:EOF} +pushd .%{gem_instdir} +%patch0 -p1 +popd + %build %install @@ -87,6 +97,8 @@ find %{buildroot}%{gem_instdir}/bin -type f | xargs chmod a+x pushd .%{gem_instdir} tar xzf %{SOURCE1} +cat %{PATCH1} | patch -p1 -F 0 + # We don't enable rubygem(closure-compiler). # https://bugzilla.redhat.com/show_bug.cgi?id=1353473 mv test/test_closure_compressor.rb{,.disabled} @@ -132,6 +144,11 @@ popd %doc %{gem_instdir}/README.md %changelog +* Tue Jul 03 2018 Pavel Valena - 3.7.1-2 +- Fix: Path traversal in sprockets server +Resolves: rhbz#1595903 +Resolves: CVE-2018-3760 + * Fri Jan 13 2017 Jun Aruga - 3.7.1-1 - Update to Sprockets 3.7.1. - Update scl_prefix_nodejs declaration to build with no-SCL environment.
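Review bot: The Bugzilla reference differs between hunks: the comment above `Patch0` cites `show_bug.cgi?id=1595901`, while the changelog entry reads `Resolves: rhbz#1595903`; if only one ticket exists, one of the two is a typo and they should agree. The two patches are also applied by different mechanisms — `%patch0 -p1` in `%prep`, but `cat %{PATCH1} | patch -p1 -F 0` only after `tar xzf %{SOURCE1}` unpacks the tests — which follows from the test suite living in `Source1` rather than in the gem, so a one-line comment above the `cat` line, e.g. `# The test suite is unpacked from SOURCE1 here, so its patch cannot be applied in %prep`, would document that for the next maintainer. For consistency with the zero-fuzz test patch, `%patch0 -p1 -F 0` would make the library patch fail loudly on drift as well.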