Hello community,
here is the log from the commit of package rubygem-actionview-5_1 for
openSUSE:Leap:15.2 checked in at 2020-05-07 19:28:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/rubygem-actionview-5_1 (Old)
and /work/SRC/openSUSE:Leap:15.2/.rubygem-actionview-5_1.new.2738 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-actionview-5_1"
Thu May 7 19:28:30 2020 rev:11 rq:801123 version:5.1.4
Changes:
--------
---
/work/SRC/openSUSE:Leap:15.2/rubygem-actionview-5_1/rubygem-actionview-5_1.changes
2020-01-15 15:58:22.543765040 +0100
+++
/work/SRC/openSUSE:Leap:15.2/.rubygem-actionview-5_1.new.2738/rubygem-actionview-5_1.changes
2020-05-07 19:34:00.422290387 +0200
@@ -1,0 +2,12 @@
+Mon Apr 27 10:51:59 UTC 2020 - Manuel Schnitzer <[email protected]>
+
+- Add patch to fix CVE-2020-5267 (bsc#1167240)
+
+ 0001-CVE-2020-5267.patch
+
+ In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS
+ vulnerability in ActionView's JavaScript literal escape helpers. Views that
use
+ the `j` or `escape_javascript` methods may be susceptible to XSS attacks. The
+ issue is fixed in versions 6.0.2.2 and 5.2.4.2.
+
+-------------------------------------------------------------------
New:
----
0001-CVE-2020-5267.patch
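To see why the changelog's `j` / `escape_javascript` issue is about backticks and dollar signs, here is an added example that is not part of this package or of actionview's code: a minimal re-implementation of the helper's gsub with JS_ESCAPE_MAP as it looks before and after the patch. The regexes are an assumption modelled on the helper's structure (the real helper also handles U+2028/U+2029, left out here), the attacker payload is constructed, and the "map updated but regex not" variant exists only to show what a partial backport would leave behind.

```ruby
# Added example, not actionview's own code: a minimal re-implementation of
# the escape_javascript / j helper's gsub with JS_ESCAPE_MAP as it was
# before and after the CVE-2020-5267 patch. The regexes are an assumption
# modelled on the helper's structure; the U+2028/U+2029 entries the real
# helper adds are left out for brevity.

JS_ESCAPE_MAP_OLD = {
  "\\"   => "\\\\",
  "</"   => '<\/',
  "\r\n" => '\n',
  "\n"   => '\n',
  "\r"   => '\n',
  '"'    => '\\"',
  "'"    => "\\'"
}.freeze

# After the patch: backtick and dollar are escaped as well.
JS_ESCAPE_MAP_NEW = JS_ESCAPE_MAP_OLD.merge("`" => "\\`", "$" => "\\$").freeze

# A map entry only takes effect for characters the gsub regex actually
# matches, so the regex has to grow together with the map.
JS_ESCAPE_RE_OLD = /(\\|<\/|\r\n|[\n\r"'])/
JS_ESCAPE_RE_NEW = /(\\|<\/|\r\n|[\n\r"'`$])/

def escape_js(str, map, re)
  str.to_s.gsub(re) { |m| map[m] }
end

def escape_js_old(str)
  escape_js(str, JS_ESCAPE_MAP_OLD, JS_ESCAPE_RE_OLD)
end

def escape_js_new(str)
  escape_js(str, JS_ESCAPE_MAP_NEW, JS_ESCAPE_RE_NEW)
end

# Constructed attacker input for a view that interpolates the escaped value
# into an ES6 template literal, e.g.   var msg = `Hello <%= j name %>`;
# Inside a template literal `${...}` is evaluated and a bare backtick closes
# the literal, so neither may survive escaping.
PAYLOAD = '`${alert(document.domain)}`'.freeze

# True if the escaped text still contains an unescaped backtick or "${",
# i.e. it could still close or evaluate inside a template literal.
def breaks_template_literal?(escaped)
  !!(escaped =~ /(?<!\\)(`|\$\{)/)
end

# The (hypothetical) view line the escaped value ends up in.
def render_snippet(escaped)
  "var msg = `Hello #{escaped}`;"
end

if __FILE__ == $PROGRAM_NAME
  puts render_snippet(escape_js_old(PAYLOAD))   # payload survives verbatim
  puts render_snippet(escape_js_new(PAYLOAD))   # \` and \$ neutralise it
  # Map extended but regex left alone: the backtick is still not escaped.
  puts render_snippet(escape_js(PAYLOAD, JS_ESCAPE_MAP_NEW, JS_ESCAPE_RE_OLD))
end
```

The third variant is the one to watch for when backporting: a patch that only edits JS_ESCAPE_MAP without widening the gsub's character class changes nothing observable.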
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-actionview-5_1.spec ++++++
--- /var/tmp/diff_new_pack.0oDK0m/_old 2020-05-07 19:34:01.142291828 +0200
+++ /var/tmp/diff_new_pack.0oDK0m/_new 2020-05-07 19:34:01.146291835 +0200
@@ -1,7 +1,7 @@
#
# spec file for package rubygem-actionview-5_1
#
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -30,12 +30,15 @@
%define mod_full_name %{mod_name}-%{version}
%define mod_version_suffix -5_1
BuildRoot: %{_tmppath}/%{name}-%{version}-build
+BuildRequires: ruby-macros >= 5
BuildRequires: %{ruby >= 2.2.2}
BuildRequires: %{rubygem gem2rpm}
-BuildRequires: ruby-macros >= 5
Url: http://rubyonrails.org
Source: https://rubygems.org/gems/%{mod_full_name}.gem
Source1: gem2rpm.yml
+# MANUAL
+Patch0: 0001-CVE-2020-5267.patch
+# /MANUAL
Summary: Rendering framework putting the V in MVC (part of Rails)
License: MIT
Group: Development/Languages/Ruby
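Review bot: Patch0 is now declared twice, once inside the MANUAL block here and once under `:patches:` in gem2rpm.yml; if the gem2rpm template emits `Patch0:` from that yml entry, a regenerated spec will carry the line twice. Keep one source of truth, preferably the gem2rpm.yml entry, and drop the MANUAL block, or confirm that a regeneration of the spec comes out clean. Moving `BuildRequires: ruby-macros >= 5` above the `%{ruby >= 2.2.2}` line is purely cosmetic.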
@@ -44,6 +47,10 @@
Simple, battle-tested conventions and helpers for building web pages.
%prep
+%gem_unpack
+%patch0 -p1
+find -type f -print0 | xargs -0 touch -r %{S:0}
+%gem_build
%build
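Review bot: `%patch0 -p1` is consistent with the `actionview-5.1.4/` prefix in the patch headers and with the `-p1` in gem2rpm.yml, and the `touch -r %{S:0}` after patching resets every file's mtime to the .gem's so the patched javascript_helper.rb does not stand out and the repacked gem stays reproducible. Keep `%gem_build` after the touch, as it is here; swapping them would bake the patch-time mtime into the rebuilt gem.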
++++++ 0001-CVE-2020-5267.patch ++++++
--- actionview-5.1.4/lib/action_view/helpers/javascript_helper.rb.old
2020-04-27 13:11:28.515617314 +0200
+++ actionview-5.1.4/lib/action_view/helpers/javascript_helper.rb
2020-04-27 13:12:24.208034709 +0200
@@ -10,7 +10,9 @@
"\n" => '\n',
"\r" => '\n',
'"' => '\\"',
- "'" => "\\'"
+ "'" => "\\'",
+ "`" => "\\`",
+ "$" => "\\$"
}
JS_ESCAPE_MAP["\342\200\250".force_encoding(Encoding::UTF_8).encode!] =
"
"
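Review bot: adding "`" and "$" to JS_ESCAPE_MAP is only effective if the gsub in escape_javascript actually matches those characters, and this patch contains no hunk touching that regex. The helper substitutes only what its pattern captures, so unless the character class in the 5.1.4 file already includes backtick and dollar (upstream's fix widens it to `[\n\r"'`$]`), a payload like `` `${x}` `` still reaches the rendered script unescaped and CVE-2020-5267 stays open. Please either add the regex hunk or state in the changes entry that the 5.1.4 pattern was checked, and add a test that `escape_javascript("`${x}`")` returns `` \`\${x}\` ``. The visible context lines for the U+2028/U+2029 entries look mangled by the mail rendering (a literal line separator in place of the `&#x2028;` string); worth confirming the patch file itself is intact before it is applied.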
++++++ gem2rpm.yml ++++++
--- /var/tmp/diff_new_pack.0oDK0m/_old 2020-05-07 19:34:01.182291908 +0200
+++ /var/tmp/diff_new_pack.0oDK0m/_new 2020-05-07 19:34:01.182291908 +0200
@@ -1,2 +1,4 @@
---
:version_suffix: '-5_1'
+:patches:
+ 0001-CVE-2020-5267.patch: -p1