Hello community,
here is the log from the commit of package rubygem-actionpack-6.0 for
openSUSE:Factory checked in at 2020-05-28 09:18:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-actionpack-6.0 (Old)
and /work/SRC/openSUSE:Factory/.rubygem-actionpack-6.0.new.3606 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-actionpack-6.0"
Thu May 28 09:18:53 2020 rev:7 rq:809481 version:6.0.3.1
Changes:
--------
---
/work/SRC/openSUSE:Factory/rubygem-actionpack-6.0/rubygem-actionpack-6.0.changes
2020-05-11 13:38:08.292713140 +0200
+++
/work/SRC/openSUSE:Factory/.rubygem-actionpack-6.0.new.3606/rubygem-actionpack-6.0.changes
2020-05-28 09:18:53.825162413 +0200
@@ -1,0 +2,10 @@
+Wed May 27 10:55:04 UTC 2020 - Manuel Schnitzer <[email protected]>
+
+- updated to version 6.0.3.1
+
+ * CVE-2020-8166: HMAC raw CSRF token before masking it, so it
+ cannot be used to reconstruct a per-form token
+ * CVE-2020-8164: Return self when calling #each, #each_pair, and
+ #each_value instead of the raw @parameters hash
+
+-------------------------------------------------------------------
Old:
----
actionpack-6.0.3.gem
New:
----
actionpack-6.0.3.1.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-actionpack-6.0.spec ++++++
--- /var/tmp/diff_new_pack.5h2E1C/_old 2020-05-28 09:18:54.385163439 +0200
+++ /var/tmp/diff_new_pack.5h2E1C/_new 2020-05-28 09:18:54.385163439 +0200
@@ -24,7 +24,7 @@
#
Name: rubygem-actionpack-6.0
-Version: 6.0.3
+Version: 6.0.3.1
Release: 0
%define mod_name actionpack
%define mod_full_name %{mod_name}-%{version}
++++++ actionpack-6.0.3.gem -> actionpack-6.0.3.1.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md 2020-05-06 20:00:05.000000000 +0200
+++ new/CHANGELOG.md 2020-05-18 17:45:55.000000000 +0200
@@ -1,3 +1,9 @@
+## Rails 6.0.3.1 (May 18, 2020) ##
+
+* [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be
used to reconstruct a per-form token
+
+* [CVE-2020-8164] Return self when calling #each, #each_pair, and
#each_value instead of the raw @parameters hash
+
## Rails 6.0.3 (May 06, 2020) ##
* Include child session assertion count in ActionDispatch::IntegrationTest
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/lib/action_controller/metal/request_forgery_protection.rb
new/lib/action_controller/metal/request_forgery_protection.rb
--- old/lib/action_controller/metal/request_forgery_protection.rb
2020-05-06 20:00:05.000000000 +0200
+++ new/lib/action_controller/metal/request_forgery_protection.rb
2020-05-18 17:45:55.000000000 +0200
@@ -322,13 +322,10 @@
action_path = normalize_action_path(action)
per_form_csrf_token(session, action_path, method)
else
- real_csrf_token(session)
+ global_csrf_token(session)
end
- one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
- encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
- masked_token = one_time_pad + encrypted_csrf_token
- Base64.strict_encode64(masked_token)
+ mask_token(raw_token)
end
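Review bot: The switch from `real_csrf_token(session)` to `global_csrf_token(session)` is the substance of the CVE-2020-8166 fix, but nothing in the hunk says why the raw session value must never reach `mask_token`, so a future "simplification" back to the raw token would reintroduce the bug silently. I would add a comment above the `else` branch: `# Never mask the raw session secret: it is the HMAC key for per-form tokens, so the global token is an HMAC of it instead (CVE-2020-8166).` The method's signature and documentation sit above the hunk; presumably that doc still describes the old one-time-pad-over-raw-token scheme and should be updated to match.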
# Checks the client's masked token to see if it matches the
@@ -358,7 +355,8 @@
elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
csrf_token = unmask_token(masked_token)
- compare_with_real_token(csrf_token, session) ||
+ compare_with_global_token(csrf_token, session) ||
+ compare_with_real_token(csrf_token, session) ||
valid_per_form_csrf_token?(csrf_token, session)
else
false # Token is malformed.
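Review bot: `compare_with_real_token(csrf_token, session)` is kept as a second accepted branch, so a masked raw session token still validates even though 6.0.3.1 no longer issues one; anyone who already captured such a token keeps a working credential until the session rotates, and the captured value also remains the HMAC key for per-form tokens. This is presumably deliberate for rolling upgrades (pages rendered by a pre-6.0.3.1 process must keep submitting), but that intent is not visible in the hunk. I would mark it explicitly: `compare_with_real_token(csrf_token, session) || # transitional: accepts pre-6.0.3.1 tokens; remove once old sessions have cycled`. The enclosing `valid_authenticity_token?` method starts above the hunk.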
@@ -373,10 +371,21 @@
xor_byte_strings(one_time_pad, encrypted_csrf_token)
end
+ def mask_token(raw_token) # :doc:
+ one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
+ encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
+ masked_token = one_time_pad + encrypted_csrf_token
+ Base64.strict_encode64(masked_token)
+ end
+
def compare_with_real_token(token, session) # :doc:
ActiveSupport::SecurityUtils.fixed_length_secure_compare(token,
real_csrf_token(session))
end
+ def compare_with_global_token(token, session) # :doc:
+ ActiveSupport::SecurityUtils.fixed_length_secure_compare(token,
global_csrf_token(session))
+ end
+
def valid_per_form_csrf_token?(token, session) # :doc:
if per_form_csrf_tokens
correct_token = per_form_csrf_token(
@@ -397,10 +406,21 @@
end
def per_form_csrf_token(session, action_path, method) # :doc:
+ csrf_token_hmac(session, [action_path, method.downcase].join("#"))
+ end
+
+ GLOBAL_CSRF_TOKEN_IDENTIFIER = "!real_csrf_token"
+ private_constant :GLOBAL_CSRF_TOKEN_IDENTIFIER
+
+ def global_csrf_token(session) # :doc:
+ csrf_token_hmac(session, GLOBAL_CSRF_TOKEN_IDENTIFIER)
+ end
+
+ def csrf_token_hmac(session, identifier) # :doc:
OpenSSL::HMAC.digest(
OpenSSL::Digest::SHA256.new,
real_csrf_token(session),
- [action_path, method.downcase].join("#")
+ identifier
)
end
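Review bot: `GLOBAL_CSRF_TOKEN_IDENTIFIER` relies on an unstated domain-separation property: per-form identifiers are built with `[action_path, method.downcase].join("#")` and therefore always contain a `#`, while `"!real_csrf_token"` contains none, so the two HMAC inputs can never coincide — that invariant deserves a comment on the constant, e.g. `# Domain separator for the global token; per-form identifiers always contain "#", so this can never collide with one.` The code also depends on the SHA-256 digest being exactly `AUTHENTICITY_TOKEN_LENGTH` bytes for the `* 2` length check in `valid_authenticity_token?`; that constant is outside the hunk, so a note such as `# 32-byte digest must equal AUTHENTICITY_TOKEN_LENGTH` on `csrf_token_hmac` would tie the two together. If the file lacks a `# frozen_string_literal: true` magic comment, the identifier should be `"!real_csrf_token".freeze` to match the usual convention for string constants.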
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_controller/metal/strong_parameters.rb
new/lib/action_controller/metal/strong_parameters.rb
--- old/lib/action_controller/metal/strong_parameters.rb 2020-05-06
20:00:05.000000000 +0200
+++ new/lib/action_controller/metal/strong_parameters.rb 2020-05-18
17:45:55.000000000 +0200
@@ -344,6 +344,8 @@
@parameters.each_pair do |key, value|
yield [key, convert_hashes_to_parameters(key, value)]
end
+
+ self
end
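Review bot: Returning `self` closes the CVE-2020-8164 leak of the raw `@parameters` Hash, but the blockless case is still unhandled as far as the hunk shows: `yield` with no block raises LocalJumpError, whereas `Hash#each_pair` returns an Enumerator. Unless the signature above the hunk already guards it, I would add `return to_enum(:each_pair) unless block_given?` as the method's first line, which also keeps `each` (aliased below) consistent with Enumerable expectations. A one-line comment on the `self` return — `# Return self, never @parameters, so the unfiltered Hash cannot escape (CVE-2020-8164)` — would keep the reason from being lost. The method's `def` line is outside the hunk.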
alias_method :each, :each_pair
@@ -353,6 +355,8 @@
@parameters.each_pair do |key, value|
yield convert_hashes_to_parameters(key, value)
end
+
+ self
end
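Review bot: The trailing `self` in `each_value` carries no explanation, and because it is the only difference from the previous behaviour, a reader who does not know CVE-2020-8164 may later "clean it up" by dropping the return value and letting `@parameters.each_pair`'s result (the raw Hash) leak again. I would document it inline: `# Must not return @parameters: that exposes the unpermitted Hash to callers (CVE-2020-8164).` As with `each_pair`, if the signature outside the hunk does not check `block_given?`, a blockless call raises LocalJumpError instead of returning an Enumerator; `return to_enum(:each_value) unless block_given?` would align it with `Hash#each_value`.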
# Attribute that keeps track of converted arrays, if any, to avoid double
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_pack/gem_version.rb
new/lib/action_pack/gem_version.rb
--- old/lib/action_pack/gem_version.rb 2020-05-06 20:00:05.000000000 +0200
+++ new/lib/action_pack/gem_version.rb 2020-05-18 17:45:55.000000000 +0200
@@ -10,7 +10,7 @@
MAJOR = 6
MINOR = 0
TINY = 3
- PRE = nil
+ PRE = "1"
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2020-05-06 20:00:05.000000000 +0200
+++ new/metadata 2020-05-18 17:45:55.000000000 +0200
@@ -1,14 +1,14 @@
--- !ruby/object:Gem::Specification
name: actionpack
version: !ruby/object:Gem::Version
- version: 6.0.3
+ version: 6.0.3.1
platform: ruby
authors:
- David Heinemeier Hansson
autorequire:
bindir: bin
cert_chain: []
-date: 2020-05-06 00:00:00.000000000 Z
+date: 2020-05-18 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: activesupport
@@ -16,14 +16,14 @@
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 6.0.3
+ version: 6.0.3.1
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 6.0.3
+ version: 6.0.3.1
- !ruby/object:Gem::Dependency
name: rack
requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 6.0.3
+ version: 6.0.3.1
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 6.0.3
+ version: 6.0.3.1
- !ruby/object:Gem::Dependency
name: activemodel
requirement: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 6.0.3
+ version: 6.0.3.1
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 6.0.3
+ version: 6.0.3.1
description: Web apps on Rails. Simple, battle-tested conventions for building
and
testing MVC web applications. Works with any Rack-compatible server.
email: [email protected]
@@ -310,10 +310,10 @@
- MIT
metadata:
bug_tracker_uri: https://github.com/rails/rails/issues
- changelog_uri:
https://github.com/rails/rails/blob/v6.0.3/actionpack/CHANGELOG.md
- documentation_uri: https://api.rubyonrails.org/v6.0.3/
+ changelog_uri:
https://github.com/rails/rails/blob/v6.0.3.1/actionpack/CHANGELOG.md
+ documentation_uri: https://api.rubyonrails.org/v6.0.3.1/
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
- source_code_uri: https://github.com/rails/rails/tree/v6.0.3/actionpack
+ source_code_uri: https://github.com/rails/rails/tree/v6.0.3.1/actionpack
post_install_message:
rdoc_options: []
require_paths: