Hello community,

here is the log from the commit of package rubygem-actionview-5_1 for openSUSE:Leap:15.2 checked in at 2020-05-07 19:28:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/rubygem-actionview-5_1 (Old)
 and      /work/SRC/openSUSE:Leap:15.2/.rubygem-actionview-5_1.new.2738 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-actionview-5_1" Thu May 7 19:28:30 2020 rev:11 rq:801123 version:5.1.4 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/rubygem-actionview-5_1/rubygem-actionview-5_1.changes 2020-01-15 15:58:22.543765040 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.rubygem-actionview-5_1.new.2738/rubygem-actionview-5_1.changes 2020-05-07 19:34:00.422290387 +0200 @@ -1,0 +2,12 @@ +Mon Apr 27 10:51:59 UTC 2020 - Manuel Schnitzer <mschnit...@suse.com> + +- Add patch to fix CVE-2020-5267 (bsc#1167240) + + 0001-CVE-2020-5267.patch + + In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS + vulnerability in ActionView's JavaScript literal escape helpers. Views that use + the `j` or `escape_javascript` methods may be susceptible to XSS attacks. The + issue is fixed in versions 6.0.2.2 and 5.2.4.2. + +------------------------------------------------------------------- New: ---- 0001-CVE-2020-5267.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-actionview-5_1.spec ++++++ --- /var/tmp/diff_new_pack.0oDK0m/_old 2020-05-07 19:34:01.142291828 +0200 +++ /var/tmp/diff_new_pack.0oDK0m/_new 2020-05-07 19:34:01.146291835 +0200 @@ -1,7 +1,7 @@ # # spec file for package rubygem-actionview-5_1 # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -30,12 +30,15 @@ %define mod_full_name %{mod_name}-%{version} %define mod_version_suffix -5_1 BuildRoot: %{_tmppath}/%{name}-%{version}-build +BuildRequires: ruby-macros >= 5 BuildRequires: %{ruby >= 2.2.2} BuildRequires: %{rubygem gem2rpm} -BuildRequires: ruby-macros >= 5 Url: http://rubyonrails.org Source: https://rubygems.org/gems/%{mod_full_name}.gem Source1: gem2rpm.yml +# MANUAL +Patch0: 0001-CVE-2020-5267.patch +# /MANUAL Summary: Rendering framework putting the V in MVC (part of Rails) License: MIT Group: Development/Languages/Ruby @@ -44,6 +47,10 @@ Simple, battle-tested conventions and helpers for building web pages. %prep +%gem_unpack +%patch0 -p1 +find -type f -print0 | xargs -0 touch -r %{S:0} +%gem_build %build ++++++ 0001-CVE-2020-5267.patch ++++++ --- actionview-5.1.4/lib/action_view/helpers/javascript_helper.rb.old 2020-04-27 13:11:28.515617314 +0200 +++ actionview-5.1.4/lib/action_view/helpers/javascript_helper.rb 2020-04-27 13:12:24.208034709 +0200 @@ -10,7 +10,9 @@ "\n" => '\n', "\r" => '\n', '"' => '\\"', - "'" => "\\'" + "'" => "\\'", + "`" => "\\`", + "$" => "\\$" } JS_ESCAPE_MAP["\342\200\250".force_encoding(Encoding::UTF_8).encode!] = "
" ++++++ gem2rpm.yml ++++++ --- /var/tmp/diff_new_pack.0oDK0m/_old 2020-05-07 19:34:01.182291908 +0200 +++ /var/tmp/diff_new_pack.0oDK0m/_new 2020-05-07 19:34:01.182291908 +0200 @@ -1,2 +1,4 @@ --- :version_suffix: '-5_1' +:patches: + 0001-CVE-2020-5267.patch: -p1