Bug 1214807 (CVE-2023-38037)

Summary:	VUL-0: CVE-2023-38037: rubygem-activesupport-5.2: File Disclosure of Locally Encrypted Files
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Robert Frohl <rfrohl>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	dcermak, kstreitova, meissner, mrueckert, pgajdos, security-team
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/376780/
Whiteboard:
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Robert Frohl 2023-08-31 07:15:25 UTC

CVE-2023-38037

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-38037.yml
http://localhost:5600/static/#/asm_ticket/98986

CVE(s): CVE-2023-38037   There is a possible file disclosure of locally encrypted files in Active Support.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.7.1, 6.1.7.5

# Impact
ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.

Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.

All users running an affected release should either upgrade or use one of the workarounds immediately.

# Releases
The fixed releases are available at the normal locations.

# Workarounds
To work around this issue, you can set your umask to be more restrictive like this:

```ruby
$ umask 0077
```

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38037
https://bugzilla.redhat.com/show_bug.cgi?id=2236261

Comment 2 Robert Frohl 2023-08-31 07:21:58 UTC

relevant for:

openSUSE:Factory/rubygem-activesupport-7.0
openSUSE:Backports:SLE-15-SP5/rubygem-activesupport-5.2
openSUSE:Backports:SLE-15-SP6/rubygem-activesupport-5.2

Comment 5 Petr Gajdos 2023-10-13 09:34:28 UTC

b15sp5:
https://build.opensuse.org/request/show/1117600
https://build.opensuse.org/request/show/1117601

Comment 6 Petr Gajdos 2023-10-13 10:02:00 UTC

b15sp5
https://build.opensuse.org/request/show/1117638
https://build.opensuse.org/request/show/1117639
b15sp6
https://build.opensuse.org/request/show/1117642
https://build.opensuse.org/request/show/1117643

Comment 7 Petr Gajdos 2023-10-13 10:06:57 UTC

b15sp5 submitted, b15sp6 declined because Factory first. 

I believe all fixed, except 15sp6 and Tubmleweed.

Let's let maintainers decide what to do for Factory and 15sp6.

Comment 8 Marcus Meissner 2023-11-03 20:05:13 UTC

openSUSE-RU-2023:0349-1: An update that fixes one vulnerability is now available.

Category: recommended (low)
Bug References: 1214807
CVE References: CVE-2023-38037
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    rubygem-railties-5.2-5.2.3-bp155.3.3.1

Comment 9 Marcus Meissner 2023-11-04 02:05:04 UTC

openSUSE-SU-2023:0350-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1214807
CVE References: CVE-2023-38037
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    rubygem-activesupport-5.2-5.2.3-bp155.3.5.1

Comment 10 Petr Gajdos 2023-12-04 11:47:01 UTC

Factory has 7.0.8, thus fixed there.

Comment 11 Petr Gajdos 2023-12-04 12:50:40 UTC

15sp6
https://build.opensuse.org/request/show/1130752

Comment 12 Andrea Mattiazzo 2024-05-29 12:06:33 UTC

All done, closing.