Bug 1214807 (CVE-2023-38037) - VUL-0: CVE-2023-38037: rubygem-activesupport-5.2: File Disclosure of Locally Encrypted Files
Summary: VUL-0: CVE-2023-38037: rubygem-activesupport-5.2: File Disclosure of Locally ...
Status: RESOLVED FIXED
Alias: CVE-2023-38037
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium, Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/376780/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-08-31 07:15 UTC by Robert Frohl
Modified: 2024-05-29 12:06 UTC
CC List: 6 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Robert Frohl 2023-08-31 07:15:25 UTC
CVE-2023-38037

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-38037.yml
http://localhost:5600/static/#/asm_ticket/98986

CVE(s): CVE-2023-38037

There is a possible file disclosure of locally encrypted files in Active Support.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.7.1, 6.1.7.5

# Impact
ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.

Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.

All users running an affected release should either upgrade or use one of the workarounds immediately.

# Releases
The fixed releases are available at the normal locations.

# Workarounds
To work around this issue, you can set your umask to be more restrictive like this:

```shell
# Strip group and other permission bits from every file this shell creates
$ umask 0077
```

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38037
https://bugzilla.redhat.com/show_bug.cgi?id=2236261
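The mechanism the advisory describes, as an added example that is not part of this bug report or of Rails' own code: a Ruby script writes a constructed plaintext sample to the temp directory the way the advisory describes (a plain `binwrite`, so the mode is whatever the user's umask leaves of 0666) next to a hardened version that creates the file with an explicit 0600 mode and `O_EXCL`, and a small scanner flags any file in a directory that group or others can read. The file names, the sample contents and the helper names (`write_tmp_insecure`, `write_tmp_secure`, `exposed_files`, `compare_under_umask`) are assumptions for illustration; the comparison runs under a typical umask of 0022 and under the advisory's workaround umask of 0077.

```ruby
require "tmpdir"

# Constructed sample standing in for the decrypted credentials that
# EncryptedFile hands to the editor (placeholder values, not real secrets).
SAMPLE_SECRETS = "secret_key_base: PLACEHOLDER-NOT-A-REAL-KEY\n".freeze

# Any of these bits set means a user other than the owner can get at the file.
GROUP_OTHER_BITS = 0o077

# Permission bits of a path, without the file-type bits.
def mode_bits(path)
  File.stat(path).mode & 0o777
end

# True when only the owner has any access to the file.
def private_mode?(path)
  (mode_bits(path) & GROUP_OTHER_BITS).zero?
end

# Vulnerable pattern, modelled on the advisory's description (not Rails' code):
# the plaintext goes into a file under the temp directory via File.binwrite.
# The file is created with mode 0666 & ~umask, so whether other local users
# can read it depends entirely on the editing user's umask.
def write_tmp_insecure(contents, dir: Dir.tmpdir, name: "#{Process.pid}.credentials.yml")
  path = File.join(dir, name)
  File.binwrite(path, contents)
  path
end

# Hardened pattern: open the file with an explicit 0600 mode and O_EXCL.
# umask can only clear bits, so the result is never wider than 0600 whatever
# the user's settings, and a pre-existing file at the path is refused
# instead of being overwritten.
def write_tmp_secure(contents, dir: Dir.tmpdir, name: "#{Process.pid}.credentials.yml")
  path = File.join(dir, name)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.binmode
    f.write(contents)
  end
  path
end

# Detection helper: basenames of regular files in dir that are readable or
# writable by group/others, i.e. candidates for the disclosure described above.
def exposed_files(dir)
  Dir.children(dir).select do |name|
    path = File.join(dir, name)
    File.file?(path) && !private_mode?(path)
  end.sort
end

# Runs the block under the given umask and restores the previous value.
def with_umask(mask)
  previous = File.umask(mask)
  yield
ensure
  File.umask(previous) if previous
end

# Writes the sample with both patterns under the given umask in a throwaway
# directory and reports the resulting modes and what the scanner flags.
def compare_under_umask(mask)
  Dir.mktmpdir do |dir|
    with_umask(mask) do
      insecure = write_tmp_insecure(SAMPLE_SECRETS, dir: dir, name: "insecure.yml")
      secure   = write_tmp_secure(SAMPLE_SECRETS, dir: dir, name: "secure.yml")
      {
        insecure_mode: mode_bits(insecure),
        secure_mode: mode_bits(secure),
        exposed: exposed_files(dir),
      }
    end
  end
end

if $PROGRAM_NAME == __FILE__
  [0o022, 0o077].each do |mask|
    r = compare_under_umask(mask)
    printf("umask %04o: insecure=%04o secure=%04o exposed=%s\n",
           mask, r[:insecure_mode], r[:secure_mode], r[:exposed].inspect)
  end
end
```

Under umask 0022 the `binwrite` file comes out 0644 and is the only one the scanner flags; under the workaround umask 0077 it comes out 0600, which is why the advisory's `umask 0077` closes the window for unfixed versions. The explicit-mode variant is 0600 in both cases, which is the property a fix in the library itself has to guarantee rather than relying on every user's shell settings.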
Comment 2 Robert Frohl 2023-08-31 07:21:58 UTC
relevant for:

openSUSE:Factory/rubygem-activesupport-7.0
openSUSE:Backports:SLE-15-SP5/rubygem-activesupport-5.2
openSUSE:Backports:SLE-15-SP6/rubygem-activesupport-5.2
Comment 7 Petr Gajdos 2023-10-13 10:06:57 UTC
b15sp5 submitted, b15sp6 declined because Factory first. 

I believe all fixed, except 15sp6 and Tumbleweed.

Let's let maintainers decide what to do for Factory and 15sp6.
Comment 8 Marcus Meissner 2023-11-03 20:05:13 UTC
openSUSE-RU-2023:0349-1: An update that fixes one vulnerability is now available.

Category: recommended (low)
Bug References: 1214807
CVE References: CVE-2023-38037
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    rubygem-railties-5.2-5.2.3-bp155.3.3.1
Comment 9 Marcus Meissner 2023-11-04 02:05:04 UTC
openSUSE-SU-2023:0350-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1214807
CVE References: CVE-2023-38037
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    rubygem-activesupport-5.2-5.2.3-bp155.3.5.1
Comment 10 Petr Gajdos 2023-12-04 11:47:01 UTC
Factory has 7.0.8, thus fixed there.
Comment 11 Petr Gajdos 2023-12-04 12:50:40 UTC
15sp6
https://build.opensuse.org/request/show/1130752
Comment 12 Andrea Mattiazzo 2024-05-29 12:06:33 UTC
All done, closing.