packages/rubygem-rack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:a802a8c29dd05ca7f4e2b5c4c9e0d117a3df2f31
Branches Tags
packages:main
..
compare: packages:df3704638cc9f55e5d8478ec5c19b6378cdeef84
Branches Tags
packages:main

No commits in common. "a802a8c29dd05ca7f4e2b5c4c9e0d117a3df2f31" and "df3704638cc9f55e5d8478ec5c19b6378cdeef84" have entirely different histories.
a802a8c29d ... df3704638c

5 changed files with 2 additions and 210 deletions
Show Stats Expand all files Collapse all files

44
Fix-CVE-2022-44570.patch
View File

@ -1,44 +0,0 @@
From f6d4f528f2df1318a6612845db0b59adc7fe8fc1 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <tenderlove@ruby-lang.org>
Date: Tue, 17 Jan 2023 12:04:37 -0800
Subject: [PATCH] Fix ReDoS in Rack::Utils.get_byte_ranges
This commit fixes a ReDoS problem in `get_byte_ranges`. Thanks
@ooooooo_q for the patch!
[CVE-2022-44570]
---
lib/rack/utils.rb | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
index 34849ded..14d9e17d 100644
--- a/lib/rack/utils.rb
+++ b/lib/rack/utils.rb
@@ -348,17 +348,18 @@ module Rack
return nil unless http_range && http_range =~ /bytes=([^;]+)/
ranges = []
$1.split(/,\s*/).each do |range_spec|
- return nil unless range_spec =~ /(\d*)-(\d*)/
- r0, r1 = $1, $2
- if r0.empty?
- return nil if r1.empty?
+ return nil unless range_spec.include?('-')
+ range = range_spec.split('-')
+ r0, r1 = range[0], range[1]
+ if r0.nil? || r0.empty?
+ return nil if r1.nil?
# suffix-byte-range-spec, represents trailing suffix of file
r0 = size - r1.to_i
r0 = 0 if r0 < 0
r1 = size - 1
else
r0 = r0.to_i
- if r1.empty?
+ if r1.nil?
r1 = size - 1
else
r1 = r1.to_i
--
2.25.1

31
Fix-CVE-2022-44571.patch
View File

@ -1,31 +0,0 @@
From ee25ab9a7ee981d7578f559701085b0cf39bde77 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <tenderlove@ruby-lang.org>
Date: Tue, 17 Jan 2023 12:14:29 -0800
Subject: [PATCH] Fix ReDoS vulnerability in multipart parser
This commit fixes a ReDoS vulnerability when parsing the
Content-Disposition field in multipart attachments
Thanks to @ooooooo_q for the patch!
[CVE-2022-44571]
---
lib/rack/multipart.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb
index 7695fe76..fdae808a 100644
--- a/lib/rack/multipart.rb
+++ b/lib/rack/multipart.rb
@@ -18,7 +18,7 @@ module Rack
VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
- MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni
+ MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
# Updated definitions from RFC 2231
ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
--
2.25.1

48
Fix-CVE-2022-44572.patch
View File

@ -1,48 +0,0 @@
From 19e49f0f185d7e42ed5b402baec6c897a8c48029 Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Wed, 3 Aug 2022 00:19:56 -0700
Subject: [PATCH] Forbid control characters in attributes
This commit restricts the characters accepted in ATTRIBUTE_CHAR,
forbidding control characters and fixing a ReDOS vulnerability.
This also now should fully follow the RFCs.
RFC 2231, Section 7 specifies:
attribute-char := <any (US-ASCII) CHAR except SPACE, CTLs,
"*", "'", "%", or tspecials>
RFC 2045, Appendix A specifies:
tspecials := "(" / ")" / "<" / ">" / "@" /
"," / ";" / ":" / "\" / <">
"/" / "[" / "]" / "?" / "="
RFC 822, Section 3.3 specifies:
CTL = <any ASCII control ; ( 0- 37, 0.- 31.)
character and DEL> ; ( 177, 127.)
SPACE = <ASCII SP, space> ; ( 40, 32.)
[CVE-2022-44572]
---
lib/rack/multipart.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb
index 10f8e5fa..7695fe76 100644
--- a/lib/rack/multipart.rb
+++ b/lib/rack/multipart.rb
@@ -21,7 +21,7 @@ module Rack
MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
# Updated definitions from RFC 2231
- ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
+ ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
SECTION = /\*[0-9]+/
REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/
--
2.25.1

51
Fix-CVE-2024-25126.patch
View File

@ -1,51 +0,0 @@
From d9c163a443b8cadf4711d84bd2c58cb9ef89cf49 Mon Sep 17 00:00:00 2001
From: Jean Boussier <jean.boussier@gmail.com>
Date: Wed, 6 Dec 2023 18:32:19 +0100
Subject: [PATCH] Avoid 2nd degree polynomial regexp in MediaType
---
lib/rack/media_type.rb | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/lib/rack/media_type.rb b/lib/rack/media_type.rb
index 41937c99..7fc1e39d 100644
--- a/lib/rack/media_type.rb
+++ b/lib/rack/media_type.rb
@@ -4,7 +4,7 @@ module Rack
# Rack::MediaType parse media type and parameters out of content_type string
class MediaType
- SPLIT_PATTERN = %r{\s*[;,]\s*}
+ SPLIT_PATTERN = /[;,]/
class << self
# The media type (type/subtype) portion of the CONTENT_TYPE header
@@ -15,7 +15,11 @@ module Rack
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7
def type(content_type)
return nil unless content_type
- content_type.split(SPLIT_PATTERN, 2).first.tap &:downcase!
+ if type = content_type.split(SPLIT_PATTERN, 2).first
+ type.rstrip!
+ type.downcase!
+ type
+ end
end
# The media type parameters provided in CONTENT_TYPE as a Hash, or
@@ -27,9 +31,10 @@ module Rack
return {} if content_type.nil?
content_type.split(SPLIT_PATTERN)[1..-1].each_with_object({}) do |s, hsh|
+ s.strip!
k, v = s.split('=', 2)
-
- hsh[k.tap(&:downcase!)] = strip_doublequotes(v)
+ k.downcase!
+ hsh[k] = strip_doublequotes(v)
end
end
--
2.25.1

38
rubygem-rack.spec
View File

@ -4,7 +4,7 @@
Name: rubygem-%{gem_name}
Version: 2.2.4
Epoch: 1
Release: 8
Release: 3
Summary: A modular Ruby webserver interface
License: MIT and BSD
URL: https://rack.github.io/
@ -13,11 +13,7 @@ Patch0: 2-2-multipart-dos.patch
Patch1: 2-2-header-redos.patch
Patch2: Fix-CVE-2024-26141.patch
Patch3: Fix-CVE-2024-26146.patch
Patch4: Fix-CVE-2024-25126.patch
Patch5: Fix-CVE-2022-44570.patch
Patch6: Fix-CVE-2022-44571.patch
Patch7: Fix-CVE-2022-44572.patch
BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 git
BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2
BuildRequires: memcached rubygem(memcache-client) rubygem(minitest)
BuildRequires: rubygem(memcache-client)
BuildRequires: rubygem(minitest)
@ -105,36 +101,6 @@ popd
%doc %{gem_instdir}/contrib
%changelog
* Thu Apr 11 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-8
- Type:CVES
- ID:CVE-2022-44572
- SUG:NA
- DESC:CVE-2022-44572
* Wed Apr 10 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-7
- Type:CVES
- ID:CVE-2022-44571
- SUG:NA
- DESC:CVE-2022-44571
* Tue Apr 09 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-6
- Type:CVES
- ID:CVE-2022-44570
- SUG:NA
- DESC:CVE-2022-44570
* Sun Apr 07 2024 panchenbo <panchenbo@kylinsec.com.cn> - 1:2.2.4-5
- Type: Bugfix
- ID:NA
- SUG:NA
- DESC:add BuildRequires: git
* Tue Apr 02 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-4
- Type:CVES
- ID:CVE-2024-25126
- SUG:NA
- DESC:CVE-2024-25126
* Tue Apr 02 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-3
- Type:CVES
- ID:CVE-2024-26146