!63 [sync] PR-47: Fix CVE-2022-44572

From: @openeuler-sync-bot Reviewed-by: @jxy_git Signed-off-by: @jxy_git
Fix CVE-2022-44572
2024-07-05 08:29:07 +00:00 · 2024-07-05 16:16:27 +08:00 · 2024-07-05 08:15:31 +00:00 · 2024-07-05 16:06:03 +08:00 · 2024-07-05 08:02:57 +00:00 · 2024-07-05 15:23:11 +08:00
5 changed files with 210 additions and 2 deletions
--- a/Fix-CVE-2022-44570.patch
+++ b/Fix-CVE-2022-44570.patch
@ -0,0 +1,44 @@
 From f6d4f528f2df1318a6612845db0b59adc7fe8fc1 Mon Sep 17 00:00:00 2001
 From: Aaron Patterson <tenderlove@ruby-lang.org>
 Date: Tue, 17 Jan 2023 12:04:37 -0800
 Subject: [PATCH] Fix ReDoS in Rack::Utils.get_byte_ranges
 This commit fixes a ReDoS problem in `get_byte_ranges`.  Thanks
@ooooooo_q for the patch!
 [CVE-2022-44570]
 ---
 lib/rack/utils.rb | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
 diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
 index 34849ded..14d9e17d 100644
 --- a/lib/rack/utils.rb
 +++ b/lib/rack/utils.rb
@@ -348,17 +348,18 @@ module Rack
       return nil unless http_range && http_range =~ /bytes=([^;]+)/
       ranges = []
       $1.split(/,\s*/).each do |range_spec|
 -        return nil  unless range_spec =~ /(\d*)-(\d*)/
 -        r0, r1 = $1, $2
 -        if r0.empty?
 -          return nil  if r1.empty?
 +        return nil unless range_spec.include?('-')
 +        range = range_spec.split('-')
 +        r0, r1 = range[0], range[1]
 +        if r0.nil? || r0.empty?
 +          return nil if r1.nil?
           # suffix-byte-range-spec, represents trailing suffix of file
           r0 = size - r1.to_i
           r0 = 0  if r0 < 0
           r1 = size - 1
         else
           r0 = r0.to_i
 -          if r1.empty?
 +          if r1.nil?
             r1 = size - 1
           else
             r1 = r1.to_i
 -- 
 2.25.1
--- a/Fix-CVE-2022-44571.patch
+++ b/Fix-CVE-2022-44571.patch
@ -0,0 +1,31 @@
 From ee25ab9a7ee981d7578f559701085b0cf39bde77 Mon Sep 17 00:00:00 2001
 From: Aaron Patterson <tenderlove@ruby-lang.org>
 Date: Tue, 17 Jan 2023 12:14:29 -0800
 Subject: [PATCH] Fix ReDoS vulnerability in multipart parser
 This commit fixes a ReDoS vulnerability when parsing the
 Content-Disposition field in multipart attachments
 Thanks to @ooooooo_q for the patch!
 [CVE-2022-44571]
 ---
 lib/rack/multipart.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb
 index 7695fe76..fdae808a 100644
 --- a/lib/rack/multipart.rb
 +++ b/lib/rack/multipart.rb
@@ -18,7 +18,7 @@ module Rack
     VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
     BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
     MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
 -    MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni
 +    MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
     MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
     # Updated definitions from RFC 2231
     ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
 -- 
 2.25.1
--- a/Fix-CVE-2022-44572.patch
+++ b/Fix-CVE-2022-44572.patch
@ -0,0 +1,48 @@
 From 19e49f0f185d7e42ed5b402baec6c897a8c48029 Mon Sep 17 00:00:00 2001
 From: John Hawthorn <john@hawthorn.email>
 Date: Wed, 3 Aug 2022 00:19:56 -0700
 Subject: [PATCH] Forbid control characters in attributes
 This commit restricts the characters accepted in ATTRIBUTE_CHAR,
 forbidding control characters and fixing a ReDOS vulnerability.
 This also now should fully follow the RFCs.
 RFC 2231, Section 7 specifies:
    attribute-char := <any (US-ASCII) CHAR except SPACE, CTLs,
                         "*", "'", "%", or tspecials>
 RFC 2045, Appendix A specifies:
    tspecials :=  "(" / ")" / "<" / ">" / "@" /
                  "," / ";" / ":" / "\" / <">
                  "/" / "[" / "]" / "?" / "="
 RFC 822, Section 3.3 specifies:
    CTL         =  <any ASCII control           ; (  0- 37,  0.- 31.)
                    character and DEL>          ; (    177,     127.)
    SPACE       =  <ASCII SP, space>            ; (     40,      32.)
 [CVE-2022-44572]
 ---
 lib/rack/multipart.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb
 index 10f8e5fa..7695fe76 100644
 --- a/lib/rack/multipart.rb
 +++ b/lib/rack/multipart.rb
@@ -21,7 +21,7 @@ module Rack
     MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
     MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
     # Updated definitions from RFC 2231
 -    ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
 +    ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
     ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
     SECTION = /\*[0-9]+/
     REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/
 -- 
 2.25.1
--- a/Fix-CVE-2024-25126.patch
+++ b/Fix-CVE-2024-25126.patch
@ -0,0 +1,51 @@
 From d9c163a443b8cadf4711d84bd2c58cb9ef89cf49 Mon Sep 17 00:00:00 2001
 From: Jean Boussier <jean.boussier@gmail.com>
 Date: Wed, 6 Dec 2023 18:32:19 +0100
 Subject: [PATCH] Avoid 2nd degree polynomial regexp in MediaType
 ---
 lib/rack/media_type.rb | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
 diff --git a/lib/rack/media_type.rb b/lib/rack/media_type.rb
 index 41937c99..7fc1e39d 100644
 --- a/lib/rack/media_type.rb
 +++ b/lib/rack/media_type.rb
@@ -4,7 +4,7 @@ module Rack
   # Rack::MediaType parse media type and parameters out of content_type string
   class MediaType
 -    SPLIT_PATTERN = %r{\s*[;,]\s*}
 +    SPLIT_PATTERN = /[;,]/
     class << self
       # The media type (type/subtype) portion of the CONTENT_TYPE header
@@ -15,7 +15,11 @@ module Rack
       # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7
       def type(content_type)
         return nil unless content_type
 -        content_type.split(SPLIT_PATTERN, 2).first.tap &:downcase!
 +        if type = content_type.split(SPLIT_PATTERN, 2).first
 +          type.rstrip!
 +          type.downcase!
 +          type
 +        end
       end
       # The media type parameters provided in CONTENT_TYPE as a Hash, or
@@ -27,9 +31,10 @@ module Rack
         return {} if content_type.nil?
         content_type.split(SPLIT_PATTERN)[1..-1].each_with_object({}) do |s, hsh|
 +          s.strip!
           k, v = s.split('=', 2)
 -
 -          hsh[k.tap(&:downcase!)] = strip_doublequotes(v)
 +          k.downcase!
 +          hsh[k] = strip_doublequotes(v)
         end
       end
 -- 
 2.25.1
--- a/rubygem-rack.spec
+++ b/rubygem-rack.spec
@ -4,7 +4,7 @@
 Name:    rubygem-%{gem_name}
 Version: 2.2.4
 Epoch:   1
-Release: 3
+Release: 8
 Summary: A modular Ruby webserver interface
 License: MIT and BSD
 URL:     https://rack.github.io/
@ -13,7 +13,11 @@ Patch0: 2-2-multipart-dos.patch
 Patch1: 2-2-header-redos.patch
 Patch2: Fix-CVE-2024-26141.patch
 Patch3: Fix-CVE-2024-26146.patch
-BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2
+Patch4: Fix-CVE-2024-25126.patch
 Patch5: Fix-CVE-2022-44570.patch
 Patch6: Fix-CVE-2022-44571.patch
 Patch7: Fix-CVE-2022-44572.patch
 BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 git
 BuildRequires: memcached rubygem(memcache-client) rubygem(minitest)
 BuildRequires: rubygem(memcache-client)
 BuildRequires: rubygem(minitest)
@ -101,6 +105,36 @@ popd
 %doc %{gem_instdir}/contrib
 %changelog
 * Thu Apr 11 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-8
 - Type:CVES
 - ID:CVE-2022-44572
 - SUG:NA
 - DESC:CVE-2022-44572
 * Wed Apr 10 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-7
 - Type:CVES
 - ID:CVE-2022-44571
 - SUG:NA
 - DESC:CVE-2022-44571
 * Tue Apr 09 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-6
 - Type:CVES
 - ID:CVE-2022-44570
 - SUG:NA
 - DESC:CVE-2022-44570
 * Sun Apr 07 2024 panchenbo <panchenbo@kylinsec.com.cn> - 1:2.2.4-5
 - Type: Bugfix
 - ID:NA
 - SUG:NA
 - DESC:add BuildRequires: git
 * Tue Apr 02 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-4
 - Type:CVES
 - ID:CVE-2024-25126
 - SUG:NA
 - DESC:CVE-2024-25126
 * Tue Apr 02 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-3
 - Type:CVES
 - ID:CVE-2024-26146
Author	SHA1	Message	Date
openeuler-ci-bot	a802a8c29d	!63 [sync] PR-47: Fix CVE-2022-44572 From: @openeuler-sync-bot Reviewed-by: @jxy_git Signed-off-by: @jxy_git	2024-07-05 08:29:07 +00:00
zouzhimin	7dcd0a0a1b	Fix CVE-2022-44572 (cherry picked from commit b0d364e5deb9f05f2d8bd76afa365c7ee167ff7e)	2024-07-05 16:16:27 +08:00
openeuler-ci-bot	4cf48b3983	!61 [sync] PR-46: Fix CVE-2022-44571 From: @openeuler-sync-bot Reviewed-by: @jxy_git Signed-off-by: @jxy_git	2024-07-05 08:15:31 +00:00
zouzhimin	3a0523c45e	Fix CVE-2022-44571 (cherry picked from commit 76b078b2b9078cda68868260c2707e7d52f1af82)	2024-07-05 16:06:03 +08:00
openeuler-ci-bot	6973808638	!59 [sync] PR-45: Fix CVE-2022-44570 From: @openeuler-sync-bot Reviewed-by: @jxy_git Signed-off-by: @jxy_git	2024-07-05 08:02:57 +00:00
zouzhimin	1fd9b25f8b	Fix CVE-2022-44570 (cherry picked from commit 5de9014905bf9a04855c54a03662d34c84b6f02c)	2024-07-05 15:23:11 +08:00
openeuler-ci-bot	4d4a07b8b7	!44 sync some patchs form 24.03 From: @panchenbo Reviewed-by: @small_leek Signed-off-by: @small_leek	2024-04-09 06:07:06 +00:00
panchenbo	45a92e6cc7	add BuildRequires: git	2024-04-07 14:33:10 +08:00
openeuler-ci-bot	89a016480a	!39 [sync] PR-38: Fix CVE-2024-25126 From: @openeuler-sync-bot Reviewed-by: @jxy_git Signed-off-by: @jxy_git	2024-04-02 06:09:19 +00:00
zouzhimin	a386b69758	Fix CVE-2024-25126 (cherry picked from commit c4458441c9e78e84e2843ea84174abd6069108e1)	2024-04-02 11:35:15 +08:00