fix CVE-2025-27219 CVE-2025-27220 CVE-2025-27221

(cherry picked from commit a0bcb149bc3b160257816b88676d339ae2cfe631)
shixuantong 2025-02-28 15:49:57 +08:00 committed by openeuler-sync-bot
parent 557c8656d7
commit c9cf5be7ae
5 changed files with 244 additions and 1 deletions


@ -0,0 +1,55 @@
From 4263c0d15a582b46d75aac57cd26a47d33941a53 Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
Date: Fri, 21 Feb 2025 16:29:36 +0900
Subject: [PATCH] Truncate userinfo with URI#join, URI#merge and URI#+
Reference:https://github.com/ruby/uri/commit/4263c0d15a582b46d75aac57cd26a47d33941a53
Conflict:NA
---
lib/uri/generic.rb | 6 +++++-
test/uri/test_generic.rb | 11 +++++++++++
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
index a4192c6..6b60873 100644
--- a/lib/uri/generic.rb
+++ b/lib/uri/generic.rb
@@ -1131,7 +1131,11 @@ module URI
end
# RFC2396, Section 5.2, 7)
- base.set_userinfo(rel.userinfo) if rel.userinfo
+ if rel.userinfo
+ base.set_userinfo(rel.userinfo)
+ else
+ base.set_userinfo(nil)
+ end
base.set_host(rel.host) if rel.host
base.set_port(rel.port) if rel.port
base.query = rel.query if rel.query
diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
index b449a0a..8a611e3 100644
--- a/test/uri/test_generic.rb
+++ b/test/uri/test_generic.rb
@@ -157,6 +157,17 @@ class URI::TestGeneric < Test::Unit::TestCase
assert_equal(nil, url.user)
assert_equal(nil, url.password)
assert_equal(nil, url.userinfo)
+
+ # sec-2957667
+ url = URI.parse('http://user:pass@example.com').merge('//example.net')
+ assert_equal('http://example.net', url.to_s)
+ assert_nil(url.userinfo)
+ url = URI.join('http://user:pass@example.com', '//example.net')
+ assert_equal('http://example.net', url.to_s)
+ assert_nil(url.userinfo)
+ url = URI.parse('http://user:pass@example.com') + '//example.net'
+ assert_equal('http://example.net', url.to_s)
+ assert_nil(url.userinfo)
end
def test_merge
--
2.33.0
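Review bot: The tests added at L47-L57 only exercise network-path references (`//example.net`), so nothing asserts that a path-only reference keeps the base's userinfo, even though the new `else` branch at L34 resets userinfo whenever `rel.userinfo` is absent while host and port (L36-L37) are left untouched in that case. Read from the hunk alone, that asymmetry means something like `URI.parse('http://user:pass@example.com/a').merge('b')` would lose its credentials after this patch; the second URI patch in this commit ("Fix merger of URI with authority component") moves the reset under the authority branch, but neither patch's tests pin the path-only case, so a reordered or dropped backport would regress silently. Consider adding `url = URI.parse('http://user:pass@example.com/a').merge('b')` followed by `assert_equal('user:pass', url.userinfo)` next to the sec-2957667 cases. The enclosing test method and `merge` itself both start outside the hunk.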


@ -0,0 +1,71 @@
From 58adef476ef4b5e6deefaf92e7594ab29396c624 Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
Date: Fri, 21 Feb 2025 18:16:28 +0900
Subject: [PATCH] Fix merger of URI with authority component
Reference:https://github.com/ruby/uri/commit/58adef476ef4b5e6deefaf92e7594ab29396c624
Conflict:NA
https://hackerone.com/reports/2957667
Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
---
lib/uri/generic.rb | 19 +++++++------------
test/uri/test_generic.rb | 7 +++++++
2 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
index 6b60873..3ca5831 100644
--- a/lib/uri/generic.rb
+++ b/lib/uri/generic.rb
@@ -1123,21 +1123,16 @@ module URI
base.fragment=(nil)
# RFC2396, Section 5.2, 4)
- if !authority
- base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path
- else
- # RFC2396, Section 5.2, 4)
- base.set_path(rel.path) if rel.path
+ if authority
+ base.set_userinfo(rel.userinfo)
+ base.set_host(rel.host)
+ base.set_port(rel.port || base.default_port)
+ base.set_path(rel.path)
+ elsif base.path && rel.path
+ base.set_path(merge_path(base.path, rel.path))
end
# RFC2396, Section 5.2, 7)
- if rel.userinfo
- base.set_userinfo(rel.userinfo)
- else
- base.set_userinfo(nil)
- end
- base.set_host(rel.host) if rel.host
- base.set_port(rel.port) if rel.port
base.query = rel.query if rel.query
base.fragment=(rel.fragment) if rel.fragment
diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
index 8a611e3..a365f10 100644
--- a/test/uri/test_generic.rb
+++ b/test/uri/test_generic.rb
@@ -253,6 +253,13 @@ class URI::TestGeneric < Test::Unit::TestCase
assert_equal(u0, u1)
end
+ def test_merge_authority
+ u = URI.parse('http://user:pass@example.com:8080')
+ u0 = URI.parse('http://new.example.org/path')
+ u1 = u.merge('//new.example.org/path')
+ assert_equal(u0, u1)
+ end
+
def test_route
url = URI.parse('http://hoge/a.html').route_to('http://hoge/b.html')
assert_equal('b.html', url.to_s)
--
2.33.0
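Review bot: The `# RFC2396, Section 5.2, 7)` comment at L98 now labels only the query/fragment assignments, while the userinfo/host/port replacement it used to describe has moved into the `if authority` branch at L90-L94 under the `5.2, 4)` comment, so the step references no longer match the code. Suggest `# RFC2396, Section 5.2, 4) and 7): a reference with an authority replaces userinfo, host, port and path wholesale` above L90 and `# RFC2396, Section 5.2, 7): query and fragment` at L98. The `rel.port || base.default_port` fallback at L93 presumably relies on the reference inheriting base's scheme, which holds for the network-path references this branch handles, but a one-line comment saying so would help, and `test_merge_authority` (L115-L120) only covers a reference with host and path — a case with userinfo but no port would pin the fallback. `merge` starts outside the hunk.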


@ -0,0 +1,35 @@
From 2c2d89e7cce0c81d9e63bb29c0e65b0436885af1 Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
Date: Fri, 21 Feb 2025 16:01:17 +0900
Subject: [PATCH 1/2] Use String#concat instead of String#+ for reducing cpu
usage
Reference:https://github.com/ruby/cgi/commit/2c2d89e7cce0c81d9e63bb29c0e65b0436885af1
Conflict:NA
Co-authored-by: "Yusuke Endoh" <mame@ruby-lang.org>
---
lib/cgi/cookie.rb | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/cgi/cookie.rb b/lib/cgi/cookie.rb
index 9498e2f..1c4ef6a 100644
--- a/lib/cgi/cookie.rb
+++ b/lib/cgi/cookie.rb
@@ -190,9 +190,10 @@ class CGI
values ||= ""
values = values.split('&').collect{|v| CGI.unescape(v,@@accept_charset) }
if cookies.has_key?(name)
- values = cookies[name].value + values
+ cookies[name].concat(values)
+ else
+ cookies[name] = Cookie.new(name, *values)
end
- cookies[name] = Cookie.new(name, *values)
end
cookies
--
2.33.0
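Review bot: `cookies[name].concat(values)` at L151 relies on CGI::Cookie being an Array subclass whose elements are the cookie's values, which is not obvious at this call site and differs from the `.value` accessor the removed line used; a short comment would save the next reader a trip to the class definition, e.g. `# Cookie is an Array of its values: append in place instead of rebuilding the cookie (and re-copying every earlier value) for each repeated name`. The change removes the quadratic rebuild, but nothing in the hunk bounds how many values accumulate under one name, so whatever limit applies to the raw cookie header is the only cap — presumably acceptable, but worth stating in the backport description. The `parse` method starts outside the hunk.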


@ -0,0 +1,75 @@
From da7aadf928d85ffdf594d7e77aed4a441f7c3ebb Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
Date: Fri, 21 Feb 2025 15:53:31 +0900
Subject: [PATCH 2/2] Escape/unescape unclosed tags as well
Reference:https://github.com/ruby/cgi/commit/da7aadf928d85ffdf594d7e77aed4a441f7c3ebb
Conflict:NA
Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
---
lib/cgi/util.rb | 4 ++--
test/cgi/test_cgi_util.rb | 18 ++++++++++++++++++
2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/lib/cgi/util.rb b/lib/cgi/util.rb
index aab8b00..5ff8ba5 100644
--- a/lib/cgi/util.rb
+++ b/lib/cgi/util.rb
@@ -140,7 +140,7 @@ module CGI::Util
def escapeElement(string, *elements)
elements = elements[0] if elements[0].kind_of?(Array)
unless elements.empty?
- string.gsub(/<\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?>/i) do
+ string.gsub(/<\/?(?:#{elements.join("|")})\b[^<>]*+>?/im) do
CGI.escapeHTML($&)
end
else
@@ -160,7 +160,7 @@ module CGI::Util
def unescapeElement(string, *elements)
elements = elements[0] if elements[0].kind_of?(Array)
unless elements.empty?
- string.gsub(/&lt;\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?&gt;/i) do
+ string.gsub(/&lt;\/?(?:#{elements.join("|")})\b(?>[^&]+|&(?![gl]t;)\w+;)*(?:&gt;)?/im) do
unescapeHTML($&)
end
else
diff --git a/test/cgi/test_cgi_util.rb b/test/cgi/test_cgi_util.rb
index b7bb7b8..e93be47 100644
--- a/test/cgi/test_cgi_util.rb
+++ b/test/cgi/test_cgi_util.rb
@@ -181,6 +181,14 @@ class CGIUtilTest < Test::Unit::TestCase
assert_equal("<BR>&lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escapeElement('<BR><A HREF="url"></A>', ["A", "IMG"]))
assert_equal("<BR>&lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<BR><A HREF="url"></A>', "A", "IMG"))
assert_equal("<BR>&lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<BR><A HREF="url"></A>', ["A", "IMG"]))
+
+ assert_equal("&lt;A &lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escapeElement('<A <A HREF="url"></A>', "A", "IMG"))
+ assert_equal("&lt;A &lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escapeElement('<A <A HREF="url"></A>', ["A", "IMG"]))
+ assert_equal("&lt;A &lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<A <A HREF="url"></A>', "A", "IMG"))
+ assert_equal("&lt;A &lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<A <A HREF="url"></A>', ["A", "IMG"]))
+
+ assert_equal("&lt;A &lt;A ", escapeElement('<A <A ', "A", "IMG"))
+ assert_equal("&lt;A &lt;A ", escapeElement('<A <A ', ["A", "IMG"]))
end
@@ -189,5 +197,15 @@ class CGIUtilTest < Test::Unit::TestCase
assert_equal('&lt;BR&gt;<A HREF="url"></A>', unescapeElement(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))
assert_equal('&lt;BR&gt;<A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), "A", "IMG"))
assert_equal('&lt;BR&gt;<A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))
+
+ assert_equal('<A <A HREF="url"></A>', unescapeElement(escapeHTML('<A <A HREF="url"></A>'), "A", "IMG"))
+ assert_equal('<A <A HREF="url"></A>', unescapeElement(escapeHTML('<A <A HREF="url"></A>'), ["A", "IMG"]))
+ assert_equal('<A <A HREF="url"></A>', unescape_element(escapeHTML('<A <A HREF="url"></A>'), "A", "IMG"))
+ assert_equal('<A <A HREF="url"></A>', unescape_element(escapeHTML('<A <A HREF="url"></A>'), ["A", "IMG"]))
+
+ assert_equal('<A <A ', unescapeElement(escapeHTML('<A <A '), "A", "IMG"))
+ assert_equal('<A <A ', unescapeElement(escapeHTML('<A <A '), ["A", "IMG"]))
+ assert_equal('<A <A ', unescape_element(escapeHTML('<A <A '), "A", "IMG"))
+ assert_equal('<A <A ', unescape_element(escapeHTML('<A <A '), ["A", "IMG"]))
end
end
--
2.33.0
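Review bot: Both rewritten patterns (L184 and L193) still interpolate `elements.join("|")` straight into the regex, so an element name containing regex metacharacters changes the pattern rather than being matched literally; since the lines are being rewritten anyway, `#{Regexp.union(elements).source}` would make the alternation literal at no cost (element names are normally developer constants, so this is hardening rather than a live fault). Secondly, the `m` flag now on both lines has no effect once `(?:.|\n)*?` is gone — `[^<>]`, `[^&]` and the atomic group already match newlines — so either drop it or say why it stays. A comment explaining the new shape would also help, e.g. `# possessive quantifier: no backtracking into the tag body, and a missing '>' still ends the match at the next '<'` for L184, with the `&gt;`/`&lt;` analogue for L193. escapeElement and unescapeElement both end outside their hunks.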


@ -33,7 +33,7 @@
Name: ruby
Version: %{ruby_version}
Release: 141
Release: 142
Summary: Object-oriented scripting language interpreter
License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD
URL: https://www.ruby-lang.org/en/
@ -206,6 +206,10 @@ Patch6034: backport-CVE-2024-39908-CVE-2024-41123-upgrade-lib-rexml-to-3.3.3.pat
Patch6035: backport-CVE-2024-43398-upgrade-lib-rexml-to-3.3.6.patch
Patch6036: backport-CVE-2024-47220.patch
Patch6037: backport-CVE-2024-49761.patch
Patch6038: backport-CVE-2025-27219.patch
Patch6039: backport-CVE-2025-27220.patch
Patch6040: backport-0001-CVE-2025-27221.patch
Patch6041: backport-0002-CVE-2025-27221.patch
Provides: %{name}-libs = %{version}-%{release}
Obsoletes: %{name}-libs < %{version}-%{release}
@ -1204,6 +1208,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13}
%doc %{gem_dir}/gems/typeprof-%{typeprof_version}/testbed
%changelog
* Fri Feb 28 2025 shixuantong <shixuantong1@huawei.com> - 3.0.3-142
- fix CVE-2025-27219 CVE-2025-27220 CVE-2025-27221
* Tue Oct 29 2024 shixuantong <shixuantong1@huawei.com> - 3.0.3-141
- fix CVE-2024-49761