CVE-2022-44570 CVE-2022-44571 CVE-2022-44572

2024-06-13 03:38:57 +08:00 · 2024-06-13 03:38:57 +08:00 · 2262495d46
commit 2262495d46
parent abde956fca
4 changed files with 133 additions and 1 deletions
--- a/CVE-2022-44570.patch
+++ b/CVE-2022-44570.patch
@ -0,0 +1,44 @@
+From f6d4f528f2df1318a6612845db0b59adc7fe8fc1 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <tenderlove@ruby-lang.org>
+Date: Tue, 17 Jan 2023 12:04:37 -0800
+Subject: [PATCH] Fix ReDoS in Rack::Utils.get_byte_ranges
+
+This commit fixes a ReDoS problem in `get_byte_ranges`.  Thanks
+@ooooooo_q for the patch!
+
+[CVE-2022-44570]
+---
+ lib/rack/utils.rb | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
+index 34849ded..14d9e17d 100644
+--- a/lib/rack/utils.rb
+++ b/lib/rack/utils.rb
+@@ -348,17 +348,18 @@ module Rack
+       return nil unless http_range && http_range =~ /bytes=([^;]+)/
+       ranges = []
+       $1.split(/,\s*/).each do |range_spec|
+-        return nil  unless range_spec =~ /(\d*)-(\d*)/
+-        r0, r1 = $1, $2
+-        if r0.empty?
+-          return nil  if r1.empty?
+        return nil unless range_spec.include?('-')
+        range = range_spec.split('-')
+        r0, r1 = range[0], range[1]
+        if r0.nil? || r0.empty?
+          return nil if r1.nil?
+           # suffix-byte-range-spec, represents trailing suffix of file
+           r0 = size - r1.to_i
+           r0 = 0  if r0 < 0
+           r1 = size - 1
+         else
+           r0 = r0.to_i
+-          if r1.empty?
+          if r1.nil?
+             r1 = size - 1
+           else
+             r1 = r1.to_i
+-- 
+2.25.1
+
--- a/CVE-2022-44571.patch
+++ b/CVE-2022-44571.patch
@ -0,0 +1,31 @@
+From ee25ab9a7ee981d7578f559701085b0cf39bde77 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <tenderlove@ruby-lang.org>
+Date: Tue, 17 Jan 2023 12:14:29 -0800
+Subject: [PATCH] Fix ReDoS vulnerability in multipart parser
+
+This commit fixes a ReDoS vulnerability when parsing the
+Content-Disposition field in multipart attachments
+
+Thanks to @ooooooo_q for the patch!
+
+[CVE-2022-44571]
+---
+ lib/rack/multipart.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb
+index 7695fe76..fdae808a 100644
+--- a/lib/rack/multipart.rb
+++ b/lib/rack/multipart.rb
+@@ -18,7 +18,7 @@ module Rack
+     VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
+     BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
+     MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
+-    MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni
+    MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
+     MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
+     # Updated definitions from RFC 2231
+     ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
+-- 
+2.25.1
+
--- a/CVE-2022-44572.patch
+++ b/CVE-2022-44572.patch
@ -0,0 +1,48 @@
+From 19e49f0f185d7e42ed5b402baec6c897a8c48029 Mon Sep 17 00:00:00 2001
+From: John Hawthorn <john@hawthorn.email>
+Date: Wed, 3 Aug 2022 00:19:56 -0700
+Subject: [PATCH] Forbid control characters in attributes
+
+This commit restricts the characters accepted in ATTRIBUTE_CHAR,
+forbidding control characters and fixing a ReDOS vulnerability.
+
+This also now should fully follow the RFCs.
+
+RFC 2231, Section 7 specifies:
+
+    attribute-char := <any (US-ASCII) CHAR except SPACE, CTLs,
+                         "*", "'", "%", or tspecials>
+
+RFC 2045, Appendix A specifies:
+
+    tspecials :=  "(" / ")" / "<" / ">" / "@" /
+                  "," / ";" / ":" / "\" / <">
+                  "/" / "[" / "]" / "?" / "="
+
+RFC 822, Section 3.3 specifies:
+
+    CTL         =  <any ASCII control           ; (  0- 37,  0.- 31.)
+                    character and DEL>          ; (    177,     127.)
+    SPACE       =  <ASCII SP, space>            ; (     40,      32.)
+
+[CVE-2022-44572]
+---
+ lib/rack/multipart.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb
+index 10f8e5fa..7695fe76 100644
+--- a/lib/rack/multipart.rb
+++ b/lib/rack/multipart.rb
+@@ -21,7 +21,7 @@ module Rack
+     MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
+     MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
+     # Updated definitions from RFC 2231
+-    ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
+    ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
+     ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
+     SECTION = /\*[0-9]+/
+     REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/
+-- 
+2.25.1
+
--- a/rubygem-rack.spec
+++ b/rubygem-rack.spec
@ -4,7 +4,7 @@
 Name:    rubygem-%{gem_name}
 Version: 2.2.3.1
 Epoch:   1
-Release: 4
+Release: 5
 Summary: A modular Ruby webserver interface
 License: MIT and BSD
 URL:     https://rack.github.io/
@ -14,6 +14,9 @@ Patch0: CVE-2024-39316.patch
 Patch1: CVE-2024-26141.patch
 Patch2: CVE-2024-26146.patch
 Patch3: CVE-2024-25126.patch
+Patch4: CVE-2022-44570.patch
+Patch5: CVE-2022-44571.patch
+Patch6: CVE-2022-44572.patch

 BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(concurrent-ruby)
 BuildRequires: memcached rubygem(memcache-client) rubygem(minitest)
@ -103,6 +106,12 @@ popd
 %doc %{gem_instdir}/contrib

 %changelog
+* Fri Jul 05 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.3.1-5
+- Type:CVES
+- ID:CVE-2022-44570 CVE-2022-44571 CVE-2022-44572
+- SUG:NA
+- DESC:CVE-2022-44570 CVE-2022-44571 CVE-2022-44572
+
 * Fri Jul 05 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.3.1-4
 - Type:CVES
 - ID:CVE-2024-26141 CVE-2024-26146 CVE-2024-25126