From 0acaca81be0e4b58a13344fb612d70ef4eee9eb9 Mon Sep 17 00:00:00 2001 From: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com> Date: Fri, 14 Mar 2025 23:03:34 +0530 Subject: [PATCH] Patch `ruby` CVE-2025-27219, CVE-2025-27220, CVE-2025-27221 [Medium] (#12867) Co-authored-by: jslobodzian (cherry picked from commit 8623b2e54ad87a4d9dd02bd07e4dbaf3a00f7027) --- SPECS/ruby/CVE-2025-27219.patch | 29 ++++++++++++ SPECS/ruby/CVE-2025-27220.patch | 70 +++++++++++++++++++++++++++++ SPECS/ruby/CVE-2025-27221.patch | 79 +++++++++++++++++++++++++++++++++ SPECS/ruby/ruby.spec | 8 +++- 4 files changed, 185 insertions(+), 1 deletion(-) create mode 100644 SPECS/ruby/CVE-2025-27219.patch create mode 100644 SPECS/ruby/CVE-2025-27220.patch create mode 100644 SPECS/ruby/CVE-2025-27221.patch diff --git a/SPECS/ruby/CVE-2025-27219.patch b/SPECS/ruby/CVE-2025-27219.patch new file mode 100644 index 00000000000..4d50c627d14 --- /dev/null +++ b/SPECS/ruby/CVE-2025-27219.patch @@ -0,0 +1,29 @@ +From 9907b76dad0777ee300de236dad4b559e07596ab Mon Sep 17 00:00:00 2001 +From: Hiroshi SHIBATA +Date: Fri, 21 Feb 2025 16:01:17 +0900 +Subject: [PATCH] Use String#concat instead of String#+ for reducing cpu usage + +Upstream Reference : https://github.com/ruby/cgi/commit/9907b76dad0777ee300de236dad4b559e07596ab + +Co-authored-by: "Yusuke Endoh" +--- + lib/cgi/cookie.rb | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/lib/cgi/cookie.rb b/lib/cgi/cookie.rb +index 9498e2f..1c4ef6a 100644 +--- a/lib/cgi/cookie.rb ++++ b/lib/cgi/cookie.rb +@@ -190,9 +190,10 @@ def self.parse(raw_cookie) + values ||= "" + values = values.split('&').collect{|v| CGI.unescape(v,@@accept_charset) } + if cookies.has_key?(name) +- values = cookies[name].value + values ++ cookies[name].concat(values) ++ else ++ cookies[name] = Cookie.new(name, *values) + end +- cookies[name] = Cookie.new(name, *values) + end + + cookies 
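Review bot: The new `cookies[name].concat(values)` path has no regression test in the vendored patch, so nothing pins either the merged-value behaviour or the linear cost that CVE-2025-27219 is about; something like `assert_equal(%w[1 2], CGI::Cookie.parse('a=1; a=2')['a'].value)` shipped alongside the patch would at least cover the former. `concat` presumes `Cookie` is an `Array` subclass — true of upstream `CGI::Cookie` as far as I know, but the class header is outside this hunk, so confirm it holds for the cgi bundled with 3.1.4 before relying on it. Every value still passes through `CGI.unescape(v,@@accept_charset)` with no cap on the number of cookie pairs, so the front-end header-size limit remains the only bound on per-request work; that is pre-existing, but worth a comment such as `# one Cookie per name; repeated names append in place (linear overall, see CVE-2025-27219)`. `self.parse`'s body starts outside the hunk.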
diff --git a/SPECS/ruby/CVE-2025-27220.patch b/SPECS/ruby/CVE-2025-27220.patch
new file mode 100644
index 00000000000..2e23967c5a5
--- /dev/null
+++ b/SPECS/ruby/CVE-2025-27220.patch
@@ -0,0 +1,70 @@
+From cd1eb08076c8b8e310d4d553d427763f2577a1b6 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA
+Date: Fri, 21 Feb 2025 15:53:31 +0900
+Subject: [PATCH] Escape/unescape unclosed tags as well
+Upstream Reference : https://github.com/ruby/cgi/commit/cd1eb08076c8b8e310d4d553d427763f2577a1b6
+
+Co-authored-by: Nobuyoshi Nakada
+---
+ lib/cgi/util.rb | 4 ++--
+ test/cgi/test_cgi_util.rb | 18 ++++++++++++++++++
+ 2 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/lib/cgi/util.rb b/lib/cgi/util.rb
+index 4986e54..5f12eae 100644
+--- a/lib/cgi/util.rb
++++ b/lib/cgi/util.rb
+@@ -184,7 +184,7 @@ def unescapeHTML(string)
+ def escapeElement(string, *elements)
+ elements = elements[0] if elements[0].kind_of?(Array)
+ unless elements.empty?
+- string.gsub(/<\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?>/i) do
++ string.gsub(/<\/?(?:#{elements.join("|")})\b[^<>]*+>?/im) do
+ CGI.escapeHTML($&)
+ end
+ else
+@@ -204,7 +204,7 @@ def escapeElement(string, *elements)
+ def unescapeElement(string, *elements)
+ elements = elements[0] if elements[0].kind_of?(Array)
+ unless elements.empty?
+- string.gsub(/<\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?>/i) do
++ string.gsub(/<\/?(?:#{elements.join("|")})\b(?>[^&]+|&(?![gl]t;)\w+;)*(?:>)?/im) do
+ unescapeHTML($&)
+ end
+ else
+diff --git a/test/cgi/test_cgi_util.rb b/test/cgi/test_cgi_util.rb
+index b0612fc..bff77f7 100644
+--- a/test/cgi/test_cgi_util.rb
++++ b/test/cgi/test_cgi_util.rb
+@@ -269,6 +269,14 @@ def test_cgi_escapeElement
+ assert_equal("
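Review bot: Both rewritten patterns still splice the element names into the regex unescaped via `#{elements.join("|")}`, so a name containing `|`, `)` or a quantifier — or one that ever originates from request data — alters the pattern instead of being matched literally; this predates the commit, but since the line is being touched anyway `#{elements.map { |e| Regexp.escape(e) }.join("|")}` would close it cheaply in both `escapeElement` and `unescapeElement`. The `m` flag looks redundant now: neither new pattern contains `.`, which is the only thing `/m` changes in Ruby. The `unescapeElement` pattern is shown opening with a literal `<`, which cannot occur in already-escaped input, and the test hunk below is mangled — both suggest this page HTML-decoded the patch (`&lt;`/`&gt;` rendered as `<`/`>`), so compare the file on disk against upstream commit cd1eb08 rather than this rendering. Both methods continue past the hunk.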
<A HREF="url"></A>", escapeElement('
', ["A", "IMG"])) + assert_equal("
<A HREF="url"></A>", escape_element('
', "A", "IMG")) + assert_equal("
<A HREF="url"></A>", escape_element('
', ["A", "IMG"])) ++ ++ assert_equal("<A <A HREF="url"></A>", escapeElement('', "A", "IMG")) ++ assert_equal("<A <A HREF="url"></A>", escapeElement('', ["A", "IMG"])) ++ assert_equal("<A <A HREF="url"></A>", escape_element('', "A", "IMG")) ++ assert_equal("<A <A HREF="url"></A>", escape_element('', ["A", "IMG"])) ++ ++ assert_equal("<A <A ", escapeElement('', unescapeElement(escapeHTML('
'), ["A", "IMG"])) + assert_equal('<BR>', unescape_element(escapeHTML('
'), "A", "IMG")) + assert_equal('<BR>', unescape_element(escapeHTML('
'), ["A", "IMG"])) ++ ++ assert_equal('', unescapeElement(escapeHTML(''), "A", "IMG")) ++ assert_equal('', unescapeElement(escapeHTML(''), ["A", "IMG"])) ++ assert_equal('', unescape_element(escapeHTML(''), "A", "IMG")) ++ assert_equal('', unescape_element(escapeHTML(''), ["A", "IMG"])) ++ ++ assert_equal(' +Date: Mon, 10 Mar 2025 05:51:28 +0000 +Subject: [PATCH] CVE-2025-27221 + +Upstream Reference : https://github.com/ruby/uri/pull/155 +--- + lib/uri/generic.rb | 15 +++++++-------- + test/uri/test_generic.rb | 18 ++++++++++++++++++ + 2 files changed, 25 insertions(+), 8 deletions(-) + +diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb +index f3540a2..2c0a88d 100644 +--- a/lib/uri/generic.rb ++++ b/lib/uri/generic.rb +@@ -1133,17 +1133,16 @@ module URI + base.fragment=(nil) + + # RFC2396, Section 5.2, 4) +- if !authority +- base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path +- else +- # RFC2396, Section 5.2, 4) +- base.set_path(rel.path) if rel.path ++ if authority ++ base.set_userinfo(rel.userinfo) ++ base.set_host(rel.host) ++ base.set_port(rel.port || base.default_port) ++ base.set_path(rel.path) ++ elsif base.path && rel.path ++ base.set_path(merge_path(base.path, rel.path)) + end + + # RFC2396, Section 5.2, 7) +- base.set_userinfo(rel.userinfo) if rel.userinfo +- base.set_host(rel.host) if rel.host +- base.set_port(rel.port) if rel.port + base.query = rel.query if rel.query + base.fragment=(rel.fragment) if rel.fragment + +diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb +index e661937..1a70dd4 100644 +--- a/test/uri/test_generic.rb ++++ b/test/uri/test_generic.rb +@@ -164,6 +164,17 @@ class URI::TestGeneric < Test::Unit::TestCase + # must be empty string to identify as path-abempty, not path-absolute + assert_equal('', url.host) + assert_equal('http:////example.com', url.to_s) ++ ++ # sec-2957667 ++ url = URI.parse('http://user:pass@example.com').merge('//example.net') ++ assert_equal('http://example.net', url.to_s) ++ 
assert_nil(url.userinfo) ++ url = URI.join('http://user:pass@example.com', '//example.net') ++ assert_equal('http://example.net', url.to_s) ++ assert_nil(url.userinfo) ++ url = URI.parse('http://user:pass@example.com') + '//example.net' ++ assert_equal('http://example.net', url.to_s) ++ assert_nil(url.userinfo) + end + + def test_parse_scheme_with_symbols +@@ -256,6 +267,13 @@ class URI::TestGeneric < Test::Unit::TestCase + assert_equal(u0, u1) + end + ++ def test_merge_authority ++ u = URI.parse('http://user:pass@example.com:8080') ++ u0 = URI.parse('http://new.example.org/path') ++ u1 = u.merge('//new.example.org/path') ++ assert_equal(u0, u1) ++ end ++ + def test_route + url = URI.parse('http://hoge/a.html').route_to('http://hoge/b.html') + assert_equal('b.html', url.to_s) +-- +2.45.2 + diff --git a/SPECS/ruby/ruby.spec b/SPECS/ruby/ruby.spec index 3ef3be440b3..88bd8c80ba1 100644 --- a/SPECS/ruby/ruby.spec +++ b/SPECS/ruby/ruby.spec @@ -83,7 +83,7 @@ Name: ruby # provides should be versioned according to the ruby version. # More info: https://stdgems.org/ Version: 3.1.4 -Release: 8%{?dist} +Release: 9%{?dist} License: (Ruby OR BSD) AND Public Domain AND MIT AND CC0 AND zlib AND UCD Vendor: Microsoft Corporation Distribution: Mariner @@ -108,6 +108,9 @@ Patch4: CVE-2024-35176.patch Patch5: CVE-2024-41946.patch # Patch no longer needed if REXML gem is 3.3.9 or later. Now is 3.2.5 Patch6: CVE-2024-49761.patch +Patch7: CVE-2025-27219.patch +Patch8: CVE-2025-27220.patch +Patch9: CVE-2025-27221.patch BuildRequires: openssl-devel BuildRequires: readline BuildRequires: readline-devel @@ -410,6 +413,9 @@ sudo -u test make test TESTS="-v" %{_rpmconfigdir}/rubygems.con %changelog +* Mon Mar 10 2025 Kanishk Bansal - 3.1.4-9 +- Patch CVE-2025-27219, CVE-2025-27220, CVE-2025-27221 + * Mon Nov 04 2024 Saul Paredes - 3.1.4-8 - Patch CVE-2024-49761
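Review bot: `Patch7`–`Patch9` are added without the retirement note that `Patch6` carries (`# Patch no longer needed if REXML gem is 3.3.9 or later...`), so whoever next bumps the bundled gems has no cue for when these three can be dropped. Per the upstream advisories — verify before committing — the cgi fixes ship in cgi 0.3.5.1 / 0.4.2 and the uri fix in uri 0.11.3 / 0.12.4 / 0.13.2 / 1.0.3, so a line above `Patch7` such as `# Patches 7-8 not needed once bundled cgi >= 0.3.5.1 (or 0.4.2); Patch 9 once bundled uri >= 0.12.4 (check the series 3.1.4 ships)` would mirror the existing convention. The `%check` target visible in the third hunk header runs `make test`, which as far as I know is Ruby's bootstrap suite rather than `test-all`, so the test hunks vendored in the CVE-2025-27220 and CVE-2025-27221 patches probably never execute in this build — either confirm they do or note in the spec that they are carried for fidelity only. The changelog hunk is cut off at the end of the page.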