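--- a/SPECS/ruby/CVE-2025-27219.patch
+++ b/SPECS/ruby/CVE-2025-27219.patch
@@ -0,0 +1,29 @@
+From 9907b76dad0777ee300de236dad4b559e07596ab Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Fri, 21 Feb 2025 16:01:17 +0900
+Subject: [PATCH] Use String#concat instead of String#+ for reducing cpu usage
+
+Upstream Reference : https://github.com/ruby/cgi/commit/9907b76dad0777ee300de236dad4b559e07596ab
+
+Co-authored-by: "Yusuke Endoh" <mame@ruby-lang.org>
+---
+lib/cgi/cookie.rb | 5 +++--
+1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/cgi/cookie.rb b/lib/cgi/cookie.rb
+index 9498e2f..1c4ef6a 100644
+--- a/lib/cgi/cookie.rb
++++ b/lib/cgi/cookie.rb
+@@ -190,9 +190,10 @@ def self.parse(raw_cookie)
+values ||= ""
+values = values.split('&').collect{|v| CGI.unescape(v,@@accept_charset) }
+if cookies.has_key?(name)
+- values = cookies[name].value + values
++ cookies[name].concat(values)
++ else
++ cookies[name] = Cookie.new(name, *values)
+end
+- cookies[name] = Cookie.new(name, *values)
+end
+
+cookies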
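Review bot: The repeated-name branch in `self.parse` has no comment saying why it now appends in place, and the patch subject says `String#concat` although the receiver is `cookies[name]`, a cookie object rather than a string. Without that context a later cleanup could plausibly restore the rebuild-per-duplicate form, which the subject line says was the source of the CPU cost when a request header repeats one cookie name many times. I would add a comment above the call, e.g. `# append in place: rebuilding the Cookie for every repeated name copies all earlier values again`, and name the CVE id in the patch header, which currently cites only the upstream commit. No regression test for a header with many repeated names accompanies the patch; `self.parse` starts and ends outside the hunk.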
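--- a/SPECS/ruby/CVE-2025-27220.patch
+++ b/SPECS/ruby/CVE-2025-27220.patch
@@ -0,0 +1,70 @@
+From cd1eb08076c8b8e310d4d553d427763f2577a1b6 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Fri, 21 Feb 2025 15:53:31 +0900
+Subject: [PATCH] Escape/unescape unclosed tags as well
+Upstream Reference : https://github.com/ruby/cgi/commit/cd1eb08076c8b8e310d4d553d427763f2577a1b6
+
+Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
+---
+lib/cgi/util.rb | 4 ++--
+test/cgi/test_cgi_util.rb | 18 ++++++++++++++++++
+2 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/lib/cgi/util.rb b/lib/cgi/util.rb
+index 4986e54..5f12eae 100644
+--- a/lib/cgi/util.rb
++++ b/lib/cgi/util.rb
+@@ -184,7 +184,7 @@ def unescapeHTML(string)
+def escapeElement(string, *elements)
+elements = elements[0] if elements[0].kind_of?(Array)
+unless elements.empty?
+- string.gsub(/<\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?>/i) do
++ string.gsub(/<\/?(?:#{elements.join("|")})\b[^<>]*+>?/im) do
+CGI.escapeHTML($&)
+end
+else
+@@ -204,7 +204,7 @@ def escapeElement(string, *elements)
+def unescapeElement(string, *elements)
+elements = elements[0] if elements[0].kind_of?(Array)
+unless elements.empty?
+- string.gsub(/&lt;\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?&gt;/i) do
++ string.gsub(/&lt;\/?(?:#{elements.join("|")})\b(?>[^&]+|&(?![gl]t;)\w+;)*(?:&gt;)?/im) do
+unescapeHTML($&)
+end
+else
+diff --git a/test/cgi/test_cgi_util.rb b/test/cgi/test_cgi_util.rb
+index b0612fc..bff77f7 100644
+--- a/test/cgi/test_cgi_util.rb
++++ b/test/cgi/test_cgi_util.rb
+@@ -269,6 +269,14 @@ def test_cgi_escapeElement
+assert_equal("<BR>&lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escapeElement('<BR><A HREF="url"></A>', ["A", "IMG"]))
+assert_equal("<BR>&lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<BR><A HREF="url"></A>', "A", "IMG"))
+assert_equal("<BR>&lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<BR><A HREF="url"></A>', ["A", "IMG"]))
++
++ assert_equal("&lt;A &lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escapeElement('<A <A HREF="url"></A>', "A", "IMG"))
++ assert_equal("&lt;A &lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escapeElement('<A <A HREF="url"></A>', ["A", "IMG"]))
++ assert_equal("&lt;A &lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<A <A HREF="url"></A>', "A", "IMG"))
++ assert_equal("&lt;A &lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<A <A HREF="url"></A>', ["A", "IMG"]))
++
++ assert_equal("&lt;A &lt;A ", escapeElement('<A <A ', "A", "IMG"))
++ assert_equal("&lt;A &lt;A ", escapeElement('<A <A ', ["A", "IMG"]))
+end
+
+
+@@ -277,6 +285,16 @@ def test_cgi_unescapeElement
+assert_equal('&lt;BR&gt;<A HREF="url"></A>', unescapeElement(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))
+assert_equal('&lt;BR&gt;<A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), "A", "IMG"))
+assert_equal('&lt;BR&gt;<A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))
++
++ assert_equal('<A <A HREF="url"></A>', unescapeElement(escapeHTML('<A <A HREF="url"></A>'), "A", "IMG"))
++ assert_equal('<A <A HREF="url"></A>', unescapeElement(escapeHTML('<A <A HREF="url"></A>'), ["A", "IMG"]))
++ assert_equal('<A <A HREF="url"></A>', unescape_element(escapeHTML('<A <A HREF="url"></A>'), "A", "IMG"))
++ assert_equal('<A <A HREF="url"></A>', unescape_element(escapeHTML('<A <A HREF="url"></A>'), ["A", "IMG"]))
++
++ assert_equal('<A <A ', unescapeElement(escapeHTML('<A <A '), "A", "IMG"))
++ assert_equal('<A <A ', unescapeElement(escapeHTML('<A <A '), ["A", "IMG"]))
++ assert_equal('<A <A ', unescape_element(escapeHTML('<A <A '), "A", "IMG"))
++ assert_equal('<A <A ', unescape_element(escapeHTML('<A <A '), ["A", "IMG"]))
+end
+end
+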
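Review bot: Element names are still interpolated into the pattern unescaped through `elements.join("|")` in both `escapeElement` and `unescapeElement`, so a name containing regex metacharacters changes what is matched and can undo the bounded matching that the new `[^<>]*+` and `(?>...)` forms give. This only matters if a caller passes names that are not literals, which the hunks do not show. Escaping at the join keeps the `/i` flag in effect: `elements.map { |e| Regexp.escape(e) }.join("|")`. The added tests pin the new unclosed-tag output, but none runs a long unterminated input under a time bound, so the regex's cost on such input is not guarded against regression.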
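--- a/SPECS/ruby/CVE-2025-27221.patch
+++ b/SPECS/ruby/CVE-2025-27221.patch
@@ -0,0 +1,79 @@
+From b810324045d68969f1a7fb2113a0eeba6bcb5e34 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Mon, 10 Mar 2025 05:51:28 +0000
+Subject: [PATCH] CVE-2025-27221
+
+Upstream Reference : https://github.com/ruby/uri/pull/155
+---
+lib/uri/generic.rb | 15 +++++++--------
+test/uri/test_generic.rb | 18 ++++++++++++++++++
+2 files changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
+index f3540a2..2c0a88d 100644
+--- a/lib/uri/generic.rb
++++ b/lib/uri/generic.rb
+@@ -1133,17 +1133,16 @@ module URI
+base.fragment=(nil)
+
+# RFC2396, Section 5.2, 4)
+- if !authority
+- base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path
+- else
+- # RFC2396, Section 5.2, 4)
+- base.set_path(rel.path) if rel.path
++ if authority
++ base.set_userinfo(rel.userinfo)
++ base.set_host(rel.host)
++ base.set_port(rel.port || base.default_port)
++ base.set_path(rel.path)
++ elsif base.path && rel.path
++ base.set_path(merge_path(base.path, rel.path))
+end
+
+# RFC2396, Section 5.2, 7)
+- base.set_userinfo(rel.userinfo) if rel.userinfo
+- base.set_host(rel.host) if rel.host
+- base.set_port(rel.port) if rel.port
+base.query = rel.query if rel.query
+base.fragment=(rel.fragment) if rel.fragment
+
+diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
+index e661937..1a70dd4 100644
+--- a/test/uri/test_generic.rb
++++ b/test/uri/test_generic.rb
+@@ -164,6 +164,17 @@ class URI::TestGeneric < Test::Unit::TestCase
+# must be empty string to identify as path-abempty, not path-absolute
+assert_equal('', url.host)
+assert_equal('http:////example.com', url.to_s)
++
++ # sec-2957667
++ url = URI.parse('http://user:pass@example.com').merge('//example.net')
++ assert_equal('http://example.net', url.to_s)
++ assert_nil(url.userinfo)
++ url = URI.join('http://user:pass@example.com', '//example.net')
++ assert_equal('http://example.net', url.to_s)
++ assert_nil(url.userinfo)
++ url = URI.parse('http://user:pass@example.com') + '//example.net'
++ assert_equal('http://example.net', url.to_s)
++ assert_nil(url.userinfo)
+end
+
+def test_parse_scheme_with_symbols
+@@ -256,6 +267,13 @@ class URI::TestGeneric < Test::Unit::TestCase
+assert_equal(u0, u1)
+end
+
++ def test_merge_authority
++ u = URI.parse('http://user:pass@example.com:8080')
++ u0 = URI.parse('http://new.example.org/path')
++ u1 = u.merge('//new.example.org/path')
++ assert_equal(u0, u1)
++ end
++
+def test_route
+url = URI.parse('http://hoge/a.html').route_to('http://hoge/b.html')
+assert_equal('b.html', url.to_s)
+--
+2.45.2
+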
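Review bot: This patch cites a pull request (`ruby/uri/pull/155`) as its upstream reference and carries the packager in `From:`, whereas the two sibling patches pin an upstream commit hash, so a later reviewer cannot check this backport line-for-line against what upstream merged. I would add the commit to the header, e.g. `Upstream Reference : https://github.com/ruby/uri/commit/<upstream-commit-sha>`. In the `lib/uri/generic.rb` hunk the authority branch now calls `base.set_path(rel.path)` without the old `if rel.path` guard, and the added tests only merge references that have a bare host. A test merging a reference that carries its own userinfo and port would confirm that the base's credentials are replaced rather than mixed with the new host. The enclosing method starts and ends outside the hunk.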
8 changes: 7 additions & 1 deletion SPECS/ruby/ruby.spec
Expand Up @@ -83,7 +83,7 @@ Name: ruby
# provides should be versioned according to the ruby version.
# More info: https://stdgems.org/
Version: 3.1.4
Release: 8%{?dist}
Release: 9%{?dist}
License: (Ruby OR BSD) AND Public Domain AND MIT AND CC0 AND zlib AND UCD
Vendor: Microsoft Corporation
Distribution: Mariner
Expand All @@ -108,6 +108,9 @@ Patch4: CVE-2024-35176.patch
Patch5: CVE-2024-41946.patch
# Patch no longer needed if REXML gem is 3.3.9 or later. Now is 3.2.5
Patch6: CVE-2024-49761.patch
Patch7: CVE-2025-27219.patch
Patch8: CVE-2025-27220.patch
Patch9: CVE-2025-27221.patch
BuildRequires: openssl-devel
BuildRequires: readline
BuildRequires: readline-devel
Expand Down Expand Up @@ -410,6 +413,9 @@ sudo -u test make test TESTS="-v"
%{_rpmconfigdir}/rubygems.con

%changelog
* Mon Mar 10 2025 Kanishk Bansal <kanbansal@microsoft.com> - 3.1.4-9
- Patch CVE-2025-27219, CVE-2025-27220, CVE-2025-27221

* Mon Nov 04 2024 Saul Paredes <saulparedes@microsoft.com> - 3.1.4-8
- Patch CVE-2024-49761

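Review bot: `Patch7` to `Patch9` are added without the kind of obsolescence comment the file already uses for the REXML patches (`# Patch no longer needed if REXML gem is 3.3.9 or later`), so nothing tells the next rebase when they can be dropped. I would add a line above them such as `# Patch7-8 no longer needed once the bundled cgi gem is <fixed cgi version> or later; Patch9 once uri is <fixed uri version> or later`. The `%prep` section is outside the visible hunks, so it is worth confirming that the new patches are applied there and not only declared.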