diff --git a/CVE-2024-45614.patch b/CVE-2024-45614.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6ce964c9bbcdaedfd031809037b19b72509857fa
--- /dev/null
+++ b/CVE-2024-45614.patch
@@ -0,0 +1,95 @@
+From f196b23be24712fb8fb16051cc124798cc84f70e Mon Sep 17 00:00:00 2001
+From: Evan Phoenix
+Date: Wed, 18 Sep 2024 21:56:07 -0700
+Subject: [PATCH] Merge commit from fork
+
+Refer:
+https://bugzilla.suse.com/attachment.cgi?id=877575
+https://github.com/puma/puma/commit/f196b23be24712fb8fb16051cc124798cc84f70e
+
+* Prevent underscores from clobbering hyphen headers
+
+* Special case encoding headers to prevent app confusion
+
+* Handle _ as , in jruby as well
+
+* Silence RuboCop offense
+
+---------
+
+Co-authored-by: Patrik Ragnarsson
+
+---
+ ext/puma_http11/org/jruby/puma/Http11.java | 2 ++
+ lib/puma/const.rb | 5 +++++
+ lib/puma/server.rb | 11 +++++++++--
+ 3 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/ext/puma_http11/org/jruby/puma/Http11.java b/ext/puma_http11/org/jruby/puma/Http11.java
+index 59dde37..25573ad 100644
+--- a/ext/puma_http11/org/jruby/puma/Http11.java
++++ b/ext/puma_http11/org/jruby/puma/Http11.java
+@@ -91,6 +91,8 @@ public class Http11 extends RubyObject {
+ for(int i = 0,j = b.length();i true,
++ "HTTP_CONTENT,LENGTH" => true,
++ }
+ end
+ end
+diff --git a/lib/puma/server.rb b/lib/puma/server.rb
+index 7871c91..35b4099 100644
+--- a/lib/puma/server.rb
++++ b/lib/puma/server.rb
+@@ -681,23 +681,30 @@ module Puma
+ to_add = nil
+
+ env.each do |k,v|
+- if k.start_with?("HTTP_") and k.include?(",") and k != "HTTP_TRANSFER,ENCODING"
++ if k.start_with?("HTTP_") && k.include?(",") && !UNMASKABLE_HEADERS.key?(k)
+ if to_delete
+ to_delete << k
+ else
+ to_delete = [k]
+ end
+
++ new_k = k.gsub(",", "_")
++ if env.key?(new_k)
++ next
++ end
++
+ unless to_add
+ to_add = {}
+ end
+
+- to_add[k.gsub(",", "_")] = v
++ to_add[new_k] = v
+ end
+ end
+
+ if to_delete
+ to_delete.each { |k| env.delete(k) }
++ end
++ if to_add
+ env.merge! to_add
+ end
+
+--
+2.46.0
+
diff --git a/rubygem-puma.spec b/rubygem-puma.spec
index 0440dfa2df0f9783a6d32ec13fc718835d672efe..1cf4571027ee17cde47e69e2a40a405005171d8a 100644
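Review bot: As shown here the new patch file is truncated between the Http11.java hunk's `for(int i = 0,j = b.length();i` and the `"HTTP_CONTENT,LENGTH" => true,` line: the rest of that Java loop and the entire `lib/puma/const.rb` file header (which the diffstat says carries 5 insertions) are absent, so the definition of `UNMASKABLE_HEADERS` that the server.rb hunk now references cannot be checked from this page. This looks like a rendering artifact (the `<` in the loop condition being swallowed) rather than a defect in the commit, but the committed file should be verified intact against the upstream commit f196b23 named in its header, for example by confirming that `%patch4 -p1` applies all three files and that `UNMASKABLE_HEADERS` resolves inside `Puma::Server` at build time. The hunk contexts (`@@ -681,23 +681,30 @@ module Puma`) are taken from the upstream tree rather than from 3.12.6, so an offset or fuzz on apply is to be expected and is worth confirming rather than assuming.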
--- a/rubygem-puma.spec
+++ b/rubygem-puma.spec
@@ -2,7 +2,7 @@
 %bcond_with ragel
 Name: rubygem-%{gem_name}
 Version: 3.12.6
-Release: 3
+Release: 4
 Summary: A simple, fast, threaded, and highly concurrent HTTP 1.1 server
 License: BSD
 URL: http://puma.io
@@ -16,6 +16,7 @@
 Patch1: CVE-2021-29509.patch
 Patch2: CVE-2021-41136.patch
 # https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb
 Patch3: CVE-2022-23634.patch
+Patch4: CVE-2024-45614.patch
 BuildRequires: openssl-devel ruby(release) rubygems-devel ruby-devel rubygem(rack)
 BuildRequires: rubygem(minitest)
@@ -40,6 +41,7 @@ Documentation for %{name}.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 %if %{with ragel}
 rm -f ext/puma_http11/http11_parser.c
@@ -106,6 +108,9 @@ popd
 %{gem_instdir}/tools
 %changelog
+* Fri Sep 27 2024 wangkai <13474090681@163.com> - 3.12.6-4
+- Fix CVE-2024-45614
+
 * Tue Dec 19 2023 yaoxin - 3.12.6-3
 - Fix CVE-2021-41136 and CVE-2022-23634
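Review bot: `Patch4: CVE-2024-45614.patch` in the second hunk is declared without the upstream-commit comment that precedes `Patch3:`, so a reader of the spec has to open the patch file to learn where the fix comes from. For consistency with the existing `# https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb` line, add `# https://github.com/puma/puma/commit/f196b23be24712fb8fb16051cc124798cc84f70e` immediately above the new `Patch4:` line; that id is the one the patch's own `From` header carries. The changelog entry in the last hunk would likewise be easier to audit if it named what is fixed, e.g. `- Fix CVE-2024-45614: underscore headers clobbering hyphen headers (upstream f196b23)`.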