diff --git a/CVE-2025-59830.patch b/CVE-2025-59830.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9206a49994fee7434da8cf3196960cd836700513
--- /dev/null
+++ b/CVE-2025-59830.patch
@@ -0,0 +1,41 @@
+From 54e4ffdd5affebcb0c015cc6ae74635c0831ed71 Mon Sep 17 00:00:00 2001
+From: Jeremy Evans
+Date: Thu, 25 Sep 2025 17:51:18 +0900
+Subject: [PATCH] Unbounded parameter parsing in `Rack::QueryParser`.
+
+---
+ CHANGELOG.md | 4 ++++
+ lib/rack/query_parser.rb | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG.md b/CHANGELOG.md
+index 80f57c9..d99af35 100644
+--- a/CHANGELOG.md
++++ b/CHANGELOG.md
+@@ -2,6 +2,10 @@
+ 
+ All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
+ +++## [2.2.18] - 2025-09-25
++
++- [CVE-2025-59830](https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion via semicolon-separated parameters.
++
+ ## [2.2.3.1] - 2022-05-27
+ 
+ - [CVE-2022-30123] Fix shell escaping issue in Common Logger
+diff --git a/lib/rack/query_parser.rb b/lib/rack/query_parser.rb
+index 4a02e37..f28d5be 100644
+--- a/lib/rack/query_parser.rb
++++ b/lib/rack/query_parser.rb
+@@ -187,7 +187,7 @@ module Rack
+ raise QueryLimitError, "total query size (#{qs.bytesize}) exceeds limit (#{@bytesize_limit})"
+ end
+ 
+- if (param_count = qs.count(sep.is_a?(String) ? sep : '&')) >= @params_limit
++ if (param_count = qs.count(sep.is_a?(String) ? sep : '&;')) >= @params_limit
+ raise QueryLimitError, "total number of query parameters (#{param_count+1}) exceeds limit (#{@params_limit})"
+ end
+ 
+--
+2.46.0
+
diff --git a/CVE-2025-61919.patch b/CVE-2025-61919.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ab7672b77c61c13fc3191f5c98b7d8079ec11edf
--- /dev/null
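Review bot: Inside this patch the CHANGELOG.md hunk line reads `+++## [2.2.18] - 2025-09-25` while its three sibling added lines (`++`, `++- [CVE-2025-59830]…`, `++`) carry two markers; if that third `+` is really in the file rather than a rendering artifact, the backport will either insert a heading that starts with a literal `+` or fail to apply, and the second patch's CHANGELOG hunk is generated against this result (`index d99af35`), so it should be checked before the build. The code change itself is sound: `qs.count('&;')` counts both characters as separators when no String separator is supplied, presumably matching what the parser's default separator splits on, so the pre-parse parameter limit can no longer be sidestepped with `;`-separated pairs. When a caller passes its own String separator only that character is counted, which is consistent with how the string is then split.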
+++ b/CVE-2025-61919.patch 
@@ -0,0 +1,67 @@
+From 4e2c903991a790ee211a3021808ff4fd6fe82881 Mon Sep 17 00:00:00 2001
+From: Samuel Williams
+Date: Thu, 9 Oct 2025 20:38:58 +1300
+Subject: [PATCH] Unbounded read in `Rack::Request` form parsing can lead to
+ memory exhaustion.
+
+- Limit read to `query_parser.bytesize_limit`.
+---
+ CHANGELOG.md | 2 ++
+ lib/rack/query_parser.rb | 4 +++-
+ lib/rack/request.rb | 5 ++++-
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/CHANGELOG.md b/CHANGELOG.md
+index d99af35..336ca2a 100644
+--- a/CHANGELOG.md
++++ b/CHANGELOG.md
+@@ -6,6 +6,8 @@ All notable changes to this project will be documented in this file. For info on
+ 
+ - [CVE-2025-59830](https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion via semicolon-separated parameters.
+ 
++- [CVE-2025-61919](https://github.com/advisories/GHSA-6xw4-3v39-52mm) Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion.
++
+ ## [2.2.3.1] - 2022-05-27
+ 
+ - [CVE-2022-30123] Fix shell escaping issue in Common Logger
+diff --git a/lib/rack/query_parser.rb b/lib/rack/query_parser.rb
+index f28d5be..4afe023 100644
+--- a/lib/rack/query_parser.rb
++++ b/lib/rack/query_parser.rb
+@@ -50,6 +50,8 @@ module Rack
+ PARAMS_LIMIT = env_int.call("RACK_QUERY_PARSER_PARAMS_LIMIT", 4096)
+ private_constant :PARAMS_LIMIT
+ 
++ attr_reader :bytesize_limit
++
+ def initialize(params_class, key_space_limit, param_depth_limit, bytesize_limit: BYTESIZE_LIMIT, params_limit: PARAMS_LIMIT)
+ @params_class = params_class
+ @key_space_limit = key_space_limit
+@@ -184,7 +186,7 @@ module Rack
+ def check_query_string(qs, sep)
+ if qs
+ if qs.bytesize > @bytesize_limit
+- raise QueryLimitError, "total query size (#{qs.bytesize}) exceeds limit (#{@bytesize_limit})"
++ raise QueryLimitError, "total query size exceeds limit (#{@bytesize_limit})"
+ end
+ 
+ if (param_count = qs.count(sep.is_a?(String) ? 
sep : '&;')) >= @params_limit
+diff --git a/lib/rack/request.rb b/lib/rack/request.rb
+index cb715f6..630843a 100644
+--- a/lib/rack/request.rb
++++ b/lib/rack/request.rb
+@@ -444,7 +444,10 @@ module Rack
+ get_header(RACK_REQUEST_FORM_HASH)
+ elsif form_data? || parseable_data?
+ unless set_header(RACK_REQUEST_FORM_HASH, parse_multipart)
+- form_vars = get_header(RACK_INPUT).read
++ # Add 2 bytes. One to check whether it is over the limit, and a second
++ # in case the slice! call below removes the last byte
++ # If read returns nil, use the empty string
++ form_vars = get_header(RACK_INPUT).read(query_parser.bytesize_limit + 2) || ''
+ 
+ # Fix for Safari Ajax postings that always append \0
+ # form_vars.sub!(/\0\z/, '') # performance replacement:
+--
+2.46.0
+
diff --git a/rubygem-rack.spec b/rubygem-rack.spec
index cab16689c49d4f3dcd012f9cbcae0adec19da8b0..74b6139f61c0c71b3416a21e50c70b44a6f7a0ab 100644
--- a/rubygem-rack.spec
+++ b/rubygem-rack.spec
@@ -4,7 +4,7 @@
 Name: rubygem-%{gem_name}
 Version: 2.2.3.1
 Epoch: 1
-Release: 9
+Release: 10
 Summary: A modular Ruby webserver interface
 License: MIT and BSD
 URL: https://rack.github.io/
@@ -21,6 +21,8 @@
 Patch7: CVE-2025-27610.patch
 Patch8: CVE-2025-27111.patch
 Patch9: CVE-2025-25184.patch
 Patch10: CVE-2025-46727.patch
+Patch11: CVE-2025-59830.patch
+Patch12: CVE-2025-61919.patch
 BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(concurrent-ruby)
 BuildRequires: memcached rubygem(memcache-client) rubygem(minitest)
@@ -110,6 +112,12 @@ popd
 %doc %{gem_instdir}/contrib
 %changelog
+* Sun Sep 28 2025 changtao - 1:2.2.3.1-10
+- Type:CVES
+- ID:CVE-2025-59830 CVE-2025-61919
+- SUG:NA
+- DESC:CVE-2025-59830 CVE-2025-61919
+
 * Wed Aug 20 2025 zouzhimin - 1:2.2.3.1-9
 - Type:CVES
 - ID:CVE-2025-46727
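Review bot: The bounded read in the lib/rack/request.rb hunk, `form_vars = get_header(RACK_INPUT).read(query_parser.bytesize_limit + 2) || ''`, only turns an oversize body into an error because `check_query_string` (patched in the same file set) later raises `QueryLimitError` when the string it receives exceeds `@bytesize_limit`; that check and the `slice!` the new comment refers to are both outside this hunk, so the `+ 2` slack is correct only as long as nothing between the read and the parse drops more than one byte. `query_parser.bytesize_limit` also depends on the `attr_reader :bytesize_limit` this patch adds to `Rack::QueryParser`, so an application that installs a replacement query parser object without that reader will presumably now fail form parsing with NoMethodError rather than the intended limit error, which deserves a line in the package changelog or the patch description. The enclosing method starts and ends outside the hunk.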