From 6eb2fc3d09da6d34df1092441c7a85b86e769308 Mon Sep 17 00:00:00 2001
From: mengwenhua
Date: Thu, 21 Dec 2023 20:45:59 +0800
Subject: [PATCH] fix CVE-2022-44570
Signed-off-by: mengwenhua
---
 backport-CVE-2022-44570.patch | 44 +++++++++++++++++++++++++++++++++++
 rubygem-rack.spec | 9 ++++++-
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-44570.patch
diff --git a/backport-CVE-2022-44570.patch b/backport-CVE-2022-44570.patch
new file mode 100644
index 0000000..ce73b35
--- /dev/null
+++ b/backport-CVE-2022-44570.patch
@@ -0,0 +1,44 @@
+From f6d4f528f2df1318a6612845db0b59adc7fe8fc1 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson
+Date: Tue, 17 Jan 2023 12:04:37 -0800
+Subject: [PATCH] Fix ReDoS in Rack::Utils.get_byte_ranges
+
+This commit fixes a ReDoS problem in `get_byte_ranges`. Thanks
+@ooooooo_q for the patch!
+
+[CVE-2022-44570]
+---
+ lib/rack/utils.rb | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
+index 34849ded..14d9e17d 100644
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -348,17 +348,18 @@ module Rack
+ return nil unless http_range && http_range =~ /bytes=([^;]+)/
+ ranges = []
+ $1.split(/,\s*/).each do |range_spec|
+- return nil unless range_spec =~ /(\d*)-(\d*)/
+- r0, r1 = $1, $2
+- if r0.empty?
+- return nil if r1.empty?
++ return nil unless range_spec.include?('-')
++ range = range_spec.split('-')
++ r0, r1 = range[0], range[1]
++ if r0.nil? || r0.empty?
++ return nil if r1.nil?
+ # suffix-byte-range-spec, represents trailing suffix of file
+ r0 = size - r1.to_i
+ r0 = 0 if r0 < 0
+ r1 = size - 1
+ else
+ r0 = r0.to_i
+- if r1.empty?
++ if r1.nil?
+ r1 = size - 1
+ else
+ r1 = r1.to_i
+--
+2.39.0.windows.2
+
diff --git a/rubygem-rack.spec b/rubygem-rack.spec
index 9e40b05..23d26e9 100644
--- a/rubygem-rack.spec
+++ b/rubygem-rack.spec
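Review bot: Replacing the `(\d*)-(\d*)` match with `range_spec.split('-')` removes the ReDoS but also loosens validation: for a spec such as `abc-def` the old (unanchored) regex matched only the hyphen with both groups empty, so `r0.empty?` then `r1.empty?` returned nil, whereas the new code takes `r0 = 'abc'`, falls into the else branch and passes both halves through `to_i`, which silently maps non-digit text to 0 (and a spec with several hyphens has its third and later segments dropped). If the digits-or-empty contract of the removed regex is meant to survive, an anchored test such as `return nil unless range_spec.match?(/\A\d*-\d*\z/)` in place of the `include?('-')` check is linear in the input length (single start position, no nested quantifier) while rejecting such specs up front. Whether the out-of-range halves are later caught depends on the rest of `get_byte_ranges`, which continues outside the hunk; this is also the upstream commit carried verbatim as a backport, so any tightening here would be a downstream deviation to be weighed against staying identical to upstream.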
@@ -3,11 +3,14 @@ Name: rubygem-%{gem_name}
 Version: 2.2.3.1
 Epoch: 1
-Release: 1
+Release: 2
 Summary: A modular Ruby webserver interface
 License: MIT and BSD
 URL: https://rack.github.io/
 Source0: https://rubygems.org/downloads/%{gem_name}-%{version}.gem
+
+Patch6000: backport-CVE-2022-44570.patch
+
 BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 memcached
 BuildArch: noarch
@@ -33,6 +36,7 @@ Documentation for %{name}.
 %prep
 %setup -q -n %{gem_name}-%{version}
+%patch6000 -p1
 %build
 gem build ../%{gem_name}-%{version}.gemspec
@@ -90,6 +94,9 @@ popd
 %doc %{gem_instdir}/contrib
 %changelog
+* Thu Dec 21 2023 mengwenhua - 1:2.2.3.1-2
+- fix CVE-2022-44570
+
 * Tue Jun 28 2022 wangkai - 1:2.2.3.1-1
 - Upgrade to 2.2.3.1 for fix CVE-2020-8184 CVE-2022-30122 CVE-2022-30123
--
Gitee