diff --git a/Fix-CVE-2024-25126.patch b/Fix-CVE-2024-25126.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4acac33533ada62535fb8048a3e42b6e21df6de5
--- /dev/null
+++ b/Fix-CVE-2024-25126.patch
@@ -0,0 +1,51 @@
+From d9c163a443b8cadf4711d84bd2c58cb9ef89cf49 Mon Sep 17 00:00:00 2001
+From: Jean Boussier
+Date: Wed, 6 Dec 2023 18:32:19 +0100
+Subject: [PATCH] Avoid 2nd degree polynomial regexp in MediaType
+
+---
+ lib/rack/media_type.rb | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/lib/rack/media_type.rb b/lib/rack/media_type.rb
+index 41937c99..7fc1e39d 100644
+--- a/lib/rack/media_type.rb
++++ b/lib/rack/media_type.rb
+@@ -4,7 +4,7 @@ module Rack
+ # Rack::MediaType parse media type and parameters out of content_type string
+
+ class MediaType
+- SPLIT_PATTERN = %r{\s*[;,]\s*}
++ SPLIT_PATTERN = /[;,]/
+
+ class << self
+ # The media type (type/subtype) portion of the CONTENT_TYPE header
+@@ -15,7 +15,11 @@ module Rack
+ # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7
+ def type(content_type)
+ return nil unless content_type
+- content_type.split(SPLIT_PATTERN, 2).first.tap &:downcase!
++ if type = content_type.split(SPLIT_PATTERN, 2).first
++ type.rstrip!
++ type.downcase!
++ type
++ end
+ end
+
+ # The media type parameters provided in CONTENT_TYPE as a Hash, or
+@@ -27,9 +31,10 @@ module Rack
+ return {} if content_type.nil?
+
+ content_type.split(SPLIT_PATTERN)[1..-1].each_with_object({}) do |s, hsh|
++ s.strip!
+ k, v = s.split('=', 2)
+-
+- hsh[k.tap(&:downcase!)] = strip_doublequotes(v)
++ k.downcase!
++ hsh[k] = strip_doublequotes(v)
+ end
+ end
+
+--
+2.25.1
+
diff --git a/Fix-CVE-2024-26141.patch b/Fix-CVE-2024-26141.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c388ec35d2bf3b2626f39c9912df10cff5b90f0c
--- /dev/null
+++ b/Fix-CVE-2024-26141.patch
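Review bot: `k.downcase!` on the new line in `params` still raises `NoMethodError` for an empty parameter segment: `"text/html;;charset=utf-8".split(SPLIT_PATTERN)` yields `""` as the second element, `"".split('=', 2)` is `[]`, so `k` is `nil` and a malformed client `Content-Type` becomes an exception in the application instead of being ignored (the removed `k.tap(&:downcase!)` failed the same way, so this is pre-existing rather than a regression of the patch). A guard such as `next if s.empty?` directly after `s.strip!` keeps the parser total on hostile input; `type` is already total now, since an empty string gives `first == nil` and the `if` returns `nil` where the old code raised. One small behavioural difference worth a comment: `rstrip!`/`strip!` also remove trailing NUL bytes, which the old `\s*` pattern never matched. The signature of `params` is above the hunk.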
@@ -0,0 +1,30 @@
+From 72ecb3f4e05b2fc0a5073d23fd178686818eb958 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson
+Date: Tue, 13 Feb 2024 13:34:34 -0800
+Subject: [PATCH] Return an empty array when ranges are too large
+
+If the sum of the requested ranges is larger than the file itself,
+return an empty array. In other words, refuse to respond with any bytes.
+
+[CVE-2024-26141]
+---
+ lib/rack/utils.rb | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
+index ca6182c..199312f 100644
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -379,6 +379,9 @@ module Rack
+ end
+ ranges << (r0..r1) if r0 <= r1
+ end
++
++ return [] if ranges.map(&:size).sum > size
++
+ ranges
+ end
+
+--
+2.43.0
+
diff --git a/Fix-CVE-2024-26146.patch b/Fix-CVE-2024-26146.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c1775b4e1e122f54a6b15f5ea874e20cb885540f
--- /dev/null
+++ b/Fix-CVE-2024-26146.patch
@@ -0,0 +1,30 @@
+From e4c117749ba24a66f8ec5a08eddf68deeb425ccd Mon Sep 17 00:00:00 2001
+From: Aaron Patterson
+Date: Wed, 21 Feb 2024 11:05:06 -0800
+Subject: [PATCH] Fixing ReDoS in header parsing
+
+Thanks svalkanov
+
+[CVE-2024-26146]
+---
+ lib/rack/utils.rb | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
+index c8e61ea1..0ed64b7a 100644
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -142,8 +142,8 @@ module Rack
+ end
+
+ def q_values(q_value_header)
+- q_value_header.to_s.split(/\s*,\s*/).map do |part|
+- value, parameters = part.split(/\s*;\s*/, 2)
++ q_value_header.to_s.split(',').map do |part|
++ value, parameters = part.split(';', 2).map(&:strip)
+ quality = 1.0
+ if parameters && (md = /\Aq=([\d.]+)/.match(parameters))
+ quality = md[1].to_f
+--
+2.25.1
+
diff --git a/rubygem-rack.spec b/rubygem-rack.spec
index 7bf9359341112510a4ef9a562917c331d5a3b4ed..20c60a7381163574a7fb2bca3c03ad8ca39ec2ef 100644
--- a/rubygem-rack.spec
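Review bot: The new `return []` runs only after the loop above it has parsed and allocated a `Range` for every segment of the header, so a request carrying thousands of ranges still pays the full parse before it is rejected; keeping a running total beside `ranges << (r0..r1) if r0 <= r1` (`total += r1 - r0 + 1` followed by `return [] if total > size`) rejects at the first segment that pushes the total past the file and drops the extra `map(&:size).sum` pass. `Array#sum` also only exists from Ruby 2.4, while the spec in this same change still declares `ruby >= 2.2.2`; `ranges.inject(0) { |t, r| t + r.size }` avoids that mismatch if older interpreters are a target. Returning `[]` rather than `nil` presumably follows the method's existing convention of `[]` meaning unsatisfiable, which is worth confirming against its doc comment; a one-line `# total requested bytes exceed the file: treat the request as unsatisfiable (CVE-2024-26141)` next to the check would make the intent explicit. The enclosing method (presumably `get_byte_ranges`) and the loop that bounds r0/r1 begin before the hunk.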
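Review bot: The `q` lookup on the last visible line still honours a quality only when `q` is the first parameter, because `/\Aq=([\d.]+)/` is anchored to the start of `parameters` after the `;` split; the RFC 7231 form `text/html;level=2;q=0.4` therefore keeps quality 1.0, which can skew whatever preference ordering callers derive from these values. Since the commit already replaced the separator regexps with plain splitting, the same approach closes this without reintroducing backtracking: `q = parameters.to_s.split(';').map(&:strip).find { |p| p.start_with?('q=') }` followed by `quality = q[2..-1].to_f if q`, bearing in mind `to_f` is lenient (`q=1.2.3` → 1.2, `q=abc` → 0.0 where the old capture left 1.0). A range check against `0.0..1.0` on the parsed value would also reject out-of-spec inputs such as `q=5`. `q_values` continues past the hunk, so what the block returns is not visible here.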
+++ b/rubygem-rack.spec
@@ -4,14 +4,17 @@
 Name: rubygem-%{gem_name}
 Version: 2.2.4
 Epoch: 1
-Release: 1
+Release: 5
 Summary: A modular Ruby webserver interface
 License: MIT and BSD
 URL: https://rack.github.io/
 Source0: https://rubygems.org/downloads/%{gem_name}-%{version}.gem
 Patch0: 2-2-multipart-dos.patch
 Patch1: 2-2-header-redos.patch
-BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2
+Patch2: Fix-CVE-2024-26141.patch
+Patch3: Fix-CVE-2024-26146.patch
+Patch4: Fix-CVE-2024-25126.patch
+BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 git
 BuildRequires: memcached rubygem(memcache-client) rubygem(minitest)
 BuildRequires: rubygem(memcache-client)
 BuildRequires: rubygem(minitest)
@@ -41,9 +44,7 @@ BuildArch: noarch
 Documentation for %{name}.
 
 %prep
-%setup -q -n %{gem_name}-%{version}
-%patch0 -p1
-%patch1 -p1
+%autosetup -n %{gem_name}-%{version} -p1 -S git
 
 %build
 gem build ../%{gem_name}-%{version}.gemspec
@@ -101,6 +102,30 @@ popd
 %doc %{gem_instdir}/contrib
 
 %changelog
+* Sun Apr 07 2024 panchenbo - 1:2.2.4-5
+- Type: Bugfix
+- ID:NA
+- SUG:NA
+- DESC:add BuildRequires: git
+
+* Tue Apr 02 2024 zouzhimin - 1:2.2.4-4
+- Type:CVES
+- ID:CVE-2024-25126
+- SUG:NA
+- DESC:CVE-2024-25126
+
+* Tue Apr 02 2024 zouzhimin - 1:2.2.4-3
+- Type:CVES
+- ID:CVE-2024-26146
+- SUG:NA
+- DESC:CVE-2024-26146
+
+* Mon Apr 01 2024 zouzhimin - 1:2.2.4-2
+- Type:CVES
+- ID:CVE-2024-26141
+- SUG:NA
+- DESC:CVE-2024-26141
+
 * Thu Aug 17 2023 wulei - 1:2.2.4-1
 - Upgrade to version 2.2.4