From 79b7e386309e7b8616b40c871095aab848504444 Mon Sep 17 00:00:00 2001
From: zouzhimin
Date: Mon, 8 Apr 2024 22:30:08 +0800
Subject: [PATCH] Fix CVE-2022-44572
(cherry picked from commit b0d364e5deb9f05f2d8bd76afa365c7ee167ff7e)
---
 Fix-CVE-2022-44572.patch | 48 ++++++++++++++++++++++++++++++++++++++++
 rubygem-rack.spec | 9 +++++++-
 2 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 Fix-CVE-2022-44572.patch
diff --git a/Fix-CVE-2022-44572.patch b/Fix-CVE-2022-44572.patch
new file mode 100644
index 0000000..03ea363
--- /dev/null
+++ b/Fix-CVE-2022-44572.patch
@@ -0,0 +1,48 @@
+From 19e49f0f185d7e42ed5b402baec6c897a8c48029 Mon Sep 17 00:00:00 2001
+From: John Hawthorn
+Date: Wed, 3 Aug 2022 00:19:56 -0700
+Subject: [PATCH] Forbid control characters in attributes
+
+This commit restricts the characters accepted in ATTRIBUTE_CHAR,
+forbidding control characters and fixing a ReDOS vulnerability.
+
+This also now should fully follow the RFCs.
+
+RFC 2231, Section 7 specifies:
+
+ attribute-char :=
+
+RFC 2045, Appendix A specifies:
+
+ tspecials := "(" / ")" / "<" / ">" / "@" /
+ "," / ";" / ":" / "\" / <">
+ "/" / "[" / "]" / "?" / "="
+
+RFC 822, Section 3.3 specifies:
+
+ CTL = ; ( 177, 127.)
+ SPACE = ; ( 40, 32.)
+
+[CVE-2022-44572]
+---
+ lib/rack/multipart.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb
+index 10f8e5fa..7695fe76 100644
+--- a/lib/rack/multipart.rb
++++ b/lib/rack/multipart.rb
+@@ -21,7 +21,7 @@ module Rack
+ MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
+ MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
+ # Updated definitions from RFC 2231
+- ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
++ ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
+ ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
+ SECTION = /\*[0-9]+/
+ REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/
+--
+2.25.1
+
diff --git a/rubygem-rack.spec b/rubygem-rack.spec
index b61e34d..d948d8c 100644
--- a/rubygem-rack.spec
+++ b/rubygem-rack.spec
@@ -4,7 +4,7 @@
 Name: rubygem-%{gem_name}
 Version: 2.2.4
 Epoch: 1
-Release: 7
+Release: 8
 Summary: A modular Ruby webserver interface
 License: MIT and BSD
 URL: https://rack.github.io/
@@ -16,6 +16,7 @@ Patch3: Fix-CVE-2024-26146.patch
 Patch4: Fix-CVE-2024-25126.patch
 Patch5: Fix-CVE-2022-44570.patch
 Patch6: Fix-CVE-2022-44571.patch
+Patch7: Fix-CVE-2022-44572.patch
 BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 git
 BuildRequires: memcached rubygem(memcache-client) rubygem(minitest)
 BuildRequires: rubygem(memcache-client)
@@ -104,6 +105,12 @@ popd
 %doc %{gem_instdir}/contrib
 %changelog
+* Thu Apr 11 2024 zouzhimin - 1:2.2.4-8
+- Type:CVES
+- ID:CVE-2022-44572
+- SUG:NA
+- DESC:CVE-2022-44572
+
 * Wed Apr 10 2024 zouzhimin - 1:2.2.4-7
 - Type:CVES
 - ID:CVE-2022-44571
--
Gitee
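Review bot: The new `Patch7: Fix-CVE-2022-44572.patch` line only declares the patch; whether it is actually applied depends on the %prep section, which is outside this hunk. If %prep uses `%autosetup -p1` (or `-S git`) the file is picked up automatically, but if it lists `%patch0` … `%patch6` explicitly, a matching `%patch7 -p1` is required, and without it rpmbuild would still succeed and produce a 2.2.4-8 package that does not contain the fix — worth confirming before merge. The `git` in BuildRequires hints at `%autosetup -S git` but does not prove it. As a point of style, `- DESC:CVE-2022-44572` in the changelog merely repeats the ID line above it; a one-line summary such as `- DESC:forbid control characters in multipart attribute names (CVE-2022-44572)` would tell readers what changed without breaking the entry format used by the earlier entries.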