diff --git a/CVE-2022-44570.patch b/CVE-2022-44570.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f05f1cfd9374da258028e63895dad74211d5e932
--- /dev/null
+++ b/CVE-2022-44570.patch
@@ -0,0 +1,44 @@
+From f6d4f528f2df1318a6612845db0b59adc7fe8fc1 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson
+Date: Tue, 17 Jan 2023 12:04:37 -0800
+Subject: [PATCH] Fix ReDoS in Rack::Utils.get_byte_ranges
+
+This commit fixes a ReDoS problem in `get_byte_ranges`. Thanks
+@ooooooo_q for the patch!
+
+[CVE-2022-44570]
+---
+ lib/rack/utils.rb | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
+index 34849ded..14d9e17d 100644
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -348,17 +348,18 @@ module Rack
+ return nil unless http_range && http_range =~ /bytes=([^;]+)/
+ ranges = []
+ $1.split(/,\s*/).each do |range_spec|
+- return nil unless range_spec =~ /(\d*)-(\d*)/
+- r0, r1 = $1, $2
+- if r0.empty?
+- return nil if r1.empty?
++ return nil unless range_spec.include?('-')
++ range = range_spec.split('-')
++ r0, r1 = range[0], range[1]
++ if r0.nil? || r0.empty?
++ return nil if r1.nil?
+ # suffix-byte-range-spec, represents trailing suffix of file
+ r0 = size - r1.to_i
+ r0 = 0 if r0 < 0
+ r1 = size - 1
+ else
+ r0 = r0.to_i
+- if r1.empty?
++ if r1.nil?
+ r1 = size - 1
+ else
+ r1 = r1.to_i
+--
+2.25.1
+
diff --git a/CVE-2022-44571.patch b/CVE-2022-44571.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a68eddbd8efd9516bde4b1ccf77ca47dc0346304
--- /dev/null
+++ b/CVE-2022-44571.patch
@@ -0,0 +1,31 @@
+From ee25ab9a7ee981d7578f559701085b0cf39bde77 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson
+Date: Tue, 17 Jan 2023 12:14:29 -0800
+Subject: [PATCH] Fix ReDoS vulnerability in multipart parser
+
+This commit fixes a ReDoS vulnerability when parsing the
+Content-Disposition field in multipart attachments
+
+Thanks to @ooooooo_q for the patch!
+
+[CVE-2022-44571]
+---
+ lib/rack/multipart.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb
+index 7695fe76..fdae808a 100644
+--- a/lib/rack/multipart.rb
++++ b/lib/rack/multipart.rb
+@@ -18,7 +18,7 @@ module Rack
+ VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
+ BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
+ MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
+- MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni
++ MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
+ MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
+ # Updated definitions from RFC 2231
+ ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
+--
+2.25.1
+
diff --git a/CVE-2022-44572.patch b/CVE-2022-44572.patch
new file mode 100644
index 0000000000000000000000000000000000000000..03ea363441db350a96f753a43a48ecd5b75c7505
--- /dev/null
+++ b/CVE-2022-44572.patch
@@ -0,0 +1,48 @@
+From 19e49f0f185d7e42ed5b402baec6c897a8c48029 Mon Sep 17 00:00:00 2001
+From: John Hawthorn
+Date: Wed, 3 Aug 2022 00:19:56 -0700
+Subject: [PATCH] Forbid control characters in attributes
+
+This commit restricts the characters accepted in ATTRIBUTE_CHAR,
+forbidding control characters and fixing a ReDOS vulnerability.
+
+This also now should fully follow the RFCs.
+
+RFC 2231, Section 7 specifies:
+
+ attribute-char :=
+
+RFC 2045, Appendix A specifies:
+
+ tspecials := "(" / ")" / "<" / ">" / "@" /
+ "," / ";" / ":" / "\" / <">
+ "/" / "[" / "]" / "?" / "="
+
+RFC 822, Section 3.3 specifies:
+
+ CTL = ; ( 177, 127.)
+ SPACE = ; ( 40, 32.)
+
+[CVE-2022-44572]
+---
+ lib/rack/multipart.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb
+index 10f8e5fa..7695fe76 100644
+--- a/lib/rack/multipart.rb
++++ b/lib/rack/multipart.rb
+@@ -21,7 +21,7 @@ module Rack
+ MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
+ MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
+ # Updated definitions from RFC 2231
+- ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
++ ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
+ ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
+ SECTION = /\*[0-9]+/
+ REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/
+--
+2.25.1
+
diff --git a/rubygem-rack.spec b/rubygem-rack.spec
index 8c5bc14de19a0e4dd073725513e616cef389fd91..890567d15daded4f0dcab472289a016682052ca8 100644
--- a/rubygem-rack.spec
+++ b/rubygem-rack.spec
@@ -4,7 +4,7 @@
 Name: rubygem-%{gem_name}
 Version: 2.2.3.1
 Epoch: 1
-Release: 3
+Release: 4
 Summary: A modular Ruby webserver interface
 License: MIT and BSD
 URL: https://rack.github.io/
@@ -14,6 +14,9 @@ Patch0: CVE-2024-39316.patch
 Patch1: CVE-2024-26141.patch
 Patch2: CVE-2024-26146.patch
 Patch3: CVE-2024-25126.patch
+Patch4: CVE-2022-44570.patch
+Patch5: CVE-2022-44571.patch
+Patch6: CVE-2022-44572.patch
 BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(concurrent-ruby)
 BuildRequires: memcached rubygem(memcache-client) rubygem(minitest)

@@ -103,6 +106,12 @@ popd
 %doc %{gem_instdir}/contrib

 %changelog
+* Fri Jul 05 2024 zouzhimin - 1:2.2.3.1-4
+- Type:CVES
+- ID:CVE-2022-44570 CVE-2022-44571 CVE-2022-44572
+- SUG:NA
+- DESC:CVE-2022-44570 CVE-2022-44571 CVE-2022-44572
+
 * Fri Jul 05 2024 zouzhimin - 1:2.2.3.1-3
 - Type:CVES
 - ID:CVE-2024-26141 CVE-2024-26146 CVE-2024-25126
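Review bot: The new `Patch4`–`Patch6` declarations only fix anything if %prep applies them, and %prep is not in this diff; if the spec applies patches with explicit `%patch0 -p1`-style lines rather than `%autosetup`/`%autopatch`, the three CVE fixes are named in the changelog but never reach the built gem, so the %prep section should be checked (or the rpmbuild log inspected for the three new patches being applied). Order also matters: CVE-2022-44572.patch's context line already carries the `[^:]*` form of MULTIPART_CONTENT_DISPOSITION that CVE-2022-44571.patch introduces, so the two only apply cleanly as Patch5 before Patch6, while their `index 10f8e5fa..7695fe76` / `index 7695fe76..fdae808a` lines describe the opposite upstream order; plain patch/%patch ignore those blob ids, but a tool that honours them (for example `git apply --3way`) could refuse the second one. A one-line comment above the new declarations, `# Patch6 depends on Patch5 (context already contains the [^:]* Content-Disposition regex)`, would keep a future re-ordering from silently breaking the build.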