From 209641562a1464db53ac33910bc131d26454bf6f Mon Sep 17 00:00:00 2001
From: changtao
Date: Wed, 19 Feb 2025 00:09:05 +0800
Subject: [PATCH] fix CVE-2025-27111

(cherry picked from commit 2488b5c17b372c28ccd83d2c5549e55a62a08aa2)
---
 CVE-2025-27111.patch | 24 ++++++++++++++++++++++++
 rubygem-rack.spec | 9 ++++++++-
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2025-27111.patch

diff --git a/CVE-2025-27111.patch b/CVE-2025-27111.patch
new file mode 100644
index 0000000..06a91f0
--- /dev/null
+++ b/CVE-2025-27111.patch
@@ -0,0 +1,24 @@
+From 803aa221e8302719715e224f4476e438f2531a53 Mon Sep 17 00:00:00 2001
+From: Samuel Williams
+Date: Sat, 22 Feb 2025 16:37:33 +1300
+Subject: [PATCH] Use `#inspect` to prevent log injection.
+---
+ lib/rack/sendfile.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/rack/sendfile.rb b/lib/rack/sendfile.rb
+index 3d5e786..0b7b2f2 100644
+--- a/lib/rack/sendfile.rb
++++ b/lib/rack/sendfile.rb
+@@ -133,7 +133,7 @@ module Rack
+ end
+ when '', nil
+ else
+- env[RACK_ERRORS].puts "Unknown x-sendfile variation: '#{type}'.\n"
++ env[RACK_ERRORS].puts "Unknown x-sendfile variation: #{type.inspect}"
+ end
+ end
+ [status, headers, body]
+--
+2.46.0
+
diff --git a/rubygem-rack.spec b/rubygem-rack.spec
index f830351..732039e 100644
--- a/rubygem-rack.spec
+++ b/rubygem-rack.spec
@@ -3,7 +3,7 @@
 Name: rubygem-%{gem_name}
 Version: 2.2.3.1
 Epoch: 1
-Release: 5
+Release: 6
 Summary: A modular Ruby webserver interface
 License: MIT and BSD
 URL: https://rack.github.io/
@@ -17,6 +17,7 @@
 Patch4: CVE-2022-44570.patch
 Patch5: CVE-2022-44571.patch
 Patch6: CVE-2022-44572.patch
 Patch7: CVE-2025-27610.patch
+Patch8: CVE-2025-27111.patch
 BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 memcached
 BuildArch: noarch
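Review bot: The rewritten `else` branch in the bundled sendfile.rb hunk now depends on `String#inspect` to escape newlines and other control characters in `type` before the message is written to `env[RACK_ERRORS]`, which closes the line-forging path only at this one `puts`; `type` appears to be derived from a request-controlled value (the x-sendfile variation), so any other site that writes it raw to the error stream would need the same treatment, and none is visible in this hunk. The enclosing method begins and ends outside the hunk, so the origin of `type` cannot be confirmed from the patch alone. Dropping the explicit `\n` is correct because `puts` already terminates the line, but the message text changes shape (quotes and trailing period gone), so any log monitoring that matched the old `'…'.` form should be updated to the new `#{type.inspect}` output. Because `inspect` escaping of non-ASCII input depends on the string's encoding and the Ruby version, the exact bytes logged may differ between builds; that does not weaken the fix, but it is worth a one-line note in the packaging changelog.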
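Review bot: `Patch8: CVE-2025-27111.patch` is registered in the second spec hunk, but nothing in the diff touches `%prep`; if this spec applies patches with numbered `%patchN` directives rather than `%autosetup`/`%autopatch`, a matching `%patch8 -p1` line is needed or the patch is never applied and the Release bump ships an unchanged sendfile.rb. The `%prep` section lies outside both spec hunks, so this cannot be confirmed from the page. A cheap build-time check is to verify that the installed `lib/rack/sendfile.rb` contains the string `type.inspect` after `%install`, which catches a silently skipped patch regardless of which patch-application style the spec uses.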
@@ -100,6 +101,12 @@ popd %doc %{gem_instdir}/contrib %changelog +* Thu Mar 13 2025 changtao - 1:2.2.3.1-6 +- Type:CVE +- CVE:CVE-2025-27111 +- SUG:NA +- DESC:fix CVE-2025-27111 + * Wed Mar 12 2025 changtao - 1:2.2.3.1-5 - Type:CVE - CVE:CVE-2025-27610 -- Gitee