fix CVE-2021-32740

CVE-2021-32740.patch

@@ -0,0 +1,57 @@
+From b48ff03347a6d46e8dc674e242ce74c6381962a5 Mon Sep 17 00:00:00 2001
+From: Security Curious <security-curious@pm.me>
+Date: Fri, 2 Jul 2021 15:30:02 -0400
+Subject: [PATCH] Prevent ReDOS vuln on URI Template matching
+
+The regular expression used to match a template against a URL is
+vulnerable to a regular expression denial-of-service via catastrophic
+backtracking.
+
+This commit includes a test that demonstrates the failure without
+the fix as well as updates the regexp to remove the vulnerability.
+The vulnerability is removed by updating the grouping to be atomic.
+---
+ lib/addressable/template.rb       | 2 +-
+ spec/addressable/template_spec.rb | 9 +++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/lib/addressable/template.rb b/lib/addressable/template.rb
+index 2696695..45967ce 100644
+--- a/lib/addressable/template.rb
++++ b/lib/addressable/template.rb
+@@ -37,7 +37,7 @@ class Template
+       Addressable::URI::CharacterClasses::DIGIT + '_'
+ 
+     var_char =
+-      "(?:(?:[#{variable_char_class}]|%[a-fA-F0-9][a-fA-F0-9])+)"
++      "(?>(?:[#{variable_char_class}]|%[a-fA-F0-9][a-fA-F0-9])+)"
+     RESERVED =
+       "(?:[#{anything}]|%[a-fA-F0-9][a-fA-F0-9])"
+     UNRESERVED =
+diff --git a/spec/addressable/template_spec.rb b/spec/addressable/template_spec.rb
+index a019165..d47589a 100644
+--- a/spec/addressable/template_spec.rb
++++ b/spec/addressable/template_spec.rb
+@@ -19,6 +19,7 @@
+ require "spec_helper"
+ 
+ require "bigdecimal"
++require "timeout"
+ require "addressable/template"
+ 
+ shared_examples_for 'expands' do |tests|
+@@ -1340,6 +1341,14 @@ def self.match(name)
+         expect(subject).not_to match("foo_bar*")
+         expect(subject).not_to match("foo_bar:20")
+       end
++
++      it 'should parse in a reasonable time' do
++        expect do
++          Timeout.timeout(0.1) do
++            expect(subject).not_to match("0"*25 + "!")
++          end
++        end.not_to raise_error
++      end
+     end
+     context "VARIABLE_LIST" do
+       subject { Addressable::Template::VARIABLE_LIST }

rubygem-addressable.spec

@@ -1,7 +1,7 @@
 %global gem_name addressable
 Name:                rubygem-%{gem_name}
 Version:             2.5.2
-Release:             1
+Release:             2
 Summary:             URI Implementation
 License:             ASL 2.0
 URL:                 https://github.com/sporkmonger/addressable
@@ -13,6 +13,7 @@ BuildArch:           noarch
 Patch0:              no-rack-mount.patch
 # Comment out failing tests
 Patch1:              fix_addressable_tests.patch
+Patch2:              CVE-2021-32740.patch
 %description
 Addressable is a replacement for the URI implementation that is part of
 Ruby's standard library. It more closely conforms to the relevant RFCs and
@@ -31,6 +32,7 @@ gem unpack %{SOURCE0}
 gem spec %{SOURCE0} -l --ruby > %{gem_name}.gemspec
 %patch0
 %patch1
+%patch2 -p1
 
 %build
 gem build %{gem_name}.gemspec
@@ -68,5 +70,8 @@ popd
 %{gem_instdir}/spec
 
 %changelog
+* Wed Jul 14 2021 liwu <liwu13@huawei.com> - 2.5.2-2
+- fix CVE-2021-32740
+
 * Tue Aug 18 2020 shenleizhao <shenleizhao@huawei.com> - 2.5.2-1
 - package init