packages/rubygem-rack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2022-44571

Browse Source 
(cherry picked from commit 76b078b2b9078cda68868260c2707e7d52f1af82)
This commit is contained in:
zouzhimin 2024-04-08 19:52:13 +08:00 committed by openeuler-sync-bot
parent b036d9d495
commit 47b1d076f5
2 changed files with 39 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
Fix-CVE-2022-44571.patch Normal file
View File

@ -0,0 +1,31 @@
From ee25ab9a7ee981d7578f559701085b0cf39bde77 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <tenderlove@ruby-lang.org>
Date: Tue, 17 Jan 2023 12:14:29 -0800
Subject: [PATCH] Fix ReDoS vulnerability in multipart parser
This commit fixes a ReDoS vulnerability when parsing the
Content-Disposition field in multipart attachments
Thanks to @ooooooo_q for the patch!
[CVE-2022-44571]
---
lib/rack/multipart.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb
index 7695fe76..fdae808a 100644
--- a/lib/rack/multipart.rb
+++ b/lib/rack/multipart.rb
@@ -18,7 +18,7 @@ module Rack
VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
- MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni
+ MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
# Updated definitions from RFC 2231
ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
--
2.25.1

9
rubygem-rack.spec
View File

@ -4,7 +4,7 @@
Name: rubygem-%{gem_name}
Version: 2.2.4
Epoch: 1
Release: 6
Release: 7
Summary: A modular Ruby webserver interface
License: MIT and BSD
URL: https://rack.github.io/
@ -15,6 +15,7 @@ Patch2: Fix-CVE-2024-26141.patch
Patch3: Fix-CVE-2024-26146.patch
Patch4: Fix-CVE-2024-25126.patch
Patch5: Fix-CVE-2022-44570.patch
Patch6: Fix-CVE-2022-44571.patch
BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 git
BuildRequires: memcached rubygem(memcache-client) rubygem(minitest)
BuildRequires: rubygem(memcache-client)
@ -103,6 +104,12 @@ popd
%doc %{gem_instdir}/contrib
%changelog
* Wed Apr 10 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-7
- Type:CVES
- ID:CVE-2022-44571
- SUG:NA
- DESC:CVE-2022-44571
* Tue Apr 09 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-6
- Type:CVES
- ID:CVE-2022-44570