Fix CVE-2022-44570
(cherry picked from commit 5de9014905bf9a04855c54a03662d34c84b6f02c)
This commit is contained in:
zouzhimin
openeuler-sync-bot
parent
f4dd5b56b0
commit
506df6251b
44
Fix-CVE-2022-44570.patch
Normal file
44
Fix-CVE-2022-44570.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From f6d4f528f2df1318a6612845db0b59adc7fe8fc1 Mon Sep 17 00:00:00 2001
|
||||
From: Aaron Patterson <tenderlove@ruby-lang.org>
|
||||
Date: Tue, 17 Jan 2023 12:04:37 -0800
|
||||
Subject: [PATCH] Fix ReDoS in Rack::Utils.get_byte_ranges
|
||||
|
||||
This commit fixes a ReDoS problem in `get_byte_ranges`. Thanks
|
||||
@ooooooo_q for the patch!
|
||||
|
||||
[CVE-2022-44570]
|
||||
---
|
||||
lib/rack/utils.rb | 11 ++++++-----
|
||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
|
||||
index 34849ded..14d9e17d 100644
|
||||
--- a/lib/rack/utils.rb
|
||||
+++ b/lib/rack/utils.rb
|
||||
@@ -348,17 +348,18 @@ module Rack
|
||||
return nil unless http_range && http_range =~ /bytes=([^;]+)/
|
||||
ranges = []
|
||||
$1.split(/,\s*/).each do |range_spec|
|
||||
- return nil unless range_spec =~ /(\d*)-(\d*)/
|
||||
- r0, r1 = $1, $2
|
||||
- if r0.empty?
|
||||
- return nil if r1.empty?
|
||||
+ return nil unless range_spec.include?('-')
|
||||
+ range = range_spec.split('-')
|
||||
+ r0, r1 = range[0], range[1]
|
||||
+ if r0.nil? || r0.empty?
|
||||
+ return nil if r1.nil?
|
||||
# suffix-byte-range-spec, represents trailing suffix of file
|
||||
r0 = size - r1.to_i
|
||||
r0 = 0 if r0 < 0
|
||||
r1 = size - 1
|
||||
else
|
||||
r0 = r0.to_i
|
||||
- if r1.empty?
|
||||
+ if r1.nil?
|
||||
r1 = size - 1
|
||||
else
|
||||
r1 = r1.to_i
|
||||
--
|
||||
2.25.1
|
||||
|
||||
@ -4,7 +4,7 @@
|
||||
Name: rubygem-%{gem_name}
|
||||
Version: 2.2.4
|
||||
Epoch: 1
|
||||
Release: 5
|
||||
Release: 6
|
||||
Summary: A modular Ruby webserver interface
|
||||
License: MIT and BSD
|
||||
URL: https://rack.github.io/
|
||||
@ -14,6 +14,7 @@ Patch1: 2-2-header-redos.patch
|
||||
Patch2: Fix-CVE-2024-26141.patch
|
||||
Patch3: Fix-CVE-2024-26146.patch
|
||||
Patch4: Fix-CVE-2024-25126.patch
|
||||
Patch5: Fix-CVE-2022-44570.patch
|
||||
BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 git
|
||||
BuildRequires: memcached rubygem(memcache-client) rubygem(minitest)
|
||||
BuildRequires: rubygem(memcache-client)
|
||||
@ -102,6 +103,12 @@ popd
|
||||
%doc %{gem_instdir}/contrib
|
||||
|
||||
%changelog
|
||||
* Tue Apr 09 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-6
|
||||
- Type:CVES
|
||||
- ID:CVE-2022-44570
|
||||
- SUG:NA
|
||||
- DESC:CVE-2022-44570
|
||||
|
||||
* Sun Apr 07 2024 panchenbo <panchenbo@kylinsec.com.cn> - 1:2.2.4-5
|
||||
- Type: Bugfix
|
||||
- ID:NA
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user