FIX CVE-2024-26141

(cherry picked from commit b4ffc46500cfbe094648af93930658c0331d2188)

Fix-CVE-2024-26141.patch

@@ -0,0 +1,30 @@
+From 72ecb3f4e05b2fc0a5073d23fd178686818eb958 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <tenderlove@ruby-lang.org>
+Date: Tue, 13 Feb 2024 13:34:34 -0800
+Subject: [PATCH] Return an empty array when ranges are too large
+
+If the sum of the requested ranges is larger than the file itself,
+return an empty array. In other words, refuse to respond with any bytes.
+
+[CVE-2024-26141]
+---
+ lib/rack/utils.rb | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
+index ca6182c..199312f 100644
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -379,6 +379,9 @@ module Rack
+         end
+         ranges << (r0..r1)  if r0 <= r1
+       end
++
++      return [] if ranges.map(&:size).sum > size
++
+       ranges
+     end
+ 
+-- 
+2.43.0
+

rubygem-rack.spec

@@ -4,13 +4,14 @@
 Name:    rubygem-%{gem_name}
 Version: 2.2.4
 Epoch:   1
-Release: 1
+Release: 2
 Summary: A modular Ruby webserver interface
 License: MIT and BSD
 URL:     https://rack.github.io/
 Source0: https://rubygems.org/downloads/%{gem_name}-%{version}.gem
 Patch0: 2-2-multipart-dos.patch 
 Patch1: 2-2-header-redos.patch
+Patch2: Fix-CVE-2024-26141.patch
 BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2
 BuildRequires: memcached rubygem(memcache-client) rubygem(minitest)
 BuildRequires: rubygem(memcache-client)
@@ -41,9 +42,7 @@ BuildArch: noarch
 Documentation for %{name}.
 
 %prep
-%setup -q -n %{gem_name}-%{version}
+%autosetup -n %{gem_name}-%{version} -p1 -S git
-%patch0 -p1
-%patch1 -p1
 
 %build
 gem build ../%{gem_name}-%{version}.gemspec
@@ -101,6 +100,12 @@ popd
 %doc %{gem_instdir}/contrib
 
 %changelog
+* Mon Apr 01 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-2
+- Type:CVES
+- ID:CVE-2024-26141
+- SUG:NA
+- DESC:CVE-2024-26141
+
 * Thu Aug 17 2023 wulei <wu_lei@hoperun.com> - 1:2.2.4-1
 - Upgrade to version 2.2.4