!92 [sync] PR-87: fix CVE-2025-25184

From: @openeuler-sync-bot Reviewed-by: @jxy_git Signed-off-by: @jxy_git
2025-03-19 01:42:44 +00:00 · 2025-03-19 01:42:44 +00:00 · 6fba0b096a
commit 6fba0b096a
parent 6d6bc5d25a 36fac7f425
2 changed files with 42 additions and 1 deletions
--- a/Fix-CVE-2025-25184.patch
+++ b/Fix-CVE-2025-25184.patch
@ -0,0 +1,34 @@
+From 074ae244430cda05c27ca91cda699709cfb3ad8e Mon Sep 17 00:00:00 2001
+From: Jeremy Evans <code@jeremyevans.net>
+Date: Tue, 11 Feb 2025 19:10:05 -0800
+Subject: [PATCH] Escape non-printable characters when logging.
+---
+ lib/rack/common_logger.rb | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/rack/common_logger.rb b/lib/rack/common_logger.rb
+index 9c6f921..68399c7 100644
+--- a/lib/rack/common_logger.rb
+++ b/lib/rack/common_logger.rb
+@@ -15,7 +15,7 @@ module Rack
+     # The actual format is slightly different than the above due to the
+     # separation of SCRIPT_NAME and PATH_INFO, and because the elapsed
+     # time in seconds is included at the end.
+-    FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f\n}
+    FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f }
+ 
+     # +logger+ can be any object that supports the +write+ or +<<+ methods,
+     # which includes the standard library Logger.  These methods are called
+@@ -60,7 +60,8 @@ module Rack
+         length,
+         Utils.clock_time - began_at ]
+ 
+-      msg.gsub!(/[^[:print:]\n]/) { |c| "\\x#{c.ord}" }
+      msg.gsub!(/[^[:print:]]/) { |c| sprintf("\\x%x", c.ord) }
+      msg[-1] = "\n"
+ 
+       logger = @logger || env[RACK_ERRORS]
+ 
+-- 
+2.46.0
+
--- a/rubygem-rack.spec
+++ b/rubygem-rack.spec
@ -4,7 +4,7 @@
 Name:    rubygem-%{gem_name}
 Version: 2.2.4
 Epoch:   1
-Release: 10
+Release: 11
 Summary: A modular Ruby webserver interface
 License: MIT and BSD
 URL:     https://rack.github.io/
@ -19,6 +19,7 @@ Patch6: Fix-CVE-2022-44571.patch
 Patch7: Fix-CVE-2022-44572.patch
 Patch8: Fix-CVE-2025-27610.patch
 Patch9: Fix-CVE-2025-27111.patch
+Patch10: Fix-CVE-2025-25184.patch
 BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 git
 BuildRequires: memcached rubygem(memcache-client) rubygem(minitest)
 BuildRequires: rubygem(memcache-client)
@ -107,6 +108,12 @@ popd
 %doc %{gem_instdir}/contrib

 %changelog
+* Tue Mar 18 2025 changtao <changtao@kylinos.cn> - 1:2.2.4-11
+- Type:CVE
+- CVE:CVE-2025-25184
+- SUG:NA
+- DESC:fix CVE-2025-25184
+
 * Thu Mar 13 2025 changtao <changtao@kylinos.cn> - 1:2.2.4-10
 - Type:CVE
 - CVE:CVE-2025-27111