packages/rubygem-rack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2022-44572

Browse Source 
(cherry picked from commit b0d364e5deb9f05f2d8bd76afa365c7ee167ff7e)
This commit is contained in:
zouzhimin 2024-04-08 22:30:08 +08:00 committed by openeuler-sync-bot
parent 2928b69868
commit 79b7e38630
2 changed files with 56 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
Fix-CVE-2022-44572.patch Normal file
View File

@ -0,0 +1,48 @@
From 19e49f0f185d7e42ed5b402baec6c897a8c48029 Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Wed, 3 Aug 2022 00:19:56 -0700
Subject: [PATCH] Forbid control characters in attributes
This commit restricts the characters accepted in ATTRIBUTE_CHAR,
forbidding control characters and fixing a ReDOS vulnerability.
This also now should fully follow the RFCs.
RFC 2231, Section 7 specifies:
attribute-char := <any (US-ASCII) CHAR except SPACE, CTLs,
"*", "'", "%", or tspecials>
RFC 2045, Appendix A specifies:
tspecials := "(" / ")" / "<" / ">" / "@" /
"," / ";" / ":" / "\" / <">
"/" / "[" / "]" / "?" / "="
RFC 822, Section 3.3 specifies:
CTL = <any ASCII control ; ( 0- 37, 0.- 31.)
character and DEL> ; ( 177, 127.)
SPACE = <ASCII SP, space> ; ( 40, 32.)
[CVE-2022-44572]
---
lib/rack/multipart.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb
index 10f8e5fa..7695fe76 100644
--- a/lib/rack/multipart.rb
+++ b/lib/rack/multipart.rb
@@ -21,7 +21,7 @@ module Rack
MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
# Updated definitions from RFC 2231
- ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
+ ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
SECTION = /\*[0-9]+/
REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/
--
2.25.1

9
rubygem-rack.spec
View File

@ -4,7 +4,7 @@
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Version: 2.2.4 Version: 2.2.4
Epoch: 1 Epoch: 1
Release: 7 Release: 8
Summary: A modular Ruby webserver interface Summary: A modular Ruby webserver interface
License: MIT and BSD License: MIT and BSD
URL: https://rack.github.io/ URL: https://rack.github.io/
@ -16,6 +16,7 @@ Patch3: Fix-CVE-2024-26146.patch
Patch4: Fix-CVE-2024-25126.patch Patch4: Fix-CVE-2024-25126.patch
Patch5: Fix-CVE-2022-44570.patch Patch5: Fix-CVE-2022-44570.patch
Patch6: Fix-CVE-2022-44571.patch Patch6: Fix-CVE-2022-44571.patch
Patch7: Fix-CVE-2022-44572.patch
BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 git BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 git
BuildRequires: memcached rubygem(memcache-client) rubygem(minitest) BuildRequires: memcached rubygem(memcache-client) rubygem(minitest)
BuildRequires: rubygem(memcache-client) BuildRequires: rubygem(memcache-client)
@ -104,6 +105,12 @@ popd
%doc %{gem_instdir}/contrib %doc %{gem_instdir}/contrib
%changelog %changelog
* Thu Apr 11 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-8
- Type:CVES
- ID:CVE-2022-44572
- SUG:NA
- DESC:CVE-2022-44572
* Wed Apr 10 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-7 * Wed Apr 10 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-7
- Type:CVES - Type:CVES
- ID:CVE-2022-44571 - ID:CVE-2022-44571