packages/rubygem-rack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!48 [sync] PR-45: Fix CVE-2022-44570

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @xiangbudaomz, @jxy_git 
Signed-off-by: @xiangbudaomz, @jxy_git
This commit is contained in:
openeuler-ci-bot 2024-04-15 09:02:27 +00:00 committed by Gitee
commit b036d9d495
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 52 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
Fix-CVE-2022-44570.patch Normal file
View File

@ -0,0 +1,44 @@
From f6d4f528f2df1318a6612845db0b59adc7fe8fc1 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <tenderlove@ruby-lang.org>
Date: Tue, 17 Jan 2023 12:04:37 -0800
Subject: [PATCH] Fix ReDoS in Rack::Utils.get_byte_ranges
This commit fixes a ReDoS problem in `get_byte_ranges`. Thanks
@ooooooo_q for the patch!
[CVE-2022-44570]
---
lib/rack/utils.rb | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
index 34849ded..14d9e17d 100644
--- a/lib/rack/utils.rb
+++ b/lib/rack/utils.rb
@@ -348,17 +348,18 @@ module Rack
return nil unless http_range && http_range =~ /bytes=([^;]+)/
ranges = []
$1.split(/,\s*/).each do |range_spec|
- return nil unless range_spec =~ /(\d*)-(\d*)/
- r0, r1 = $1, $2
- if r0.empty?
- return nil if r1.empty?
+ return nil unless range_spec.include?('-')
+ range = range_spec.split('-')
+ r0, r1 = range[0], range[1]
+ if r0.nil? || r0.empty?
+ return nil if r1.nil?
# suffix-byte-range-spec, represents trailing suffix of file
r0 = size - r1.to_i
r0 = 0 if r0 < 0
r1 = size - 1
else
r0 = r0.to_i
- if r1.empty?
+ if r1.nil?
r1 = size - 1
else
r1 = r1.to_i
--
2.25.1

9
rubygem-rack.spec
View File

@ -4,7 +4,7 @@
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Version: 2.2.4 Version: 2.2.4
Epoch: 1 Epoch: 1
Release: 5 Release: 6
Summary: A modular Ruby webserver interface Summary: A modular Ruby webserver interface
License: MIT and BSD License: MIT and BSD
URL: https://rack.github.io/ URL: https://rack.github.io/
@ -14,6 +14,7 @@ Patch1: 2-2-header-redos.patch
Patch2: Fix-CVE-2024-26141.patch Patch2: Fix-CVE-2024-26141.patch
Patch3: Fix-CVE-2024-26146.patch Patch3: Fix-CVE-2024-26146.patch
Patch4: Fix-CVE-2024-25126.patch Patch4: Fix-CVE-2024-25126.patch
Patch5: Fix-CVE-2022-44570.patch
BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 git BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 git
BuildRequires: memcached rubygem(memcache-client) rubygem(minitest) BuildRequires: memcached rubygem(memcache-client) rubygem(minitest)
BuildRequires: rubygem(memcache-client) BuildRequires: rubygem(memcache-client)
@ -102,6 +103,12 @@ popd
%doc %{gem_instdir}/contrib %doc %{gem_instdir}/contrib
%changelog %changelog
* Tue Apr 09 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-6
- Type:CVES
- ID:CVE-2022-44570
- SUG:NA
- DESC:CVE-2022-44570
* Sun Apr 07 2024 panchenbo <panchenbo@kylinsec.com.cn> - 1:2.2.4-5 * Sun Apr 07 2024 panchenbo <panchenbo@kylinsec.com.cn> - 1:2.2.4-5
- Type: Bugfix - Type: Bugfix
- ID:NA - ID:NA