!37 [sync] PR-36: Fix CVE-2024-26146

From: @openeuler-sync-bot 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git

Fix-CVE-2024-26146.patch

@@ -0,0 +1,30 @@
+From e4c117749ba24a66f8ec5a08eddf68deeb425ccd Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <tenderlove@ruby-lang.org>
+Date: Wed, 21 Feb 2024 11:05:06 -0800
+Subject: [PATCH] Fixing ReDoS in header parsing
+
+Thanks svalkanov
+
+[CVE-2024-26146]
+---
+ lib/rack/utils.rb | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
+index c8e61ea1..0ed64b7a 100644
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -142,8 +142,8 @@ module Rack
+     end
+ 
+     def q_values(q_value_header)
+-      q_value_header.to_s.split(/\s*,\s*/).map do |part|
+-        value, parameters = part.split(/\s*;\s*/, 2)
++      q_value_header.to_s.split(',').map do |part|
++        value, parameters = part.split(';', 2).map(&:strip)
+         quality = 1.0
+         if parameters && (md = /\Aq=([\d.]+)/.match(parameters))
+           quality = md[1].to_f
+-- 
+2.25.1
+

rubygem-rack.spec

@@ -4,7 +4,7 @@
 Name:    rubygem-%{gem_name}
 Version: 2.2.4
 Epoch:   1
-Release: 2
+Release: 3
 Summary: A modular Ruby webserver interface
 License: MIT and BSD
 URL:     https://rack.github.io/
@@ -12,6 +12,7 @@ Source0: https://rubygems.org/downloads/%{gem_name}-%{version}.gem
 Patch0: 2-2-multipart-dos.patch 
 Patch1: 2-2-header-redos.patch
 Patch2: Fix-CVE-2024-26141.patch
+Patch3: Fix-CVE-2024-26146.patch
 BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2
 BuildRequires: memcached rubygem(memcache-client) rubygem(minitest)
 BuildRequires: rubygem(memcache-client)
@@ -100,6 +101,12 @@ popd
 %doc %{gem_instdir}/contrib
 
 %changelog
+* Tue Apr 02 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-3
+- Type:CVES
+- ID:CVE-2024-26146
+- SUG:NA
+- DESC:CVE-2024-26146
+
 * Mon Apr 01 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-2
 - Type:CVES
 - ID:CVE-2024-26141