packages/rubygem-rack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!37 [sync] PR-36: Fix CVE-2024-26146

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git
This commit is contained in:
openeuler-ci-bot 2024-04-02 02:19:11 +00:00 committed by Gitee
commit df3704638c
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 38 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
Fix-CVE-2024-26146.patch Normal file
View File

@ -0,0 +1,30 @@
From e4c117749ba24a66f8ec5a08eddf68deeb425ccd Mon Sep 17 00:00:00 2001
From: Aaron Patterson <tenderlove@ruby-lang.org>
Date: Wed, 21 Feb 2024 11:05:06 -0800
Subject: [PATCH] Fixing ReDoS in header parsing
Thanks svalkanov
[CVE-2024-26146]
---
lib/rack/utils.rb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
index c8e61ea1..0ed64b7a 100644
--- a/lib/rack/utils.rb
+++ b/lib/rack/utils.rb
@@ -142,8 +142,8 @@ module Rack
end
def q_values(q_value_header)
- q_value_header.to_s.split(/\s*,\s*/).map do |part|
- value, parameters = part.split(/\s*;\s*/, 2)
+ q_value_header.to_s.split(',').map do |part|
+ value, parameters = part.split(';', 2).map(&:strip)
quality = 1.0
if parameters && (md = /\Aq=([\d.]+)/.match(parameters))
quality = md[1].to_f
--
2.25.1

9
rubygem-rack.spec
View File

@ -4,7 +4,7 @@
Name: rubygem-%{gem_name}
Version: 2.2.4
Epoch: 1
Release: 2
Release: 3
Summary: A modular Ruby webserver interface
License: MIT and BSD
URL: https://rack.github.io/
@ -12,6 +12,7 @@ Source0: https://rubygems.org/downloads/%{gem_name}-%{version}.gem
Patch0: 2-2-multipart-dos.patch
Patch1: 2-2-header-redos.patch
Patch2: Fix-CVE-2024-26141.patch
Patch3: Fix-CVE-2024-26146.patch
BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2
BuildRequires: memcached rubygem(memcache-client) rubygem(minitest)
BuildRequires: rubygem(memcache-client)
@ -100,6 +101,12 @@ popd
%doc %{gem_instdir}/contrib
%changelog
* Tue Apr 02 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-3
- Type:CVES
- ID:CVE-2024-26146
- SUG:NA
- DESC:CVE-2024-26146
* Mon Apr 01 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-2
- Type:CVES
- ID:CVE-2024-26141