packages/rubygem-rack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:6fba0b096a963e86db88f5ec0f27fc3e667991cd
Branches Tags
packages:main
..
compare: packages:b036d9d4955cf2c1bfb130d85e73c7febcf20b0c
Branches Tags
packages:main

No commits in common. "6fba0b096a963e86db88f5ec0f27fc3e667991cd" and "b036d9d4955cf2c1bfb130d85e73c7febcf20b0c" have entirely different histories.
6fba0b096a ... b036d9d495

6 changed files with 1 additions and 201 deletions
Show Stats Expand all files Collapse all files

31
Fix-CVE-2022-44571.patch
View File

@ -1,31 +0,0 @@
From ee25ab9a7ee981d7578f559701085b0cf39bde77 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <tenderlove@ruby-lang.org>
Date: Tue, 17 Jan 2023 12:14:29 -0800
Subject: [PATCH] Fix ReDoS vulnerability in multipart parser
This commit fixes a ReDoS vulnerability when parsing the
Content-Disposition field in multipart attachments
Thanks to @ooooooo_q for the patch!
[CVE-2022-44571]
---
lib/rack/multipart.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb
index 7695fe76..fdae808a 100644
--- a/lib/rack/multipart.rb
+++ b/lib/rack/multipart.rb
@@ -18,7 +18,7 @@ module Rack
VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
- MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni
+ MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
# Updated definitions from RFC 2231
ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
--
2.25.1

48
Fix-CVE-2022-44572.patch
View File

@ -1,48 +0,0 @@
From 19e49f0f185d7e42ed5b402baec6c897a8c48029 Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Wed, 3 Aug 2022 00:19:56 -0700
Subject: [PATCH] Forbid control characters in attributes
This commit restricts the characters accepted in ATTRIBUTE_CHAR,
forbidding control characters and fixing a ReDOS vulnerability.
This also now should fully follow the RFCs.
RFC 2231, Section 7 specifies:
attribute-char := <any (US-ASCII) CHAR except SPACE, CTLs,
"*", "'", "%", or tspecials>
RFC 2045, Appendix A specifies:
tspecials := "(" / ")" / "<" / ">" / "@" /
"," / ";" / ":" / "\" / <">
"/" / "[" / "]" / "?" / "="
RFC 822, Section 3.3 specifies:
CTL = <any ASCII control ; ( 0- 37, 0.- 31.)
character and DEL> ; ( 177, 127.)
SPACE = <ASCII SP, space> ; ( 40, 32.)
[CVE-2022-44572]
---
lib/rack/multipart.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb
index 10f8e5fa..7695fe76 100644
--- a/lib/rack/multipart.rb
+++ b/lib/rack/multipart.rb
@@ -21,7 +21,7 @@ module Rack
MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
# Updated definitions from RFC 2231
- ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
+ ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
SECTION = /\*[0-9]+/
REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/
--
2.25.1

34
Fix-CVE-2025-25184.patch
View File

@ -1,34 +0,0 @@
From 074ae244430cda05c27ca91cda699709cfb3ad8e Mon Sep 17 00:00:00 2001
From: Jeremy Evans <code@jeremyevans.net>
Date: Tue, 11 Feb 2025 19:10:05 -0800
Subject: [PATCH] Escape non-printable characters when logging.
---
lib/rack/common_logger.rb | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/rack/common_logger.rb b/lib/rack/common_logger.rb
index 9c6f921..68399c7 100644
--- a/lib/rack/common_logger.rb
+++ b/lib/rack/common_logger.rb
@@ -15,7 +15,7 @@ module Rack
# The actual format is slightly different than the above due to the
# separation of SCRIPT_NAME and PATH_INFO, and because the elapsed
# time in seconds is included at the end.
- FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f\n}
+ FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f }
# +logger+ can be any object that supports the +write+ or +<<+ methods,
# which includes the standard library Logger. These methods are called
@@ -60,7 +60,8 @@ module Rack
length,
Utils.clock_time - began_at ]
- msg.gsub!(/[^[:print:]\n]/) { |c| "\\x#{c.ord}" }
+ msg.gsub!(/[^[:print:]]/) { |c| sprintf("\\x%x", c.ord) }
+ msg[-1] = "\n"
logger = @logger || env[RACK_ERRORS]
--
2.46.0

24
Fix-CVE-2025-27111.patch
View File

@ -1,24 +0,0 @@
From 803aa221e8302719715e224f4476e438f2531a53 Mon Sep 17 00:00:00 2001
From: Samuel Williams <samuel.williams@oriontransfer.co.nz>
Date: Sat, 22 Feb 2025 16:37:33 +1300
Subject: [PATCH] Use `#inspect` to prevent log injection.
---
lib/rack/sendfile.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/rack/sendfile.rb b/lib/rack/sendfile.rb
index 3d5e786..0b7b2f2 100644
--- a/lib/rack/sendfile.rb
+++ b/lib/rack/sendfile.rb
@@ -133,7 +133,7 @@ module Rack
end
when '', nil
else
- env[RACK_ERRORS].puts "Unknown x-sendfile variation: '#{type}'.\n"
+ env[RACK_ERRORS].puts "Unknown x-sendfile variation: #{type.inspect}"
end
end
[status, headers, body]
--
2.46.0

28
Fix-CVE-2025-27610.patch
View File

@ -1,28 +0,0 @@
From 50caab74fa01ee8f5dbdee7bb2782126d20c6583 Mon Sep 17 00:00:00 2001
From: Samuel Williams <samuel.williams@oriontransfer.co.nz>
Date: Sat, 8 Mar 2025 11:13:39 +1300
Subject: [PATCH] Use a fully resolved file path when confirming if a file can
be served by `Rack::Static`.
---
lib/rack/static.rb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/rack/static.rb b/lib/rack/static.rb
index 8cb58b2..0ea78a1 100644
--- a/lib/rack/static.rb
+++ b/lib/rack/static.rb
@@ -122,8 +122,9 @@ module Rack
def call(env)
path = env[PATH_INFO]
+ actual_path = Utils.clean_path_info(Utils.unescape_path(path))
- if can_serve(path)
+ if can_serve(actual_path)
if overwrite_file_path(path)
env[PATH_INFO] = (add_index_root?(path) ? path + @index : @urls[path])
elsif @gzip && env['HTTP_ACCEPT_ENCODING'] && /\bgzip\b/.match?(env['HTTP_ACCEPT_ENCODING'])
--
2.46.0

37
rubygem-rack.spec
View File

@ -4,7 +4,7 @@
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Version: 2.2.4 Version: 2.2.4
Epoch: 1 Epoch: 1
Release: 11 Release: 6
Summary: A modular Ruby webserver interface Summary: A modular Ruby webserver interface
License: MIT and BSD License: MIT and BSD
URL: https://rack.github.io/ URL: https://rack.github.io/
@ -15,11 +15,6 @@ Patch2: Fix-CVE-2024-26141.patch
Patch3: Fix-CVE-2024-26146.patch Patch3: Fix-CVE-2024-26146.patch
Patch4: Fix-CVE-2024-25126.patch Patch4: Fix-CVE-2024-25126.patch
Patch5: Fix-CVE-2022-44570.patch Patch5: Fix-CVE-2022-44570.patch
Patch6: Fix-CVE-2022-44571.patch
Patch7: Fix-CVE-2022-44572.patch
Patch8: Fix-CVE-2025-27610.patch
Patch9: Fix-CVE-2025-27111.patch
Patch10: Fix-CVE-2025-25184.patch
BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 git BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 git
BuildRequires: memcached rubygem(memcache-client) rubygem(minitest) BuildRequires: memcached rubygem(memcache-client) rubygem(minitest)
BuildRequires: rubygem(memcache-client) BuildRequires: rubygem(memcache-client)
@ -108,36 +103,6 @@ popd
%doc %{gem_instdir}/contrib %doc %{gem_instdir}/contrib
%changelog %changelog
* Tue Mar 18 2025 changtao <changtao@kylinos.cn> - 1:2.2.4-11
- Type:CVE
- CVE:CVE-2025-25184
- SUG:NA
- DESC:fix CVE-2025-25184
* Thu Mar 13 2025 changtao <changtao@kylinos.cn> - 1:2.2.4-10
- Type:CVE
- CVE:CVE-2025-27111
- SUG:NA
- DESC:fix CVE-2025-27111
* Wed Mar 12 2025 changtao <changtao@kylinos.cn> - 1:2.2.4-9
- Type:CVE
- CVE:CVE-2025-27610
- SUG:NA
- DESC:fix CVE-2025-27610
* Thu Apr 11 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-8
- Type:CVES
- ID:CVE-2022-44572
- SUG:NA
- DESC:CVE-2022-44572
* Wed Apr 10 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-7
- Type:CVES
- ID:CVE-2022-44571
- SUG:NA
- DESC:CVE-2022-44571
* Tue Apr 09 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-6 * Tue Apr 09 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-6
- Type:CVES - Type:CVES
- ID:CVE-2022-44570 - ID:CVE-2022-44570