!92 [sync] PR-87: fix CVE-2025-25184

From: @openeuler-sync-bot 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git

Fix-CVE-2022-44571.patch

@@ -0,0 +1,31 @@
+From ee25ab9a7ee981d7578f559701085b0cf39bde77 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <tenderlove@ruby-lang.org>
+Date: Tue, 17 Jan 2023 12:14:29 -0800
+Subject: [PATCH] Fix ReDoS vulnerability in multipart parser
+
+This commit fixes a ReDoS vulnerability when parsing the
+Content-Disposition field in multipart attachments
+
+Thanks to @ooooooo_q for the patch!
+
+[CVE-2022-44571]
+---
+ lib/rack/multipart.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb
+index 7695fe76..fdae808a 100644
+--- a/lib/rack/multipart.rb
++++ b/lib/rack/multipart.rb
+@@ -18,7 +18,7 @@ module Rack
+     VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
+     BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
+     MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
+-    MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni
++    MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
+     MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
+     # Updated definitions from RFC 2231
+     ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
+-- 
+2.25.1
+

Fix-CVE-2022-44572.patch

@@ -0,0 +1,48 @@
+From 19e49f0f185d7e42ed5b402baec6c897a8c48029 Mon Sep 17 00:00:00 2001
+From: John Hawthorn <john@hawthorn.email>
+Date: Wed, 3 Aug 2022 00:19:56 -0700
+Subject: [PATCH] Forbid control characters in attributes
+
+This commit restricts the characters accepted in ATTRIBUTE_CHAR,
+forbidding control characters and fixing a ReDOS vulnerability.
+
+This also now should fully follow the RFCs.
+
+RFC 2231, Section 7 specifies:
+
+    attribute-char := <any (US-ASCII) CHAR except SPACE, CTLs,
+                         "*", "'", "%", or tspecials>
+
+RFC 2045, Appendix A specifies:
+
+    tspecials :=  "(" / ")" / "<" / ">" / "@" /
+                  "," / ";" / ":" / "\" / <">
+                  "/" / "[" / "]" / "?" / "="
+
+RFC 822, Section 3.3 specifies:
+
+    CTL         =  <any ASCII control           ; (  0- 37,  0.- 31.)
+                    character and DEL>          ; (    177,     127.)
+    SPACE       =  <ASCII SP, space>            ; (     40,      32.)
+
+[CVE-2022-44572]
+---
+ lib/rack/multipart.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb
+index 10f8e5fa..7695fe76 100644
+--- a/lib/rack/multipart.rb
++++ b/lib/rack/multipart.rb
+@@ -21,7 +21,7 @@ module Rack
+     MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
+     MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
+     # Updated definitions from RFC 2231
+-    ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
++    ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
+     ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
+     SECTION = /\*[0-9]+/
+     REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/
+-- 
+2.25.1
+

Fix-CVE-2025-25184.patch

@@ -0,0 +1,34 @@
+From 074ae244430cda05c27ca91cda699709cfb3ad8e Mon Sep 17 00:00:00 2001
+From: Jeremy Evans <code@jeremyevans.net>
+Date: Tue, 11 Feb 2025 19:10:05 -0800
+Subject: [PATCH] Escape non-printable characters when logging.
+---
+ lib/rack/common_logger.rb | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/rack/common_logger.rb b/lib/rack/common_logger.rb
+index 9c6f921..68399c7 100644
+--- a/lib/rack/common_logger.rb
++++ b/lib/rack/common_logger.rb
+@@ -15,7 +15,7 @@ module Rack
+     # The actual format is slightly different than the above due to the
+     # separation of SCRIPT_NAME and PATH_INFO, and because the elapsed
+     # time in seconds is included at the end.
+-    FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f\n}
++    FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f }
+ 
+     # +logger+ can be any object that supports the +write+ or +<<+ methods,
+     # which includes the standard library Logger.  These methods are called
+@@ -60,7 +60,8 @@ module Rack
+         length,
+         Utils.clock_time - began_at ]
+ 
+-      msg.gsub!(/[^[:print:]\n]/) { |c| "\\x#{c.ord}" }
++      msg.gsub!(/[^[:print:]]/) { |c| sprintf("\\x%x", c.ord) }
++      msg[-1] = "\n"
+ 
+       logger = @logger || env[RACK_ERRORS]
+ 
+-- 
+2.46.0
+

Fix-CVE-2025-27111.patch

@@ -0,0 +1,24 @@
+From 803aa221e8302719715e224f4476e438f2531a53 Mon Sep 17 00:00:00 2001
+From: Samuel Williams <samuel.williams@oriontransfer.co.nz>
+Date: Sat, 22 Feb 2025 16:37:33 +1300
+Subject: [PATCH] Use `#inspect` to prevent log injection.
+---
+ lib/rack/sendfile.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/rack/sendfile.rb b/lib/rack/sendfile.rb
+index 3d5e786..0b7b2f2 100644
+--- a/lib/rack/sendfile.rb
++++ b/lib/rack/sendfile.rb
+@@ -133,7 +133,7 @@ module Rack
+           end
+         when '', nil
+         else
+-          env[RACK_ERRORS].puts "Unknown x-sendfile variation: '#{type}'.\n"
++          env[RACK_ERRORS].puts "Unknown x-sendfile variation: #{type.inspect}"
+         end
+       end
+       [status, headers, body]
+-- 
+2.46.0
+

Fix-CVE-2025-27610.patch

@@ -0,0 +1,28 @@
+From 50caab74fa01ee8f5dbdee7bb2782126d20c6583 Mon Sep 17 00:00:00 2001
+From: Samuel Williams <samuel.williams@oriontransfer.co.nz>
+Date: Sat, 8 Mar 2025 11:13:39 +1300
+Subject: [PATCH] Use a fully resolved file path when confirming if a file can
+ be served by `Rack::Static`.
+
+---
+ lib/rack/static.rb | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/rack/static.rb b/lib/rack/static.rb
+index 8cb58b2..0ea78a1 100644
+--- a/lib/rack/static.rb
++++ b/lib/rack/static.rb
+@@ -122,8 +122,9 @@ module Rack
+ 
+     def call(env)
+       path = env[PATH_INFO]
++      actual_path = Utils.clean_path_info(Utils.unescape_path(path))
+ 
+-      if can_serve(path)
++      if can_serve(actual_path)
+         if overwrite_file_path(path)
+           env[PATH_INFO] = (add_index_root?(path) ? path + @index : @urls[path])
+         elsif @gzip && env['HTTP_ACCEPT_ENCODING'] && /\bgzip\b/.match?(env['HTTP_ACCEPT_ENCODING'])
+-- 
+2.46.0
+

rubygem-rack.spec

@@ -4,7 +4,7 @@
 Name:    rubygem-%{gem_name}
 Version: 2.2.4
 Epoch:   1
-Release: 6
+Release: 11
 Summary: A modular Ruby webserver interface
 License: MIT and BSD
 URL:     https://rack.github.io/
@@ -15,6 +15,11 @@ Patch2: Fix-CVE-2024-26141.patch
 Patch3: Fix-CVE-2024-26146.patch
 Patch4: Fix-CVE-2024-25126.patch
 Patch5: Fix-CVE-2022-44570.patch
+Patch6: Fix-CVE-2022-44571.patch
+Patch7: Fix-CVE-2022-44572.patch
+Patch8: Fix-CVE-2025-27610.patch
+Patch9: Fix-CVE-2025-27111.patch
+Patch10: Fix-CVE-2025-25184.patch
 BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 git
 BuildRequires: memcached rubygem(memcache-client) rubygem(minitest)
 BuildRequires: rubygem(memcache-client)
@@ -103,6 +108,36 @@ popd
 %doc %{gem_instdir}/contrib
 
 %changelog
+* Tue Mar 18 2025 changtao <changtao@kylinos.cn> - 1:2.2.4-11
+- Type:CVE
+- CVE:CVE-2025-25184
+- SUG:NA
+- DESC:fix CVE-2025-25184
+
+* Thu Mar 13 2025 changtao <changtao@kylinos.cn> - 1:2.2.4-10
+- Type:CVE
+- CVE:CVE-2025-27111
+- SUG:NA
+- DESC:fix CVE-2025-27111
+
+* Wed Mar 12 2025 changtao <changtao@kylinos.cn> - 1:2.2.4-9
+- Type:CVE
+- CVE:CVE-2025-27610
+- SUG:NA
+- DESC:fix CVE-2025-27610
+
+* Thu Apr 11 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-8
+- Type:CVES
+- ID:CVE-2022-44572
+- SUG:NA
+- DESC:CVE-2022-44572
+
+* Wed Apr 10 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-7
+- Type:CVES
+- ID:CVE-2022-44571
+- SUG:NA
+- DESC:CVE-2022-44571
+
 * Tue Apr 09 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-6
 - Type:CVES
 - ID:CVE-2022-44570