rpms/ruby
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix Denial of Service in CGI::Cookie.parse. (CVE-2025-27219)

Browse Source 
Resolves: RHEL-86104
This commit is contained in:
Jarek Prokop 2025-04-11 15:23:47 +02:00
parent 50e278ea0a
commit 19da7dbf88
2 changed files with 36 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
ruby.spec
View File

@ -22,7 +22,7 @@
%endif %endif
%global release 164 %global release 165
%{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} %{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
# The RubyGems library has to stay out of Ruby directory tree, since the # The RubyGems library has to stay out of Ruby directory tree, since the
@ -333,6 +333,9 @@ Patch74: ruby-3.2.0-Detect-compaction-support-during-runtime.patch
# https://github.com/ruby/irb/pull/338 # https://github.com/ruby/irb/pull/338
# https://github.com/ruby/irb/commit/99d3aa979dffece1fab06a7d5ebff4ae5da50aae # https://github.com/ruby/irb/commit/99d3aa979dffece1fab06a7d5ebff4ae5da50aae
Patch75: rubygem-irb-1.4.2-Fix-already-initialized-constant-messages-from-require-in-scripts.patch Patch75: rubygem-irb-1.4.2-Fix-already-initialized-constant-messages-from-require-in-scripts.patch
# Fix Denial of Service in CGI::Cookie.parse. (CVE-2025-27219)
# https://github.com/ruby/cgi/commit/2f8ec73bb3eb71c4cf13e735f2d696603de2f34b
Patch76: rubygem-cgi-0.3.5.1-Fix-DoS-in-CGI-Cookie-parse-CVE-2025-27219.patch
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Suggests: rubypick Suggests: rubypick
@ -810,6 +813,7 @@ rm -rf ext/fiddle/libffi*
%patch73 -p1 %patch73 -p1
%patch74 -p1 %patch74 -p1
%patch75 -p1 %patch75 -p1
%patch76 -p1
# Instead of adjusting patch's directory, use the following form where # Instead of adjusting patch's directory, use the following form where
# we first enter the correct directory, this allows more general application # we first enter the correct directory, this allows more general application
@ -1592,6 +1596,10 @@ make runruby TESTRUN_SCRIPT=" \
%changelog %changelog
* Fri Apr 11 2025 Jarek Prokop <jprokop@redhat.com> - 3.0.7-165
- Fix Denial of Service in CGI::Cookie.parse. (CVE-2025-27219)
Resolves: RHEL-86104
* Thu Mar 06 2025 Jarek Prokop <jprokop@redhat.com> - 3.0.7-164 * Thu Mar 06 2025 Jarek Prokop <jprokop@redhat.com> - 3.0.7-164
- Undefine GC compaction methods on ppc64le. - Undefine GC compaction methods on ppc64le.
Resolves: RHEL-83136 Resolves: RHEL-83136

27
rubygem-cgi-0.3.5.1-Fix-DoS-in-CGI-Cookie-parse-CVE-2025-27219.patch Normal file
View File

@ -0,0 +1,27 @@
From fd8162a42ff3e4004b940030cfe34ce7a44a7e23 Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
Date: Fri, 21 Feb 2025 16:01:17 +0900
Subject: [PATCH] Use String#concat instead of String#+ for reducing cpu usage
Co-authored-by: "Yusuke Endoh" <mame@ruby-lang.org>
---
lib/cgi/cookie.rb | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/cgi/cookie.rb b/lib/cgi/cookie.rb
index 1a9c1a82c1..7b8e761a94 100644
--- a/lib/cgi/cookie.rb
+++ b/lib/cgi/cookie.rb
@@ -190,9 +190,10 @@ def self.parse(raw_cookie)
values ||= ""
values = values.split('&').collect{|v| CGI.unescape(v,@@accept_charset) }
if cookies.has_key?(name)
- values = cookies[name].value + values
+ cookies[name].concat(values)
+ else
+ cookies[name] = Cookie.new(name, *values)
end
- cookies[name] = Cookie.new(name, *values)
end
cookies