Fix Denial of Service in CGI::Cookie.parse. (CVE-2025-27219)

Resolves: RHEL-86104
2025-04-11 15:23:47 +02:00 · 2025-04-11 15:23:47 +02:00 · 19da7dbf88
commit 19da7dbf88
parent 50e278ea0a
2 changed files with 36 additions and 1 deletions
--- a/ruby.spec
+++ b/ruby.spec
@ -22,7 +22,7 @@
 %endif


-%global release 164
+%global release 165
 %{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}

 # The RubyGems library has to stay out of Ruby directory tree, since the
@ -333,6 +333,9 @@ Patch74: ruby-3.2.0-Detect-compaction-support-during-runtime.patch
 # https://github.com/ruby/irb/pull/338
 # https://github.com/ruby/irb/commit/99d3aa979dffece1fab06a7d5ebff4ae5da50aae
 Patch75: rubygem-irb-1.4.2-Fix-already-initialized-constant-messages-from-require-in-scripts.patch
+# Fix Denial of Service in CGI::Cookie.parse. (CVE-2025-27219)
+# https://github.com/ruby/cgi/commit/2f8ec73bb3eb71c4cf13e735f2d696603de2f34b
+Patch76: rubygem-cgi-0.3.5.1-Fix-DoS-in-CGI-Cookie-parse-CVE-2025-27219.patch

 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Suggests: rubypick
@ -810,6 +813,7 @@ rm -rf ext/fiddle/libffi*
 %patch73 -p1
 %patch74 -p1
 %patch75 -p1
+%patch76 -p1

 # Instead of adjusting patch's directory, use the following form where
 # we first enter the correct directory, this allows more general application
@ -1592,6 +1596,10 @@ make runruby TESTRUN_SCRIPT=" \


 %changelog
+* Fri Apr 11 2025 Jarek Prokop <jprokop@redhat.com> - 3.0.7-165
+- Fix Denial of Service in CGI::Cookie.parse. (CVE-2025-27219)
+  Resolves: RHEL-86104
+
 * Thu Mar 06 2025 Jarek Prokop <jprokop@redhat.com> - 3.0.7-164
 - Undefine GC compaction methods on ppc64le.
  Resolves: RHEL-83136
--- a/rubygem-cgi-0.3.5.1-Fix-DoS-in-CGI-Cookie-parse-CVE-2025-27219.patch
+++ b/rubygem-cgi-0.3.5.1-Fix-DoS-in-CGI-Cookie-parse-CVE-2025-27219.patch
@ -0,0 +1,27 @@
+From fd8162a42ff3e4004b940030cfe34ce7a44a7e23 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Fri, 21 Feb 2025 16:01:17 +0900
+Subject: [PATCH] Use String#concat instead of String#+ for reducing cpu usage
+
+Co-authored-by: "Yusuke Endoh" <mame@ruby-lang.org>
+---
+ lib/cgi/cookie.rb | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/cgi/cookie.rb b/lib/cgi/cookie.rb
+index 1a9c1a82c1..7b8e761a94 100644
+--- a/lib/cgi/cookie.rb
+++ b/lib/cgi/cookie.rb
+@@ -190,9 +190,10 @@ def self.parse(raw_cookie)
+         values ||= ""
+         values = values.split('&').collect{|v| CGI.unescape(v,@@accept_charset) }
+         if cookies.has_key?(name)
+-          values = cookies[name].value + values
+          cookies[name].concat(values)
+        else
+          cookies[name] = Cookie.new(name, *values)
+         end
+-        cookies[name] = Cookie.new(name, *values)
+       end
+ 
+       cookies