From fe38b856f0cda5b2c609bf5f0e83ffeb9a3e08b2 Mon Sep 17 00:00:00 2001
From: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com>
Date: Wed, 2 Jul 2025 11:21:48 +0800
Subject: [PATCH] [CVE] CVE-2025-27221 to #19286 add patch to fix CVE-2025-27221
Project: TC2024080204
Signed-off-by: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com>
---
8-bugfix-for-CVE-2025-27221.patch | 53 ++++++++++++++++++++++++
9-bugfix-for-CVE-2025-27221.patch | 68 +++++++++++++++++++++++++++++++
ruby.spec | 7 +++-
3 files changed, 127 insertions(+), 1 deletion(-)
create mode 100644 8-bugfix-for-CVE-2025-27221.patch
create mode 100644 9-bugfix-for-CVE-2025-27221.patch
diff --git a/8-bugfix-for-CVE-2025-27221.patch b/8-bugfix-for-CVE-2025-27221.patch
new file mode 100644
index 0000000..d1c20a2
--- /dev/null
+++ b/8-bugfix-for-CVE-2025-27221.patch
@@ -0,0 +1,53 @@
+From 4263c0d15a582b46d75aac57cd26a47d33941a53 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA
+Date: Fri, 21 Feb 2025 16:29:36 +0900
+Subject: [PATCH] Truncate userinfo with URI#join, URI#merge and URI#+
+
+---
+ lib/uri/generic.rb | 6 +++++-
+ test/uri/test_generic.rb | 11 +++++++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
+index 69698c4..7d0b889 100644
+--- a/lib/uri/generic.rb
++++ b/lib/uri/generic.rb
+@@ -1141,7 +1141,11 @@ module URI
+ end
+
+ # RFC2396, Section 5.2, 7)
+- base.set_userinfo(rel.userinfo) if rel.userinfo
++ if rel.userinfo
++ base.set_userinfo(rel.userinfo)
++ else
++ base.set_userinfo(nil)
++ end
+ base.set_host(rel.host) if rel.host
+ base.set_port(rel.port) if rel.port
+ base.query = rel.query if rel.query
+diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
+index 3897c3d..30f9cbf 100644
+--- a/test/uri/test_generic.rb
++++ b/test/uri/test_generic.rb
+@@ -164,6 +164,17 @@ class URI::TestGeneric < Test::Unit::TestCase
+ # must be empty string to identify as path-abempty, not path-absolute
+ assert_equal('', url.host)
+ assert_equal('http:////example.com', url.to_s)
++
++ # sec-2957667
++ url = URI.parse('http://user:pass@example.com').merge('//example.net')
++ assert_equal('http://example.net', url.to_s)
++ assert_nil(url.userinfo)
++ url = URI.join('http://user:pass@example.com', '//example.net')
++ assert_equal('http://example.net', url.to_s)
++ assert_nil(url.userinfo)
++ url = URI.parse('http://user:pass@example.com') + '//example.net'
++ assert_equal('http://example.net', url.to_s)
++ assert_nil(url.userinfo)
+ end
+
+ def test_parse_scheme_with_symbols
+--
+2.33.0
+
+
diff --git a/9-bugfix-for-CVE-2025-27221.patch b/9-bugfix-for-CVE-2025-27221.patch
new file mode 100644
index 0000000..84996c8
--- /dev/null
+++ b/9-bugfix-for-CVE-2025-27221.patch
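Review bot: The two added patch files are cumulative rather than independent: the generic.rb header inside 9-bugfix-for-CVE-2025-27221.patch reads `index 7d0b889..f7eed57`, and `7d0b889` is exactly the blob this 8-bugfix patch produces, whose new `else base.set_userinfo(nil)` branch the second patch then removes again while moving the userinfo/host/port reset under its `if authority` branch. Nothing in either file records that ordering, so a maintainer who drops or renumbers Patch8 would get a reject on Patch9; a short comment in ruby.spec beside the Patch8/Patch9 lines, e.g. `# CVE-2025-27221: Patch9 applies on top of Patch8, keep this order`, would make the dependency explicit. The `# sec-2957667` assertions added to test_generic.rb here appear to remain valid after the second patch, since its retained `assert_nil(url.userinfo)` checks expect `base.set_userinfo(rel.userinfo)` with a nil userinfo to clear the base credentials, so the test additions are the lasting contribution of this file.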
@@ -0,0 +1,68 @@
+From 58adef476ef4b5e6deefaf92e7594ab29396c624 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA
+Date: Fri, 21 Feb 2025 18:16:28 +0900
+Subject: [PATCH] Fix merger of URI with authority component
+
+https://hackerone.com/reports/2957667
+
+Co-authored-by: Nobuyoshi Nakada
+---
+ lib/uri/generic.rb | 19 +++++++------------
+ test/uri/test_generic.rb | 7 +++++++
+ 2 files changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
+index 7d0b889..f7eed57 100644
+--- a/lib/uri/generic.rb
++++ b/lib/uri/generic.rb
+@@ -1133,21 +1133,16 @@ module URI
+ base.fragment=(nil)
+
+ # RFC2396, Section 5.2, 4)
+- if !authority
+- base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path
+- else
+- # RFC2396, Section 5.2, 4)
+- base.set_path(rel.path) if rel.path
++ if authority
++ base.set_userinfo(rel.userinfo)
++ base.set_host(rel.host)
++ base.set_port(rel.port || base.default_port)
++ base.set_path(rel.path)
++ elsif base.path && rel.path
++ base.set_path(merge_path(base.path, rel.path))
+ end
+
+ # RFC2396, Section 5.2, 7)
+- if rel.userinfo
+- base.set_userinfo(rel.userinfo)
+- else
+- base.set_userinfo(nil)
+- end
+- base.set_host(rel.host) if rel.host
+- base.set_port(rel.port) if rel.port
+ base.query = rel.query if rel.query
+ base.fragment=(rel.fragment) if rel.fragment
+
+diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
+index 30f9cbf..4b5e12c 100644
+--- a/test/uri/test_generic.rb
++++ b/test/uri/test_generic.rb
+@@ -267,6 +267,13 @@ class URI::TestGeneric < Test::Unit::TestCase
+ assert_equal(u0, u1)
+ end
+
++ def test_merge_authority
++ u = URI.parse('http://user:pass@example.com:8080')
++ u0 = URI.parse('http://new.example.org/path')
++ u1 = u.merge('//new.example.org/path')
++ assert_equal(u0, u1)
++ end
++
+ def test_route
+ url = URI.parse('http://hoge/a.html').route_to('http://hoge/b.html')
+ assert_equal('b.html', url.to_s)
+--
+2.33.0
+
+
diff --git a/ruby.spec b/ruby.spec
index a44d103..818ecac 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -1,4 +1,4 @@
-%define anolis_release 2
+%define anolis_release 3
 %global major_version 3
 %global minor_version 3
 %global teeny_version 7
@@ -104,6 +104,8 @@ Patch4: %{name}-2.1.0-custom-rubygems-location.patch
 Patch5: %{name}-2.7.0-Initialize-ABRT-hook.patch
 Patch6: %{name}-3.1.0-Don-t-query-RubyVM-FrozenCore-for-class-path.patch
 Patch7: %{name}-2.7.1-Timeout-the-test_bug_reporter_add-witout-raising-err.patch
+Patch8: 8-bugfix-for-CVE-2025-27221.patch
+Patch9: 9-bugfix-for-CVE-2025-27221.patch

 Suggests: rubypick
 Requires: %{name}-libs = %{version}-%{release}
@@ -1193,6 +1195,9 @@ rm -rf %{buildroot}%{gem_dir}/gems/rake-%{rake_version}/.github
 %{_datadir}/ri

 %changelog
+* Wed Jul 02 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 3.3.7-3
+- Fix CVE-2025-27221
+
 * Mon Apr 07 2025 Xiaoping Liu - 3.3.7-2
 - Fix ruby_version_dir macro error
--
Gitee
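Review bot: Patch8 and Patch9 are declared in the second hunk, but the `%prep` section is outside this diff, so whether they are actually applied depends on that section using `%autosetup`/`%autopatch` rather than explicit per-patch `%patch` lines; if it is the latter, matching `%patch -P8` and `%patch -P9` lines are missing and 3.3.7-3 would build and ship without the fix while the changelog claims it. Please confirm against `%prep`, and consider a comment above the new lines, `# CVE-2025-27221 (hackerone 2957667), upstream 4263c0d and 58adef4; Patch9 depends on Patch8`, so the origin and required order survive the next rebase. The changelog entry `- Fix CVE-2025-27221` in the third hunk could carry the same upstream commit ids for traceability.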