Control: tags 1064516 + patch
Control: tags 1064516 + pending

Dear maintainer,

I've prepared an NMU for ruby-rack (versioned as 2.2.7-1.1) and uploaded 
it to DELAYED/2. Please feel free to tell me if I should cancel it.

cu
Adrian

diffstat for ruby-rack-2.2.7 ruby-rack-2.2.7

 changelog                                                          |   10 +
 patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch |   51 ++++++++++
 patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch |   46 +++++++++
 patches/0003-Fixing-ReDoS-in-header-parsing.patch                  |   30 +++++
 patches/series                                                     |    3 
 5 files changed, 140 insertions(+)

diff -Nru ruby-rack-2.2.7/debian/changelog ruby-rack-2.2.7/debian/changelog
--- ruby-rack-2.2.7/debian/changelog	2023-07-10 17:32:41.000000000 +0300
+++ ruby-rack-2.2.7/debian/changelog	2024-05-02 22:55:26.000000000 +0300
@@ -1,3 +1,13 @@
+ruby-rack (2.2.7-1.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * CVE-2024-25126: ReDoS in Content Type header parsing
+  * CVE-2024-26141: Reject Range headers which are too large
+  * CVE-2024-26146: ReDoS in Accept header parsing
+  * Closes: #1064516
+
+ -- Adrian Bunk <b...@debian.org>  Thu, 02 May 2024 22:55:26 +0300
+
 ruby-rack (2.2.7-1) unstable; urgency=medium
 
   * Team Upload
diff -Nru ruby-rack-2.2.7/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch ruby-rack-2.2.7/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch
--- ruby-rack-2.2.7/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch	1970-01-01 02:00:00.000000000 +0200
+++ ruby-rack-2.2.7/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch	2024-05-02 22:55:26.000000000 +0300
@@ -0,0 +1,51 @@
+From e5c0e03f70624433d7132a5eb039f5f04787d20c Mon Sep 17 00:00:00 2001
+From: Jean Boussier <jean.bouss...@gmail.com>
+Date: Wed, 6 Dec 2023 18:32:19 +0100
+Subject: Avoid 2nd degree polynomial regexp in MediaType
+
+---
+ lib/rack/media_type.rb | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/lib/rack/media_type.rb b/lib/rack/media_type.rb
+index 41937c99..7fc1e39d 100644
+--- a/lib/rack/media_type.rb
++++ b/lib/rack/media_type.rb
+@@ -4,7 +4,7 @@ module Rack
+   # Rack::MediaType parse media type and parameters out of content_type string
+ 
+   class MediaType
+-    SPLIT_PATTERN = %r{\s*[;,]\s*}
++    SPLIT_PATTERN = /[;,]/
+ 
+     class << self
+       # The media type (type/subtype) portion of the CONTENT_TYPE header
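Review bot: the new `SPLIT_PATTERN = /[;,]/` drops the `\s*` on both sides of the separator class, which is what let the old pattern backtrack quadratically on a long run of spaces containing no `;` or `,`, but it also means the constant no longer trims whitespace for its callers. A one-line comment on the constant saying that callers must strip each piece themselves would stop the next editor from reintroducing `\s*` here; both users in this file (`type` and `params`) are adjusted in the following hunks.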
+@@ -15,7 +15,11 @@ module Rack
+       # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7
+       def type(content_type)
+         return nil unless content_type
+-        content_type.split(SPLIT_PATTERN, 2).first.tap &:downcase!
++        if type = content_type.split(SPLIT_PATTERN, 2).first
++          type.rstrip!
++          type.downcase!
++          type
++        end
+       end
+ 
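Review bot: the `if type = ...` guard changes behaviour for an empty `content_type` string: `"".split(SPLIT_PATTERN, 2).first` is nil, so the method now returns nil where the old `nil.tap &:downcase!` raised NoMethodError. That is an improvement, but it is neither documented nor tested in this patch (0002 ships a test, this one does not); specs for `type("")`, `type("text/html ")` and `type("TEXT/HTML; charset=utf-8")` would pin the new behaviour. Using `rstrip!` rather than `strip!` is consistent with the old pattern, which never trimmed leading whitespace of the first piece either.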
+       # The media type parameters provided in CONTENT_TYPE as a Hash, or
+@@ -27,9 +31,10 @@ module Rack
+         return {} if content_type.nil?
+ 
+         content_type.split(SPLIT_PATTERN)[1..-1].each_with_object({}) do |s, hsh|
++          s.strip!
+           k, v = s.split('=', 2)
+-
+-          hsh[k.tap(&:downcase!)] = strip_doublequotes(v)
++          k.downcase!
++          hsh[k] = strip_doublequotes(v)
+         end
+       end
+ 
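Review bot: this hunk regresses on a trailing separator followed by whitespace, e.g. `"text/html; "`. The old `\s*[;,]\s*` pattern consumed the whole `"; "`, `split` dropped the trailing empty piece, and `params` returned `{}`; the new pattern yields `["text/html", " "]`, `s.strip!` turns `" "` into `""`, `"".split('=', 2)` is `[]`, so `k` is nil and `k.downcase!` raises NoMethodError on a request header. A `next if s.empty?` right after `s.strip!` restores the old result and also covers the pre-existing crash on an empty middle piece such as `"text/html;;charset=utf-8"`, where the old `k.tap(&:downcase!)` failed the same way.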
+-- 
+2.30.2
+
diff -Nru ruby-rack-2.2.7/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch ruby-rack-2.2.7/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch
--- ruby-rack-2.2.7/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch	1970-01-01 02:00:00.000000000 +0200
+++ ruby-rack-2.2.7/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch	2024-05-02 22:55:26.000000000 +0300
@@ -0,0 +1,46 @@
+From e4a334bba45d1f66499973d65ba4db2679129153 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <tenderl...@ruby-lang.org>
+Date: Tue, 13 Feb 2024 13:34:34 -0800
+Subject: Return an empty array when ranges are too large
+
+If the sum of the requested ranges is larger than the file itself,
+return an empty array. In other words, refuse to respond with any bytes.
+
+[CVE-2024-26141]
+---
+ lib/rack/utils.rb  | 3 +++
+ test/spec_utils.rb | 4 ++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
+index c8e61ea1..72700503 100644
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -380,6 +380,9 @@ module Rack
+         end
+         ranges << (r0..r1)  if r0 <= r1
+       end
++
++      return [] if ranges.map(&:size).sum > size
++
+       ranges
+     end
+ 
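Review bot: the new check has no comment, and the contract of the `[]` return value should be stated: `byte_ranges` already returns nil for a missing or unparsable header, and `[]` is a different signal (parsed but unsatisfiable), so every caller must map `[]` to 416 rather than to "serve the whole file", otherwise this refusal does nothing. Summing `Range#size` also rejects overlapping ranges (the test's `0-20,0-500` sums to 522 bytes for a 500-byte file), which matches the intent in the commit message, but a comment saying that overlap counts against the budget would help; `>` rather than `>=` correctly still admits ranges that cover the file exactly once.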
+diff --git a/test/spec_utils.rb b/test/spec_utils.rb
+index 90676258..6b069914 100644
+--- a/test/spec_utils.rb
++++ b/test/spec_utils.rb
+@@ -590,6 +590,10 @@ describe Rack::Utils, "cookies" do
+ end
+ 
+ describe Rack::Utils, "byte_range" do
++  it "returns an empty list if the sum of the ranges is too large" do
++    assert_equal [], Rack::Utils.byte_ranges({ "HTTP_RANGE" => "bytes=0-20,0-500" }, 500)
++  end
++
+   it "ignore missing or syntactically invalid byte ranges" do
+     Rack::Utils.byte_ranges({}, 500).must_be_nil
+     Rack::Utils.byte_ranges({ "HTTP_RANGE" => "foobar" }, 500).must_be_nil
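Review bot: the single case covers only the overlapping reject path; add a boundary case showing that non-overlapping ranges summing to exactly the file size are still accepted (e.g. `"bytes=0-249,250-499"` with size 500 should return two ranges) and a small single range showing the normal path is unaffected. Style: the surrounding specs use minitest's `must_*` expectations (`must_be_nil` just below) while the new test uses `assert_equal`; `.must_equal []` would match the file.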
+-- 
+2.30.2
+
diff -Nru ruby-rack-2.2.7/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch ruby-rack-2.2.7/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch
--- ruby-rack-2.2.7/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch	1970-01-01 02:00:00.000000000 +0200
+++ ruby-rack-2.2.7/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch	2024-05-02 22:55:26.000000000 +0300
@@ -0,0 +1,30 @@
+From 2ff4d1f73abd49d6d7ad20842bf6798aac4eb174 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <tenderl...@ruby-lang.org>
+Date: Wed, 21 Feb 2024 11:05:06 -0800
+Subject: Fixing ReDoS in header parsing
+
+Thanks svalkanov
+
+[CVE-2024-26146]
+---
+ lib/rack/utils.rb | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
+index 72700503..ccf39e30 100644
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -142,8 +142,8 @@ module Rack
+     end
+ 
+     def q_values(q_value_header)
+-      q_value_header.to_s.split(/\s*,\s*/).map do |part|
+-        value, parameters = part.split(/\s*;\s*/, 2)
++      q_value_header.to_s.split(',').map do |part|
++        value, parameters = part.split(';', 2).map(&:strip)
+         quality = 1.0
+         if parameters && (md = /\Aq=([\d.]+)/.match(parameters))
+           quality = md[1].to_f
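Review bot: the hunk carries no test and no explanation of why literal-string splits replace the regexes; a spec with an Accept header padded by a few thousand spaces (the old `\s*,\s*` pattern backtracked quadratically on it, the new code is linear) would keep the fix from being undone by a later "cleanup". The `.map(&:strip)` on the `;`-split result is equivalent to the old per-separator `\s*` for well-formed input; `parameters` can still be nil when there is no `;`, which the `if parameters &&` guard on the next line already handles, and `value` is `""` for an empty part such as the middle of `"a,,b"`, exactly as before.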
+-- 
+2.30.2
+
diff -Nru ruby-rack-2.2.7/debian/patches/series ruby-rack-2.2.7/debian/patches/series
--- ruby-rack-2.2.7/debian/patches/series	2023-07-10 17:32:41.000000000 +0300
+++ ruby-rack-2.2.7/debian/patches/series	2024-05-02 22:55:26.000000000 +0300
@@ -1,3 +1,6 @@
 skip-random-failure.patch
 0002-Make-tests-pass-on-hosts-that-have-no-ipv4-connectiv.patch
 skip-unreadable-dir-test.patch
+0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch
+0002-Return-an-empty-array-when-ranges-are-too-large.patch
+0003-Fixing-ReDoS-in-header-parsing.patch
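Review bot: the new `0002-Return-an-empty-array-when-ranges-are-too-large.patch` reuses the `0002` prefix already taken by `0002-Make-tests-pass-on-hosts-that-have-no-ipv4-connectiv.patch`; quilt keys on the full filename so nothing breaks, but two `0002` entries invite confusion when refreshing or reordering the series. Naming the three new patches after their CVE ids (e.g. `CVE-2024-26141.patch`, the ids are in the changelog) or continuing the existing numbering would avoid it.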