Hi,
attached are debdiffs for a ruby-rack DSA,
with the same fixes as in sid and buster.
cu
Adrian
diffstat for ruby-rack-2.1.4 ruby-rack-2.1.4
changelog | 10 +
patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch | 51
++++++++++
patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch | 46
+++++++++
patches/0003-Fixing-ReDoS-in-header-parsing.patch | 30 +++++
patches/series | 3
5 files changed, 140 insertions(+)
diff -Nru ruby-rack-2.1.4/debian/changelog ruby-rack-2.1.4/debian/changelog
--- ruby-rack-2.1.4/debian/changelog 2023-06-08 00:52:23.000000000 +0300
+++ ruby-rack-2.1.4/debian/changelog 2024-05-02 23:46:12.000000000 +0300
@@ -1,3 +1,13 @@
+ruby-rack (2.1.4-3+deb11u2) bullseye-security; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2024-25126: ReDoS in Content Type header parsing
+ * CVE-2024-26141: Reject Range headers which are too large
+ * CVE-2024-26146: ReDoS in Accept header parsing
+ * Closes: #1064516
+
+ -- Adrian Bunk <b...@debian.org> Thu, 02 May 2024 23:46:12 +0300
+
ruby-rack (2.1.4-3+deb11u1) bullseye-security; urgency=high
* Add patch to restrict broken mime parsing.
diff -Nru
ruby-rack-2.1.4/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch
ruby-rack-2.1.4/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch
---
ruby-rack-2.1.4/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch
1970-01-01 02:00:00.000000000 +0200
+++
ruby-rack-2.1.4/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch
2024-05-02 23:46:12.000000000 +0300
@@ -0,0 +1,51 @@
+From bad2b5be29349b285e08d343f060f7c18065d416 Mon Sep 17 00:00:00 2001
+From: Jean Boussier <jean.bouss...@gmail.com>
+Date: Wed, 6 Dec 2023 18:32:19 +0100
+Subject: Avoid 2nd degree polynomial regexp in MediaType
+
+---
+ lib/rack/media_type.rb | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/lib/rack/media_type.rb b/lib/rack/media_type.rb
+index 41937c99..7fc1e39d 100644
+--- a/lib/rack/media_type.rb
++++ b/lib/rack/media_type.rb
+@@ -4,7 +4,7 @@ module Rack
+ # Rack::MediaType parse media type and parameters out of content_type string
+
+ class MediaType
+- SPLIT_PATTERN = %r{\s*[;,]\s*}
++ SPLIT_PATTERN = /[;,]/
+
+ class << self
+ # The media type (type/subtype) portion of the CONTENT_TYPE header
+@@ -15,7 +15,11 @@ module Rack
+ # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7
+ def type(content_type)
+ return nil unless content_type
+- content_type.split(SPLIT_PATTERN, 2).first.tap &:downcase!
++ if type = content_type.split(SPLIT_PATTERN, 2).first
++ type.rstrip!
++ type.downcase!
++ type
++ end
+ end
+
+ # The media type parameters provided in CONTENT_TYPE as a Hash, or
+@@ -27,9 +31,10 @@ module Rack
+ return {} if content_type.nil?
+
+ content_type.split(SPLIT_PATTERN)[1..-1].each_with_object({}) do |s,
hsh|
++ s.strip!
+ k, v = s.split('=', 2)
+-
+- hsh[k.tap(&:downcase!)] = strip_doublequotes(v)
++ k.downcase!
++ hsh[k] = strip_doublequotes(v)
+ end
+ end
+
+--
+2.30.2
+
diff -Nru
ruby-rack-2.1.4/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch
ruby-rack-2.1.4/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch
---
ruby-rack-2.1.4/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch
1970-01-01 02:00:00.000000000 +0200
+++
ruby-rack-2.1.4/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch
2024-05-02 23:46:12.000000000 +0300
@@ -0,0 +1,46 @@
+From ef52af28b6ac43789fd8fc05df098b56f220f0fa Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <tenderl...@ruby-lang.org>
+Date: Tue, 13 Feb 2024 13:34:34 -0800
+Subject: Return an empty array when ranges are too large
+
+If the sum of the requested ranges is larger than the file itself,
+return an empty array. In other words, refuse to respond with any bytes.
+
+[CVE-2024-26141]
+---
+ lib/rack/utils.rb | 3 +++
+ test/spec_utils.rb | 4 ++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
+index 16457f90..87c2a946 100644
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -382,6 +382,9 @@ module Rack
+ end
+ ranges << (r0..r1) if r0 <= r1
+ end
++
++ return [] if ranges.map(&:size).sum > size
++
+ ranges
+ end
+ module_function :get_byte_ranges
+diff --git a/test/spec_utils.rb b/test/spec_utils.rb
+index 5fd92241..67b77b0d 100644
+--- a/test/spec_utils.rb
++++ b/test/spec_utils.rb
+@@ -548,6 +548,10 @@ describe Rack::Utils, "cookies" do
+ end
+
+ describe Rack::Utils, "byte_range" do
++ it "returns an empty list if the sum of the ranges is too large" do
++ assert_equal [], Rack::Utils.byte_ranges({ "HTTP_RANGE" =>
"bytes=0-20,0-500" }, 500)
++ end
++
+ it "ignore missing or syntactically invalid byte ranges" do
+ Rack::Utils.byte_ranges({}, 500).must_be_nil
+ Rack::Utils.byte_ranges({ "HTTP_RANGE" => "foobar" }, 500).must_be_nil
+--
+2.30.2
+
diff -Nru
ruby-rack-2.1.4/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch
ruby-rack-2.1.4/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch
--- ruby-rack-2.1.4/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch
1970-01-01 02:00:00.000000000 +0200
+++ ruby-rack-2.1.4/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch
2024-05-02 23:46:12.000000000 +0300
@@ -0,0 +1,30 @@
+From 78db2437b784e86027fe332bd61534fbde7040a6 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <tenderl...@ruby-lang.org>
+Date: Wed, 21 Feb 2024 11:05:06 -0800
+Subject: Fixing ReDoS in header parsing
+
+Thanks svalkanov
+
+[CVE-2024-26146]
+---
+ lib/rack/utils.rb | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
+index 87c2a946..900eaf60 100644
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -146,8 +146,8 @@ module Rack
+ module_function :build_nested_query
+
+ def q_values(q_value_header)
+- q_value_header.to_s.split(/\s*,\s*/).map do |part|
+- value, parameters = part.split(/\s*;\s*/, 2)
++ q_value_header.to_s.split(',').map do |part|
++ value, parameters = part.split(';', 2).map(&:strip)
+ quality = 1.0
+ if parameters && (md = /\Aq=([\d.]+)/.match(parameters))
+ quality = md[1].to_f
+--
+2.30.2
+
diff -Nru ruby-rack-2.1.4/debian/patches/series
ruby-rack-2.1.4/debian/patches/series
--- ruby-rack-2.1.4/debian/patches/series 2023-06-08 00:51:57.000000000
+0300
+++ ruby-rack-2.1.4/debian/patches/series 2024-05-02 23:46:12.000000000
+0300
@@ -7,3 +7,6 @@
CVE-2022-44572.patch
CVE-2023-27530.patch
CVE-2023-27539.patch
+0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch
+0002-Return-an-empty-array-when-ranges-are-too-large.patch
+0003-Fixing-ReDoS-in-header-parsing.patch
diffstat for ruby-rack-2.2.6.4 ruby-rack-2.2.6.4
changelog | 10 +
patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch | 51
++++++++++
patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch | 46
+++++++++
patches/0003-Fixing-ReDoS-in-header-parsing.patch | 30 +++++
patches/series | 3
5 files changed, 140 insertions(+)
diff -Nru ruby-rack-2.2.6.4/debian/changelog ruby-rack-2.2.6.4/debian/changelog
--- ruby-rack-2.2.6.4/debian/changelog 2023-03-23 22:02:43.000000000 +0200
+++ ruby-rack-2.2.6.4/debian/changelog 2024-05-02 23:39:36.000000000 +0300
@@ -1,3 +1,13 @@
+ruby-rack (2.2.6.4-1+deb12u1) bookworm-security; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2024-25126: ReDoS in Content Type header parsing
+ * CVE-2024-26141: Reject Range headers which are too large
+ * CVE-2024-26146: ReDoS in Accept header parsing
+ * Closes: #1064516
+
+ -- Adrian Bunk <b...@debian.org> Thu, 02 May 2024 23:39:36 +0300
+
ruby-rack (2.2.6.4-1) unstable; urgency=medium
* Team Upload
diff -Nru
ruby-rack-2.2.6.4/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch
ruby-rack-2.2.6.4/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch
---
ruby-rack-2.2.6.4/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch
1970-01-01 02:00:00.000000000 +0200
+++
ruby-rack-2.2.6.4/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch
2024-05-02 23:11:55.000000000 +0300
@@ -0,0 +1,51 @@
+From 0dd2a6314a1677ba38d2f94b18ecf21a5fbfaa1d Mon Sep 17 00:00:00 2001
+From: Jean Boussier <jean.bouss...@gmail.com>
+Date: Wed, 6 Dec 2023 18:32:19 +0100
+Subject: Avoid 2nd degree polynomial regexp in MediaType
+
+---
+ lib/rack/media_type.rb | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/lib/rack/media_type.rb b/lib/rack/media_type.rb
+index 41937c99..7fc1e39d 100644
+--- a/lib/rack/media_type.rb
++++ b/lib/rack/media_type.rb
+@@ -4,7 +4,7 @@ module Rack
+ # Rack::MediaType parse media type and parameters out of content_type string
+
+ class MediaType
+- SPLIT_PATTERN = %r{\s*[;,]\s*}
++ SPLIT_PATTERN = /[;,]/
+
+ class << self
+ # The media type (type/subtype) portion of the CONTENT_TYPE header
+@@ -15,7 +15,11 @@ module Rack
+ # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7
+ def type(content_type)
+ return nil unless content_type
+- content_type.split(SPLIT_PATTERN, 2).first.tap &:downcase!
++ if type = content_type.split(SPLIT_PATTERN, 2).first
++ type.rstrip!
++ type.downcase!
++ type
++ end
+ end
+
+ # The media type parameters provided in CONTENT_TYPE as a Hash, or
+@@ -27,9 +31,10 @@ module Rack
+ return {} if content_type.nil?
+
+ content_type.split(SPLIT_PATTERN)[1..-1].each_with_object({}) do |s,
hsh|
++ s.strip!
+ k, v = s.split('=', 2)
+-
+- hsh[k.tap(&:downcase!)] = strip_doublequotes(v)
++ k.downcase!
++ hsh[k] = strip_doublequotes(v)
+ end
+ end
+
+--
+2.30.2
+
diff -Nru
ruby-rack-2.2.6.4/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch
ruby-rack-2.2.6.4/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch
---
ruby-rack-2.2.6.4/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch
1970-01-01 02:00:00.000000000 +0200
+++
ruby-rack-2.2.6.4/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch
2024-05-02 23:11:55.000000000 +0300
@@ -0,0 +1,46 @@
+From ca18315cb37dffb378b56a64a6e0cefcb1df8fc0 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <tenderl...@ruby-lang.org>
+Date: Tue, 13 Feb 2024 13:34:34 -0800
+Subject: Return an empty array when ranges are too large
+
+If the sum of the requested ranges is larger than the file itself,
+return an empty array. In other words, refuse to respond with any bytes.
+
+[CVE-2024-26141]
+---
+ lib/rack/utils.rb | 3 +++
+ test/spec_utils.rb | 4 ++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
+index c8e61ea1..72700503 100644
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -380,6 +380,9 @@ module Rack
+ end
+ ranges << (r0..r1) if r0 <= r1
+ end
++
++ return [] if ranges.map(&:size).sum > size
++
+ ranges
+ end
+
+diff --git a/test/spec_utils.rb b/test/spec_utils.rb
+index 90676258..6b069914 100644
+--- a/test/spec_utils.rb
++++ b/test/spec_utils.rb
+@@ -590,6 +590,10 @@ describe Rack::Utils, "cookies" do
+ end
+
+ describe Rack::Utils, "byte_range" do
++ it "returns an empty list if the sum of the ranges is too large" do
++ assert_equal [], Rack::Utils.byte_ranges({ "HTTP_RANGE" =>
"bytes=0-20,0-500" }, 500)
++ end
++
+ it "ignore missing or syntactically invalid byte ranges" do
+ Rack::Utils.byte_ranges({}, 500).must_be_nil
+ Rack::Utils.byte_ranges({ "HTTP_RANGE" => "foobar" }, 500).must_be_nil
+--
+2.30.2
+
diff -Nru
ruby-rack-2.2.6.4/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch
ruby-rack-2.2.6.4/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch
--- ruby-rack-2.2.6.4/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch
1970-01-01 02:00:00.000000000 +0200
+++ ruby-rack-2.2.6.4/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch
2024-05-02 23:11:55.000000000 +0300
@@ -0,0 +1,30 @@
+From 3f0a5391ed7118f10bae56b369b2c525942f26c6 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <tenderl...@ruby-lang.org>
+Date: Wed, 21 Feb 2024 11:05:06 -0800
+Subject: Fixing ReDoS in header parsing
+
+Thanks svalkanov
+
+[CVE-2024-26146]
+---
+ lib/rack/utils.rb | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
+index 72700503..ccf39e30 100644
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -142,8 +142,8 @@ module Rack
+ end
+
+ def q_values(q_value_header)
+- q_value_header.to_s.split(/\s*,\s*/).map do |part|
+- value, parameters = part.split(/\s*;\s*/, 2)
++ q_value_header.to_s.split(',').map do |part|
++ value, parameters = part.split(';', 2).map(&:strip)
+ quality = 1.0
+ if parameters && (md = /\Aq=([\d.]+)/.match(parameters))
+ quality = md[1].to_f
+--
+2.30.2
+
diff -Nru ruby-rack-2.2.6.4/debian/patches/series
ruby-rack-2.2.6.4/debian/patches/series
--- ruby-rack-2.2.6.4/debian/patches/series 2023-03-23 22:02:43.000000000
+0200
+++ ruby-rack-2.2.6.4/debian/patches/series 2024-05-02 23:39:36.000000000
+0300
@@ -1,3 +1,6 @@
skip-random-failure.patch
0002-Make-tests-pass-on-hosts-that-have-no-ipv4-connectiv.patch
skip-unreadable-dir-test.patch
+0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch
+0002-Return-an-empty-array-when-ranges-are-too-large.patch
+0003-Fixing-ReDoS-in-header-parsing.patch
