Control: tags 1064516 + patch
Control: tags 1064516 + pending

Dear maintainer,
I've prepared an NMU for ruby-rack (versioned as 2.2.7-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it. cu Adrian
diffstat for ruby-rack-2.2.7 ruby-rack-2.2.7 changelog | 10 + patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch | 51 ++++++++++ patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch | 46 +++++++++ patches/0003-Fixing-ReDoS-in-header-parsing.patch | 30 +++++ patches/series | 3 5 files changed, 140 insertions(+)
diff -Nru ruby-rack-2.2.7/debian/changelog ruby-rack-2.2.7/debian/changelog
--- ruby-rack-2.2.7/debian/changelog 2023-07-10 17:32:41.000000000 +0300
+++ ruby-rack-2.2.7/debian/changelog 2024-05-02 22:55:26.000000000 +0300
@@ -1,3 +1,13 @@
+ruby-rack (2.2.7-1.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * CVE-2024-25126: ReDoS in Content Type header parsing
+ * CVE-2024-26141: Reject Range headers which are too large
+ * CVE-2024-26146: ReDoS in Accept header parsing
+ * Closes: #1064516
+
+ -- Adrian Bunk <b...@debian.org> Thu, 02 May 2024 22:55:26 +0300
+
 ruby-rack (2.2.7-1) unstable; urgency=medium
 
 * Team Upload
diff -Nru ruby-rack-2.2.7/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch ruby-rack-2.2.7/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch
--- ruby-rack-2.2.7/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch 1970-01-01 02:00:00.000000000 +0200
+++ ruby-rack-2.2.7/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch 2024-05-02 22:55:26.000000000 +0300
@@ -0,0 +1,51 @@
+From e5c0e03f70624433d7132a5eb039f5f04787d20c Mon Sep 17 00:00:00 2001
+From: Jean Boussier <jean.bouss...@gmail.com>
+Date: Wed, 6 Dec 2023 18:32:19 +0100
+Subject: Avoid 2nd degree polynomial regexp in MediaType
+
+---
+ lib/rack/media_type.rb | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/lib/rack/media_type.rb b/lib/rack/media_type.rb
+index 41937c99..7fc1e39d 100644
+--- a/lib/rack/media_type.rb
++++ b/lib/rack/media_type.rb
+@@ -4,7 +4,7 @@ module Rack
+ # Rack::MediaType parse media type and parameters out of content_type string
+ 
+ class MediaType
+- SPLIT_PATTERN = %r{\s*[;,]\s*}
++ SPLIT_PATTERN = /[;,]/
+ 
+ class << self
+ # The media type (type/subtype) portion of the CONTENT_TYPE header
+@@ -15,7 +15,11 @@ module Rack
+ # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7
+ def type(content_type)
+ return nil unless content_type
+- content_type.split(SPLIT_PATTERN, 2).first.tap &:downcase!
++ if type = content_type.split(SPLIT_PATTERN, 2).first
++ type.rstrip!
++ type.downcase!
++ type
++ end
+ end
+ 
+ # The media type parameters provided in CONTENT_TYPE as a Hash, or
+@@ -27,9 +31,10 @@ module Rack
+ return {} if content_type.nil?
+ 
+ content_type.split(SPLIT_PATTERN)[1..-1].each_with_object({}) do |s, hsh|
++ s.strip!
+ k, v = s.split('=', 2)
+-
+- hsh[k.tap(&:downcase!)] = strip_doublequotes(v)
++ k.downcase!
++ hsh[k] = strip_doublequotes(v)
+ end
+ end
+ 
+-- 
+2.30.2
+
diff -Nru ruby-rack-2.2.7/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch ruby-rack-2.2.7/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch
--- ruby-rack-2.2.7/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch 1970-01-01 02:00:00.000000000 +0200
+++ ruby-rack-2.2.7/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch 2024-05-02 22:55:26.000000000 +0300
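Review bot: In the `params` hunk, `k.downcase!` still raises NoMethodError for an empty parameter segment — a Content-Type such as `text/html;;charset=utf-8` or `text/html; ;charset=utf-8` makes `s` empty after `s.strip!`, `"".split('=', 2)` returns `[]`, and `k` is nil. The previous `k.tap(&:downcase!)` had the same gap, so the commit does not introduce it, but a hardening patch for this parser is the natural place to close it with `next if s.empty?` directly after `s.strip!`, so a malformed header yields a partial hash instead of an exception. The `type` hunk already handles the analogous empty-string case via its `if type = ...` guard, so only `params` is affected. The `def params(content_type)` line lies outside the hunk.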
@@ -0,0 +1,46 @@
+From e4a334bba45d1f66499973d65ba4db2679129153 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <tenderl...@ruby-lang.org>
+Date: Tue, 13 Feb 2024 13:34:34 -0800
+Subject: Return an empty array when ranges are too large
+
+If the sum of the requested ranges is larger than the file itself,
+return an empty array. In other words, refuse to respond with any bytes.
+
+[CVE-2024-26141]
+---
+ lib/rack/utils.rb | 3 +++
+ test/spec_utils.rb | 4 ++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
+index c8e61ea1..72700503 100644
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -380,6 +380,9 @@ module Rack
+ end
+ ranges << (r0..r1) if r0 <= r1
+ end
++
++ return [] if ranges.map(&:size).sum > size
++
+ ranges
+ end
+ 
+diff --git a/test/spec_utils.rb b/test/spec_utils.rb
+index 90676258..6b069914 100644
+--- a/test/spec_utils.rb
++++ b/test/spec_utils.rb
+@@ -590,6 +590,10 @@ describe Rack::Utils, "cookies" do
+ end
+ 
+ describe Rack::Utils, "byte_range" do
++ it "returns an empty list if the sum of the ranges is too large" do
++ assert_equal [], Rack::Utils.byte_ranges({ "HTTP_RANGE" => "bytes=0-20,0-500" }, 500)
++ end
++
+ it "ignore missing or syntactically invalid byte ranges" do
+ Rack::Utils.byte_ranges({}, 500).must_be_nil
+ Rack::Utils.byte_ranges({ "HTTP_RANGE" => "foobar" }, 500).must_be_nil
+-- 
+2.30.2
+
diff -Nru ruby-rack-2.2.7/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch ruby-rack-2.2.7/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch
--- ruby-rack-2.2.7/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch 1970-01-01 02:00:00.000000000 +0200
+++ ruby-rack-2.2.7/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch 2024-05-02 22:55:26.000000000 +0300
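Review bot: The new spec in `test/spec_utils.rb` uses `assert_equal [], ...` while the neighbouring `byte_range` examples are written in minitest expectation style (`.must_be_nil`); for consistency it should read `Rack::Utils.byte_ranges({ "HTTP_RANGE" => "bytes=0-20,0-500" }, 500).must_equal []`. The new early return in `lib/rack/utils.rb` also deserves a why-comment, because `[]` and `nil` are presumably distinguished by callers — the spec below returns `nil` for missing or unparsable headers, whereas `[]` now marks a syntactically valid request that is refused outright: `# Refuse every byte when the requested ranges together exceed the entity size (CVE-2024-26141).` The summed check counts overlapping ranges separately, which is what the commit intends, but worth stating in that comment so nobody later "fixes" it to a union. The `def` line of the enclosing method is outside the hunk.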
@@ -0,0 +1,30 @@
+From 2ff4d1f73abd49d6d7ad20842bf6798aac4eb174 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <tenderl...@ruby-lang.org>
+Date: Wed, 21 Feb 2024 11:05:06 -0800
+Subject: Fixing ReDoS in header parsing
+
+Thanks svalkanov
+
+[CVE-2024-26146]
+---
+ lib/rack/utils.rb | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
+index 72700503..ccf39e30 100644
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -142,8 +142,8 @@ module Rack
+ end
+ 
+ def q_values(q_value_header)
+- q_value_header.to_s.split(/\s*,\s*/).map do |part|
+- value, parameters = part.split(/\s*;\s*/, 2)
++ q_value_header.to_s.split(',').map do |part|
++ value, parameters = part.split(';', 2).map(&:strip)
+ quality = 1.0
+ if parameters && (md = /\Aq=([\d.]+)/.match(parameters))
+ quality = md[1].to_f
+-- 
+2.30.2
+
diff -Nru ruby-rack-2.2.7/debian/patches/series ruby-rack-2.2.7/debian/patches/series
--- ruby-rack-2.2.7/debian/patches/series 2023-07-10 17:32:41.000000000 +0300
+++ ruby-rack-2.2.7/debian/patches/series 2024-05-02 22:55:26.000000000 +0300
@@ -1,3 +1,6 @@
 skip-random-failure.patch
 0002-Make-tests-pass-on-hosts-that-have-no-ipv4-connectiv.patch
 skip-unreadable-dir-test.patch
+0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch
+0002-Return-an-empty-array-when-ranges-are-too-large.patch
+0003-Fixing-ReDoS-in-header-parsing.patch
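Review bot: The whitespace tolerance that the old `/\s*,\s*/` and `/\s*;\s*/` splits provided now rests entirely on the trailing `.map(&:strip)` in the `q_values` hunk, yet the commit adds no spec pinning that behaviour (patch 0002 in this same upload does add one for its change). A regression example such as `Rack::Utils.q_values("text/html ; q=0.5 , */* ;q=0.1")` asserted against the pairs the pre-change code produced would protect the equivalence, assuming the method's tail (outside the hunk) still returns `[value, quality]` pairs. Note also that an empty element, as in `"a,,b"`, makes `"".split(';', 2)` return `[]` so `value` becomes nil — unchanged from the old code, but worth a `next if part.strip.empty?` guard or an explicit spec if callers do not expect nil there. The remainder of `q_values` lies outside the hunk.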