!66 fix CVE-2022-44570 CVE-2022-44571 CVE-2022-44572

From: @xiangbudaomz 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git

CVE-2022-44570.patch

@@ -0,0 +1,44 @@
+From f6d4f528f2df1318a6612845db0b59adc7fe8fc1 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <tenderlove@ruby-lang.org>
+Date: Tue, 17 Jan 2023 12:04:37 -0800
+Subject: [PATCH] Fix ReDoS in Rack::Utils.get_byte_ranges
+
+This commit fixes a ReDoS problem in `get_byte_ranges`.  Thanks
+@ooooooo_q for the patch!
+
+[CVE-2022-44570]
+---
+ lib/rack/utils.rb | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
+index 34849ded..14d9e17d 100644
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -348,17 +348,18 @@ module Rack
+       return nil unless http_range && http_range =~ /bytes=([^;]+)/
+       ranges = []
+       $1.split(/,\s*/).each do |range_spec|
+-        return nil  unless range_spec =~ /(\d*)-(\d*)/
+-        r0, r1 = $1, $2
+-        if r0.empty?
+-          return nil  if r1.empty?
++        return nil unless range_spec.include?('-')
++        range = range_spec.split('-')
++        r0, r1 = range[0], range[1]
++        if r0.nil? || r0.empty?
++          return nil if r1.nil?
+           # suffix-byte-range-spec, represents trailing suffix of file
+           r0 = size - r1.to_i
+           r0 = 0  if r0 < 0
+           r1 = size - 1
+         else
+           r0 = r0.to_i
+-          if r1.empty?
++          if r1.nil?
+             r1 = size - 1
+           else
+             r1 = r1.to_i
+-- 
+2.25.1
+

CVE-2022-44571.patch

@@ -0,0 +1,31 @@
+From ee25ab9a7ee981d7578f559701085b0cf39bde77 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <tenderlove@ruby-lang.org>
+Date: Tue, 17 Jan 2023 12:14:29 -0800
+Subject: [PATCH] Fix ReDoS vulnerability in multipart parser
+
+This commit fixes a ReDoS vulnerability when parsing the
+Content-Disposition field in multipart attachments
+
+Thanks to @ooooooo_q for the patch!
+
+[CVE-2022-44571]
+---
+ lib/rack/multipart.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb
+index 7695fe76..fdae808a 100644
+--- a/lib/rack/multipart.rb
++++ b/lib/rack/multipart.rb
+@@ -18,7 +18,7 @@ module Rack
+     VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
+     BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
+     MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
+-    MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni
++    MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
+     MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
+     # Updated definitions from RFC 2231
+     ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
+-- 
+2.25.1
+

CVE-2022-44572.patch

@@ -0,0 +1,48 @@
+From 19e49f0f185d7e42ed5b402baec6c897a8c48029 Mon Sep 17 00:00:00 2001
+From: John Hawthorn <john@hawthorn.email>
+Date: Wed, 3 Aug 2022 00:19:56 -0700
+Subject: [PATCH] Forbid control characters in attributes
+
+This commit restricts the characters accepted in ATTRIBUTE_CHAR,
+forbidding control characters and fixing a ReDOS vulnerability.
+
+This also now should fully follow the RFCs.
+
+RFC 2231, Section 7 specifies:
+
+    attribute-char := <any (US-ASCII) CHAR except SPACE, CTLs,
+                         "*", "'", "%", or tspecials>
+
+RFC 2045, Appendix A specifies:
+
+    tspecials :=  "(" / ")" / "<" / ">" / "@" /
+                  "," / ";" / ":" / "\" / <">
+                  "/" / "[" / "]" / "?" / "="
+
+RFC 822, Section 3.3 specifies:
+
+    CTL         =  <any ASCII control           ; (  0- 37,  0.- 31.)
+                    character and DEL>          ; (    177,     127.)
+    SPACE       =  <ASCII SP, space>            ; (     40,      32.)
+
+[CVE-2022-44572]
+---
+ lib/rack/multipart.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb
+index 10f8e5fa..7695fe76 100644
+--- a/lib/rack/multipart.rb
++++ b/lib/rack/multipart.rb
+@@ -21,7 +21,7 @@ module Rack
+     MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
+     MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
+     # Updated definitions from RFC 2231
+-    ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
++    ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
+     ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
+     SECTION = /\*[0-9]+/
+     REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/
+-- 
+2.25.1
+

CVE-2024-25126.patch

@@ -0,0 +1,51 @@
+From d9c163a443b8cadf4711d84bd2c58cb9ef89cf49 Mon Sep 17 00:00:00 2001
+From: Jean Boussier <jean.boussier@gmail.com>
+Date: Wed, 6 Dec 2023 18:32:19 +0100
+Subject: [PATCH] Avoid 2nd degree polynomial regexp in MediaType
+
+---
+ lib/rack/media_type.rb | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/lib/rack/media_type.rb b/lib/rack/media_type.rb
+index 41937c99..7fc1e39d 100644
+--- a/lib/rack/media_type.rb
++++ b/lib/rack/media_type.rb
+@@ -4,7 +4,7 @@ module Rack
+   # Rack::MediaType parse media type and parameters out of content_type string
+ 
+   class MediaType
+-    SPLIT_PATTERN = %r{\s*[;,]\s*}
++    SPLIT_PATTERN = /[;,]/
+ 
+     class << self
+       # The media type (type/subtype) portion of the CONTENT_TYPE header
+@@ -15,7 +15,11 @@ module Rack
+       # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7
+       def type(content_type)
+         return nil unless content_type
+-        content_type.split(SPLIT_PATTERN, 2).first.tap &:downcase!
++        if type = content_type.split(SPLIT_PATTERN, 2).first
++          type.rstrip!
++          type.downcase!
++          type
++        end
+       end
+ 
+       # The media type parameters provided in CONTENT_TYPE as a Hash, or
+@@ -27,9 +31,10 @@ module Rack
+         return {} if content_type.nil?
+ 
+         content_type.split(SPLIT_PATTERN)[1..-1].each_with_object({}) do |s, hsh|
++          s.strip!
+           k, v = s.split('=', 2)
+-
+-          hsh[k.tap(&:downcase!)] = strip_doublequotes(v)
++          k.downcase!
++          hsh[k] = strip_doublequotes(v)
+         end
+       end
+ 
+-- 
+2.25.1
+

CVE-2024-26141.patch

@@ -0,0 +1,30 @@
+From 72ecb3f4e05b2fc0a5073d23fd178686818eb958 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <tenderlove@ruby-lang.org>
+Date: Tue, 13 Feb 2024 13:34:34 -0800
+Subject: [PATCH] Return an empty array when ranges are too large
+
+If the sum of the requested ranges is larger than the file itself,
+return an empty array. In other words, refuse to respond with any bytes.
+
+[CVE-2024-26141]
+---
+ lib/rack/utils.rb | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
+index ca6182c..199312f 100644
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -379,6 +379,9 @@ module Rack
+         end
+         ranges << (r0..r1)  if r0 <= r1
+       end
++
++      return [] if ranges.map(&:size).sum > size
++
+       ranges
+     end
+ 
+-- 
+2.43.0
+

CVE-2024-26146.patch

@@ -0,0 +1,30 @@
+From e4c117749ba24a66f8ec5a08eddf68deeb425ccd Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <tenderlove@ruby-lang.org>
+Date: Wed, 21 Feb 2024 11:05:06 -0800
+Subject: [PATCH] Fixing ReDoS in header parsing
+
+Thanks svalkanov
+
+[CVE-2024-26146]
+---
+ lib/rack/utils.rb | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
+index c8e61ea1..0ed64b7a 100644
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -142,8 +142,8 @@ module Rack
+     end
+ 
+     def q_values(q_value_header)
+-      q_value_header.to_s.split(/\s*,\s*/).map do |part|
+-        value, parameters = part.split(/\s*;\s*/, 2)
++      q_value_header.to_s.split(',').map do |part|
++        value, parameters = part.split(';', 2).map(&:strip)
+         quality = 1.0
+         if parameters && (md = /\Aq=([\d.]+)/.match(parameters))
+           quality = md[1].to_f
+-- 
+2.25.1
+

CVE-2024-39316.patch

@@ -0,0 +1,53 @@
+From 412c980450ca729ee37f90a2661f166a9665e058 Mon Sep 17 00:00:00 2001
+From: Dwi Siswanto <dwi.siswanto98@gmail.com>
+Date: Tue, 2 Jul 2024 11:29:28 +0700
+Subject: [PATCH] Merge pull request from GHSA-cj83-2ww7-mvq7
+
+* fix: ReDoS in the `parse_http_accept_header` method
+
+Signed-off-by: Dwi Siswanto <git@dw1.io>
+
+* fix: optimize HTTP Accept headers parsing
+
+by:
+
+* updated `parse_http_accept_header` method to
+  avoid unnecessary array allocation from `map`.
+* used `strip!` to modify strings in place,
+  avoiding additional string allocations.
+* plus, safe navigation for `parameters` to
+  handle nil cases.
+
+this improves memory efficiency in header parsing.
+
+Co-authored-by: Jeremy Evans <jeremyevans@users.noreply.github.com>
+Signed-off-by: Dwi Siswanto <git@dw1.io>
+
+---------
+
+Signed-off-by: Dwi Siswanto <git@dw1.io>
+Co-authored-by: Jeremy Evans <jeremyevans@users.noreply.github.com>
+---
+ lib/rack/request.rb | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/lib/rack/request.rb b/lib/rack/request.rb
+index b880b6ec..ccbd07da 100644
+--- a/lib/rack/request.rb
++++ b/lib/rack/request.rb
+@@ -642,8 +642,10 @@ module Rack
+       end
+ 
+       def parse_http_accept_header(header)
+-        header.to_s.split(/\s*,\s*/).map do |part|
+-          attribute, parameters = part.split(/\s*;\s*/, 2)
++        header.to_s.split(',').map do |part|
++          attribute, parameters = part.split(';', 2)
++          attribute.strip!
++          parameters&.strip!
+           quality = 1.0
+           if parameters and /\Aq=([\d.]+)/ =~ parameters
+             quality = $1.to_f
+-- 
+2.43.0.windows.1
+

rubygem-rack.spec

@@ -1,14 +1,23 @@
 %global gem_name rack
 
 Name:    rubygem-%{gem_name}
-Version: 2.2.2
+Version: 2.2.3.1
 Epoch:   1
-Release: 1
+Release: 4
 Summary: A modular Ruby webserver interface
 License: MIT and BSD
 URL:     https://rack.github.io/
 Source0: https://rubygems.org/downloads/%{gem_name}-%{version}.gem
-BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2
+
+Patch0:	CVE-2024-39316.patch
+Patch1: CVE-2024-26141.patch
+Patch2: CVE-2024-26146.patch
+Patch3: CVE-2024-25126.patch
+Patch4: CVE-2022-44570.patch
+Patch5: CVE-2022-44571.patch
+Patch6: CVE-2022-44572.patch
+
+BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 memcached
 BuildArch: noarch
 
 %global __brp_mangle_shebangs_exclude_from ^%{gem_instdir}/test/cgi/test.ru$
@@ -32,7 +41,7 @@ BuildArch: noarch
 Documentation for %{name}.
 
 %prep
-%setup -q -n %{gem_name}-%{version}
+%autosetup -n %{gem_name}-%{version} -p1
 
 %build
 gem build ../%{gem_name}-%{version}.gemspec
@@ -90,6 +99,27 @@ popd
 %doc %{gem_instdir}/contrib
 
 %changelog
+* Fri Jul 05 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.3.1-4
+- Type:CVES
+- ID:CVE-2022-44570 CVE-2022-44571 CVE-2022-44572
+- SUG:NA
+- DESC:CVE-2022-44570 CVE-2022-44571 CVE-2022-44572
+
+* Fri Jul 05 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.3.1-3
+- Type:CVES
+- ID:CVE-2024-26141 CVE-2024-26146 CVE-2024-25126
+- SUG:NA
+- DESC:CVE-2024-26141 CVE-2024-26146 CVE-2024-25126
+
+* Fri Jul 5 2024 liningjie <liningjie@xfusion.com> - 1:2.2.3.1-2
+- Fix CVE-2024-39316
+
+* Tue Jun 28 2022 wangkai <wangkai385@h-partners.com> - 1:2.2.3.1-1
+- Upgrade to 2.2.3.1 for fix CVE-2020-8184 CVE-2022-30122 CVE-2022-30123
+
+* Mon May 17 2021 lingsheng <lingsheng@huawei.com> - 1:2.2.2-2
+- Add buildrequires memcached
+
 * Wed Mar 10 2021 zhanghua <zhanghua40@huawei.com>- 1:2.2.2-1
 - Upgrade to 2.2.2
 

rubygem-rack.yaml

@@ -0,0 +1,4 @@
+version_control: github
+src_repo: rack/rack
+tag_prefix: ^v
+seperator: .