Version in base suite: 3.3.15-2
Base version: rubygems_3.3.15-2
Target version: rubygems_3.3.15-2+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/rubygems/rubygems_3.3.15-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/r/rubygems/rubygems_3.3.15-2+deb12u1.dsc
changelog | 16 +++++++++++++
patches/CVE-2023-28755.patch | 26 ++++++++++++++++++++++
patches/CVE-2025-27221_1.patch | 28 +++++++++++++++++++++++
patches/CVE-2025-27221_2.patch | 48 +++++++++++++++++++++++++++++++++++++++++
patches/series | 3 ++
5 files changed, 121 insertions(+)
diff -Nru rubygems-3.3.15/debian/changelog rubygems-3.3.15/debian/changelog
--- rubygems-3.3.15/debian/changelog 2023-01-01 08:50:51.000000000 +0000
+++ rubygems-3.3.15/debian/changelog 2025-04-18 01:54:07.000000000 +0000
@@ -1,3 +1,19 @@
+rubygems (3.3.15-2+deb12u1) bookworm; urgency=medium
+
+ * Fix CVE-2025-27221.
+ The URI handling methods (URI.join, URI#merge, URI#+) have an
+ inadvertent leakage of authentication credentials because userinfo is
+ retained even after changing the host.
+ - d/p/CVE-2025-27221_*.patch
+ * Fix CVE-2023-28755.
+ A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby
+ through 3.2.1. The URI parser mishandles invalid URLs that have specific
+ characters. It causes an increase in execution time for parsing strings
+ to URI objects.
+ - d/p/CVE-2023-28755.patch
+
+ -- Lucas Kanashiro Thu, 17 Apr 2025 22:54:07 -0300
+
 rubygems (3.3.15-2) unstable; urgency=medium + * Team upload
@@ -0,0 +1,26 @@ +From: Nobuyoshi Nakada +Date: Mon, 10 Jan 2022 01:12:57 +0900 +Subject: Fix quadratic backtracking on invalid URI + +https://hackerone.com/reports/1444501 + +Origin: backport, https://github.com/ruby/uri/commit/eaf89cc31619d49e67c64d +--- + bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb b/bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb +index 2029cfd..2330a28 100644 +--- a/bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb ++++ b/bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb +@@ -3,8 +3,8 @@ module Bundler::URI + class RFC3986_Parser # :nodoc: + # Bundler::URI defined in RFC3986 + # this regexp is modified not to host is not empty string +- RFC3986_URI = /\A(?(?[A-Za-z][+\-.0-9A-Za-z]*):(?\/\/(?(?:(?(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?(?\[(?:(?(?:\h{1,4}:){6}(?\h{1,4}:\h{1,4}|(?(?[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g\.\g\.\g))|::(?:\h{1,4}:){5}\g|\h{1,4}?::(?:\h{1,4}:){4}\g|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?v\h+\.[!$&-.0-;=A-Z_a-z~]+))\])|\g|(?(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?\d*))?)(?(?:\/(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?\/(?:(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g)*)?)|(?\g(?:\/\g)*)|(?))(?:\?(?[^#]*))?(?:\#(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/ +- RFC3986_relative_ref = 
/\A(?(?\/\/(?(?:(?(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?(?\[(?(?:\h{1,4}:){6}(?\h{1,4}:\h{1,4}|(?(?[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g\.\g\.\g))|::(?:\h{1,4}:){5}\g|\h{1,4}?::(?:\h{1,4}:){4}\g|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?v\h+\.[!$&-.0-;=A-Z_a-z~]+)\])|\g|(?(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?\d*))?)(?(?:\/(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?\/(?:(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g)*)?)|(?(?(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])+)(?:\/\g)*)|(?))(?:\?(?[^#]*))?(?:\#(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/ ++ RFC3986_URI = /\A(?(?[A-Za-z][+\-.0-9A-Za-z]*+):(?\/\/(?(?:(?(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*+)@)?(?(?\[(?:(?(?:\h{1,4}:){6}(?\h{1,4}:\h{1,4}|(?(?[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g\.\g\.\g))|::(?:\h{1,4}:){5}\g|\h{1,4}?::(?:\h{1,4}:){4}\g|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?v\h++\.[!$&-.0-;=A-Z_a-z~]++))\])|\g|(?(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])*+))(?::(?\d*+))?)(?(?:\/(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*+))*+)|(?\/(?:(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])++)(?:\/\g)*+)?)|(?\g(?:\/\g)*+)|(?))(?:\?(?[^#]*+))?(?:\#(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*+))?)\z/ ++ RFC3986_relative_ref = 
/\A(?(?\/\/(?(?:(?(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*+)@)?(?(?\[(?:(?(?:\h{1,4}:){6}(?\h{1,4}:\h{1,4}|(?(?[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g\.\g\.\g))|::(?:\h{1,4}:){5}\g|\h{1,4}?::(?:\h{1,4}:){4}\g|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?v\h++\.[!$&-.0-;=A-Z_a-z~]++))\])|\g|(?(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])++))?(?::(?\d*+))?)(?(?:\/(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*+))*+)|(?\/(?:(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])++)(?:\/\g)*+)?)|(?(?(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])++)(?:\/\g)*+)|(?))(?:\?(?[^#]*+))?(?:\#(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*+))?)\z/ + attr_reader :regexp + + def initialize diff -Nru rubygems-3.3.15/debian/patches/CVE-2025-27221_1.patch rubygems-3.3.15/debian/patches/CVE-2025-27221_1.patch --- rubygems-3.3.15/debian/patches/CVE-2025-27221_1.patch 1970-01-01 00:00:00.000000000 +0000 +++ rubygems-3.3.15/debian/patches/CVE-2025-27221_1.patch 2025-04-18 01:54:07.000000000 +0000 
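Review bot: The backport touches only the bundler-vendored copy `bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb`; if this source tree ships any other copy of `rfc3986_parser.rb` (a rubygems-side vendored uri, for instance), it would need the same change, so that is worth confirming before upload. The fix itself is the switch from greedy `*`/`+` to possessive `*+`/`++` on the scheme, userinfo, host, port, path, query and fragment groups, which stops the engine from backtracking into already-matched characters when the anchored `\A…\z` match fails on an invalid URI. The new `RFC3986_URI` additionally drops the `?` that made the host alternative optional and lets `reg-name` match the empty string instead, which appears to follow the upstream commit but is the one part of the hunk that is not purely a quantifier change; parsing a handful of ordinary `scheme://host:port/path` and `scheme:path` values through `Bundler::URI` after the patch would confirm nothing else moved. The patch header could record that the whole fix is the possessive quantifiers, so a future refresh of the vendored file does not silently reintroduce the greedy forms.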
@@ -0,0 +1,28 @@
+From: Hiroshi SHIBATA
+Date: Fri, 21 Feb 2025 16:29:36 +0900
+Subject: Truncate userinfo with URI#join, URI#merge and URI#+
+
+Origin: backport, https://github.com/ruby/uri/commit/3675494839112b64d5f082
+
+NOTE: test removed, the file is not preset nor executed.
+---
+ bundler/lib/bundler/vendor/uri/lib/uri/generic.rb | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb b/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
+index f29ba6c..998e808 100644
+--- a/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
++++ b/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
+@@ -1131,7 +1131,11 @@ def merge(oth)
+ end
+
+ # RFC2396, Section 5.2, 7)
+- base.set_userinfo(rel.userinfo) if rel.userinfo
++ if rel.userinfo
++ base.set_userinfo(rel.userinfo)
++ else
++ base.set_userinfo(nil)
++ end
+ base.set_host(rel.host) if rel.host
+ base.set_port(rel.port) if rel.port
+ base.query = rel.query if rel.query
diff -Nru rubygems-3.3.15/debian/patches/CVE-2025-27221_2.patch rubygems-3.3.15/debian/patches/CVE-2025-27221_2.patch
--- rubygems-3.3.15/debian/patches/CVE-2025-27221_2.patch 1970-01-01 00:00:00.000000000 +0000
+++ rubygems-3.3.15/debian/patches/CVE-2025-27221_2.patch 2025-04-18 01:54:07.000000000 +0000
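Review bot: With only this patch applied, `merge` clears the base URI's userinfo for every relative reference, including path-only ones that carry no authority at all, because the new `else` branch runs whenever `rel.userinfo` is nil while `set_host`/`set_port` on the following lines stay conditional; the later `CVE-2025-27221_2.patch` narrows this to the `if authority` case, so the two must stay in series order and `_1` should never be cherry-picked on its own. That dependency is worth one line in this patch's header, e.g. `Note: superseded by CVE-2025-27221_2.patch; apply both`. The header sentence `the file is not preset nor executed` presumably means `not present`. `def merge(oth)` begins well above the hunk.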
@@ -0,0 +1,48 @@
+From: Hiroshi SHIBATA
+Date: Fri, 21 Feb 2025 18:16:28 +0900
+Subject: Fix merger of URI with authority component
+
+https://hackerone.com/reports/2957667
+
+Co-authored-by: Nobuyoshi Nakada
+
+Origin: backport, https://github.com/ruby/uri/commit/2789182478f42ccbb6
+
+NOTES: test removed, the file is not preset nor executed.
+---
+ bundler/lib/bundler/vendor/uri/lib/uri/generic.rb | 19 +++++++------------
+ 1 file changed, 7 insertions(+), 12 deletions(-)
+
+diff --git a/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb b/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
+index 998e808..efab83b 100644
+--- a/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
++++ b/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
+@@ -1123,21 +1123,16 @@ def merge(oth)
+ base.fragment=(nil)
+
+ # RFC2396, Section 5.2, 4)
+- if !authority
+- base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path
+- else
+- # RFC2396, Section 5.2, 4)
+- base.set_path(rel.path) if rel.path
++ if authority
++ base.set_userinfo(rel.userinfo)
++ base.set_host(rel.host)
++ base.set_port(rel.port || base.default_port)
++ base.set_path(rel.path)
++ elsif base.path && rel.path
++ base.set_path(merge_path(base.path, rel.path))
+ end
+
+ # RFC2396, Section 5.2, 7)
+- if rel.userinfo
+- base.set_userinfo(rel.userinfo)
+- else
+- base.set_userinfo(nil)
+- end
+- base.set_host(rel.host) if rel.host
+- base.set_port(rel.port) if rel.port
+ base.query = rel.query if rel.query
+ base.fragment=(rel.fragment) if rel.fragment
+
diff -Nru rubygems-3.3.15/debian/patches/series rubygems-3.3.15/debian/patches/series
--- rubygems-3.3.15/debian/patches/series 2023-01-01 08:48:13.000000000 +0000
+++ rubygems-3.3.15/debian/patches/series 2025-04-18 01:54:07.000000000 +0000
@@ -1 +1,4 @@
 0001-Don-t-consider-gems-provided-by-Debian-packages-as-d.patch
+CVE-2025-27221_1.patch
+CVE-2025-27221_2.patch
+CVE-2023-28755.patch
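Review bot: `base.set_port(rel.port || base.default_port)` in the new `if authority` branch resets a missing port on the relative reference to the base scheme's default, whereas the removed step-7 line `base.set_port(rel.port) if rel.port` left the base port untouched in that case; this matches the upstream change, but it is the one observable difference beyond dropping the inherited credentials and deserves a sentence in the patch header, e.g. `Note: with an authority in rel, port now falls back to base.default_port instead of being inherited`. Because the upstream test was removed (`NOTES:` line), a small autopkgtest asserting that merging a base URI that carries userinfo with a `//other-host/` reference yields `userinfo` nil, while a path-only reference keeps it, would give the backport a regression check. `authority` is computed above the hunk, so which of `rel.userinfo`/`rel.host`/`rel.port` it covers cannot be confirmed from here; `def merge(oth)` starts outside the hunk.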