Version in base suite: 2.1.4-3
Base version: ruby-rack_2.1.4-3
Target version: ruby-rack_2.1.4-3+deb11u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/ruby-rack/ruby-rack_2.1.4-3.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/r/ruby-rack/ruby-rack_2.1.4-3+deb11u1.dsc
changelog | 19 ++++
patches/CVE-2022-30122.patch | 82 ++++++++++++++++++
patches/CVE-2022-30123.patch | 81 ++++++++++++++++++
patches/CVE-2022-44570.patch | 39 +++++++++
patches/CVE-2022-44571.patch | 26 ++++++
patches/CVE-2022-44572.patch | 43 +++++++++
patches/CVE-2023-27530.patch | 186 +++++++++++++++++++++++++++++++++++++++++++
patches/CVE-2023-27539.patch | 26 ++++++
patches/series | 7 +
9 files changed, 509 insertions(+)
diff -Nru ruby-rack-2.1.4/debian/changelog ruby-rack-2.1.4/debian/changelog
--- ruby-rack-2.1.4/debian/changelog 2021-02-27 12:30:57.000000000 +0000
+++ ruby-rack-2.1.4/debian/changelog 2023-06-07 21:52:23.000000000 +0000
@@ -1,3 +1,22 @@
+ruby-rack (2.1.4-3+deb11u1) bullseye-security; urgency=high
+
+ * Add patch to restrict broken mime parsing.
+ (Fixes: CVE-2022-30122)
+ * Add patch to escape untrusted text when logging.
+ (Fixes: CVE-2022-30123)
+ * Add patch to fix ReDoS in Rack::Utils.get_byte_ranges.
+ (Fixes: CVE-2022-44570) (Closes: #1029832)
+ * Add patch to fix ReDoS vulnerability in multipart parser.
+ (Fixes: CVE-2022-44571) (Closes: #1029832)
+ * Add patch to forbid control characters in attributes.
+ (Fixes: CVE-2022-44572) (Closes: #1029832)
+ * Add patch to limit all multipart parts, not just files.
+ (Fixes: CVE-2023-27530) (Closes: #1032803)
+ * Add patch to avoid ReDoS problem.
+ (Fixes: CVE-2023-27539) (Closes: #1033264)
+
+ -- Utkarsh Gupta Thu, 08 Jun 2023 03:22:23 +0530
+
 ruby-rack (2.1.4-3) unstable; urgency=medium
 * Team upload.
diff -Nru ruby-rack-2.1.4/debian/patches/CVE-2022-30122.patch ruby-rack-2.1.4/debian/patches/CVE-2022-30122.patch
--- ruby-rack-2.1.4/debian/patches/CVE-2022-30122.patch 1970-01-01 00:00:00.000000000 +0000
+++ ruby-rack-2.1.4/debian/patches/CVE-2022-30122.patch 2023-06-07 21:42:17.000000000 +0000
@@ -0,0 +1,82 @@
+From 41be3d7f3fd73ccf246ad97c3831d02f99d2ce84 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson
+Date: Thu, 26 May 2022 13:26:25 -0700
+Subject: [PATCH 1/3] Restrict broken mime parsing
+
+This commit restricts broken mime parsing to deal with a ReDOS
+vulnerability.
+
+[CVE-2022-30122]
+---
+ lib/rack/multipart.rb | 3 +--
+ lib/rack/multipart/parser.rb | 3 ++-
+ ...ame_with_escaped_quotes_and_modification_param | 2 +-
+ test/spec_multipart.rb | 15 +--------------
+ 4 files changed, 5 insertions(+), 18 deletions(-)
+
+--- a/lib/rack/multipart.rb
++++ b/lib/rack/multipart.rb
+@@ -16,8 +16,7 @@
+ TOKEN = /[^\s()<>,;:\\"\/\[\]?=]+/
+ CONDISP = /Content-Disposition:\s*#{TOKEN}\s*/i
+ VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
+- BROKEN_QUOTED = /^#{CONDISP}.*;\s*filename="(.*?)"(?:\s*$|\s*;\s*#{TOKEN}=)/i
+- BROKEN_UNQUOTED = /^#{CONDISP}.*;\s*filename=(#{TOKEN})/i
++ BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
+ MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
+ MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni
+ MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
+--- a/lib/rack/multipart/parser.rb
++++ b/lib/rack/multipart/parser.rb
+@@ -309,8 +309,9 @@
+ elsif filename = params['filename*']
+ encoding, _, filename = filename.split("'", 3)
+ end
+- when BROKEN_QUOTED, BROKEN_UNQUOTED
++ when BROKEN
+ filename = $1
++ filename = $1 if filename =~ /^"(.*)"$/
+ end
+
+ return unless filename
+--- a/test/multipart/filename_with_escaped_quotes_and_modification_param
++++ b/test/multipart/filename_with_escaped_quotes_and_modification_param
+@@ -1,6 +1,6 @@
+ --AaB03x
+ Content-Type: image/jpeg
+-Content-Disposition: attachment; name="files"; filename=""human" genome.jpeg"; modification-date="Wed, 12 Feb 1997 16:29:51 -0500";
++Content-Disposition: attachment; name="files"; filename="\"human\" genome.jpeg"; modification-date="Wed, 12 Feb 1997 16:29:51 -0500";
+ Content-Description: a complete map of the human genome
+
+ contents
+--- a/test/spec_multipart.rb
++++ b/test/spec_multipart.rb
+@@ -421,19 +421,6 @@
+ params["files"][:tempfile].read.must_equal "contents"
+ end
+
+- it "parse filename with unescaped quotes" do
+- env = Rack::MockRequest.env_for("/", multipart_fixture(:filename_with_unescaped_quotes))
+- params = Rack::Multipart.parse_multipart(env)
+- params["files"][:type].must_equal "application/octet-stream"
+- params["files"][:filename].must_equal "escape \"quotes"
+- params["files"][:head].must_equal "Content-Disposition: form-data; " +
+- "name=\"files\"; " +
+- "filename=\"escape \"quotes\"\r\n" +
+- "Content-Type: application/octet-stream\r\n"
+- params["files"][:name].must_equal "files"
+- params["files"][:tempfile].read.must_equal "contents"
+- end
+-
+ it "parse filename with escaped quotes and modification param" do
+ env = Rack::MockRequest.env_for("/", multipart_fixture(:filename_with_escaped_quotes_and_modification_param))
+ params = Rack::Multipart.parse_multipart(env)
+@@ -442,7 +429,7 @@
+ params["files"][:head].must_equal "Content-Type: image/jpeg\r\n" +
+ "Content-Disposition: attachment; " +
+ "name=\"files\"; " +
+- "filename=\"\"human\" genome.jpeg\"; " +
++ "filename=\"\\\"human\\\" genome.jpeg\"; " +
+ "modification-date=\"Wed, 12 Feb 1997 16:29:51 -0500\";\r\n" +
+ "Content-Description: a complete map of the human genome\r\n"
+ params["files"][:name].must_equal "files"
diff -Nru ruby-rack-2.1.4/debian/patches/CVE-2022-30123.patch ruby-rack-2.1.4/debian/patches/CVE-2022-30123.patch
--- ruby-rack-2.1.4/debian/patches/CVE-2022-30123.patch 1970-01-01 00:00:00.000000000 +0000
+++ ruby-rack-2.1.4/debian/patches/CVE-2022-30123.patch 2023-06-07 21:43:47.000000000 +0000
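Review bot: The quote-stripping line added in parser.rb, `filename = $1 if filename =~ /^"(.*)"$/`, anchors with `^`/`$`, which in Ruby match at line boundaries rather than at the ends of the string; since the `VALUE` alternative `"(?:\\"|[^"])*"` lets a quoted filename contain a line break, such a value would fall through with its quotes intact. Anchoring the whole captured value is the intent here: `filename = $1 if filename =~ /\A"(.*)"\z/m`. The merged `BROKEN` regex still carries the `.*;\s*filename=` prefix over the same header text, so it is worth confirming that the backtracking this commit targets is gone there too, not only in the two deleted patterns. The `when` branch belongs to a method whose start and end lie outside the hunk.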
@@ -0,0 +1,81 @@
+From bbb1e855060b6a6885bbeb0c7c1465ab61f29e1c Mon Sep 17 00:00:00 2001
+From: Aaron Patterson
+Date: Thu, 26 May 2022 16:18:10 -0700
+Subject: [PATCH 2/3] Escape untrusted text when logging
+
+This fixes a shell escape issue
+
+[CVE-2022-30123]
+---
+ lib/rack/common_logger.rb | 3 +++
+ lib/rack/lint.rb | 2 +-
+ test/spec_common_logger.rb | 12 ++++++++++++
+ test/spec_lint.rb | 5 +++++
+ 4 files changed, 21 insertions(+), 1 deletion(-)
+
+--- a/lib/rack/common_logger.rb
++++ b/lib/rack/common_logger.rb
+@@ -55,7 +55,10 @@
+ length,
+ Utils.clock_time - began_at ]
+
++ msg.gsub!(/[^[:print:]\n]/) { |c| "\\x#{c.ord}" }
++
+ logger = @logger || env[RACK_ERRORS]
++
+ # Standard library logger doesn't support write but it supports << which actually
+ # calls to write on the log device without formatting
+ if logger.respond_to?(:write)
+--- a/lib/rack/lint.rb
++++ b/lib/rack/lint.rb
+@@ -296,7 +296,7 @@
+ check_hijack env
+
+ ## * The REQUEST_METHOD must be a valid token.
+- assert("REQUEST_METHOD unknown: #{env[REQUEST_METHOD]}") {
++ assert("REQUEST_METHOD unknown: #{env[REQUEST_METHOD].dump}") {
+ env[REQUEST_METHOD] =~ /\A[0-9A-Za-z!\#$%&'*+.^_`|~-]+\z/
+ }
+
+--- a/test/spec_common_logger.rb
++++ b/test/spec_common_logger.rb
+@@ -23,6 +23,10 @@
+ [200,
+ { "Content-Type" => "text/html", "Content-Length" => "0" },
+ []]}
++ app_without_lint = lambda { |env|
++ [200,
++ { "content-type" => "text/html", "content-length" => length.to_s },
++ [obj]]}
+
+ it "log to rack.errors by default" do
+ res = Rack::MockRequest.new(Rack::CommonLogger.new(app)).get("/")
+@@ -87,6 +91,14 @@
+ (0..1).must_include duration.to_f
+ end
+
++ it "escapes non printable characters except newline" do
++ logdev = StringIO.new
++ log = Logger.new(logdev)
++ Rack::MockRequest.new(Rack::CommonLogger.new(app_without_lint, log)).request("GET\b", "/hello")
++
++ logdev.string.must_match(/GET\\x8 \/hello/)
++ end
++
+ def length
+ 123
+ end
+--- a/test/spec_lint.rb
++++ b/test/spec_lint.rb
+@@ -99,6 +99,11 @@
+ message.must_match(/REQUEST_METHOD/)
+
+ lambda {
++ Rack::Lint.new(nil).call(env("REQUEST_METHOD" => "OOPS?\b!"))
++ }.must_raise(Rack::Lint::LintError).
++ message.must_match(/OOPS\?\\/)
++
++ lambda {
+ Rack::Lint.new(nil).call(env("SCRIPT_NAME" => "howdy"))
+ }.must_raise(Rack::Lint::LintError).
+ message.must_match(/must start with/)
diff -Nru ruby-rack-2.1.4/debian/patches/CVE-2022-44570.patch ruby-rack-2.1.4/debian/patches/CVE-2022-44570.patch
--- ruby-rack-2.1.4/debian/patches/CVE-2022-44570.patch 1970-01-01 00:00:00.000000000 +0000
+++ ruby-rack-2.1.4/debian/patches/CVE-2022-44570.patch 2023-06-07 21:45:21.000000000 +0000
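Review bot: The escape added in common_logger.rb, `msg.gsub!(/[^[:print:]\n]/) { |c| "\\x#{c.ord}" }`, writes the code point in decimal behind a `\x` prefix, so ESC (27) is logged as `\x27`, which a reader or log parser will take as hex for an apostrophe; the test only pins `\b` as `\x8`, where decimal and hex happen to coincide. Emitting real hex removes the ambiguity: `msg.gsub!(/[^[:print:]\n]/) { |c| format("\\x%02x", c.ord) }`, with the expectation becoming `logdev.string.must_match(/GET\\x08 \/hello/)`. In lint.rb, `env[REQUEST_METHOD].dump` raises NoMethodError where the old interpolation printed an empty string if the key is present with a nil value; if that case can reach this assertion, `env[REQUEST_METHOD].inspect` gives the same quoting without the nil hazard.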
@@ -0,0 +1,39 @@
+From f66ef5c8255dcea82c1b2665fc9ab948b76bb437 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson
+Date: Tue, 17 Jan 2023 12:04:37 -0800
+Subject: [PATCH] Fix ReDoS in Rack::Utils.get_byte_ranges
+
+This commit fixes a ReDoS problem in `get_byte_ranges`. Thanks
+@ooooooo_q for the patch!
+
+[CVE-2022-44570]
+---
+ lib/rack/utils.rb | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -350,17 +350,18 @@
+ return nil unless http_range && http_range =~ /bytes=([^;]+)/
+ ranges = []
+ $1.split(/,\s*/).each do |range_spec|
+- return nil unless range_spec =~ /(\d*)-(\d*)/
+- r0, r1 = $1, $2
+- if r0.empty?
+- return nil if r1.empty?
++ return nil unless range_spec.include?('-')
++ range = range_spec.split('-')
++ r0, r1 = range[0], range[1]
++ if r0.nil? || r0.empty?
++ return nil if r1.nil?
+ # suffix-byte-range-spec, represents trailing suffix of file
+ r0 = size - r1.to_i
+ r0 = 0 if r0 < 0
+ r1 = size - 1
+ else
+ r0 = r0.to_i
+- if r1.empty?
++ if r1.nil?
+ r1 = size - 1
+ else
+ r1 = r1.to_i
diff -Nru ruby-rack-2.1.4/debian/patches/CVE-2022-44571.patch ruby-rack-2.1.4/debian/patches/CVE-2022-44571.patch
--- ruby-rack-2.1.4/debian/patches/CVE-2022-44571.patch 1970-01-01 00:00:00.000000000 +0000
+++ ruby-rack-2.1.4/debian/patches/CVE-2022-44571.patch 2023-06-07 21:46:33.000000000 +0000
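Review bot: The new `split('-')` parsing in `get_byte_ranges` drops the digit check the old regex implied, so a non-numeric spec such as `bytes=abc-` now passes `include?('-')`, gets `r0 = 0` from `'abc'.to_i` and `r1 = size - 1`, and is returned as a range spanning the whole resource, where the old code returned nil and the caller presumably fell back to a full response; a spec like `1-2-3` likewise loses its third field silently. Validating the shape before splitting restores that without reintroducing the unanchored pattern: `return nil unless range_spec =~ /\A\d*-\d*\z/` in place of the `include?('-')` line (anchored, single quantifiers, so it runs in linear time). The method starts and ends outside the hunk.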
@@ -0,0 +1,26 @@
+From 9b5fb5c7ef0e39b959a6c5c0005d9af44a29d6f8 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson
+Date: Tue, 17 Jan 2023 12:14:29 -0800
+Subject: [PATCH] Fix ReDoS vulnerability in multipart parser
+
+This commit fixes a ReDoS vulnerability when parsing the
+Content-Disposition field in multipart attachments
+
+Thanks to @ooooooo_q for the patch!
+
+[CVE-2022-44571]
+---
+ lib/rack/multipart.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/rack/multipart.rb
++++ b/lib/rack/multipart.rb
+@@ -18,7 +18,7 @@
+ VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
+ BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
+ MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
+- MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni
++ MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
+ MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
+ # Updated definitions from RFC 2231
+ ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
diff -Nru ruby-rack-2.1.4/debian/patches/CVE-2022-44572.patch ruby-rack-2.1.4/debian/patches/CVE-2022-44572.patch
--- ruby-rack-2.1.4/debian/patches/CVE-2022-44572.patch 1970-01-01 00:00:00.000000000 +0000
+++ ruby-rack-2.1.4/debian/patches/CVE-2022-44572.patch 2023-06-07 21:47:43.000000000 +0000
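Review bot: The replacement class `[^:]*` in `MULTIPART_CONTENT_DISPOSITION` matches a line feed, which the old `.*` did not, so the pattern may now run from the Content-Disposition line into a following header line until it meets a colon or `;\s*name=`; `[^:\r\n]*` keeps the fix's intent (no backtracking over the header text) while staying on one line. The sibling `BROKEN` regex two context lines up keeps the `.*;\s*filename=` form over the same header block; whether it shares the cost profile fixed here is not visible in the hunk and is worth checking alongside this change.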
@@ -0,0 +1,43 @@
+From 8291f502b0e1dcf514cc25c34e4bf0beec7a92ae Mon Sep 17 00:00:00 2001
+From: John Hawthorn
+Date: Wed, 3 Aug 2022 00:19:56 -0700
+Subject: [PATCH] Forbid control characters in attributes
+
+This commit restricts the characters accepted in ATTRIBUTE_CHAR,
+forbidding control characters and fixing a ReDOS vulnerability.
+
+This also now should fully follow the RFCs.
+
+RFC 2231, Section 7 specifies:
+
+ attribute-char :=
+
+RFC 2045, Appendix A specifies:
+
+ tspecials := "(" / ")" / "<" / ">" / "@" /
+ "," / ";" / ":" / "\" / <">
+ "/" / "[" / "]" / "?" / "="
+
+RFC 822, Section 3.3 specifies:
+
+ CTL = ; ( 177, 127.)
+ SPACE = ; ( 40, 32.)
+
+[CVE-2022-44572]
+---
+ lib/rack/multipart.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/rack/multipart.rb
++++ b/lib/rack/multipart.rb
+@@ -21,7 +21,7 @@
+ MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
+ MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
+ # Updated definitions from RFC 2231
+- ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
++ ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
+ ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
+ SECTION = /\*[0-9]+/
+ REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/
diff -Nru ruby-rack-2.1.4/debian/patches/CVE-2023-27530.patch ruby-rack-2.1.4/debian/patches/CVE-2023-27530.patch
--- ruby-rack-2.1.4/debian/patches/CVE-2023-27530.patch 1970-01-01 00:00:00.000000000 +0000
+++ ruby-rack-2.1.4/debian/patches/CVE-2023-27530.patch 2023-06-07 21:48:54.000000000 +0000
@@ -0,0 +1,186 @@
+From b632718265fa5ffa547b060331341a1e216b4ffa Mon Sep 17 00:00:00 2001
+From: John Hawthorn
+Date: Thu, 8 Dec 2022 15:54:28 -0800
+Subject: [PATCH] Limit all multipart parts, not just files
+
+Previously we would limit the number of multipart parts which were
+files, but not other parts. In some cases this could cause parsing of
+maliciously crafted inputs to take longer than expected.
+
+[CVE-2023-27530]
+---
+ README.rdoc | 20 +++++++++++++++++---
+ lib/rack/multipart/parser.rb | 19 +++++++++++++++----
+ lib/rack/utils.rb | 19 +++++++++++++++----
+ test/spec_multipart.rb | 12 ++++++++++++
+ test/spec_request.rb | 18 +++++++++++++++++-
+ 5 files changed, 76 insertions(+), 12 deletions(-)
+
+--- a/README.rdoc
++++ b/README.rdoc
+@@ -166,16 +166,30 @@
+
+ Default to 65536 characters (4 kiB in worst case).
+
+-=== multipart_part_limit
++=== multipart_file_limit
+
+-The maximum number of parts a request can contain.
++The maximum number of parts with a filename a request can contain.
+ Accepting too many part can lead to the server running out of file handles.
+
+ The default is 128, which means that a single request can't upload more than 128 files at once.
+
+ Set to 0 for no limit.
+
+-Can also be set via the +RACK_MULTIPART_PART_LIMIT+ environment variable.
++Can also be set via the +RACK_MULTIPART_FILE_LIMIT+ environment variable.
++
++(This is also aliased as +multipart_part_limit+ and +RACK_MULTIPART_PART_LIMIT+ for compatibility)
++
++=== multipart_total_part_limit
++
++The maximum total number of parts a request can contain of any type, including
++both file and non-file form fields.
++
++The default is 4096, which means that a single request can't contain more than
++4096 parts.
++
++Set to 0 for no limit.
++
++Can also be set via the +RACK_MULTIPART_TOTAL_PART_LIMIT+ environment variable.
+
+ == Changelog
+
+--- a/lib/rack/multipart/parser.rb
++++ b/lib/rack/multipart/parser.rb
+@@ -7,6 +7,7 @@
+ module Rack
+ module Multipart
+ class MultipartPartLimitError < Errno::EMFILE; end
++ class MultipartTotalPartLimitError < StandardError; end
+
+ class Parser
+ using ::Rack::RegexpExtensions
+@@ -148,7 +149,7 @@
+
+ @mime_parts[mime_index] = klass.new(body, head, filename, content_type, name)
+
+- check_open_files
++ check_part_limits
+ end
+
+ def on_mime_body mime_index, content
+@@ -160,13 +161,23 @@
+
+ private
+
+- def check_open_files
+- if Utils.multipart_part_limit > 0
+- if @open_files >= Utils.multipart_part_limit
++ def check_part_limits
++ file_limit = Utils.multipart_file_limit
++ part_limit = Utils.multipart_total_part_limit
++
++ if file_limit && file_limit > 0
++ if @open_files >= file_limit
+ @mime_parts.each(&:close)
+ raise MultipartPartLimitError, 'Maximum file multiparts in content reached'
+ end
+ end
++
++ if part_limit && part_limit > 0
++ if @mime_parts.size >= part_limit
++ @mime_parts.each(&:close)
++ raise MultipartTotalPartLimitError, 'Maximum total multiparts in content reached'
++ end
++ end
+ end
+ end
+
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -59,13 +59,24 @@
+ module_function :unescape
+
+ class << self
+- attr_accessor :multipart_part_limit
++ attr_accessor :multipart_total_part_limit
++
++ attr_accessor :multipart_file_limit
++
++ # multipart_part_limit is the original name of multipart_file_limit, but
++ # the limit only counts parts with filenames.
++ alias multipart_part_limit multipart_file_limit
++ alias multipart_part_limit= multipart_file_limit=
+ end
+
+- # The maximum number of parts a request can contain. Accepting too many part
+- # can lead to the server running out of file handles.
++ # The maximum number of file parts a request can contain. Accepting too
++ # many parts can lead to the server running out of file handles.
+ # Set to `0` for no limit.
+- self.multipart_part_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] || 128).to_i
++ self.multipart_file_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] || ENV['RACK_MULTIPART_FILE_LIMIT'] || 128).to_i
++
++ # The maximum total number of parts a request can contain. Accepting too
++ # many can lead to excessive memory use and parsing time.
++ self.multipart_total_part_limit = (ENV['RACK_MULTIPART_TOTAL_PART_LIMIT'] || 4096).to_i
+
+ def self.param_depth_limit
+ default_query_parser.param_depth_limit
+--- a/test/spec_multipart.rb
++++ b/test/spec_multipart.rb
+@@ -588,6 +588,18 @@
+ end
+ end
+
++ it "reach a multipart total limit" do
++ begin
++ previous_limit = Rack::Utils.multipart_total_part_limit
++ Rack::Utils.multipart_total_part_limit = 5
++
++ env = Rack::MockRequest.env_for '/', multipart_fixture(:three_files_three_fields)
++ lambda { Rack::Multipart.parse_multipart(env) }.must_raise Rack::Multipart::MultipartTotalPartLimitError
++ ensure
++ Rack::Utils.multipart_total_part_limit = previous_limit
++ end
++ end
++
+ it "return nil if no UploadedFiles were used" do
+ data = Rack::Multipart.build_multipart("people" => [{ "submit-name" => "Larry", "files" => "contents" }])
+ data.must_be_nil
+--- a/test/spec_request.rb
++++ b/test/spec_request.rb
+@@ -913,7 +913,7 @@
+ f[:tempfile].size.must_equal 76
+ end
+
+- it "MultipartPartLimitError when request has too many multipart parts if limit set" do
++ it "MultipartPartLimitError when request has too many multipart file parts if limit set" do
+ begin
+ data = 10000.times.map { "--AaB03x\r\nContent-Type: text/plain\r\nContent-Disposition: attachment; name=#{SecureRandom.hex(10)}; filename=#{SecureRandom.hex(10)}\r\n\r\ncontents\r\n" }.join("\r\n")
+ data += "--AaB03x--\r"
+@@ -929,6 +929,22 @@
+ end
+ end
+
++ it "MultipartPartLimitError when request has too many multipart total parts if limit set" do
++ begin
++ data = 10000.times.map { "--AaB03x\r\ncontent-type: text/plain\r\ncontent-disposition: attachment; name=#{SecureRandom.hex(10)}\r\n\r\ncontents\r\n" }.join("\r\n")
++ data += "--AaB03x--\r"
++
++ options = {
++ "CONTENT_TYPE" => "multipart/form-data; boundary=AaB03x",
++ "CONTENT_LENGTH" => data.length.to_s,
++ :input => StringIO.new(data)
++ }
++
++ request = make_request Rack::MockRequest.env_for("/", options)
++ lambda { request.POST }.must_raise Rack::Multipart::MultipartTotalPartLimitError
++ end
++ end
++
+ it 'closes tempfiles it created in the case of too many created' do
+ begin
+ data = 10000.times.map { "--AaB03x\r\nContent-Type: text/plain\r\nContent-Disposition: attachment; name=#{SecureRandom.hex(10)}; filename=#{SecureRandom.hex(10)}\r\n\r\ncontents\r\n" }.join("\r\n")
diff -Nru ruby-rack-2.1.4/debian/patches/CVE-2023-27539.patch ruby-rack-2.1.4/debian/patches/CVE-2023-27539.patch
--- ruby-rack-2.1.4/debian/patches/CVE-2023-27539.patch 1970-01-01 00:00:00.000000000 +0000
+++ ruby-rack-2.1.4/debian/patches/CVE-2023-27539.patch 2023-06-07 21:52:04.000000000 +0000
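Review bot: `MultipartTotalPartLimitError` is declared as a plain `StandardError` while the existing `MultipartPartLimitError` on the line above it derives from `Errno::EMFILE`, so any middleware or application that already rescues the file limit (or `Errno::EMFILE`) to turn an oversized request into a client error will not catch the new limit; a shared base class for the two, or at least a sentence in the README section added here stating that the errors are unrelated, would make that explicit. In utils.rb, `ENV['RACK_MULTIPART_PART_LIMIT'] || ENV['RACK_MULTIPART_FILE_LIMIT']` gives the legacy variable precedence, so an operator who sets the new name next to a stale old one silently gets the old value — the README alias line should state which name wins. The spec_request test added here is titled `MultipartPartLimitError when request has too many multipart total parts` but asserts `MultipartTotalPartLimitError`; renaming it `it "MultipartTotalPartLimitError when request has too many multipart total parts if limit set" do` keeps failure output honest.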
@@ -0,0 +1,26 @@
+From ee7919ea04303717858be1c3f16b406adc6d8cff Mon Sep 17 00:00:00 2001
+From: Aaron Patterson
+Date: Mon, 13 Mar 2023 10:58:13 -0700
+Subject: [PATCH] Avoid ReDoS problem
+
+Split headers on commas, then strip the strings in order to avoid ReDoS
+issues.
+
+[CVE-2023-27539]
+---
+ lib/rack/request.rb | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/lib/rack/request.rb
++++ b/lib/rack/request.rb
+@@ -472,8 +472,8 @@
+ def default_session; {}; end
+
+ def parse_http_accept_header(header)
+- header.to_s.split(/\s*,\s*/).map do |part|
+- attribute, parameters = part.split(/\s*;\s*/, 2)
++ header.to_s.split(",").each(&:strip!).map do |part|
++ attribute, parameters = part.split(";", 2).each(&:strip!)
+ quality = 1.0
+ if parameters and /\Aq=([\d.]+)/ =~ parameters
+ quality = $1.to_f
diff -Nru ruby-rack-2.1.4/debian/patches/series ruby-rack-2.1.4/debian/patches/series
--- ruby-rack-2.1.4/debian/patches/series 2021-02-27 12:30:57.000000000 +0000
+++ ruby-rack-2.1.4/debian/patches/series 2023-06-07 21:51:57.000000000 +0000
@@ -1,2 +1,9 @@
 skip-random-failure.patch
 0002-Make-tests-pass-on-hosts-that-have-no-ipv4-connectiv.patch
+CVE-2022-30122.patch
+CVE-2022-30123.patch
+CVE-2022-44570.patch
+CVE-2022-44571.patch
+CVE-2022-44572.patch
+CVE-2023-27530.patch
+CVE-2023-27539.patch
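Review bot: `split(",").each(&:strip!)` in `parse_http_accept_header` leans on `each` returning its receiver and on `strip!` mutating in place, which reads as a side-effect chain; `map(&:strip)` says the same thing directly, so the two changed lines become `header.to_s.split(",").map(&:strip).map do |part|` and `attribute, parameters = part.split(";", 2).map(&:strip)` (`map(&:strip!)` would be wrong here, since `strip!` returns nil when nothing changed). A one-line comment above the split, such as `# plain String#split rather than /\s*,\s*/: the regex form backtracks on long runs of whitespace`, records why the regex-free form is deliberate so it is not "tidied" back later. The method continues past the end of the hunk.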