
[styhead,1/3] ruby: fix CVE-2025-27219

Message ID 20250507045805.1210982-1-divya.chellam@windriver.com
State New

Commit Message

dchellam May 7, 2025, 4:58 a.m. UTC
From: Divya Chellam <divya.chellam@windriver.com>

In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in
the CGI library contains a potential Denial of Service (DoS) vulnerability.
The method does not impose any limit on the length of the raw cookie value
it processes. This oversight can lead to excessive resource consumption
when parsing extremely large cookies.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-27219

Upstream-patch:
https://github.com/ruby/cgi/commit/9907b76dad0777ee300de236dad4b559e07596ab

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
---
 .../ruby/ruby/CVE-2025-27219.patch            | 36 +++++++++++++++++++
 meta/recipes-devtools/ruby/ruby_3.3.4.bb      |  1 +
 2 files changed, 37 insertions(+)
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch
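As an added illustration (not code from the submitted patch or from the cgi gem), the parse loop of CGI::Cookie.parse on both sides of the hunk, with a stand-in DemoCookie class (assumed name) that counts how many elements Array#+ copies when the same cookie name repeats in one header:

```ruby
require 'cgi'

# Stand-in for CGI::Cookie, which the hunk handles as an Array-like object
# (concat with the array from split('&')). Hypothetical name; it counts the
# elements Array#+ copies so the two code paths can be compared.
class DemoCookie < Array
  class << self; attr_accessor :copied; end
  self.copied = 0
  attr_reader :name
  def initialize(name, *values)
    @name = name
    super(values)
  end
  def value; self; end
  def +(other)
    DemoCookie.copied += size + other.size # Array#+ builds a fresh array
    super
  end
end

# Parse loop of CGI::Cookie.parse as shown in the hunk. fixed: false follows
# the '-' lines (copy with + and rebuild the Cookie), fixed: true the '+'
# lines (append in place with concat).
def parse_cookies(raw, fixed:)
  cookies = {}
  raw.split(/;\s?/).each do |pair|
    name, values = pair.split('=', 2)
    next unless name
    values ||= ""
    values = values.split('&').collect { |v| CGI.unescape(v) }
    if cookies.has_key?(name)
      if fixed
        cookies[name].concat(values)
      else
        values = cookies[name].value + values
        cookies[name] = DemoCookie.new(name, *values)
      end
    else
      cookies[name] = DemoCookie.new(name, *values)
    end
  end
  cookies
end

# Constructed header repeating one cookie name n times; returns the parsed
# values for that name and the number of elements copied along the way.
def measure(n, fixed:)
  raw = Array.new(n) { |i| "sid=v#{i}" }.join("; ")
  DemoCookie.copied = 0
  cookies = parse_cookies(raw, fixed: fixed)
  [cookies["sid"].to_a, DemoCookie.copied]
end
```

Both paths yield the same cookie values; only the copy count differs, growing with the square of the number of repeats before the fix and staying at zero after it.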

Comments

Gyorgy Sarvari May 7, 2025, 8:59 a.m. UTC | #1
Note that at least based on yesterday's status report[1], there are no
plans for further Styhead (5.1) releases.

[1]: https://lists.openembedded.org/g/openembedded-core/message/216055

Patch

diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch
new file mode 100644
index 0000000000..ed73e3ad41
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch
@@ -0,0 +1,36 @@ 
+From 9907b76dad0777ee300de236dad4b559e07596ab Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Fri, 21 Feb 2025 16:01:17 +0900
+Subject: [PATCH] Use String#concat instead of String#+ for reducing cpu usage
+
+Co-authored-by: "Yusuke Endoh" <mame@ruby-lang.org>
+
+CVE: CVE-2025-27219
+
+Upstream-Status: Backport [https://github.com/ruby/cgi/commit/9907b76dad0777ee300de236dad4b559e07596ab]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ lib/cgi/cookie.rb | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/cgi/cookie.rb b/lib/cgi/cookie.rb
+index 9498e2f..1c4ef6a 100644
+--- a/lib/cgi/cookie.rb
++++ b/lib/cgi/cookie.rb
+@@ -190,9 +190,10 @@ class CGI
+         values ||= ""
+         values = values.split('&').collect{|v| CGI.unescape(v,@@accept_charset) }
+         if cookies.has_key?(name)
+-          values = cookies[name].value + values
++          cookies[name].concat(values)
++        else
++          cookies[name] = Cookie.new(name, *values)
+         end
+-        cookies[name] = Cookie.new(name, *values)
+       end
+ 
+       cookies
+-- 
+2.40.0
+
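Review bot: the backported patch header keeps only the upstream subject ("Use String#concat instead of String#+ for reducing cpu usage"), which neither says why this is a CVE fix nor matches the code, since `values` here is the array returned by `split('&')`, so the replaced `cookies[name].value + values` and the new `cookies[name].concat(values)` operate on an Array, not a String. Add one line under the `CVE:` tag stating that `Array#+` re-copies every value collected so far each time a cookie name repeats in the header, which is the unbounded work the in-place `concat` removes. Also confirm that the context lines (`values ||= ""`, the `split('&')` line, the trailing `cookies`) match the cgi version bundled with ruby 3.3.4 so the hunk applies without fuzz.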
diff --git a/meta/recipes-devtools/ruby/ruby_3.3.4.bb b/meta/recipes-devtools/ruby/ruby_3.3.4.bb
index d39b7ae520..a1a0aa5d31 100644
--- a/meta/recipes-devtools/ruby/ruby_3.3.4.bb
+++ b/meta/recipes-devtools/ruby/ruby_3.3.4.bb
@@ -27,6 +27,7 @@  SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
            file://0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch \
            file://0006-Make-gemspecs-reproducible.patch \
            file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \
+           file://CVE-2025-27219.patch \
            "
 UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"
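Review bot: the SRC_URI entry matches the new file name exactly, so this hunk is complete; the patch lands in the `lib/cgi/cookie.rb` bundled in the ruby tarball, so no separate cgi gem recipe needs the same change, and the `CVE:` tag inside the patch header is what lets cve-check record CVE-2025-27219 as patched for ruby 3.3.4. Given the comment above that no further styhead releases are planned, the cover letter should say whether the series is still intended for the branch.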