[scarthgap] ruby: Fix CVE-2025-27219

Message ID	20250310182607.1114400-1-asharma@mvista.com
State	Under Review
Delegated to:	Steve Sakoman
Headers	show Return-Path: <asharma@mvista.com> ip: 209.85.214.176, mailfrom: asharma@mvista.com) From: Ashish Sharma <asharma@mvista.com> To: openembedded-core@lists.openembedded.org Cc: Ashish Sharma <asharma@mvista.com> Subject: [OE-core][scarthgap][PATCH] ruby: Fix CVE-2025-27219 Date: Mon, 10 Mar 2025 23:56:07 +0530 Message-ID: <20250310182607.1114400-1-asharma@mvista.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[scarthgap] ruby: Fix CVE-2025-27219 \| expand [scarthgap] ruby: Fix CVE-2025-27219

Message ID

20250310182607.1114400-1-asharma@mvista.com

State

Under Review

Delegated to:

Steve Sakoman

Headers

From: Ashish Sharma <asharma@mvista.com>
To: openembedded-core@lists.openembedded.org
Cc: Ashish Sharma <asharma@mvista.com>
Subject: [OE-core][scarthgap][PATCH] ruby: Fix CVE-2025-27219
Date: Mon, 10 Mar 2025 23:56:07 +0530
Message-ID: <20250310182607.1114400-1-asharma@mvista.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[scarthgap] ruby: Fix CVE-2025-27219 | expand

Commit Message

Ashish Sharma March 10, 2025, 6:26 p.m. UTC

Upstream-Status: Backport from [https://github.com/ruby/cgi/commit/9907b76dad0777ee300de236dad4b559e07596ab]

Signed-off-by: Ashish Sharma <asharma@mvista.com>
---
 .../ruby/ruby/CVE-2025-27219.patch            | 31 +++++++++++++++++++
 meta/recipes-devtools/ruby/ruby_3.3.5.bb      |  1 +
 2 files changed, 32 insertions(+)
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch

diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch
new file mode 100644
index 0000000000..7813a6143c
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch
@@ -0,0 +1,31 @@ 
+From 9907b76dad0777ee300de236dad4b559e07596ab Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Fri, 21 Feb 2025 16:01:17 +0900
+Subject: [PATCH] Use String#concat instead of String#+ for reducing cpu usage
+
+Co-authored-by: "Yusuke Endoh" <mame@ruby-lang.org>
+
+Upstream-Status: Backport [https://github.com/ruby/cgi/commit/9907b76dad0777ee300de236dad4b559e07596ab]
+CVE: CVE-2025-27219
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ lib/cgi/cookie.rb | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/cgi/cookie.rb b/lib/cgi/cookie.rb
+index 9498e2f..1c4ef6a 100644
+--- a/lib/cgi/cookie.rb
++++ b/lib/cgi/cookie.rb
+@@ -190,9 +190,10 @@ def self.parse(raw_cookie)
+         values ||= ""
+         values = values.split('&').collect{|v| CGI.unescape(v,@@accept_charset) }
+         if cookies.has_key?(name)
+-          values = cookies[name].value + values
++          cookies[name].concat(values)
++        else
++          cookies[name] = Cookie.new(name, *values)
+         end
+-        cookies[name] = Cookie.new(name, *values)
+       end
+ 
+       cookies
diff --git a/meta/recipes-devtools/ruby/ruby_3.3.5.bb b/meta/recipes-devtools/ruby/ruby_3.3.5.bb
index fb0d711765..4354107a85 100644
--- a/meta/recipes-devtools/ruby/ruby_3.3.5.bb
+++ b/meta/recipes-devtools/ruby/ruby_3.3.5.bb
@@ -26,6 +26,7 @@  SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
            file://0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch \
            file://0006-Make-gemspecs-reproducible.patch \
            file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \
+           file://CVE-2025-27219.patch \
            "
 UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"

[scarthgap] ruby: Fix CVE-2025-27219

Commit Message

Patch