new file mode 100644
@@ -0,0 +1,31 @@
+From 9907b76dad0777ee300de236dad4b559e07596ab Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Fri, 21 Feb 2025 16:01:17 +0900
+Subject: [PATCH] Use String#concat instead of String#+ for reducing cpu usage
+
+Co-authored-by: "Yusuke Endoh" <mame@ruby-lang.org>
+
+Upstream-Status: Backport [https://github.com/ruby/cgi/commit/9907b76dad0777ee300de236dad4b559e07596ab]
+CVE: CVE-2025-27219
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ lib/cgi/cookie.rb | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/cgi/cookie.rb b/lib/cgi/cookie.rb
+index 9498e2f..1c4ef6a 100644
+--- a/lib/cgi/cookie.rb
++++ b/lib/cgi/cookie.rb
+@@ -190,9 +190,10 @@ def self.parse(raw_cookie)
+ values ||= ""
+ values = values.split('&').collect{|v| CGI.unescape(v,@@accept_charset) }
+ if cookies.has_key?(name)
+- values = cookies[name].value + values
++ cookies[name].concat(values)
++ else
++ cookies[name] = Cookie.new(name, *values)
+ end
+- cookies[name] = Cookie.new(name, *values)
+ end
+
+ cookies
@@ -47,6 +47,7 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
file://CVE-2024-49761-0009.patch \
file://CVE-2024-41946.patch \
file://CVE-2025-27220.patch \
+ file://CVE-2025-27219.patch \
"
UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"
Upstream-Status: Backport [https://github.com/ruby/cgi/commit/9907b76dad0777ee300de236dad4b559e07596ab] Signed-off-by: Ashish Sharma <asharma@mvista.com> --- .../ruby/ruby/CVE-2025-27219.patch | 31 +++++++++++++++++++ meta/recipes-devtools/ruby/ruby_3.1.3.bb | 1 + 2 files changed, 32 insertions(+) create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch