From 8c31f8e142894f103409ee10deccc22fdeea897c Mon Sep 17 00:00:00 2001 From: Divya Chellam Date: Thu, 27 Mar 2025 10:57:44 +0000 Subject: [PATCH] ruby: fix CVE-2025-27220 In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method. Reference: https://security-tracker.debian.org/tracker/CVE-2025-27220 Upstream-patch: https://github.com/ruby/cgi/commit/cd1eb08076c8b8e310d4d553d427763f2577a1b6 Signed-off-by: Divya Chellam Signed-off-by: Steve Sakoman --- .../ruby/ruby/CVE-2025-27220.patch | 78 +++++++++++++++++++ meta/recipes-devtools/ruby/ruby_3.3.5.bb | 1 + 2 files changed, 79 insertions(+) create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch new file mode 100644 index 0000000000..f2f8bc7f76 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch @@ -0,0 +1,78 @@ +From cd1eb08076c8b8e310d4d553d427763f2577a1b6 Mon Sep 17 00:00:00 2001 +From: Hiroshi SHIBATA +Date: Fri, 21 Feb 2025 15:53:31 +0900 +Subject: [PATCH] Escape/unescape unclosed tags as well + +Co-authored-by: Nobuyoshi Nakada + +CVE: CVE-2025-27220 + +Upstream-Status: Backport [https://github.com/ruby/cgi/commit/cd1eb08076c8b8e310d4d553d427763f2577a1b6] + +Signed-off-by: Divya Chellam +--- + lib/cgi/util.rb | 4 ++-- + test/cgi/test_cgi_util.rb | 18 ++++++++++++++++++ + 2 files changed, 20 insertions(+), 2 deletions(-) + +diff --git a/lib/cgi/util.rb b/lib/cgi/util.rb +index 4986e54..5f12eae 100644 +--- a/lib/cgi/util.rb ++++ b/lib/cgi/util.rb +@@ -184,7 +184,7 @@ module CGI::Util + def escapeElement(string, *elements) + elements = elements[0] if elements[0].kind_of?(Array) + unless elements.empty? +- string.gsub(/<\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?>/i) do ++ string.gsub(/<\/?(?:#{elements.join("|")})\b[^<>]*+>?/im) do + CGI.escapeHTML($&) + end + else +@@ -204,7 +204,7 @@ module CGI::Util + def unescapeElement(string, *elements) + elements = elements[0] if elements[0].kind_of?(Array) + unless elements.empty? +- string.gsub(/<\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?>/i) do ++ string.gsub(/<\/?(?:#{elements.join("|")})\b(?>[^&]+|&(?![gl]t;)\w+;)*(?:>)?/im) do + unescapeHTML($&) + end + else +diff --git a/test/cgi/test_cgi_util.rb b/test/cgi/test_cgi_util.rb +index b0612fc..bff77f7 100644 +--- a/test/cgi/test_cgi_util.rb ++++ b/test/cgi/test_cgi_util.rb +@@ -269,6 +269,14 @@ class CGIUtilTest < Test::Unit::TestCase + assert_equal("
<A HREF="url"></A>", escapeElement('
', ["A", "IMG"])) + assert_equal("
<A HREF="url"></A>", escape_element('
', "A", "IMG")) + assert_equal("
<A HREF="url"></A>", escape_element('
', ["A", "IMG"])) ++ ++ assert_equal("<A <A HREF="url"></A>", escapeElement('', "A", "IMG")) ++ assert_equal("<A <A HREF="url"></A>", escapeElement('', ["A", "IMG"])) ++ assert_equal("<A <A HREF="url"></A>", escape_element('', "A", "IMG")) ++ assert_equal("<A <A HREF="url"></A>", escape_element('', ["A", "IMG"])) ++ ++ assert_equal("<A <A ", escapeElement('', unescapeElement(escapeHTML('
'), ["A", "IMG"])) + assert_equal('<BR>', unescape_element(escapeHTML('
'), "A", "IMG")) + assert_equal('<BR>', unescape_element(escapeHTML('
'), ["A", "IMG"])) ++ ++ assert_equal('', unescapeElement(escapeHTML(''), "A", "IMG")) ++ assert_equal('', unescapeElement(escapeHTML(''), ["A", "IMG"])) ++ assert_equal('', unescape_element(escapeHTML(''), "A", "IMG")) ++ assert_equal('', unescape_element(escapeHTML(''), ["A", "IMG"])) ++ ++ assert_equal('