From: Divya Chellam Date: Fri, 23 May 2025 13:23:53 +0000 (+0530) Subject: ruby: fix CVE-2025-27221 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c77ff1288719d90ef257dfe28cb33b3768fc124a;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git ruby: fix CVE-2025-27221 In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host. Reference: https://security-tracker.debian.org/tracker/CVE-2025-27221 Upstream-patches: https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495 https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5 Signed-off-by: Divya Chellam Signed-off-by: Steve Sakoman --- diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch new file mode 100644 index 0000000000..4dd2e55b1c --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch @@ -0,0 +1,57 @@ +From 3675494839112b64d5f082a9068237b277ed1495 Mon Sep 17 00:00:00 2001 +From: Hiroshi SHIBATA +Date: Fri, 21 Feb 2025 16:29:36 +0900 +Subject: [PATCH] Truncate userinfo with URI#join, URI#merge and URI#+ + +CVE: CVE-2025-27221 + +Upstream-Status: Backport [https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495] + +Signed-off-by: Divya Chellam +--- + lib/uri/generic.rb | 6 +++++- + test/uri/test_generic.rb | 11 +++++++++++ + 2 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb +index cfa0de6..23d2398 100644 +--- a/lib/uri/generic.rb ++++ b/lib/uri/generic.rb +@@ -1131,7 +1131,11 @@ module URI + end + + # RFC2396, Section 5.2, 7) +- base.set_userinfo(rel.userinfo) if rel.userinfo ++ if rel.userinfo ++ base.set_userinfo(rel.userinfo) ++ else ++ base.set_userinfo(nil) ++ end + base.set_host(rel.host) if rel.host + base.set_port(rel.port) if rel.port + base.query = rel.query if rel.query +diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb +index fdb405e..b74f8e6 100644 +--- a/test/uri/test_generic.rb ++++ b/test/uri/test_generic.rb +@@ -157,6 +157,17 @@ class URI::TestGeneric < Test::Unit::TestCase + assert_equal(nil, url.user) + assert_equal(nil, url.password) + assert_equal(nil, url.userinfo) ++ ++ # sec-2957667 ++ url = URI.parse('http://user:pass@example.com').merge('//example.net') ++ assert_equal('http://example.net', url.to_s) ++ assert_nil(url.userinfo) ++ url = URI.join('http://user:pass@example.com', '//example.net') ++ assert_equal('http://example.net', url.to_s) ++ assert_nil(url.userinfo) ++ url = URI.parse('http://user:pass@example.com') + '//example.net' ++ assert_equal('http://example.net', url.to_s) ++ assert_nil(url.userinfo) + end + + def test_parse_scheme_with_symbols +-- +2.40.0 + diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch new file mode 100644 index 0000000000..370b1aa66d --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch @@ -0,0 +1,73 @@ +From 2789182478f42ccbb62197f952eb730e4f02bfc5 Mon Sep 17 00:00:00 2001 +From: Hiroshi SHIBATA +Date: Fri, 21 Feb 2025 18:16:28 +0900 +Subject: [PATCH] Fix merger of URI with authority component + +https://hackerone.com/reports/2957667 + +Co-authored-by: Nobuyoshi Nakada + +CVE: CVE-2025-27221 + +Upstream-Status: Backport [https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5] + +Signed-off-by: Divya Chellam +--- + lib/uri/generic.rb | 19 +++++++------------ + test/uri/test_generic.rb | 7 +++++++ + 2 files changed, 14 insertions(+), 12 deletions(-) + +diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb +index 23d2398..2420882 100644 +--- a/lib/uri/generic.rb ++++ b/lib/uri/generic.rb +@@ -1123,21 +1123,16 @@ module URI + base.fragment=(nil) + + # RFC2396, Section 5.2, 4) +- if !authority +- base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path +- else +- # RFC2396, Section 5.2, 4) +- base.set_path(rel.path) if rel.path ++ if authority ++ base.set_userinfo(rel.userinfo) ++ base.set_host(rel.host) ++ base.set_port(rel.port || base.default_port) ++ base.set_path(rel.path) ++ elsif base.path && rel.path ++ base.set_path(merge_path(base.path, rel.path)) + end + + # RFC2396, Section 5.2, 7) +- if rel.userinfo +- base.set_userinfo(rel.userinfo) +- else +- base.set_userinfo(nil) +- end +- base.set_host(rel.host) if rel.host +- base.set_port(rel.port) if rel.port + base.query = rel.query if rel.query + base.fragment=(rel.fragment) if rel.fragment + +diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb +index b74f8e6..ade0294 100644 +--- a/test/uri/test_generic.rb ++++ b/test/uri/test_generic.rb +@@ -260,6 +260,13 @@ class URI::TestGeneric < Test::Unit::TestCase + assert_equal(u0, u1) + end + ++ def test_merge_authority ++ u = URI.parse('http://user:pass@example.com:8080') ++ u0 = URI.parse('http://new.example.org/path') ++ u1 = u.merge('//new.example.org/path') ++ assert_equal(u0, u1) ++ end ++ + def test_route + url = URI.parse('http://hoge/a.html').route_to('http://hoge/b.html') + assert_equal('b.html', url.to_s) +-- +2.40.0 + diff --git a/meta/recipes-devtools/ruby/ruby_3.1.3.bb b/meta/recipes-devtools/ruby/ruby_3.1.3.bb index ca061e7f70..65d62002ec 100644 --- a/meta/recipes-devtools/ruby/ruby_3.1.3.bb +++ b/meta/recipes-devtools/ruby/ruby_3.1.3.bb @@ -49,6 +49,8 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \ file://CVE-2025-27220.patch \ file://CVE-2025-27219.patch \ file://CVE-2024-43398.patch \ + file://CVE-2025-27221-0001.patch \ + file://CVE-2025-27221-0002.patch \ " UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"