From a0bcb149bc3b160257816b88676d339ae2cfe631 Mon Sep 17 00:00:00 2001
From: shixuantong
Date: Fri, 28 Feb 2025 15:49:57 +0800
Subject: [PATCH] fix CVE-2025-27219 CVE-2025-27220 CVE-2025-27221
---
 backport-0001-CVE-2025-27221.patch | 55 ++++++++++++++++++++++
 backport-0002-CVE-2025-27221.patch | 71 ++++++++++++++++++++++++++++
 backport-CVE-2025-27219.patch | 35 ++++++++++++++
 backport-CVE-2025-27220.patch | 75 ++++++++++++++++++++++++++++++
 ruby.spec | 9 +++-
 5 files changed, 244 insertions(+), 1 deletion(-)
 create mode 100644 backport-0001-CVE-2025-27221.patch
 create mode 100644 backport-0002-CVE-2025-27221.patch
 create mode 100644 backport-CVE-2025-27219.patch
 create mode 100644 backport-CVE-2025-27220.patch
diff --git a/backport-0001-CVE-2025-27221.patch b/backport-0001-CVE-2025-27221.patch
new file mode 100644
index 0000000..ca1cdbc
--- /dev/null
+++ b/backport-0001-CVE-2025-27221.patch
@@ -0,0 +1,55 @@
+From 4263c0d15a582b46d75aac57cd26a47d33941a53 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA
+Date: Fri, 21 Feb 2025 16:29:36 +0900
+Subject: [PATCH] Truncate userinfo with URI#join, URI#merge and URI#+
+
+Reference:https://github.com/ruby/uri/commit/4263c0d15a582b46d75aac57cd26a47d33941a53
+Conflict:NA
+---
+ lib/uri/generic.rb | 6 +++++-
+ test/uri/test_generic.rb | 11 +++++++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
+index a4192c6..6b60873 100644
+--- a/lib/uri/generic.rb
++++ b/lib/uri/generic.rb
+@@ -1131,7 +1131,11 @@ module URI
+ end
+
+ # RFC2396, Section 5.2, 7)
+- base.set_userinfo(rel.userinfo) if rel.userinfo
++ if rel.userinfo
++ base.set_userinfo(rel.userinfo)
++ else
++ base.set_userinfo(nil)
++ end
+ base.set_host(rel.host) if rel.host
+ base.set_port(rel.port) if rel.port
+ base.query = rel.query if rel.query
+diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
+index b449a0a..8a611e3 100644
+--- a/test/uri/test_generic.rb
++++ b/test/uri/test_generic.rb
+@@ -157,6 +157,17 @@ class URI::TestGeneric < Test::Unit::TestCase
+ assert_equal(nil, url.user)
+ assert_equal(nil, url.password)
+ assert_equal(nil, url.userinfo)
++
++ # sec-2957667
++ url = URI.parse('http://user:pass@example.com').merge('//example.net')
++ assert_equal('http://example.net', url.to_s)
++ assert_nil(url.userinfo)
++ url = URI.join('http://user:pass@example.com', '//example.net')
++ assert_equal('http://example.net', url.to_s)
++ assert_nil(url.userinfo)
++ url = URI.parse('http://user:pass@example.com') + '//example.net'
++ assert_equal('http://example.net', url.to_s)
++ assert_nil(url.userinfo)
+ end
+
+ def test_merge
+--
+2.33.0
+
+
diff --git a/backport-0002-CVE-2025-27221.patch b/backport-0002-CVE-2025-27221.patch
new file mode 100644
index 0000000..742d8be
--- /dev/null
+++ b/backport-0002-CVE-2025-27221.patch
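Review bot: The new `else base.set_userinfo(nil)` branch under `# RFC2396, Section 5.2, 7)` is unconditional, so it appears to clear the base URI's credentials for any relative reference, including a path-only one like `'b.html'`, not just for references that supply their own authority such as the `//example.net` cases the added test covers. backport-0002-CVE-2025-27221.patch in this same commit reworks the block so userinfo, host and port are only taken from `rel` when `authority` is present, which corrects that over-reach; the two patches are therefore only correct when applied together and in this order, which is worth recording in the `Conflict:` header or the spec. The enclosing method starts and ends outside this hunk.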
@@ -0,0 +1,71 @@
+From 58adef476ef4b5e6deefaf92e7594ab29396c624 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA
+Date: Fri, 21 Feb 2025 18:16:28 +0900
+Subject: [PATCH] Fix merger of URI with authority component
+
+Reference:https://github.com/ruby/uri/commit/58adef476ef4b5e6deefaf92e7594ab29396c624
+Conflict:NA
+
+https://hackerone.com/reports/2957667
+
+Co-authored-by: Nobuyoshi Nakada
+---
+ lib/uri/generic.rb | 19 +++++++------------
+ test/uri/test_generic.rb | 7 +++++++
+ 2 files changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
+index 6b60873..3ca5831 100644
+--- a/lib/uri/generic.rb
++++ b/lib/uri/generic.rb
+@@ -1123,21 +1123,16 @@ module URI
+ base.fragment=(nil)
+
+ # RFC2396, Section 5.2, 4)
+- if !authority
+- base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path
+- else
+- # RFC2396, Section 5.2, 4)
+- base.set_path(rel.path) if rel.path
++ if authority
++ base.set_userinfo(rel.userinfo)
++ base.set_host(rel.host)
++ base.set_port(rel.port || base.default_port)
++ base.set_path(rel.path)
++ elsif base.path && rel.path
++ base.set_path(merge_path(base.path, rel.path))
+ end
+
+ # RFC2396, Section 5.2, 7)
+- if rel.userinfo
+- base.set_userinfo(rel.userinfo)
+- else
+- base.set_userinfo(nil)
+- end
+- base.set_host(rel.host) if rel.host
+- base.set_port(rel.port) if rel.port
+ base.query = rel.query if rel.query
+ base.fragment=(rel.fragment) if rel.fragment
+
+diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
+index 8a611e3..a365f10 100644
+--- a/test/uri/test_generic.rb
++++ b/test/uri/test_generic.rb
+@@ -253,6 +253,13 @@ class URI::TestGeneric < Test::Unit::TestCase
+ assert_equal(u0, u1)
+ end
+
++ def test_merge_authority
++ u = URI.parse('http://user:pass@example.com:8080')
++ u0 = URI.parse('http://new.example.org/path')
++ u1 = u.merge('//new.example.org/path')
++ assert_equal(u0, u1)
++ end
++
+ def test_route
+ url =
URI.parse('http://hoge/a.html').route_to('http://hoge/b.html')
+ assert_equal('b.html', url.to_s)
+--
+2.33.0
+
+
diff --git a/backport-CVE-2025-27219.patch b/backport-CVE-2025-27219.patch
new file mode 100644
index 0000000..479398b
--- /dev/null
+++ b/backport-CVE-2025-27219.patch
@@ -0,0 +1,35 @@
+From 2c2d89e7cce0c81d9e63bb29c0e65b0436885af1 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA
+Date: Fri, 21 Feb 2025 16:01:17 +0900
+Subject: [PATCH 1/2] Use String#concat instead of String#+ for reducing cpu
+ usage
+
+Reference:https://github.com/ruby/cgi/commit/2c2d89e7cce0c81d9e63bb29c0e65b0436885af1
+Conflict:NA
+
+Co-authored-by: "Yusuke Endoh"
+---
+ lib/cgi/cookie.rb | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/cgi/cookie.rb b/lib/cgi/cookie.rb
+index 9498e2f..1c4ef6a 100644
+--- a/lib/cgi/cookie.rb
++++ b/lib/cgi/cookie.rb
+@@ -190,9 +190,10 @@ class CGI
+ values ||= ""
+ values = values.split('&').collect{|v| CGI.unescape(v,@@accept_charset) }
+ if cookies.has_key?(name)
+- values = cookies[name].value + values
++ cookies[name].concat(values)
++ else
++ cookies[name] = Cookie.new(name, *values)
+ end
+- cookies[name] = Cookie.new(name, *values)
+ end
+
+ cookies
+--
+2.33.0
+
+
diff --git a/backport-CVE-2025-27220.patch b/backport-CVE-2025-27220.patch
new file mode 100644
index 0000000..45b3f73
--- /dev/null
+++ b/backport-CVE-2025-27220.patch
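Review bot: `test_merge_authority` only exercises a reference that carries an authority; nothing here asserts the case the preceding backport-0001 patch regressed, namely that a reference without an authority leaves the base's userinfo alone now that the `# RFC2396, Section 5.2, 7)` block no longer touches it. Adding `assert_equal('user:pass', URI.parse('http://user:pass@example.com/a').merge('b').userinfo)` next to the new test would pin that behaviour. Note also that `base.set_port(rel.port || base.default_port)` deliberately replaces an explicit base port (`:8080` in the test) with the scheme default when the reference names a host without a port, which is what the `assert_equal(u0, u1)` check relies on. The enclosing method starts outside this hunk.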
@@ -0,0 +1,75 @@
+From da7aadf928d85ffdf594d7e77aed4a441f7c3ebb Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA
+Date: Fri, 21 Feb 2025 15:53:31 +0900
+Subject: [PATCH 2/2] Escape/unescape unclosed tags as well
+
+Reference:https://github.com/ruby/cgi/commit/da7aadf928d85ffdf594d7e77aed4a441f7c3ebb
+Conflict:NA
+
+Co-authored-by: Nobuyoshi Nakada
+---
+ lib/cgi/util.rb | 4 ++--
+ test/cgi/test_cgi_util.rb | 18 ++++++++++++++++++
+ 2 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/lib/cgi/util.rb b/lib/cgi/util.rb
+index aab8b00..5ff8ba5 100644
+--- a/lib/cgi/util.rb
++++ b/lib/cgi/util.rb
+@@ -140,7 +140,7 @@ module CGI::Util
+ def escapeElement(string, *elements)
+ elements = elements[0] if elements[0].kind_of?(Array)
+ unless elements.empty?
+- string.gsub(/<\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?>/i) do
++ string.gsub(/<\/?(?:#{elements.join("|")})\b[^<>]*+>?/im) do
+ CGI.escapeHTML($&)
+ end
+ else
+@@ -160,7 +160,7 @@ module CGI::Util
+ def unescapeElement(string, *elements)
+ elements = elements[0] if elements[0].kind_of?(Array)
+ unless elements.empty?
+- string.gsub(/<\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?>/i) do
++ string.gsub(/<\/?(?:#{elements.join("|")})\b(?>[^&]+|&(?![gl]t;)\w+;)*(?:>)?/im) do
+ unescapeHTML($&)
+ end
+ else
+diff --git a/test/cgi/test_cgi_util.rb b/test/cgi/test_cgi_util.rb
+index b7bb7b8..e93be47 100644
+--- a/test/cgi/test_cgi_util.rb
++++ b/test/cgi/test_cgi_util.rb
+@@ -181,6 +181,14 @@ class CGIUtilTest < Test::Unit::TestCase
+ assert_equal("
<A HREF="url"></A>", escapeElement('
', ["A", "IMG"])) + assert_equal("
<A HREF="url"></A>", escape_element('
', "A", "IMG")) + assert_equal("
<A HREF="url"></A>", escape_element('
', ["A", "IMG"])) ++ ++ assert_equal("<A <A HREF="url"></A>", escapeElement('', "A", "IMG")) ++ assert_equal("<A <A HREF="url"></A>", escapeElement('', ["A", "IMG"])) ++ assert_equal("<A <A HREF="url"></A>", escape_element('', "A", "IMG")) ++ assert_equal("<A <A HREF="url"></A>", escape_element('', ["A", "IMG"])) ++ ++ assert_equal("<A <A ", escapeElement('', unescapeElement(escapeHTML('
'), ["A", "IMG"])) + assert_equal('<BR>', unescape_element(escapeHTML('
'), "A", "IMG")) + assert_equal('<BR>', unescape_element(escapeHTML('
'), ["A", "IMG"])) ++ ++ assert_equal('', unescapeElement(escapeHTML(''), "A", "IMG")) ++ assert_equal('', unescapeElement(escapeHTML(''), ["A", "IMG"])) ++ assert_equal('', unescape_element(escapeHTML(''), "A", "IMG")) ++ assert_equal('', unescape_element(escapeHTML(''), ["A", "IMG"])) ++ ++ assert_equal(' - 3.0.3-142 +- fix CVE-2025-27219 CVE-2025-27220 CVE-2025-27221 + * Tue Oct 29 2024 shixuantong - 3.0.3-141 - fix CVE-2024-49761 -- Gitee