From a1bf1aba130920b10def848776fa0abd60c2564c Mon Sep 17 00:00:00 2001
From: Super User
Date: Wed, 3 Sep 2025 18:30:35 +0800
Subject: [PATCH] Fix-CVE-2025-59830 CVE-2025-61919

---
 Fix-CVE-2025-59830.patch | 42 +++++++++++++++++++++++++
 Fix-CVE-2025-61919.patch | 66 ++++++++++++++++++++++++++++++++++++++++
 rubygem-rack.spec | 10 +++++-
 3 files changed, 117 insertions(+), 1 deletion(-)
 create mode 100644 Fix-CVE-2025-59830.patch
 create mode 100644 Fix-CVE-2025-61919.patch

diff --git a/Fix-CVE-2025-59830.patch b/Fix-CVE-2025-59830.patch
new file mode 100644
index 0000000..c742076
--- /dev/null
+++ b/Fix-CVE-2025-59830.patch
@@ -0,0 +1,42 @@
+From 54e4ffdd5affebcb0c015cc6ae74635c0831ed71 Mon Sep 17 00:00:00 2001
+From: Jeremy Evans
+Date: Thu, 25 Sep 2025 17:51:18 +0900
+Subject: [PATCH] Unbounded parameter parsing in `Rack::QueryParser`.
+
+---
+ CHANGELOG.md | 5 +++++
+ lib/rack/query_parser.rb | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG.md b/CHANGELOG.md
+index a07dae6..611b267 100644
+--- a/CHANGELOG.md
++++ b/CHANGELOG.md
+@@ -2,6 +2,11 @@
+ 
+ All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
++## [2.2.18] - 2025-09-25
++
++- [CVE-2025-59830](https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion via semicolon-separated parameters.
++
++
+ ## [2.2.4] - 2022-06-30
+ 
+ - Better support for lower case headers in `Rack::ETag` middleware. ([#1919](https://github.com/rack/rack/pull/1919), [@ioquatix](https://github.com/ioquatix))
+diff --git a/lib/rack/query_parser.rb b/lib/rack/query_parser.rb
+index a6f6d68..438af68 100644
+--- a/lib/rack/query_parser.rb
++++ b/lib/rack/query_parser.rb
+@@ -188,7 +188,7 @@ module Rack
+ raise QueryLimitError, "total query size (#{qs.bytesize}) exceeds limit (#{@bytesize_limit})"
+ end
+ 
+- if (param_count = qs.count(sep.is_a?(String) ? sep : '&')) >= @params_limit
++ if (param_count = qs.count(sep.is_a?(String) ? sep : '&;')) >= @params_limit
+ raise QueryLimitError, "total number of query parameters (#{param_count+1}) exceeds limit (#{@params_limit})"
+ end
+ 
+-- 
+2.46.0
+
diff --git a/Fix-CVE-2025-61919.patch b/Fix-CVE-2025-61919.patch
new file mode 100644
index 0000000..a4dad05
--- /dev/null
+++ b/Fix-CVE-2025-61919.patch
@@ -0,0 +1,66 @@
+From 4e2c903991a790ee211a3021808ff4fd6fe82881 Mon Sep 17 00:00:00 2001
+From: Samuel Williams
+Date: Thu, 9 Oct 2025 20:38:58 +1300
+Subject: [PATCH] Unbounded read in `Rack::Request` form parsing can lead to
+ memory exhaustion.
+
+- Limit read to `query_parser.bytesize_limit`.
+---
+ CHANGELOG.md | 1 +
+ lib/rack/query_parser.rb | 4 +++-
+ lib/rack/request.rb | 5 ++++-
+ 3 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/CHANGELOG.md b/CHANGELOG.md
+index 611b267..e954fb5 100644
+--- a/CHANGELOG.md
++++ b/CHANGELOG.md
+@@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file. For info on
+ 
+ - [CVE-2025-59830](https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion via semicolon-separated parameters.
+ 
++- [CVE-2025-61919](https://github.com/advisories/GHSA-6xw4-3v39-52mm) Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion.
+ 
+ ## [2.2.4] - 2022-06-30
+diff --git a/lib/rack/query_parser.rb b/lib/rack/query_parser.rb
+index 438af68..f7316e2 100644
+--- a/lib/rack/query_parser.rb
++++ b/lib/rack/query_parser.rb
+@@ -51,6 +51,8 @@ module Rack
+ PARAMS_LIMIT = env_int.call("RACK_QUERY_PARSER_PARAMS_LIMIT", 4096)
+ private_constant :PARAMS_LIMIT
+ 
++ attr_reader :bytesize_limit
++
+ def initialize(params_class, key_space_limit, param_depth_limit, bytesize_limit: BYTESIZE_LIMIT, params_limit: PARAMS_LIMIT)
+ @params_class = params_class
+ @key_space_limit = key_space_limit
+@@ -185,7 +187,7 @@ module Rack
+ def check_query_string(qs, sep)
+ if qs
+ if qs.bytesize > @bytesize_limit
+- raise QueryLimitError, "total query size (#{qs.bytesize}) exceeds limit (#{@bytesize_limit})"
++ raise QueryLimitError, "total query size exceeds limit (#{@bytesize_limit})"
+ end
+ 
+ if (param_count = qs.count(sep.is_a?(String) ? 
sep : '&;')) >= @params_limit
+diff --git a/lib/rack/request.rb b/lib/rack/request.rb
+index fea9845..618d498 100644
+--- a/lib/rack/request.rb
++++ b/lib/rack/request.rb
+@@ -444,7 +444,10 @@ module Rack
+ get_header(RACK_REQUEST_FORM_HASH)
+ elsif form_data? || parseable_data?
+ unless set_header(RACK_REQUEST_FORM_HASH, parse_multipart)
+- form_vars = get_header(RACK_INPUT).read
++ # Add 2 bytes. One to check whether it is over the limit, and a second
++ # in case the slice! call below removes the last byte
++ # If read returns nil, use the empty string
++ form_vars = get_header(RACK_INPUT).read(query_parser.bytesize_limit + 2) || ''
+ 
+ # Fix for Safari Ajax postings that always append \0
+ # form_vars.sub!(/\0\z/, '') # performance replacement:
+-- 
+2.46.0
+
diff --git a/rubygem-rack.spec b/rubygem-rack.spec
index 76e6592..456683e 100644
--- a/rubygem-rack.spec
+++ b/rubygem-rack.spec
@@ -4,7 +4,7 @@
 Name: rubygem-%{gem_name}
 Version: 2.2.4
 Epoch: 1
-Release: 12
+Release: 13
 Summary: A modular Ruby webserver interface
 License: MIT and BSD
 URL: https://rack.github.io/
@@ -21,6 +21,8 @@ Patch8: Fix-CVE-2025-27610.patch
 Patch9: Fix-CVE-2025-27111.patch
 Patch10: Fix-CVE-2025-25184.patch
 Patch11: Fix-CVE-2025-46727.patch
+Patch12: Fix-CVE-2025-59830.patch
+Patch13: Fix-CVE-2025-61919.patch
 BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 git
 BuildRequires: memcached rubygem(memcache-client) rubygem(minitest)
 BuildRequires: rubygem(memcache-client)
@@ -109,6 +111,12 @@ popd
 %doc %{gem_instdir}/contrib
 
 %changelog
+* Sun Sep 28 2025 changtao - 1:2.2.4-13
+- Type:CVES
+- ID:CVE-2025-59830 CVE-2025-61919
+- SUG:NA
+- DESC:CVE-2025-59830 CVE-2025-61919
+
 * Wed Aug 20 2025 zouzhimin - 1:2.2.4-12
- Type:CVES
 - ID:CVE-2025-46727
-- 
Gitee
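Review bot: The new `Patch12: Fix-CVE-2025-59830.patch` and `Patch13: Fix-CVE-2025-61919.patch` lines declare the patches, but nothing in this diff applies them; the spec's %prep section is outside the visible hunks, so if it uses explicit `%patchN -p1` lines rather than `%autosetup`/`%autopatch`, matching `%patch12 -p1` and `%patch13 -p1` entries are still needed or the CVE fixes silently do not land in the build. The two patches must also keep this order: Patch13's lib/rack/query_parser.rb hunk is written against blob 438af68, which is the output of Patch12, and its CHANGELOG.md hunk against 611b267 for the same reason. The changelog entry is dated Sun Sep 28 2025 while the commit header carries Wed, 3 Sep 2025 and the embedded CVE-2025-61919 patch is dated 9 Oct 2025; at least one of these dates looks wrong and is worth aligning so the package history matches the upstream fix it ships.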