From 4b6f6cad8224fbe5b170256ca69e1c41b81ad07b Mon Sep 17 00:00:00 2001
From: wangziliang
Date: Thu, 9 Oct 2025 13:53:21 +0800
Subject: [PATCH] fix CVE-2025-61772

---
 Fix-CVE-2025-61772.patch | 72 ++++++++++++++++++++++++++++++++++++++++
 rubygem-rack.spec | 9 ++++-
 2 files changed, 80 insertions(+), 1 deletion(-)
 create mode 100644 Fix-CVE-2025-61772.patch

diff --git a/Fix-CVE-2025-61772.patch b/Fix-CVE-2025-61772.patch
new file mode 100644
index 0000000..1c500ca
--- /dev/null
+++ b/Fix-CVE-2025-61772.patch
@@ -0,0 +1,72 @@
+From d869fed663b113b95a74ad53e1b5cae6ab31f29e Mon Sep 17 00:00:00 2001
+From: Jeremy Evans
+Date: Mon, 15 Sep 2025 17:17:03 -0700
+Subject: [PATCH] Fix denial of service vulnerbilties in multipart parsing
+
+Two separate vulnerabilities:
+
+1. Unbounded buffering of uploaded data waiting for a boundary.
+
+2. Unbounded buffering of uploaded data waiting for complete
+ mime part header.
+
+The respective limits are 16KB for (1) and 64KB for (2), but those
+limits only apply for non-default buffer sizes. If left at the
+default configuration, 1MB (default buffer size) will be the limit
+for both.
+
+This changes one EmptyContentError exception to an Error exception,
+but EmptyContentError is probably the wrong error to raise for a
+very long boundary.
+---
+ lib/rack/multipart/parser.rb | 20 ++++++++-
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/lib/rack/multipart/parser.rb b/lib/rack/multipart/parser.rb
+index 3b53832f..0cb5d347 100644
+--- a/lib/rack/multipart/parser.rb
++++ b/lib/rack/multipart/parser.rb
+@@ -18,6 +18,12 @@ module Rack
+ 
+ BOUNDARY_REGEX = /\A([^\n]*(?:\n|\Z))/
+ 
++ BOUNDARY_START_LIMIT = 16 * 1024
++ private_constant :BOUNDARY_START_LIMIT
++
++ MIME_HEADER_BYTESIZE_LIMIT = 64 * 1024
++ private_constant :MIME_HEADER_BYTESIZE_LIMIT
++
+ class BoundedIO # :nodoc:
+ def initialize(io, content_length)
+ @io = io
+@@ -233,7 +239,13 @@ module Rack
+ @state = :MIME_HEAD
+ else
+ raise EOFError, "bad content body" if @sbuf.rest_size >= @bufsize
+- :want_read
++
++ # We raise if we don't find the multipart boundary, to avoid unbounded memory
++ # buffering. Note that the actual limit is the higher of 16KB and the buffer size (1MB by default)
++ raise EOFError, "multipart boundary not found within limit" if @sbuf.string.bytesize > BOUNDARY_START_LIMIT
++
++ # no boundary found, keep reading data
++ return :want_read
+ end
+ end
+ 
+@@ -266,7 +278,11 @@ module Rack
+ @collector.on_mime_head @mime_index, head, filename, content_type, name
+ @state = :MIME_BODY
+ else
+- :want_read
++ # We raise if the mime part header is too large, to avoid unbounded memory
++ # buffering. Note that the actual limit is the higher of 64KB and the buffer size (1MB by default)
++ raise EOFError, "multipart mime part header too large" if @sbuf.string.bytesize > MIME_HEADER_BYTESIZE_LIMIT
++
++ return :want_read
+ end
+ end
+ 
+--
+2.43.0
+
diff --git a/rubygem-rack.spec b/rubygem-rack.spec
index 76e6592..4e99587 100644
--- a/rubygem-rack.spec
+++ b/rubygem-rack.spec
@@ -4,7 +4,7 @@
 Name: rubygem-%{gem_name}
 Version: 2.2.4
 Epoch: 1
-Release: 12
+Release: 13
 Summary: A modular Ruby webserver interface
 License: MIT and BSD
 URL: https://rack.github.io/
@@ -21,6 +21,7 @@
 Patch8: Fix-CVE-2025-27610.patch
 Patch9: Fix-CVE-2025-27111.patch
 Patch10: Fix-CVE-2025-25184.patch
 Patch11: Fix-CVE-2025-46727.patch
+Patch12: Fix-CVE-2025-61772.patch
 BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 git
 BuildRequires: memcached rubygem(memcache-client) rubygem(minitest)
 BuildRequires: rubygem(memcache-client)
@@ -109,6 +110,12 @@ popd
 %doc %{gem_instdir}/contrib
 
 %changelog
+* Thu Oct 09 2025 wangziliang - 1:2.2.4-13
+- Type:CVES
+- ID:CVE-2025-61772
+- SUG:NA
+- DESC:CVE-2025-61772
+
 * Wed Aug 20 2025 zouzhimin - 1:2.2.4-12
 - Type:CVES
 - ID:CVE-2025-46727
-- Gitee
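Review bot: The MIME_HEAD guard `raise EOFError, "multipart mime part header too large" if @sbuf.string.bytesize > MIME_HEADER_BYTESIZE_LIMIT` measures the whole scanner buffer, not the unconsumed remainder that the adjacent `@sbuf.rest_size >= @bufsize` check uses, so if the buffer is only trimmed on the body path (not visible in this hunk) a legitimate multipart request whose read chunk ends inside a part header after more than 64KB of already-parsed small parts would be rejected with EOFError; that is an availability regression worth a test before shipping, and if it reproduces, `raise EOFError, "multipart mime part header too large" if @sbuf.rest_size > MIME_HEADER_BYTESIZE_LIMIT` bounds only the pending header. The inner hunk headers (`@@ -233,7 +239,13 @@`, `index 3b53832f..0cb5d347`) come from the rack 3.x parser while the spec targets 2.2.4, so the build log should show both hunks applied with offset only, not fuzz, since a fuzzed placement outside the `else` branch would either reject valid uploads or leave the bound unenforced. The inner diffstat shows `1 file changed`, so no regression test is carried; a spec feeding more than the buffer size (1MB by default) before the first boundary, and one with an oversized part header, both expecting `EOFError`, would let `%check` prove the bound. If upstream published a 2.2.x release with this fix and any follow-up to it, that patch is the safer source for the backport. Both methods whose `else` branches are changed begin outside the hunk.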