From 2d6df4a3ea5433b00bbe621f1dd0ec2e35ebc909 Mon Sep 17 00:00:00 2001
From: changtao
Date: Fri, 10 Oct 2025 22:48:02 +0800
Subject: [PATCH] fix CVE-2025-61921
---
 backport-CVE-2025-61921.patch | 25 +++++++++++++++++++++++++
 rubygem-sinatra.spec | 7 ++++++-
 2 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-61921.patch
diff --git a/backport-CVE-2025-61921.patch b/backport-CVE-2025-61921.patch
new file mode 100644
index 0000000..20f9155
--- /dev/null
+++ b/backport-CVE-2025-61921.patch
@@ -0,0 +1,25 @@
+From 70790616590f3898de60b4a8c7d51c5c9b379ebc Mon Sep 17 00:00:00 2001
+From: changtao
+Date: Fri, 10 Oct 2025 22:45:49 +0800
+Subject: [PATCH] fix cve
+
+---
+ lib/sinatra/base.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
+index 5004f22..2a0e3c5 100644
+--- a/lib/sinatra/base.rb
++++ b/lib/sinatra/base.rb
+@@ -646,7 +646,7 @@ module Sinatra
+ # Helper method checking if a ETag value list includes the current ETag.
+ def etag_matches?(list, new_resource = request.post?)
+ return !new_resource if list == '*'
+- list.to_s.split(/\s*,\s*/).include? response['ETag']
++ list.to_s.split(',').map(&:strip).include?(response['ETag'])
+ end
+
+ def with_params(temp_params)
+--
+2.46.0
+
diff --git a/rubygem-sinatra.spec b/rubygem-sinatra.spec
index d869e00..f3751e0 100644
--- a/rubygem-sinatra.spec
+++ b/rubygem-sinatra.spec
@@ -3,7 +3,7 @@
 Summary: Ruby-based web application framework
 Name: rubygem-%{gem_name}
 Version: 2.0.8.1
-Release: 3
+Release: 4
 License: MIT
 URL: http://www.sinatrarb.com/
 Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
@@ -20,6 +20,7 @@ Patch3: Fix-broken-spec.patch
 # Security fix
 Patch3000: backport-CVE-2022-45442.patch
 Patch3001: backport-CVE-2022-45442-test.patch
+Patch3002: backport-CVE-2025-61921.patch
 BuildRequires: rubygems-devel ruby(release) ruby >= 2.2.0
 %if ! 0%{?bootstrap}
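Review bot: The embedded backport patch carries no provenance: its inner subject reads only `Subject: [PATCH] fix cve`, and nothing in the patch header ties the hunk to the upstream Sinatra commit it was taken from, so a later auditor cannot confirm that this one-line change is the complete upstream fix for CVE-2025-61921. Give the inner patch a descriptive subject such as `Subject: [PATCH] Fix CVE-2025-61921: avoid regex split in etag_matches?` and add an origin trailer (`Origin: <upstream-commit-url placeholder>`) above its `---` separator. The replacement `list.to_s.split(',').map(&:strip)` also trims leading and trailing whitespace from a single value without commas, which the old `/\s*,\s*/` split left intact; this is harmless for ETag comparison but deserves a one-line comment above the call so the widening is not mistaken for a regression. Unlike Patch3001 for the previous CVE, no regression test accompanies this backport; a spec asserting that `etag_matches?` still matches a list with spaces around the commas would pin the intended behaviour of the rewritten line.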
@@ -52,6 +53,7 @@ popd
 %patch2 -p1
 %patch3000 -p1
+%patch3002 -p1
 %build
 gem build ../%{gem_name}-%{version}.gemspec
@@ -96,6 +98,9 @@ popd
 %{gem_instdir}/examples
 %changelog
+* Sat Oct 11 2025 changtao - 1:2.0.8.1-4
+- fix CVE-2025-61921
+
 * Mon Nov 18 2024 yaoxin - 1:2.0.8.1-3
 - Fix CVE-2022-45442
-- 
Gitee