From ef283c386981e3781cd3be0f0166708a95f3fa84 Mon Sep 17 00:00:00 2001
From: changtao
Date: Fri, 10 Oct 2025 03:43:44 +0800
Subject: [PATCH] fix CVE-2025-61921
(cherry picked from commit 0d26c70c73b1851d0cc8213e6505e4d507189bf3)
---
 backport-CVE-2025-61921.patch | 23 +++++++++++++++++++++++
 rubygem-sinatra.spec | 7 ++++++-
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-61921.patch
diff --git a/backport-CVE-2025-61921.patch b/backport-CVE-2025-61921.patch
new file mode 100644
index 0000000..bf6fe5b
--- /dev/null
+++ b/backport-CVE-2025-61921.patch
@@ -0,0 +1,23 @@
+From 3fe8c38dc405586f7ad8f2ac748aa53e9c3615bd Mon Sep 17 00:00:00 2001
+From: gecunps
+Date: Wed, 8 Oct 2025 22:50:03 +0800
+Subject: [PATCH] Fix regex in `etag_matches?` to prevent ReDoS (#2121)
+---
+ lib/sinatra/base.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
+index 5004f22..2a0e3c5 100644
+--- a/lib/sinatra/base.rb
++++ b/lib/sinatra/base.rb
+@@ -646,7 +646,7 @@ module Sinatra
+ # Helper method checking if a ETag value list includes the current ETag.
+ def etag_matches?(list, new_resource = request.post?)
+ return !new_resource if list == '*'
+- list.to_s.split(/\s*,\s*/).include? response['ETag']
++ list.to_s.split(',').map(&:strip).include?(response['ETag'])
+ end
+
+ def with_params(temp_params)
+--
+2.46.0
diff --git a/rubygem-sinatra.spec b/rubygem-sinatra.spec
index 7c0348f..58af233 100644
--- a/rubygem-sinatra.spec
+++ b/rubygem-sinatra.spec
@@ -3,7 +3,7 @@ Summary: Ruby-based web application framework
 Name: rubygem-%{gem_name}
 Version: 2.0.8.1
-Release: 4
+Release: 5
 License: MIT
 URL: http://www.sinatrarb.com/
 Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
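Review bot: The `+` line inside `etag_matches?` in the backported hunk is not strictly behaviour-preserving and the patch description does not say so: `split(/\s*,\s*/)` only consumed whitespace adjacent to a comma, so a single-entry list with leading or trailing whitespace kept it and never equalled `response['ETag']`, whereas `split(',').map(&:strip)` trims every element and such a header now matches. That is the lenient direction (optional whitespace around list members is what the header grammar allows) and it removes the quadratic backtracking of `\s*,\s*` on long whitespace runs, so the change is right, but the difference should be recorded, e.g. a comment above the line: `# Literal split + strip: linear-time replacement for /\s*,\s*/ (CVE-2025-61921); also tolerates whitespace at either end of the list.` The backport ships without a regression test (upstream #2121 touched only lib/sinatra/base.rb as well), so nothing in this package would catch a context mismatch against the 2.0.8.1 source beyond %patch failing to apply; whether %check exercises this path is not visible from the hunk.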
@@ -20,6 +20,7 @@ Patch3: Fix-broken-spec.patch
 # Security fix
 Patch3000: backport-CVE-2022-45442.patch
 Patch3001: backport-CVE-2022-45442-test.patch
+Patch3002: backport-CVE-2025-61921.patch
 BuildRequires: rubygems-devel ruby(release) ruby >= 2.2.0
 %if ! 0%{?bootstrap}
@@ -52,6 +53,7 @@ popd
 %patch2 -p1
 %patch3000 -p1
+%patch3002 -p1
 %build
 gem build ../%{gem_name}-%{version}.gemspec
@@ -96,6 +98,9 @@ popd
 %{gem_instdir}/examples
 %changelog
+* Sat Oct 11 2025 changtao - 1:2.0.8.1-5
+- fix CVE-2025-61921
+
 * Mon Nov 18 2024 yaoxin - 1:2.0.8.1-4
 - Fix CVE-2022-45442
--
Gitee