diff --git a/backport-fix-CVE-2025-6442.patch b/backport-fix-CVE-2025-6442.patch
new file mode 100644
index 0000000000000000000000000000000000000000..dbe02d3e63412fd4308fe5be4babd7433dd9f9e0
--- /dev/null
+++ b/backport-fix-CVE-2025-6442.patch
@@ -0,0 +1,70 @@
+From ee60354bcb84ec33b9245e1d1aa6e1f7e8132101 Mon Sep 17 00:00:00 2001
+From: Jeremy Evans
+Date: Tue, 25 Jun 2024 14:39:04 -0700
+Subject: [PATCH] Require CRLF line endings in request line and headers
+
+Disallow bare CR, LF, NUL in header and request lines. Tighten
+parsing of request lines to only allow single spaces, as specified
+in the RFCs.
+
+Forcing this RFC-compliant behavior breaks a lot of tests, so
+fix the tests to correctly use CRLF instead of LF for requests
+(other than the specific checks for handling of bad requests).
+
+Fixes #137
+---
+ lib/webrick/httprequest.rb | 4 ++--
+ lib/webrick/httputils.rb | 8 +++++---
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/lib/webrick/httprequest.rb b/lib/webrick/httprequest.rb
+index 15f95a0..a38f77b 100644
+--- a/lib/webrick/httprequest.rb
++++ b/lib/webrick/httprequest.rb
+@@ -458,7 +458,7 @@ module WEBrick
+ end
+ 
+ @request_time = Time.now
+- if /^(\S+)\s+(\S++)(?:\s+HTTP\/(\d+\.\d+))?\r?\n/mo =~ @request_line
++ if /^(\S+) (\S++)(?: HTTP\/(\d+\.\d+))?\r\n/mo =~ @request_line
+ @request_method = $1
+ @unparsed_uri = $2
+ @http_version = HTTPVersion.new($3 ? $3 : "0.9")
+@@ -471,7 +471,7 @@ module WEBrick
+ def read_header(socket)
+ if socket
+ while line = read_line(socket)
+- break if /\A(#{CRLF}|#{LF})\z/om =~ line
++ break if /\A#{CRLF}\z/om =~ line
+ if (@request_bytes += line.bytesize) > MAX_HEADER_LENGTH
+ raise HTTPStatus::RequestEntityTooLarge, 'headers too large'
+ end
+diff --git a/lib/webrick/httputils.rb b/lib/webrick/httputils.rb
+index f1b9ddf..8898481 100644
+--- a/lib/webrick/httputils.rb
++++ b/lib/webrick/httputils.rb
+@@ -147,16 +147,18 @@ module WEBrick
+ field = nil
+ raw.each_line{|line|
+ case line
+- when /^([A-Za-z0-9!\#$%&'*+\-.^_`|~]+):\s*(.*?)\s*\z/om
++ when /^([A-Za-z0-9!\#$%&'*+\-.^_`|~]+):([^\r\n\0]*?)\r\n\z/om
+ field, value = $1, $2
+ field.downcase!
+ header[field] = [] unless header.has_key?(field)
+ header[field] << value
+- when /^\s+(.*?)\s*\z/om
+- value = $1
++ when /^\s+([^\r\n\0]*?)\r\n/om
+ unless field
+ raise HTTPStatus::BadRequest, "bad header '#{line}'."
+ end
++ value = lineMore actions
++ value.lstrip!
++ value.slice!(-2..-1)
+ header[field][-1] << " " << value
+ else
+ raise HTTPStatus::BadRequest, "bad header '#{line}'."
+--
+2.43.0
+
diff --git a/rubygem-webrick.spec b/rubygem-webrick.spec
index 53ce562f7981ba692987b09192e72340cfe275d4..90f188d8bc113766415b4fa8df5b3cf6edaea5a6 100644
--- a/rubygem-webrick.spec
+++ b/rubygem-webrick.spec
@@ -2,13 +2,14 @@
 %global gem_name webrick
 Name: rubygem-webrick
 Version: 1.7.0
-Release: 2
+Release: 3
 Summary: HTTP server toolkit
 License: Ruby and BSD-2-Clause
 URL: https://github.com/ruby/webrick
 Source0: https://rubygems.org/gems/webrick-1.7.0.gem
 # https://github.com/ruby/webrick/commit/f5faca9222541591e1a7c3c97552ebb0c92733c7
 Patch3000: backport-fix-CVE-2024-47220.patch
+Patch3001: backport-fix-CVE-2025-6442.patch
 BuildArch: noarch
 BuildRequires: ruby rsync
@@ -70,6 +71,9 @@ mv %{buildroot}/filelist.lst .
 %{gem_docdir}/*
 %changelog
+* Tue Jul 01 2025 zouzhimin 1.7.0-3
+- Fix CVE-2025-6442
+
 * Sun Sep 29 2024 yaoxin - 1.7.0-2
 - Fix CVE-2024-47220
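Review bot: The added continuation-line assignment in parse_header reads `value = lineMore actions`, which looks like forge button text fused onto the intended `value = line`; if the shipped patch file really carries that token, Ruby would parse it as a method call and every folded header line would raise instead of being joined, so confirm the file content is `value = line`. The embedded commit message says the upstream change also rewrote the tests to send CRLF, but the diffstat lists only lib/webrick/httprequest.rb and lib/webrick/httputils.rb, so if this spec's %check runs the gem's test suite, tests that send bare-LF requests will now be rejected with BadRequest. Both new regexes keep the `^` anchor rather than `\A`; that is harmless as long as each input holds a single LF-terminated line, which `each_line` guarantees for parse_header and read_line presumably does for the request line, but `\A` would state the whole-string intent directly. The enclosing parse_header and read_request_line bodies extend beyond the quoted hunks.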
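Review bot: `Patch3001: backport-fix-CVE-2025-6442.patch` is added without the upstream-commit comment that Patch3000 carries on the line above it; the patch preamble names its source commit, so adding `# https://github.com/ruby/webrick/commit/ee60354bcb84ec33b9245e1d1aa6e1f7e8132101` above the new Patch line keeps the two entries consistent, assuming that hash is the upstream commit rather than a fork's. Whether the new patch is actually applied depends on %prep, which is outside this hunk; if patches are applied individually rather than via %autosetup, a matching %patch3001 line is also needed.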