diff --git a/rubygem-addressable-2.7.0-CVE-2021-32740.patch b/rubygem-addressable-2.7.0-CVE-2021-32740.patch
new file mode 100644
index 0000000..74c40fc
--- /dev/null
+++ b/rubygem-addressable-2.7.0-CVE-2021-32740.patch
@@ -0,0 +1,57 @@
+From b48ff03347a6d46e8dc674e242ce74c6381962a5 Mon Sep 17 00:00:00 2001
+From: Security Curious
+Date: Fri, 2 Jul 2021 15:30:02 -0400
+Subject: [PATCH] Prevent ReDOS vuln on URI Template matching
+
+The regular expression used to match a template against a URL is
+vulnerable to a regular expression denial-of-service via catastrophic
+backtracking.
+
+This commit includes a test that demonstrates the failure without
+the fix as well as updates the regexp to remove the vulnerability.
+The vulnerability is removed by updating the grouping to be atomic.
+---
+ lib/addressable/template.rb | 2 +-
+ spec/addressable/template_spec.rb | 9 +++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/lib/addressable/template.rb b/lib/addressable/template.rb
+index 2696695..45967ce 100644
+--- a/lib/addressable/template.rb
++++ b/lib/addressable/template.rb
+@@ -37,7 +37,7 @@ class Template
+ Addressable::URI::CharacterClasses::DIGIT + '_'
+
+ var_char =
+- "(?:(?:[#{variable_char_class}]|%[a-fA-F0-9][a-fA-F0-9])+)"
++ "(?>(?:[#{variable_char_class}]|%[a-fA-F0-9][a-fA-F0-9])+)"
+ RESERVED =
+ "(?:[#{anything}]|%[a-fA-F0-9][a-fA-F0-9])"
+ UNRESERVED =
+diff --git a/spec/addressable/template_spec.rb b/spec/addressable/template_spec.rb
+index a019165..d47589a 100644
+--- a/spec/addressable/template_spec.rb
++++ b/spec/addressable/template_spec.rb
+@@ -19,6 +19,7 @@
+ require "spec_helper"
+
+ require "bigdecimal"
++require "timeout"
+ require "addressable/template"
+
+ shared_examples_for 'expands' do |tests|
+@@ -1340,6 +1341,14 @@ def self.match(name)
+ expect(subject).not_to match("foo_bar*")
+ expect(subject).not_to match("foo_bar:20")
+ end
++
++ it 'should parse in a reasonable time' do
++ expect do
++ Timeout.timeout(0.1) do
++ expect(subject).not_to match("0"*25 + "!")
++ end
++ end.not_to raise_error
++ end
+ end
+ context "VARIABLE_LIST" do
+ subject { Addressable::Template::VARIABLE_LIST }
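Review bot: The new example `it 'should parse in a reasonable time'` in the second embedded hunk is wall-clock bound through `Timeout.timeout(0.1)`, so on a loaded or slow build host it can fail even with the atomic group in place; if this package's %check runs the spec suite (no %check is visible on this page), that would surface as a spurious build failure rather than a regexp regression. Because the file is the verbatim upstream commit b48ff03, I would not edit it in place but record the caveat next to `Patch0` in the spec, e.g. `# note: the added spec relies on a 0.1s Timeout and may be flaky on slow builders`, and widen the budget (for example `Timeout.timeout(1)`) only if the suite is actually run at build time. The `(?>…)` atomic group for `var_char` removes backtracking into the repetition, which is the right shape for this catastrophic-backtracking case; that it cannot change which strings match depends on what follows `var_char` in the surrounding template regexp not starting with a variable character, which is outside this hunk and worth confirming.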
diff --git a/rubygem-addressable.spec b/rubygem-addressable.spec
index 5a9ab01..401d583 100644
--- a/rubygem-addressable.spec
+++ b/rubygem-addressable.spec
@@ -3,11 +3,14 @@
 Name: rubygem-%{gem_name}
 Version: 2.7.0
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: URI Implementation
 License: ASL 2.0
 URL: https://github.com/sporkmonger/addressable
 Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
+# https://github.com/sporkmonger/addressable/commit/b48ff03347a6d46e8dc674e242ce74c6381962a5
+# https://github.com/sporkmonger/addressable/security/advisories/GHSA-jxhc-q857-3j6g
+Patch0: rubygem-addressable-2.7.0-CVE-2021-32740.patch
 BuildRequires: ruby(release)
 BuildRequires: rubygems-devel
 BuildRequires: rubygem(bigdecimal)
@@ -31,6 +34,7 @@ Documentation for %{name}.
 %prep
 %setup -q -n %{gem_name}-%{version}
+%patch -p1
 %build
 # Create the gem as gem install only works on a gem file
@@ -81,6 +85,9 @@ popd
 %{gem_instdir}/spec
 %changelog
+* Sun Aug 8 2021 Mamoru TASAKA - 2.7.0-5
+- Upstream patch for CVE-2021-32740 (bug 1979702)
+
 * Fri Jul 23 2021 Fedora Release Engineering - 2.7.0-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
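Review bot: `%patch -p1` in the %prep hunk applies Patch0 only through rpm's implicit default when no patch number is given; naming it explicitly, `%patch -P 0 -p1`, states the intent and keeps working unchanged if a second patch is added later (newer rpm releases also, as far as I recall, warn about the numberless form). The two comment lines above `Patch0:` pointing at the upstream commit and the GHSA advisory are the right way to document a security backport and need no change. The Release bump and changelog hunks are trivial.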