From 83bd148cf33b86cc6fa29d752f6c9a0f5af40a11 Mon Sep 17 00:00:00 2001
From: programmer12 <964969108@qq.com>
Date: Wed, 14 Jul 2021 17:17:15 +0800
Subject: [PATCH] fix CVE-2021-32740
---
 CVE-2021-32740.patch | 57 ++++++++++++++++++++++++++++++++++++++++
 rubygem-addressable.spec | 7 ++++-
 2 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-32740.patch
diff --git a/CVE-2021-32740.patch b/CVE-2021-32740.patch
new file mode 100644
index 0000000..74c40fc
--- /dev/null
+++ b/CVE-2021-32740.patch
@@ -0,0 +1,57 @@
+From b48ff03347a6d46e8dc674e242ce74c6381962a5 Mon Sep 17 00:00:00 2001
+From: Security Curious
+Date: Fri, 2 Jul 2021 15:30:02 -0400
+Subject: [PATCH] Prevent ReDOS vuln on URI Template matching
+
+The regular expression used to match a template against a URL is
+vulnerable to a regular expression denial-of-service via catastrophic
+backtracking.
+
+This commit includes a test that demonstrates the failure without
+the fix as well as updates the regexp to remove the vulnerability.
+The vulnerability is removed by updating the grouping to be atomic.
+---
+ lib/addressable/template.rb | 2 +-
+ spec/addressable/template_spec.rb | 9 +++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/lib/addressable/template.rb b/lib/addressable/template.rb
+index 2696695..45967ce 100644
+--- a/lib/addressable/template.rb
++++ b/lib/addressable/template.rb
+@@ -37,7 +37,7 @@ class Template
+ Addressable::URI::CharacterClasses::DIGIT + '_'
+
+ var_char =
+- "(?:(?:[#{variable_char_class}]|%[a-fA-F0-9][a-fA-F0-9])+)"
++ "(?>(?:[#{variable_char_class}]|%[a-fA-F0-9][a-fA-F0-9])+)"
+ RESERVED =
+ "(?:[#{anything}]|%[a-fA-F0-9][a-fA-F0-9])"
+ UNRESERVED =
+diff --git a/spec/addressable/template_spec.rb b/spec/addressable/template_spec.rb
+index a019165..d47589a 100644
+--- a/spec/addressable/template_spec.rb
++++ b/spec/addressable/template_spec.rb
+@@ -19,6 +19,7 @@
+ require "spec_helper"
+
+ require "bigdecimal"
++require "timeout"
+ require "addressable/template"
+
+ shared_examples_for 'expands' do |tests|
+@@ -1340,6 +1341,14 @@ def self.match(name)
+ expect(subject).not_to match("foo_bar*")
+ expect(subject).not_to match("foo_bar:20")
+ end
++
++ it 'should parse in a reasonable time' do
++ expect do
++ Timeout.timeout(0.1) do
++ expect(subject).not_to match("0"*25 + "!")
++ end
++ end.not_to raise_error
++ end
+ end
+ context "VARIABLE_LIST" do
+ subject { Addressable::Template::VARIABLE_LIST }
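Review bot: The `(?>…)` atomic group on `var_char` removes the backtracking blow-up, but the new line carries no comment saying why the group must stay atomic, so a later cleanup could revert it to `(?:…)` and silently reopen CVE-2021-32740; add above it `# Atomic group: prevents catastrophic backtracking (CVE-2021-32740). Safe because '%' is not in variable_char_class, so the two alternatives never overlap and no match is lost by forbidding backtracking into the group.` That disjointness is also what makes the change semantics-preserving, and it is worth stating so a reviewer of a future character-class change knows to re-check it. The regression spec relies on `Timeout.timeout(0.1)` wrapped in `not_to raise_error`; a 0.1 s deadline is tight on a loaded build host and Timeout can presumably only interrupt the matcher at its interrupt-check points, so a false failure is possible — a looser bound, or timing the 25-character input and asserting on the elapsed time, would be more robust. The `class Template` body and the spec's enclosing `context` block both start outside this hunk.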
diff --git a/rubygem-addressable.spec b/rubygem-addressable.spec
index b2bd810..1b8260d 100644
--- a/rubygem-addressable.spec
+++ b/rubygem-addressable.spec
@@ -1,7 +1,7 @@
 %global gem_name addressable
 Name: rubygem-%{gem_name}
 Version: 2.5.2
-Release: 1
+Release: 2
 Summary: URI Implementation
 License: ASL 2.0
 URL: https://github.com/sporkmonger/addressable
@@ -13,6 +13,7 @@ BuildArch: noarch
 Patch0: no-rack-mount.patch
 # Comment out failing tests
 Patch1: fix_addressable_tests.patch
+Patch2: CVE-2021-32740.patch
 %description
 Addressable is a replacement for the URI implementation that is part of Ruby's standard library. It more closely conforms to the relevant RFCs and
@@ -31,6 +32,7 @@ gem unpack %{SOURCE0}
 gem spec %{SOURCE0} -l --ruby > %{gem_name}.gemspec
 %patch0
 %patch1
+%patch2 -p1
 %build
 gem build %{gem_name}.gemspec
@@ -68,5 +70,8 @@ popd
 %{gem_instdir}/spec
 %changelog
+* Wed Jul 14 2021 liwu - 2.5.2-2
+- fix CVE-2021-32740
+
 * Tue Aug 18 2020 shenleizhao - 2.5.2-1
 - package init
-- 
Gitee
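Review bot: `%patch2 -p1` applies a patch that also edits spec/addressable/template_spec.rb, the same suite Patch1 (`fix_addressable_tests.patch`, "Comment out failing tests") already modifies, and the upstream fix appears to have been written against a newer addressable than 2.5.2, so its `@@ -1340,6 +1341,14 @@` spec hunk may apply with offset or fuzz — worth confirming in the build log that both hunks of CVE-2021-32740.patch applied cleanly. Whether the package runs rspec in %check is not visible here; if it does, the 0.1 s `Timeout` test in the patch becomes part of every build, and if it does not, only the template.rb hunk affects the shipped gem. A one-line comment above the new Patch2 line, `# ReDoS in URI Template matching (upstream b48ff03)`, would match the `# Comment out failing tests` style used for Patch1.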