Package: release.debian.org
Control: affects -1 + src:rubygems
X-Debbugs-Cc: rubyg...@packages.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal

[ Reason ]
This includes fixes for CVE-2025-27221 and CVE-2023-28755.

[ Impact ]
Users' systems will be vulnerable due to URI code vendored in rubygems.

[ Tests ]
The upstream tests were not included in those patches because the tests
in vendor code are not executed. However, this was well tested upstream
and I also did some manual testing to make sure the URI code is now
fixed.

[ Risks ]
The code changed is not too complex, I do not foresee a big risk of a
regression TBH.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Backported upstream fixes for the 2 CVEs mentioned and nothing else.

[ Other info ]
The security team asked me to push those changes via proposed-updates.

diff -Nru rubygems-3.3.15/debian/changelog rubygems-3.3.15/debian/changelog
--- rubygems-3.3.15/debian/changelog	2023-01-01 05:50:51.000000000 -0300
+++ rubygems-3.3.15/debian/changelog	2025-04-17 22:54:07.000000000 -0300
@@ -1,3 +1,19 @@
+rubygems (3.3.15-2+deb12u1) UNRELEASED; urgency=medium
+
+  * Fix CVE-2025-27221.
+    The URI handling methods (URI.join, URI#merge, URI#+) have an
+    inadvertent leakage of authentication credentials because userinfo is
+    retained even after changing the host.
+     - d/p/CVE-2025-27221_*.patch
+  * Fix CVE-2023-28755.
+    A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby
+    through 3.2.1. The URI parser mishandles invalid URLs that have specific
+    characters. It causes an increase in execution time for parsing strings
+    to URI objects.
+     - d/p/CVE-2023-28755.patch
+
+ -- Lucas Kanashiro <kanash...@debian.org>  Thu, 17 Apr 2025 22:54:07 -0300
+
 rubygems (3.3.15-2) unstable; urgency=medium
 
   * Team upload
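Review bot: the distribution field of the new entry reads `UNRELEASED`; a bookworm proposed-update is built with the target suite in the changelog, so the first line should become `rubygems (3.3.15-2+deb12u1) bookworm; urgency=medium` before the upload. A smaller point: the CVE-2025-27221 bullet lists `d/p/CVE-2025-27221_*.patch` without saying that the second file supersedes part of the first (the `_2` patch removes the unconditional userinfo clearing that `_1` introduces); one clause noting that both are required would save a future rebase from carrying `_1` alone.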
diff -Nru rubygems-3.3.15/debian/patches/CVE-2023-28755.patch rubygems-3.3.15/debian/patches/CVE-2023-28755.patch
--- rubygems-3.3.15/debian/patches/CVE-2023-28755.patch	1969-12-31 21:00:00.000000000 -0300
+++ rubygems-3.3.15/debian/patches/CVE-2023-28755.patch	2025-04-17 22:51:20.000000000 -0300
@@ -0,0 +1,26 @@
+From: Nobuyoshi Nakada <n...@ruby-lang.org>
+Date: Mon, 10 Jan 2022 01:12:57 +0900
+Subject: Fix quadratic backtracking on invalid URI
+
+https://hackerone.com/reports/1444501
+
+Origin: backport, https://github.com/ruby/uri/commit/eaf89cc31619d49e67c64d
+---
+ bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb b/bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb
+index 2029cfd..2330a28 100644
+--- a/bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb
++++ b/bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb
+@@ -3,8 +3,8 @@ module Bundler::URI
+   class RFC3986_Parser # :nodoc:
+     # Bundler::URI defined in RFC3986
+     # this regexp is modified not to host is not empty string
+-    RFC3986_URI = /\A(?<Bundler::URI>(?<scheme>[A-Za-z][+\-.0-9A-Za-z]*):(?<hier-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h+\.[!$&-.0-;=A-Z_a-z~]+))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?<port>\d*))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g<segment>)*)?)|(?<path-rootless>\g<segment-nz>(?:\/\g<segment>)*)|(?<path-empty>))(?:\?(?<query>[^#]*))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/
+-    RFC3986_relative_ref = /\A(?<relative-ref>(?<relative-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?<host>(?<IP-literal>\[(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h+\.[!$&-.0-;=A-Z_a-z~]+)\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?<port>\d*))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g<segment>)*)?)|(?<path-noscheme>(?<segment-nz-nc>(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])+)(?:\/\g<segment>)*)|(?<path-empty>))(?:\?(?<query>[^#]*))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/
++    RFC3986_URI = /\A(?<URI>(?<scheme>[A-Za-z][+\-.0-9A-Za-z]*+):(?<hier-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*+)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h++\.[!$&-.0-;=A-Z_a-z~]++))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])*+))(?::(?<port>\d*+))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*+))*+)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])++)(?:\/\g<segment>)*+)?)|(?<path-rootless>\g<segment-nz>(?:\/\g<segment>)*+)|(?<path-empty>))(?:\?(?<query>[^#]*+))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*+))?)\z/
++    RFC3986_relative_ref = /\A(?<relative-ref>(?<relative-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*+)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h++\.[!$&-.0-;=A-Z_a-z~]++))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])++))?(?::(?<port>\d*+))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*+))*+)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])++)(?:\/\g<segment>)*+)?)|(?<path-noscheme>(?<segment-nz-nc>(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])++)(?:\/\g<segment>)*+)|(?<path-empty>))(?:\?(?<query>[^#]*+))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*+))?)\z/
+     attr_reader :regexp
+ 
+     def initialize
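Review bot: the two rewritten regexps no longer treat an empty host the same way. In `RFC3986_URI` the `(?<host>...)` group loses its trailing `?` and `reg-name` changes from `+` to `*+`, so `scheme:///path` now yields `host` as an empty string rather than leaving the group unmatched; in `RFC3986_relative_ref` the group stays optional and `reg-name` becomes `++`. This matches the upstream commit, but it sits under a comment that says the host must not be an empty string, so please confirm that `Generic` behaves the same whether `host` arrives as `nil` or `""`. Also note that the backport renames the outer capture from `(?<Bundler::URI>` to `(?<URI>`, departing from the vendoring convention used elsewhere in the file; harmless if nothing looks the capture up by name, which is worth a grep.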
diff -Nru rubygems-3.3.15/debian/patches/CVE-2025-27221_1.patch rubygems-3.3.15/debian/patches/CVE-2025-27221_1.patch
--- rubygems-3.3.15/debian/patches/CVE-2025-27221_1.patch	1969-12-31 21:00:00.000000000 -0300
+++ rubygems-3.3.15/debian/patches/CVE-2025-27221_1.patch	2025-04-17 22:51:20.000000000 -0300
@@ -0,0 +1,28 @@
+From: Hiroshi SHIBATA <h...@ruby-lang.org>
+Date: Fri, 21 Feb 2025 16:29:36 +0900
+Subject: Truncate userinfo with URI#join, URI#merge and URI#+
+
+Origin: backport, https://github.com/ruby/uri/commit/3675494839112b64d5f082
+
+NOTE: test removed, the file is not preset nor executed.
+---
+ bundler/lib/bundler/vendor/uri/lib/uri/generic.rb | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb b/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
+index f29ba6c..998e808 100644
+--- a/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
++++ b/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
+@@ -1131,7 +1131,11 @@ def merge(oth)
+       end
+ 
+       # RFC2396, Section 5.2, 7)
+-      base.set_userinfo(rel.userinfo) if rel.userinfo
++      if rel.userinfo
++        base.set_userinfo(rel.userinfo)
++      else
++        base.set_userinfo(nil)
++      end
+       base.set_host(rel.host)         if rel.host
+       base.set_port(rel.port)         if rel.port
+       base.query = rel.query       if rel.query
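Review bot: the new `else` branch calls `base.set_userinfo(nil)` for every reference without userinfo, which includes a plain relative path on the same host, so taken alone this hunk drops the base's credentials in cases RFC 2396 section 5.2 says should inherit them. It is only correct because `CVE-2025-27221_2.patch` later deletes this branch and moves userinfo handling under the authority check. The NOTE line should state that dependency (and `preset` should read `present`), so that `_1` is never rebased or cherry-picked without `_2`.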
diff -Nru rubygems-3.3.15/debian/patches/CVE-2025-27221_2.patch rubygems-3.3.15/debian/patches/CVE-2025-27221_2.patch
--- rubygems-3.3.15/debian/patches/CVE-2025-27221_2.patch	1969-12-31 21:00:00.000000000 -0300
+++ rubygems-3.3.15/debian/patches/CVE-2025-27221_2.patch	2025-04-17 22:51:20.000000000 -0300
@@ -0,0 +1,48 @@
+From: Hiroshi SHIBATA <h...@ruby-lang.org>
+Date: Fri, 21 Feb 2025 18:16:28 +0900
+Subject: Fix merger of URI with authority component
+
+https://hackerone.com/reports/2957667
+
+Co-authored-by: Nobuyoshi Nakada <n...@ruby-lang.org>
+
+Origin: backport, https://github.com/ruby/uri/commit/2789182478f42ccbb6
+
+NOTES: test removed, the file is not preset nor executed.
+---
+ bundler/lib/bundler/vendor/uri/lib/uri/generic.rb | 19 +++++++------------
+ 1 file changed, 7 insertions(+), 12 deletions(-)
+
+diff --git a/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb b/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
+index 998e808..efab83b 100644
+--- a/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
++++ b/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
+@@ -1123,21 +1123,16 @@ def merge(oth)
+       base.fragment=(nil)
+ 
+       # RFC2396, Section 5.2, 4)
+-      if !authority
+-        base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path
+-      else
+-        # RFC2396, Section 5.2, 4)
+-        base.set_path(rel.path) if rel.path
++      if authority
++        base.set_userinfo(rel.userinfo)
++        base.set_host(rel.host)
++        base.set_port(rel.port || base.default_port)
++        base.set_path(rel.path)
++      elsif base.path && rel.path
++        base.set_path(merge_path(base.path, rel.path))
+       end
+ 
+       # RFC2396, Section 5.2, 7)
+-      if rel.userinfo
+-        base.set_userinfo(rel.userinfo)
+-      else
+-        base.set_userinfo(nil)
+-      end
+-      base.set_host(rel.host)         if rel.host
+-      base.set_port(rel.port)         if rel.port
+       base.query = rel.query       if rel.query
+       base.fragment=(rel.fragment) if rel.fragment
+ 
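Review bot: the `# RFC2396, Section 5.2, 7)` comment is left heading only the query and fragment copies once the userinfo/host/port lines beneath it are removed; the authority replacement it annotated now lives in the `if authority` branch above, so move the comment there or drop it. The logic itself reads correctly: inside the authority branch `base.set_userinfo(rel.userinfo)` assigns `nil` when the reference carries no credentials, which is the actual fix, and `rel.port || base.default_port` keeps the port populated instead of leaving it `nil`. Style: the header says `NOTES:` where the sibling patch says `NOTE:`.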
diff -Nru rubygems-3.3.15/debian/patches/series rubygems-3.3.15/debian/patches/series
--- rubygems-3.3.15/debian/patches/series	2023-01-01 05:48:13.000000000 -0300
+++ rubygems-3.3.15/debian/patches/series	2025-04-17 22:51:20.000000000 -0300
@@ -1 +1,4 @@
 0001-Don-t-consider-gems-provided-by-Debian-packages-as-d.patch
+CVE-2025-27221_1.patch
+CVE-2025-27221_2.patch
+CVE-2023-28755.patch
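Review bot: order matters for the first two new entries. `CVE-2025-27221_2.patch` is generated against blob `998e808`, which is exactly what `CVE-2025-27221_1.patch` produces from `f29ba6c`, so `_1` must stay listed before `_2`; `CVE-2023-28755.patch` touches only `rfc3986_parser.rb` and is independent of both. Nothing to change, but a reviewer rebasing the series should keep that pair adjacent and in this order.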

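The [ Tests ] section above says the upstream tests were dropped because vendored tests are not executed. The following script is an added example, not part of the bug report or of the rubygems package, that a maintainer can run to check the userinfo behaviour the two CVE-2025-27221 patches change. It exercises the stdlib `uri` library that the vendored `Bundler::URI` copy is generated from; the sample URIs are constructed, and the `ns` parameter is an assumption added here so that `Bundler::URI` (after `require "bundler"`) can be passed in to test the vendored copy instead. `expected_userinfo` encodes the rule the patches implement, and `library_matches_fix?` compares the installed library against it for both the cross-host and the same-host case, so it also catches the over-clearing that the first patch alone would introduce.

```ruby
require "uri"

# Constructed sample inputs (not taken from the bug report).
BASE_WITH_CREDS = "http://user:secret@example.com/app/index".freeze
CROSS_HOST_REF  = "//other.example.org/landing".freeze   # carries an authority
SAME_HOST_REF   = "login".freeze                         # no authority at all

# The rule the backported patches implement (RFC 3986 section 5.2.2): when
# the reference carries an authority, its userinfo/host/port replace the
# base's wholesale, so absent userinfo means no userinfo in the result;
# otherwise the base's authority, credentials included, is inherited.
# `ns` is an assumption of this example: pass Bundler::URI to test the
# vendored copy instead of the stdlib one.
def expected_userinfo(base, ref, ns = URI)
  b = ns.parse(base)
  r = ns.parse(ref)
  authority = r.userinfo || r.host || r.port
  authority ? r.userinfo : b.userinfo
end

# What the installed library actually does for each of the three
# operations named in the changelog (URI.join, URI#merge, URI#+).
def surviving_userinfo(base, ref, ns = URI)
  b = ns.parse(base)
  {
    join:  ns.join(base, ref).userinfo,
    merge: b.merge(ref).userinfo,
    plus:  (b + ref).userinfo,
  }
end

# True when all three operations agree with the fixed rule for both the
# cross-host case (credentials must be dropped) and the same-host case
# (credentials must be kept).
def library_matches_fix?(ns = URI)
  [[BASE_WITH_CREDS, CROSS_HOST_REF], [BASE_WITH_CREDS, SAME_HOST_REF]].all? do |base, ref|
    want = expected_userinfo(base, ref, ns)
    surviving_userinfo(base, ref, ns).values.all? { |got| got == want }
  end
end

if $PROGRAM_NAME == __FILE__
  puts "uri #{URI::VERSION}" if defined?(URI::VERSION)
  puts "cross-host: #{surviving_userinfo(BASE_WITH_CREDS, CROSS_HOST_REF).inspect}"
  puts "same-host:  #{surviving_userinfo(BASE_WITH_CREDS, SAME_HOST_REF).inspect}"
  puts(library_matches_fix? ? "userinfo handling matches the fix" : "userinfo handling differs from the fix")
end
```

On an unpatched library the cross-host hash shows `"user:secret"` under all three keys, which is the leak the changelog describes; on a patched one all three are `nil` while the same-host hash still carries the credentials.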