Package: release.debian.org Control: affects -1 + src:rubygems X-Debbugs-Cc: rubyg...@packages.debian.org User: release.debian....@packages.debian.org Usertags: pu Tags: bookworm Severity: normal
[ Reason ] This includes a fix for CVE-2025-27221 and CVE-2023-28755. [ Impact ] Users' systems will remain vulnerable to both issues through the copy of the URI library vendored in rubygems (under bundler): because that copy is separate from Ruby's own uri library, a fix to the latter alone does not reach it. [ Tests ] The upstream tests were not included in those patches because the tests shipped with the vendored code are not executed in this package. However, the changes were well tested upstream, and I also did some manual testing to make sure the vendored URI code is now fixed. [ Risks ] The changed code is small and self-contained; I do not foresee a significant risk of regression. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] Backported upstream fixes for the 2 CVEs mentioned and nothing else. [ Other info ] The security team asked me to push those changes via proposed-updates.
diff -Nru rubygems-3.3.15/debian/changelog rubygems-3.3.15/debian/changelog
--- rubygems-3.3.15/debian/changelog 2023-01-01 05:50:51.000000000 -0300
+++ rubygems-3.3.15/debian/changelog 2025-04-17 22:54:07.000000000 -0300
@@ -1,3 +1,19 @@
+rubygems (3.3.15-2+deb12u1) UNRELEASED; urgency=medium
+
+ * Fix CVE-2025-27221.
+ The URI handling methods (URI.join, URI#merge, URI#+) have an
+ inadvertent leakage of authentication credentials because userinfo is
+ retained even after changing the host.
+ - d/p/CVE-2025-27221_*.patch
+ * Fix CVE-2023-28755.
+ A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby
+ through 3.2.1. The URI parser mishandles invalid URLs that have specific
+ characters. It causes an increase in execution time for parsing strings
+ to URI objects.
+ - d/p/CVE-2023-28755.patch
+
+ -- Lucas Kanashiro <kanash...@debian.org> Thu, 17 Apr 2025 22:54:07 -0300
+
 rubygems (3.3.15-2) unstable; urgency=medium
 
 * Team upload
diff -Nru rubygems-3.3.15/debian/patches/CVE-2023-28755.patch rubygems-3.3.15/debian/patches/CVE-2023-28755.patch
--- rubygems-3.3.15/debian/patches/CVE-2023-28755.patch 1969-12-31 21:00:00.000000000 -0300
+++ rubygems-3.3.15/debian/patches/CVE-2023-28755.patch 2025-04-17 22:51:20.000000000 -0300
@@ -0,0 +1,26 @@ +From: Nobuyoshi Nakada <n...@ruby-lang.org> +Date: Mon, 10 Jan 2022 01:12:57 +0900 +Subject: Fix quadratic backtracking on invalid URI + +https://hackerone.com/reports/1444501 + +Origin: backport, https://github.com/ruby/uri/commit/eaf89cc31619d49e67c64d +--- + bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb b/bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb +index 2029cfd..2330a28 100644 +--- a/bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb ++++ b/bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb +@@ -3,8 +3,8 @@ module Bundler::URI + class RFC3986_Parser # :nodoc: + # Bundler::URI defined in RFC3986 + # this regexp is modified not to host is not empty string +- RFC3986_URI = /\A(?<Bundler::URI>(?<scheme>[A-Za-z][+\-.0-9A-Za-z]*):(?<hier-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h+\.[!$&-.0-;=A-Z_a-z~]+))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?<port>\d*))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g<segment>)*)?)|(?<path-rootless>\g<segment-nz>(?:\/\g<segment>)*)|(?<path-empty>))(?:\?(?<query>[^#]*))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/ +- RFC3986_relative_ref = 
/\A(?<relative-ref>(?<relative-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?<host>(?<IP-literal>\[(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h+\.[!$&-.0-;=A-Z_a-z~]+)\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?<port>\d*))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g<segment>)*)?)|(?<path-noscheme>(?<segment-nz-nc>(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])+)(?:\/\g<segment>)*)|(?<path-empty>))(?:\?(?<query>[^#]*))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/ ++ RFC3986_URI = 
/\A(?<URI>(?<scheme>[A-Za-z][+\-.0-9A-Za-z]*+):(?<hier-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*+)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h++\.[!$&-.0-;=A-Z_a-z~]++))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])*+))(?::(?<port>\d*+))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*+))*+)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])++)(?:\/\g<segment>)*+)?)|(?<path-rootless>\g<segment-nz>(?:\/\g<segment>)*+)|(?<path-empty>))(?:\?(?<query>[^#]*+))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*+))?)\z/ ++ RFC3986_relative_ref = 
/\A(?<relative-ref>(?<relative-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*+)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h++\.[!$&-.0-;=A-Z_a-z~]++))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])++))?(?::(?<port>\d*+))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*+))*+)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])++)(?:\/\g<segment>)*+)?)|(?<path-noscheme>(?<segment-nz-nc>(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])++)(?:\/\g<segment>)*+)|(?<path-empty>))(?:\?(?<query>[^#]*+))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*+))?)\z/ + attr_reader :regexp + + def initialize diff -Nru rubygems-3.3.15/debian/patches/CVE-2025-27221_1.patch rubygems-3.3.15/debian/patches/CVE-2025-27221_1.patch --- rubygems-3.3.15/debian/patches/CVE-2025-27221_1.patch 1969-12-31 21:00:00.000000000 -0300 +++ rubygems-3.3.15/debian/patches/CVE-2025-27221_1.patch 2025-04-17 22:51:20.000000000 -0300 
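Review bot: Beyond making the quantifiers possessive, the new `RFC3986_URI` (the `++ RFC3986_URI =` line) also drops the `?` that followed the `host` group and lets `reg-name` match the empty string (`)*+))` where the old regexp had `)+))?`), so an empty authority such as `http:///path` should now capture `host` as `""` rather than leaving it `nil`, while the new `RFC3986_relative_ref` keeps `)?` after its host group. This follows the upstream commit, but since the vendored test suite is not run in this package, it is worth a manual check that bundler's callers tolerate an empty-string host, and recording the inputs you tried in this bug. The backtracking itself comes from `userinfo` and `reg-name` drawing on nearly the same character class: without an `@` the old regexp could retry every split between the two, and the `*+`/`++` quantifiers now pin each group's match so no such retry happens. The hunk only touches rfc3986_parser.rb; if the vendored copy also ships rfc2396_parser.rb, confirm with the security team whether the later uri ReDoS fix (CVE-2023-36617) is tracked for this package as well.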
@@ -0,0 +1,28 @@
+From: Hiroshi SHIBATA <h...@ruby-lang.org>
+Date: Fri, 21 Feb 2025 16:29:36 +0900
+Subject: Truncate userinfo with URI#join, URI#merge and URI#+
+
+Origin: backport, https://github.com/ruby/uri/commit/3675494839112b64d5f082
+
+NOTE: test removed, the file is not preset nor executed.
+---
+ bundler/lib/bundler/vendor/uri/lib/uri/generic.rb | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb b/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
+index f29ba6c..998e808 100644
+--- a/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
++++ b/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
+@@ -1131,7 +1131,11 @@ def merge(oth)
+ end
+
+ # RFC2396, Section 5.2, 7)
+- base.set_userinfo(rel.userinfo) if rel.userinfo
++ if rel.userinfo
++ base.set_userinfo(rel.userinfo)
++ else
++ base.set_userinfo(nil)
++ end
+ base.set_host(rel.host) if rel.host
+ base.set_port(rel.port) if rel.port
+ base.query = rel.query if rel.query
diff -Nru rubygems-3.3.15/debian/patches/CVE-2025-27221_2.patch rubygems-3.3.15/debian/patches/CVE-2025-27221_2.patch
--- rubygems-3.3.15/debian/patches/CVE-2025-27221_2.patch 1969-12-31 21:00:00.000000000 -0300
+++ rubygems-3.3.15/debian/patches/CVE-2025-27221_2.patch 2025-04-17 22:51:20.000000000 -0300
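Review bot: Taken on its own, the added `else base.set_userinfo(nil) end` clears the base's credentials on every merge, including a purely relative reference such as `URI("http://user:pw@host/a/").merge("b")`, where the base authority is supposed to stay untouched; only the next patch in the series, which moves the userinfo reset under `if authority`, narrows it to references that carry their own authority. That is harmless as long as `CVE-2025-27221_2.patch` always follows `_1` in d/p/series, but it is worth stating in the patch header, e.g. `NOTE: only correct together with CVE-2025-27221_2.patch, which reworks this block`, or squashing the two into one Debian patch. The header's `not preset` presumably means `not present`. The enclosing `merge` method starts and ends outside this hunk.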
@@ -0,0 +1,48 @@
+From: Hiroshi SHIBATA <h...@ruby-lang.org>
+Date: Fri, 21 Feb 2025 18:16:28 +0900
+Subject: Fix merger of URI with authority component
+
+https://hackerone.com/reports/2957667
+
+Co-authored-by: Nobuyoshi Nakada <n...@ruby-lang.org>
+
+Origin: backport, https://github.com/ruby/uri/commit/2789182478f42ccbb6
+
+NOTES: test removed, the file is not preset nor executed.
+---
+ bundler/lib/bundler/vendor/uri/lib/uri/generic.rb | 19 +++++++------------
+ 1 file changed, 7 insertions(+), 12 deletions(-)
+
+diff --git a/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb b/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
+index 998e808..efab83b 100644
+--- a/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
++++ b/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
+@@ -1123,21 +1123,16 @@ def merge(oth)
+ base.fragment=(nil)
+
+ # RFC2396, Section 5.2, 4)
+- if !authority
+- base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path
+- else
+- # RFC2396, Section 5.2, 4)
+- base.set_path(rel.path) if rel.path
++ if authority
++ base.set_userinfo(rel.userinfo)
++ base.set_host(rel.host)
++ base.set_port(rel.port || base.default_port)
++ base.set_path(rel.path)
++ elsif base.path && rel.path
++ base.set_path(merge_path(base.path, rel.path))
+ end
+
+ # RFC2396, Section 5.2, 7)
+- if rel.userinfo
+- base.set_userinfo(rel.userinfo)
+- else
+- base.set_userinfo(nil)
+- end
+- base.set_host(rel.host) if rel.host
+- base.set_port(rel.port) if rel.port
+ base.query = rel.query if rel.query
+ base.fragment=(rel.fragment) if rel.fragment
+
diff -Nru rubygems-3.3.15/debian/patches/series rubygems-3.3.15/debian/patches/series
--- rubygems-3.3.15/debian/patches/series 2023-01-01 05:48:13.000000000 -0300
+++ rubygems-3.3.15/debian/patches/series 2025-04-17 22:51:20.000000000 -0300
@@ -1 +1,4 @@
 0001-Don-t-consider-gems-provided-by-Debian-packages-as-d.patch
+CVE-2025-27221_1.patch
+CVE-2025-27221_2.patch
+CVE-2023-28755.patch
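Review bot: The credential-stripping behaviour this backport exists for is not exercised anywhere in the package, since the vendored tests are dropped (`NOTES: test removed`) and neither the changelog nor this bug records the inputs used for manual testing; a one-line check such as `Bundler::URI.join("http://user:pw@example.com/", "//other.example/x").userinfo` expected to be `nil` would pin it, either as an autopkgtest or at least written down here. In the new `if authority` branch, `base.set_port(rel.port || base.default_port)` deliberately falls back to the scheme default instead of keeping the base port, which is the right reading of RFC 3986 §5.2.2 (the authority is replaced wholesale), so credentials, host and port now always move together. `authority` is computed before the hunk, so I am assuming it is truthy exactly when `rel` carries an authority component; if it can be true with `rel.host` nil, `base.set_host(rel.host)` would leave a scheme with no host, which is worth a glance. The enclosing `merge` method starts and ends outside this hunk.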