Package: release.debian.org
Control: affects -1 + src:rubygems
X-Debbugs-Cc: [email protected]
User: [email protected]
Usertags: pu
Tags: bookworm
Severity: normal
[ Reason ]
This includes a fix for CVE-2025-27221 and CVE-2023-28755.
[ Impact ]
Users' systems will be vulnerable due to the URI code vendored in rubygems.
[ Tests ]
The upstream tests were not included in those patches because the tests
in vendor code are not executed. However, this was well tested upstream
and I also did some manual testing to make sure the URI code is now
fixed.
[ Risks ]
The changed code is not too complex; I do not foresee a big risk of a
regression, TBH.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Backported upstream fixes for the 2 CVEs mentioned and nothing else.
[ Other info ]
The security team asked me to push those changes via proposed-updates.
diff -Nru rubygems-3.3.15/debian/changelog rubygems-3.3.15/debian/changelog
--- rubygems-3.3.15/debian/changelog 2023-01-01 05:50:51.000000000 -0300
+++ rubygems-3.3.15/debian/changelog 2025-04-17 22:54:07.000000000 -0300
@@ -1,3 +1,19 @@
+rubygems (3.3.15-2+deb12u1) UNRELEASED; urgency=medium
+
+ * Fix CVE-2025-27221.
+ The URI handling methods (URI.join, URI#merge, URI#+) have an
+ inadvertent leakage of authentication credentials because userinfo is
+ retained even after changing the host.
+ - d/p/CVE-2025-27221_*.patch
+ * Fix CVE-2023-28755.
+ A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby
+ through 3.2.1. The URI parser mishandles invalid URLs that have specific
+ characters. It causes an increase in execution time for parsing strings
+ to URI objects.
+ - d/p/CVE-2023-28755.patch
+
+ -- Lucas Kanashiro <[email protected]> Thu, 17 Apr 2025 22:54:07 -0300
+
rubygems (3.3.15-2) unstable; urgency=medium
* Team upload
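Review bot: the distribution in the new changelog entry is still `UNRELEASED`; a bookworm proposed-updates upload needs `bookworm` there before the upload is built (`rubygems (3.3.15-2+deb12u1) bookworm; urgency=medium`). The version string and the two CVE descriptions with their `d/p/` file names are otherwise fine; for CVE-2023-28755 it may be worth saying explicitly that the affected copy is the uri code vendored under `bundler/lib/bundler/vendor/uri`, since the text as written talks about the standalone uri gem versions.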
diff -Nru rubygems-3.3.15/debian/patches/CVE-2023-28755.patch rubygems-3.3.15/debian/patches/CVE-2023-28755.patch
--- rubygems-3.3.15/debian/patches/CVE-2023-28755.patch 1969-12-31 21:00:00.000000000 -0300
+++ rubygems-3.3.15/debian/patches/CVE-2023-28755.patch 2025-04-17 22:51:20.000000000 -0300
@@ -0,0 +1,26 @@
+From: Nobuyoshi Nakada <[email protected]>
+Date: Mon, 10 Jan 2022 01:12:57 +0900
+Subject: Fix quadratic backtracking on invalid URI
+
+https://hackerone.com/reports/1444501
+
+Origin: backport, https://github.com/ruby/uri/commit/eaf89cc31619d49e67c64d
+---
+ bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb b/bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb
+index 2029cfd..2330a28 100644
+--- a/bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb
++++ b/bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb
+@@ -3,8 +3,8 @@ module Bundler::URI
+ class RFC3986_Parser # :nodoc:
+ # Bundler::URI defined in RFC3986
+ # this regexp is modified not to host is not empty string
+- RFC3986_URI = /\A(?<Bundler::URI>(?<scheme>[A-Za-z][+\-.0-9A-Za-z]*):(?<hier-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h+\.[!$&-.0-;=A-Z_a-z~]+))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?<port>\d*))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g<segment>)*)?)|(?<path-rootless>\g<segment-nz>(?:\/\g<segment>)*)|(?<path-empty>))(?:\?(?<query>[^#]*))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/
+- RFC3986_relative_ref = /\A(?<relative-ref>(?<relative-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?<host>(?<IP-literal>\[(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h+\.[!$&-.0-;=A-Z_a-z~]+)\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?<port>\d*))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g<segment>)*)?)|(?<path-noscheme>(?<segment-nz-nc>(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])+)(?:\/\g<segment>)*)|(?<path-empty>))(?:\?(?<query>[^#]*))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/
++ RFC3986_URI = /\A(?<URI>(?<scheme>[A-Za-z][+\-.0-9A-Za-z]*+):(?<hier-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*+)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h++\.[!$&-.0-;=A-Z_a-z~]++))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])*+))(?::(?<port>\d*+))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*+))*+)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])++)(?:\/\g<segment>)*+)?)|(?<path-rootless>\g<segment-nz>(?:\/\g<segment>)*+)|(?<path-empty>))(?:\?(?<query>[^#]*+))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*+))?)\z/
++ RFC3986_relative_ref = /\A(?<relative-ref>(?<relative-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*+)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h++\.[!$&-.0-;=A-Z_a-z~]++))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])++))?(?::(?<port>\d*+))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*+))*+)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])++)(?:\/\g<segment>)*+)?)|(?<path-noscheme>(?<segment-nz-nc>(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])++)(?:\/\g<segment>)*+)|(?<path-empty>))(?:\?(?<query>[^#]*+))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*+))?)\z/
+ attr_reader :regexp
+
+ def initialize
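Review bot: besides the possessive quantifiers, the new `RFC3986_URI` line drops the `?` after the `(?<host>...)` group and changes `reg-name` from `+` to `*+`, so an absolute URI with `//` now always matches a (possibly empty) host instead of an optional one; if that is what the referenced upstream commit does, say so in the patch header, because it is a behavioural change on top of the backtracking fix. The replacement lines also rename the outer group from `(?<Bundler::URI>` to `(?<URI>` while the unchanged context still reads `# Bundler::URI defined in RFC3986`; either confirm that the group name is not referenced anywhere in the vendored parser or keep the `Bundler::URI` name that the vendoring rename uses, so the patch clearly targets the vendored file rather than a copy of the upstream one.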
diff -Nru rubygems-3.3.15/debian/patches/CVE-2025-27221_1.patch rubygems-3.3.15/debian/patches/CVE-2025-27221_1.patch
--- rubygems-3.3.15/debian/patches/CVE-2025-27221_1.patch 1969-12-31 21:00:00.000000000 -0300
+++ rubygems-3.3.15/debian/patches/CVE-2025-27221_1.patch 2025-04-17 22:51:20.000000000 -0300
@@ -0,0 +1,28 @@
+From: Hiroshi SHIBATA <[email protected]>
+Date: Fri, 21 Feb 2025 16:29:36 +0900
+Subject: Truncate userinfo with URI#join, URI#merge and URI#+
+
+Origin: backport, https://github.com/ruby/uri/commit/3675494839112b64d5f082
+
+NOTE: test removed, the file is not preset nor executed.
+---
+ bundler/lib/bundler/vendor/uri/lib/uri/generic.rb | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb b/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
+index f29ba6c..998e808 100644
+--- a/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
++++ b/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
+@@ -1131,7 +1131,11 @@ def merge(oth)
+ end
+
+ # RFC2396, Section 5.2, 7)
+- base.set_userinfo(rel.userinfo) if rel.userinfo
++ if rel.userinfo
++ base.set_userinfo(rel.userinfo)
++ else
++ base.set_userinfo(nil)
++ end
+ base.set_host(rel.host) if rel.host
+ base.set_port(rel.port) if rel.port
+ base.query = rel.query if rel.query
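Review bot: the `if rel.userinfo ... else base.set_userinfo(nil) end` block introduced here is removed again by CVE-2025-27221_2.patch, so on its own it only affects the intermediate state of the series; mirroring the two upstream commits is fine, but the header should mention that the second patch supersedes it. Two header nits: `preset` in the NOTE line should read `present`, and since both patches fix the same CVE, consider carrying the HackerOne report URL that the second patch cites here as well.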
diff -Nru rubygems-3.3.15/debian/patches/CVE-2025-27221_2.patch rubygems-3.3.15/debian/patches/CVE-2025-27221_2.patch
--- rubygems-3.3.15/debian/patches/CVE-2025-27221_2.patch 1969-12-31 21:00:00.000000000 -0300
+++ rubygems-3.3.15/debian/patches/CVE-2025-27221_2.patch 2025-04-17 22:51:20.000000000 -0300
@@ -0,0 +1,48 @@
+From: Hiroshi SHIBATA <[email protected]>
+Date: Fri, 21 Feb 2025 18:16:28 +0900
+Subject: Fix merger of URI with authority component
+
+https://hackerone.com/reports/2957667
+
+Co-authored-by: Nobuyoshi Nakada <[email protected]>
+
+Origin: backport, https://github.com/ruby/uri/commit/2789182478f42ccbb6
+
+NOTES: test removed, the file is not preset nor executed.
+---
+ bundler/lib/bundler/vendor/uri/lib/uri/generic.rb | 19 +++++++------------
+ 1 file changed, 7 insertions(+), 12 deletions(-)
+
+diff --git a/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb b/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
+index 998e808..efab83b 100644
+--- a/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
++++ b/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
+@@ -1123,21 +1123,16 @@ def merge(oth)
+ base.fragment=(nil)
+
+ # RFC2396, Section 5.2, 4)
+- if !authority
+- base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path
+- else
+- # RFC2396, Section 5.2, 4)
+- base.set_path(rel.path) if rel.path
++ if authority
++ base.set_userinfo(rel.userinfo)
++ base.set_host(rel.host)
++ base.set_port(rel.port || base.default_port)
++ base.set_path(rel.path)
++ elsif base.path && rel.path
++ base.set_path(merge_path(base.path, rel.path))
+ end
+
+ # RFC2396, Section 5.2, 7)
+- if rel.userinfo
+- base.set_userinfo(rel.userinfo)
+- else
+- base.set_userinfo(nil)
+- end
+- base.set_host(rel.host) if rel.host
+- base.set_port(rel.port) if rel.port
+ base.query = rel.query if rel.query
+ base.fragment=(rel.fragment) if rel.fragment
+
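Review bot: with userinfo, host and port now handled inside the `if authority` branch, the `# RFC2396, Section 5.2, 7)` comment that remains at its old position only heads the query and fragment assignments, and the authority branch sits under the `# RFC2396, Section 5.2, 4)` comment; a one-line comment in the authority branch stating that a relative reference carrying an authority replaces userinfo, host and port wholesale (so `base.set_userinfo(rel.userinfo)` clears the base credentials when the reference has none) would make the security intent visible at the exact point where the CVE is fixed. Note also that `base.set_port(rel.port || base.default_port)` yields the scheme's default port rather than `nil` when the reference omits the port; worth confirming that matches the upstream commit. Minor: `NOTES:` here versus `NOTE:` in the first patch.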
diff -Nru rubygems-3.3.15/debian/patches/series rubygems-3.3.15/debian/patches/series
--- rubygems-3.3.15/debian/patches/series 2023-01-01 05:48:13.000000000 -0300
+++ rubygems-3.3.15/debian/patches/series 2025-04-17 22:51:20.000000000 -0300
@@ -1 +1,4 @@
0001-Don-t-consider-gems-provided-by-Debian-packages-as-d.patch
+CVE-2025-27221_1.patch
+CVE-2025-27221_2.patch
+CVE-2023-28755.patch