Verified Commit 9f1630d0 authored by TBK

main/ruby: fix CVE-2020-25613

parent 78bdb7e4
......@@ -3,6 +3,8 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
#
# secfixes:
# 2.6.6-r3:
# - CVE-2020-25613
# 2.6.6-r0:
# - CVE-2020-10663
# - CVE-2020-10933
......@@ -36,7 +38,7 @@
pkgname=ruby
pkgver=2.6.6
_abiver="${pkgver%.*}.0"
pkgrel=2
pkgrel=3
pkgdesc="An object-oriented language for quick and easy programming"
url="https://www.ruby-lang.org/"
arch="all"
......@@ -74,6 +76,7 @@ source="https://cache.ruby-lang.org/pub/$pkgname/${pkgver%.*}/$pkgname-$pkgver.t
fix-get_main_stack.patch
avoid-rdoc-hook-when-its-failed-to-load-rdoc-library.patch
openssl-config-support-include-directive.patch
CVE-2020-25613.patch
"
replaces="ruby-gems"
builddir="$srcdir/$pkgname-$pkgver"
......@@ -366,4 +369,5 @@ cfdc5ea3b2e2ea69c51f38e8e2180cb1dc27008ca55cc6301f142ebafdbab31c3379b3b6bba9ff54
814fe6359505b70d8ff680adf22f20a74b4dbd3fecc9a63a6c2456ee9824257815929917b6df5394ed069a6869511b8c6dce5b95b4acbbb7867c1f3a975a0150 test_insns-lower-recursion-depth.patch
8d730f02f76e53799f1c220eb23e3d2305940bb31216a7ab1e42d3256149c0721c7d173cdbfe505023b1af2f5cb3faa233dcc1b5d560fa8f980c17c2d29a9d81 fix-get_main_stack.patch
cc6acabcf8d237ba75309f7c3b5fbe6bd68b2e355d2c4a656a50dea6dda4ab8153db90399b23d301ee463d56274f629aa40b2958646122f71925b4e2e602304d avoid-rdoc-hook-when-its-failed-to-load-rdoc-library.patch
a67813d7aa3553ed336f04b17461c5129546afb71a2a7cca6d1b1c860f8dd5839ca2f7695c971369f295aced3580687a28881ccd6c305f6dbdfe6b0ecf584d0e openssl-config-support-include-directive.patch"
a67813d7aa3553ed336f04b17461c5129546afb71a2a7cca6d1b1c860f8dd5839ca2f7695c971369f295aced3580687a28881ccd6c305f6dbdfe6b0ecf584d0e openssl-config-support-include-directive.patch
e4279a84b12f8ae4a842fc21975598fd47d39e688dee0beb6b0ad9cd48e246ce1f659c0ff4246e355b247f248f789e0e0dafcab0351d782f1ae053bcf7bc836f CVE-2020-25613.patch"
From 8946bb38b4d87549f0d99ed73c62c41933f97cc7 Mon Sep 17 00:00:00 2001
From: Yusuke Endoh <mame@ruby-lang.org>
Date: Tue, 29 Sep 2020 13:15:58 +0900
Subject: [PATCH] Make it more strict to interpret some headers
Some regexps were too tolerant.
---
lib/webrick/httprequest.rb | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/webrick/httprequest.rb b/lib/webrick/httprequest.rb
index 294bd91..d34eac7 100644
--- a/lib/webrick/httprequest.rb
+++ b/lib/webrick/httprequest.rb
@@ -226,9 +226,9 @@
raise HTTPStatus::BadRequest, "bad URI `#{@unparsed_uri}'."
end
- if /close/io =~ self["connection"]
+ if /\Aclose\z/io =~ self["connection"]
@keep_alive = false
- elsif /keep-alive/io =~ self["connection"]
+ elsif /\Akeep-alive\z/io =~ self["connection"]
@keep_alive = true
elsif @http_version < "1.1"
@keep_alive = false
@@ -503,7 +503,7 @@
return unless socket
if tc = self['transfer-encoding']
case tc
- when /chunked/io then read_chunked(socket, block)
+ when /\Achunked\z/io then read_chunked(socket, block)
else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}."
end
elsif self['content-length'] || @remaining_size
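Review bot: The anchored `Connection` checks in the first hunk now match only a header whose entire value is the single token `close` or `keep-alive`; a list value such as `keep-alive, Upgrade`, which HTTP permits for this header, matches neither branch and falls through to the `@http_version < "1.1"` default on the lines that follow. That is the intended tightening (it is the same exact-token rule the second hunk applies to `Transfer-Encoding`, where anything other than a lone `chunked` now raises NotImplemented instead of being treated as chunked), but it changes keep-alive handling for such clients, so it deserves a sentence in the commit description or the APKBUILD secfixes block, e.g. `# CVE-2020-25613: Connection and Transfer-Encoding values must now be exactly one token; list values fall back to the HTTP-version default or 501`. Whether WEBrick strips surrounding whitespace from header values before these comparisons is not visible in the hunk, so a value with a trailing space may also fail the `\z` anchor — worth confirming against the header parser before relying on it. The methods enclosing both hunks start and end outside the hunks.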