5 files changed, 210 insertions, 45 deletions
diff --git a/meta/recipes-devtools/ruby/ruby.inc b/meta/recipes-devtools/ruby/ruby.inc
index 7b6d4edc61..a9f4240932 100644
--- a/meta/recipes-devtools/ruby/ruby.inc
+++ b/meta/recipes-devtools/ruby/ruby.inc
@@ -14,8 +14,8 @@ LIC_FILES_CHKSUM = "\
    file://LEGAL;md5=2b6d62dc0d608f34d510ca3f428110ec \
 "
-DEPENDS = "ruby-native zlib openssl libyaml gdbm readline libffi"
+DEPENDS = "zlib openssl libyaml gdbm readline libffi"
-DEPENDS_class-native = "openssl-native libyaml-native readline-native zlib-native"
+DEPENDS_append_class-target = " ruby-native"
 SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}"
 SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2020-25613.patch b/meta/recipes-devtools/ruby/ruby/CVE-2020-25613.patch
deleted file mode 100644
index 1abcb7547e..0000000000
--- a/meta/recipes-devtools/ruby/ruby/CVE-2020-25613.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 8946bb38b4d87549f0d99ed73c62c41933f97cc7 Mon Sep 17 00:00:00 2001
-From: Yusuke Endoh <mame@ruby-lang.org>
-Date: Tue, 29 Sep 2020 13:15:58 +0900
-Subject: [PATCH] Make it more strict to interpret some headers
-Some regexps were too tolerant.
-Upstream-Status: Backport
-[https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7]
-CVE: CVE-2020-25613
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
- lib/webrick/httprequest.rb | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-diff --git a/lib/webrick/httprequest.rb b/lib/webrick/httprequest.rb
-index 294bd91..d34eac7 100644
--- a/lib/webrick/httprequest.rb
-+++ b/lib/webrick/httprequest.rb
-@@ -227,9 +227,9 @@ def parse(socket=nil)
-         raise HTTPStatus::BadRequest, "bad URI `#{@unparsed_uri}'."
-       end
- 
-      if /close/io =~ self["connection"]
-+      if /\Aclose\z/io =~ self["connection"]
-         @keep_alive = false
-      elsif /keep-alive/io =~ self["connection"]
-+      elsif /\Akeep-alive\z/io =~ self["connection"]
-         @keep_alive = true
-       elsif @http_version < "1.1"
-         @keep_alive = false
-@@ -508,7 +508,7 @@ def read_body(socket, block)
-       return unless socket
-       if tc = self['transfer-encoding']
-         case tc
-        when /chunked/io then read_chunked(socket, block)
-+        when /\Achunked\z/io then read_chunked(socket, block)
-         else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}."
-         end
-       elsif self['content-length'] || @remaining_size
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2021-33621.patch b/meta/recipes-devtools/ruby/ruby/CVE-2021-33621.patch
new file mode 100644
index 0000000000..cc2f9853db
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2021-33621.patch
@@ -0,0 +1,139 @@
+From 64c5045c0a6b84fdb938a8465a0890e5f7162708 Mon Sep 17 00:00:00 2001
+From: Yusuke Endoh <mame@ruby-lang.org>
+Date: Tue, 22 Nov 2022 10:49:27 +0900
+Subject: [PATCH] Prevent CRLF injection
+Throw a RuntimeError if the HTTP response header contains CR or LF to
+prevent HTTP response splitting.
+https://hackerone.com/reports/1204695
+Upstream-Status: Backport [https://github.com/ruby/cgi/commit/64c5045c0a6b84fdb938a8465a0890e5f7162708]
+CVE: CVE-2021-33621
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/cgi/core.rb             | 45 +++++++++++++++++++++++--------------
+ test/cgi/test_cgi_header.rb |  8 +++++++
+ 2 files changed, 36 insertions(+), 17 deletions(-)
+diff --git a/lib/cgi/core.rb b/lib/cgi/core.rb
+index bec76e0..62e6068 100644
+--- a/lib/cgi/core.rb
+++ b/lib/cgi/core.rb
+@@ -188,17 +188,28 @@ class CGI
+   # Using #header with the HTML5 tag maker will create a <header> element.
+   alias :header :http_header
+ 
+  def _no_crlf_check(str)
+    if str
+      str = str.to_s
+      raise "A HTTP status or header field must not include CR and LF" if str =~ /[\r\n]/
+      str
+    else
+      nil
+    end
+  end
+  private :_no_crlf_check
+
+   def _header_for_string(content_type) #:nodoc:
+     buf = ''.dup
+     if nph?()
+-      buf << "#{$CGI_ENV['SERVER_PROTOCOL'] || 'HTTP/1.0'} 200 OK#{EOL}"
+      buf << "#{_no_crlf_check($CGI_ENV['SERVER_PROTOCOL']) || 'HTTP/1.0'} 200 OK#{EOL}"
+       buf << "Date: #{CGI.rfc1123_date(Time.now)}#{EOL}"
+-      buf << "Server: #{$CGI_ENV['SERVER_SOFTWARE']}#{EOL}"
+      buf << "Server: #{_no_crlf_check($CGI_ENV['SERVER_SOFTWARE'])}#{EOL}"
+       buf << "Connection: close#{EOL}"
+     end
+-    buf << "Content-Type: #{content_type}#{EOL}"
+    buf << "Content-Type: #{_no_crlf_check(content_type)}#{EOL}"
+     if @output_cookies
+-      @output_cookies.each {|cookie| buf << "Set-Cookie: #{cookie}#{EOL}" }
+      @output_cookies.each {|cookie| buf << "Set-Cookie: #{_no_crlf_check(cookie)}#{EOL}" }
+     end
+     return buf
+   end # _header_for_string
+@@ -213,9 +224,9 @@ class CGI
+     ## NPH
+     options.delete('nph') if defined?(MOD_RUBY)
+     if options.delete('nph') || nph?()
+-      protocol = $CGI_ENV['SERVER_PROTOCOL'] || 'HTTP/1.0'
+      protocol = _no_crlf_check($CGI_ENV['SERVER_PROTOCOL']) || 'HTTP/1.0'
+       status = options.delete('status')
+-      status = HTTP_STATUS[status] || status || '200 OK'
+      status = HTTP_STATUS[status] || _no_crlf_check(status) || '200 OK'
+       buf << "#{protocol} #{status}#{EOL}"
+       buf << "Date: #{CGI.rfc1123_date(Time.now)}#{EOL}"
+       options['server'] ||= $CGI_ENV['SERVER_SOFTWARE'] || ''
+@@ -223,38 +234,38 @@ class CGI
+     end
+     ## common headers
+     status = options.delete('status')
+-    buf << "Status: #{HTTP_STATUS[status] || status}#{EOL}" if status
+    buf << "Status: #{HTTP_STATUS[status] || _no_crlf_check(status)}#{EOL}" if status
+     server = options.delete('server')
+-    buf << "Server: #{server}#{EOL}" if server
+    buf << "Server: #{_no_crlf_check(server)}#{EOL}" if server
+     connection = options.delete('connection')
+-    buf << "Connection: #{connection}#{EOL}" if connection
+    buf << "Connection: #{_no_crlf_check(connection)}#{EOL}" if connection
+     type = options.delete('type')
+-    buf << "Content-Type: #{type}#{EOL}" #if type
+    buf << "Content-Type: #{_no_crlf_check(type)}#{EOL}" #if type
+     length = options.delete('length')
+-    buf << "Content-Length: #{length}#{EOL}" if length
+    buf << "Content-Length: #{_no_crlf_check(length)}#{EOL}" if length
+     language = options.delete('language')
+-    buf << "Content-Language: #{language}#{EOL}" if language
+    buf << "Content-Language: #{_no_crlf_check(language)}#{EOL}" if language
+     expires = options.delete('expires')
+     buf << "Expires: #{CGI.rfc1123_date(expires)}#{EOL}" if expires
+     ## cookie
+     if cookie = options.delete('cookie')
+       case cookie
+       when String, Cookie
+-        buf << "Set-Cookie: #{cookie}#{EOL}"
+        buf << "Set-Cookie: #{_no_crlf_check(cookie)}#{EOL}"
+       when Array
+         arr = cookie
+-        arr.each {|c| buf << "Set-Cookie: #{c}#{EOL}" }
+        arr.each {|c| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" }
+       when Hash
+         hash = cookie
+-        hash.each_value {|c| buf << "Set-Cookie: #{c}#{EOL}" }
+        hash.each_value {|c| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" }
+       end
+     end
+     if @output_cookies
+-      @output_cookies.each {|c| buf << "Set-Cookie: #{c}#{EOL}" }
+      @output_cookies.each {|c| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" }
+     end
+     ## other headers
+     options.each do |key, value|
+-      buf << "#{key}: #{value}#{EOL}"
+      buf << "#{_no_crlf_check(key)}: #{_no_crlf_check(value)}#{EOL}"
+     end
+     return buf
+   end # _header_for_hash
+diff --git a/test/cgi/test_cgi_header.rb b/test/cgi/test_cgi_header.rb
+index bab2d03..ec2f4de 100644
+--- a/test/cgi/test_cgi_header.rb
+++ b/test/cgi/test_cgi_header.rb
+@@ -176,6 +176,14 @@ class CGIHeaderTest < Test::Unit::TestCase
+   end
+ 
+ 
+  def test_cgi_http_header_crlf_injection
+    cgi = CGI.new
+    assert_raise(RuntimeError) { cgi.http_header("text/xhtml\r\nBOO") }
+    assert_raise(RuntimeError) { cgi.http_header("type" => "text/xhtml\r\nBOO") }
+    assert_raise(RuntimeError) { cgi.http_header("status" => "200 OK\r\nBOO") }
+    assert_raise(RuntimeError) { cgi.http_header("location" => "text/xhtml\r\nBOO") }
+  end
+
+ 
+   instance_methods.each do |method|
+     private method if method =~ /^test_(.*)/ && $1 != ENV['TEST']
+-- 
+2.25.1
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch b/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch
new file mode 100644
index 0000000000..c25a147d36
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch
@@ -0,0 +1,61 @@
+From 957bb7cb81995f26c671afce0ee50a5c660e540e Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Wed, 29 Mar 2023 13:28:25 +0900
+Subject: [PATCH] CVE-2023-28756
+CVE: CVE-2023-28756
+Upstream-Status: Backport [https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/time.rb       | 6 +++---
+ test/test_time.rb | 9 +++++++++
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+diff --git a/lib/time.rb b/lib/time.rb
+index f27bacd..4a86e8e 100644
+--- a/lib/time.rb
+++ b/lib/time.rb
+@@ -501,8 +501,8 @@ class Time
+           (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+
+           (\d{2,})\s+
+           (\d{2})\s*
+-          :\s*(\d{2})\s*
+-          (?::\s*(\d{2}))?\s+
+          :\s*(\d{2})
+          (?:\s*:\s*(\d\d))?\s+
+           ([+-]\d{4}|
+            UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date
+         # Since RFC 2822 permit comments, the regexp has no right anchor.
+@@ -717,7 +717,7 @@ class Time
+   #
+   # If self is a UTC time, Z is used as TZD.  [+-]hh:mm is used otherwise.
+   #
+-  # +fractional_digits+ specifies a number of digits to use for fractional
+  # +fraction_digits+ specifies a number of digits to use for fractional
+   # seconds.  Its default value is 0.
+   #
+   #     require 'time'
+diff --git a/test/test_time.rb b/test/test_time.rb
+index ca20788..4f11048 100644
+--- a/test/test_time.rb
+++ b/test/test_time.rb
+@@ -62,6 +62,15 @@ class TestTimeExtension < Test::Unit::TestCase # :nodoc:
+     assert_equal(true, t.utc?)
+   end
+ 
+  def test_rfc2822_nonlinear
+    pre = ->(n) {"0 Feb 00 00 :00" + " " * n}
+    assert_linear_performance([100, 500, 5000, 50_000], pre: pre) do |s|
+      assert_raise(ArgumentError) do
+        Time.rfc2822(s)
+      end
+    end
+  end
+
+   def test_encode_rfc2822
+     t = Time.utc(1)
+     assert_equal("Mon, 01 Jan 0001 00:00:00 -0000", t.rfc2822)
+-- 
+2.25.1
diff --git a/meta/recipes-devtools/ruby/ruby_2.7.1.bb b/meta/recipes-devtools/ruby/ruby_2.7.6.bb
index a6c65e887b..7e6373bd24 100644
--- a/meta/recipes-devtools/ruby/ruby_2.7.1.bb
+++ b/meta/recipes-devtools/ruby/ruby_2.7.6.bb
@@ -6,12 +6,17 @@ SRC_URI += " \
           file://remove_has_include_macros.patch \
           file://run-ptest \
           file://0001-Modify-shebang-of-libexec-y2racc-and-libexec-racc2y.patch \
-           file://CVE-2020-25613.patch \
           file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \
+           file://CVE-2023-28756.patch \
+           file://CVE-2021-33621.patch \
           "
-SRC_URI[md5sum] = "debb9c325bf65021214451660f46e909"
+SRC_URI[md5sum] = "f972fb0cce662966bec10d5c5f32d042"
-SRC_URI[sha256sum] = "d418483bdd0000576c1370571121a6eb24582116db0b7bb2005e90e250eae418"
+SRC_URI[sha256sum] = "e7203b0cc09442ed2c08936d483f8ac140ec1c72e37bb5c401646b7866cb5d10"
+# CVE-2021-28966 is Windows specific and not affects Linux OS
+# https://security-tracker.debian.org/tracker/CVE-2021-28966
+CVE_CHECK_WHITELIST += "CVE-2021-28966"
 PACKAGECONFIG ??= ""
 PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"

diff --git a/meta/recipes-devtools/ruby/ruby.inc b/meta/recipes-devtools/ruby/ruby.inc index 7b6d4edc61..a9f4240932 100644 --- a/meta/recipes-devtools/ruby/ruby.inc +++ b/meta/recipes-devtools/ruby/ruby.inc
@@ -14,8 +14,8 @@ LIC_FILES_CHKSUM = "\
14	file://LEGAL;md5=2b6d62dc0d608f34d510ca3f428110ec \	14	file://LEGAL;md5=2b6d62dc0d608f34d510ca3f428110ec \
15	"	15	"
16		16
17	DEPENDS = "ruby-native zlib openssl libyaml gdbm readline libffi"	17	DEPENDS = "zlib openssl libyaml gdbm readline libffi"
18	DEPENDS_class-native = "openssl-native libyaml-native readline-native zlib-native"	18	DEPENDS_append_class-target = " ruby-native"
19		19
20	SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}"	20	SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}"
21	SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \	21	SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \


diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2020-25613.patch b/meta/recipes-devtools/ruby/ruby/CVE-2020-25613.patch deleted file mode 100644 index 1abcb7547e..0000000000 --- a/meta/recipes-devtools/ruby/ruby/CVE-2020-25613.patch +++ /dev/null
@@ -1,40 +0,0 @@
1	From 8946bb38b4d87549f0d99ed73c62c41933f97cc7 Mon Sep 17 00:00:00 2001
2	From: Yusuke Endoh <mame@ruby-lang.org>
3	Date: Tue, 29 Sep 2020 13:15:58 +0900
4	Subject: [PATCH] Make it more strict to interpret some headers
5
6	Some regexps were too tolerant.
7
8	Upstream-Status: Backport
9	[https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7]
10	CVE: CVE-2020-25613
11	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
12	---
13	lib/webrick/httprequest.rb \| 6 +++---
14	1 file changed, 3 insertions(+), 3 deletions(-)
15
16	diff --git a/lib/webrick/httprequest.rb b/lib/webrick/httprequest.rb
17	index 294bd91..d34eac7 100644
18	--- a/lib/webrick/httprequest.rb
19	+++ b/lib/webrick/httprequest.rb
20	@@ -227,9 +227,9 @@ def parse(socket=nil)
21	raise HTTPStatus::BadRequest, "bad URI `#{@unparsed_uri}'."
22	end
23
24	- if /close/io =~ self["connection"]
25	+ if /\Aclose\z/io =~ self["connection"]
26	@keep_alive = false
27	- elsif /keep-alive/io =~ self["connection"]
28	+ elsif /\Akeep-alive\z/io =~ self["connection"]
29	@keep_alive = true
30	elsif @http_version < "1.1"
31	@keep_alive = false
32	@@ -508,7 +508,7 @@ def read_body(socket, block)
33	return unless socket
34	if tc = self['transfer-encoding']
35	case tc
36	- when /chunked/io then read_chunked(socket, block)
37	+ when /\Achunked\z/io then read_chunked(socket, block)
38	else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}."
39	end
40	elsif self['content-length'] \|\| @remaining_size


diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2021-33621.patch b/meta/recipes-devtools/ruby/ruby/CVE-2021-33621.patch new file mode 100644 index 0000000000..cc2f9853db --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2021-33621.patch
@@ -0,0 +1,139 @@
		1	From 64c5045c0a6b84fdb938a8465a0890e5f7162708 Mon Sep 17 00:00:00 2001
		2	From: Yusuke Endoh <mame@ruby-lang.org>
		3	Date: Tue, 22 Nov 2022 10:49:27 +0900
		4	Subject: [PATCH] Prevent CRLF injection
		5
		6	Throw a RuntimeError if the HTTP response header contains CR or LF to
		7	prevent HTTP response splitting.
		8
		9	https://hackerone.com/reports/1204695
		10
		11	Upstream-Status: Backport [https://github.com/ruby/cgi/commit/64c5045c0a6b84fdb938a8465a0890e5f7162708]
		12	CVE: CVE-2021-33621
		13	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		14	---
		15	lib/cgi/core.rb \| 45 +++++++++++++++++++++++--------------
		16	test/cgi/test_cgi_header.rb \| 8 +++++++
		17	2 files changed, 36 insertions(+), 17 deletions(-)
		18
		19	diff --git a/lib/cgi/core.rb b/lib/cgi/core.rb
		20	index bec76e0..62e6068 100644
		21	--- a/lib/cgi/core.rb
		22	+++ b/lib/cgi/core.rb
		23	@@ -188,17 +188,28 @@ class CGI
		24	# Using #header with the HTML5 tag maker will create a <header> element.
		25	alias :header :http_header
		26
		27	+ def _no_crlf_check(str)
		28	+ if str
		29	+ str = str.to_s
		30	+ raise "A HTTP status or header field must not include CR and LF" if str =~ /[\r\n]/
		31	+ str
		32	+ else
		33	+ nil
		34	+ end
		35	+ end
		36	+ private :_no_crlf_check
		37	+
		38	def _header_for_string(content_type) #:nodoc:
		39	buf = ''.dup
		40	if nph?()
		41	- buf << "#{$CGI_ENV['SERVER_PROTOCOL'] \|\| 'HTTP/1.0'} 200 OK#{EOL}"
		42	+ buf << "#{_no_crlf_check($CGI_ENV['SERVER_PROTOCOL']) \|\| 'HTTP/1.0'} 200 OK#{EOL}"
		43	buf << "Date: #{CGI.rfc1123_date(Time.now)}#{EOL}"
		44	- buf << "Server: #{$CGI_ENV['SERVER_SOFTWARE']}#{EOL}"
		45	+ buf << "Server: #{_no_crlf_check($CGI_ENV['SERVER_SOFTWARE'])}#{EOL}"
		46	buf << "Connection: close#{EOL}"
		47	end
		48	- buf << "Content-Type: #{content_type}#{EOL}"
		49	+ buf << "Content-Type: #{_no_crlf_check(content_type)}#{EOL}"
		50	if @output_cookies
		51	- @output_cookies.each {\|cookie\| buf << "Set-Cookie: #{cookie}#{EOL}" }
		52	+ @output_cookies.each {\|cookie\| buf << "Set-Cookie: #{_no_crlf_check(cookie)}#{EOL}" }
		53	end
		54	return buf
		55	end # _header_for_string
		56	@@ -213,9 +224,9 @@ class CGI
		57	## NPH
		58	options.delete('nph') if defined?(MOD_RUBY)
		59	if options.delete('nph') \|\| nph?()
		60	- protocol = $CGI_ENV['SERVER_PROTOCOL'] \|\| 'HTTP/1.0'
		61	+ protocol = _no_crlf_check($CGI_ENV['SERVER_PROTOCOL']) \|\| 'HTTP/1.0'
		62	status = options.delete('status')
		63	- status = HTTP_STATUS[status] \|\| status \|\| '200 OK'
		64	+ status = HTTP_STATUS[status] \|\| _no_crlf_check(status) \|\| '200 OK'
		65	buf << "#{protocol} #{status}#{EOL}"
		66	buf << "Date: #{CGI.rfc1123_date(Time.now)}#{EOL}"
		67	options['server'] \|\|= $CGI_ENV['SERVER_SOFTWARE'] \|\| ''
		68	@@ -223,38 +234,38 @@ class CGI
		69	end
		70	## common headers
		71	status = options.delete('status')
		72	- buf << "Status: #{HTTP_STATUS[status] \|\| status}#{EOL}" if status
		73	+ buf << "Status: #{HTTP_STATUS[status] \|\| _no_crlf_check(status)}#{EOL}" if status
		74	server = options.delete('server')
		75	- buf << "Server: #{server}#{EOL}" if server
		76	+ buf << "Server: #{_no_crlf_check(server)}#{EOL}" if server
		77	connection = options.delete('connection')
		78	- buf << "Connection: #{connection}#{EOL}" if connection
		79	+ buf << "Connection: #{_no_crlf_check(connection)}#{EOL}" if connection
		80	type = options.delete('type')
		81	- buf << "Content-Type: #{type}#{EOL}" #if type
		82	+ buf << "Content-Type: #{_no_crlf_check(type)}#{EOL}" #if type
		83	length = options.delete('length')
		84	- buf << "Content-Length: #{length}#{EOL}" if length
		85	+ buf << "Content-Length: #{_no_crlf_check(length)}#{EOL}" if length
		86	language = options.delete('language')
		87	- buf << "Content-Language: #{language}#{EOL}" if language
		88	+ buf << "Content-Language: #{_no_crlf_check(language)}#{EOL}" if language
		89	expires = options.delete('expires')
		90	buf << "Expires: #{CGI.rfc1123_date(expires)}#{EOL}" if expires
		91	## cookie
		92	if cookie = options.delete('cookie')
		93	case cookie
		94	when String, Cookie
		95	- buf << "Set-Cookie: #{cookie}#{EOL}"
		96	+ buf << "Set-Cookie: #{_no_crlf_check(cookie)}#{EOL}"
		97	when Array
		98	arr = cookie
		99	- arr.each {\|c\| buf << "Set-Cookie: #{c}#{EOL}" }
		100	+ arr.each {\|c\| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" }
		101	when Hash
		102	hash = cookie
		103	- hash.each_value {\|c\| buf << "Set-Cookie: #{c}#{EOL}" }
		104	+ hash.each_value {\|c\| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" }
		105	end
		106	end
		107	if @output_cookies
		108	- @output_cookies.each {\|c\| buf << "Set-Cookie: #{c}#{EOL}" }
		109	+ @output_cookies.each {\|c\| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" }
		110	end
		111	## other headers
		112	options.each do \|key, value\|
		113	- buf << "#{key}: #{value}#{EOL}"
		114	+ buf << "#{_no_crlf_check(key)}: #{_no_crlf_check(value)}#{EOL}"
		115	end
		116	return buf
		117	end # _header_for_hash
		118	diff --git a/test/cgi/test_cgi_header.rb b/test/cgi/test_cgi_header.rb
		119	index bab2d03..ec2f4de 100644
		120	--- a/test/cgi/test_cgi_header.rb
		121	+++ b/test/cgi/test_cgi_header.rb
		122	@@ -176,6 +176,14 @@ class CGIHeaderTest < Test::Unit::TestCase
		123	end
		124
		125
		126	+ def test_cgi_http_header_crlf_injection
		127	+ cgi = CGI.new
		128	+ assert_raise(RuntimeError) { cgi.http_header("text/xhtml\r\nBOO") }
		129	+ assert_raise(RuntimeError) { cgi.http_header("type" => "text/xhtml\r\nBOO") }
		130	+ assert_raise(RuntimeError) { cgi.http_header("status" => "200 OK\r\nBOO") }
		131	+ assert_raise(RuntimeError) { cgi.http_header("location" => "text/xhtml\r\nBOO") }
		132	+ end
		133	+
		134
		135	instance_methods.each do \|method\|
		136	private method if method =~ /^test_(.*)/ && $1 != ENV['TEST']
		137	--
		138	2.25.1
		139


diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch b/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch new file mode 100644 index 0000000000..c25a147d36 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch
@@ -0,0 +1,61 @@
		1	From 957bb7cb81995f26c671afce0ee50a5c660e540e Mon Sep 17 00:00:00 2001
		2	From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
		3	Date: Wed, 29 Mar 2023 13:28:25 +0900
		4	Subject: [PATCH] CVE-2023-28756
		5
		6	CVE: CVE-2023-28756
		7	Upstream-Status: Backport [https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e]
		8
		9	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		10	---
		11	lib/time.rb \| 6 +++---
		12	test/test_time.rb \| 9 +++++++++
		13	2 files changed, 12 insertions(+), 3 deletions(-)
		14
		15	diff --git a/lib/time.rb b/lib/time.rb
		16	index f27bacd..4a86e8e 100644
		17	--- a/lib/time.rb
		18	+++ b/lib/time.rb
		19	@@ -501,8 +501,8 @@ class Time
		20	(Jan\|Feb\|Mar\|Apr\|May\|Jun\|Jul\|Aug\|Sep\|Oct\|Nov\|Dec)\s+
		21	(\d{2,})\s+
		22	(\d{2})\s*
		23	- :\s(\d{2})\s
		24	- (?::\s*(\d{2}))?\s+
		25	+ :\s*(\d{2})
		26	+ (?:\s:\s(\d\d))?\s+
		27	([+-]\d{4}\|
		28	UT\|GMT\|EST\|EDT\|CST\|CDT\|MST\|MDT\|PST\|PDT\|[A-IK-Z])/ix =~ date
		29	# Since RFC 2822 permit comments, the regexp has no right anchor.
		30	@@ -717,7 +717,7 @@ class Time
		31	#
		32	# If self is a UTC time, Z is used as TZD. [+-]hh:mm is used otherwise.
		33	#
		34	- # +fractional_digits+ specifies a number of digits to use for fractional
		35	+ # +fraction_digits+ specifies a number of digits to use for fractional
		36	# seconds. Its default value is 0.
		37	#
		38	# require 'time'
		39	diff --git a/test/test_time.rb b/test/test_time.rb
		40	index ca20788..4f11048 100644
		41	--- a/test/test_time.rb
		42	+++ b/test/test_time.rb
		43	@@ -62,6 +62,15 @@ class TestTimeExtension < Test::Unit::TestCase # :nodoc:
		44	assert_equal(true, t.utc?)
		45	end
		46
		47	+ def test_rfc2822_nonlinear
		48	+ pre = ->(n) {"0 Feb 00 00 :00" + " " * n}
		49	+ assert_linear_performance([100, 500, 5000, 50_000], pre: pre) do \|s\|
		50	+ assert_raise(ArgumentError) do
		51	+ Time.rfc2822(s)
		52	+ end
		53	+ end
		54	+ end
		55	+
		56	def test_encode_rfc2822
		57	t = Time.utc(1)
		58	assert_equal("Mon, 01 Jan 0001 00:00:00 -0000", t.rfc2822)
		59	--
		60	2.25.1
		61


diff --git a/meta/recipes-devtools/ruby/ruby_2.7.1.bb b/meta/recipes-devtools/ruby/ruby_2.7.6.bb index a6c65e887b..7e6373bd24 100644 --- a/meta/recipes-devtools/ruby/ruby_2.7.1.bb +++ b/meta/recipes-devtools/ruby/ruby_2.7.6.bb
@@ -6,12 +6,17 @@ SRC_URI += " \
6	file://remove_has_include_macros.patch \	6	file://remove_has_include_macros.patch \
7	file://run-ptest \	7	file://run-ptest \
8	file://0001-Modify-shebang-of-libexec-y2racc-and-libexec-racc2y.patch \	8	file://0001-Modify-shebang-of-libexec-y2racc-and-libexec-racc2y.patch \
9	file://CVE-2020-25613.patch \
10	file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \	9	file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \
		10	file://CVE-2023-28756.patch \
		11	file://CVE-2021-33621.patch \
11	"	12	"
12		13
13	SRC_URI[md5sum] = "debb9c325bf65021214451660f46e909"	14	SRC_URI[md5sum] = "f972fb0cce662966bec10d5c5f32d042"
14	SRC_URI[sha256sum] = "d418483bdd0000576c1370571121a6eb24582116db0b7bb2005e90e250eae418"	15	SRC_URI[sha256sum] = "e7203b0cc09442ed2c08936d483f8ac140ec1c72e37bb5c401646b7866cb5d10"
		16
		17	# CVE-2021-28966 is Windows specific and not affects Linux OS
		18	# https://security-tracker.debian.org/tracker/CVE-2021-28966
		19	CVE_CHECK_WHITELIST += "CVE-2021-28966"
15		20
16	PACKAGECONFIG ??= ""	21	PACKAGECONFIG ??= ""
17	PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"	22	PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"