ruby: fix CVE-2025-27221

In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host. Reference: https://security-tracker.debian.org/tracker/CVE-2025-27221 Upstream-patches: https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495 https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5 (From OE-Core rev: 421d7011269f4750f5942b815d68f77fa4559d69) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Divya Chellam <divya.chellam@windriver.com> 2025-05-23 18:55:42 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-06-02 07:12:34 -0700
commit: 7ad1d266889568491e25d7a26f3785de38db1982 (patch)
tree: d736b5ecf7c5830cf5022846e1e5bc1a469f6300
parent: 186e2b2b0540a091cdc3b0646eedafa8646c575a (diff)
download: poky-7ad1d266889568491e25d7a26f3785de38db1982.tar.gz
3 files changed, 132 insertions, 0 deletions
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch
new file mode 100644
index 0000000000..95802d04f9
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch
@@ -0,0 +1,57 @@
+From 3675494839112b64d5f082a9068237b277ed1495 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Fri, 21 Feb 2025 16:29:36 +0900
+Subject: [PATCH] Truncate userinfo with URI#join, URI#merge and URI#+
+CVE: CVE-2025-27221
+Upstream-Status: Backport [https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ lib/uri/generic.rb       |  6 +++++-
+ test/uri/test_generic.rb | 11 +++++++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
+index f3540a2..ecc78c5 100644
+--- a/lib/uri/generic.rb
+++ b/lib/uri/generic.rb
+@@ -1141,7 +1141,11 @@ module URI
+       end
+ 
+       # RFC2396, Section 5.2, 7)
+-      base.set_userinfo(rel.userinfo) if rel.userinfo
+      if rel.userinfo
+        base.set_userinfo(rel.userinfo)
+      else
+        base.set_userinfo(nil)
+      end
+       base.set_host(rel.host)         if rel.host
+       base.set_port(rel.port)         if rel.port
+       base.query = rel.query       if rel.query
+diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
+index e661937..17ba2b6 100644
+--- a/test/uri/test_generic.rb
+++ b/test/uri/test_generic.rb
+@@ -164,6 +164,17 @@ class URI::TestGeneric < Test::Unit::TestCase
+     # must be empty string to identify as path-abempty, not path-absolute
+     assert_equal('', url.host)
+     assert_equal('http:////example.com', url.to_s)
+
+    # sec-2957667
+    url = URI.parse('http://user:pass@example.com').merge('//example.net')
+    assert_equal('http://example.net', url.to_s)
+    assert_nil(url.userinfo)
+    url = URI.join('http://user:pass@example.com', '//example.net')
+    assert_equal('http://example.net', url.to_s)
+    assert_nil(url.userinfo)
+    url = URI.parse('http://user:pass@example.com') + '//example.net'
+    assert_equal('http://example.net', url.to_s)
+    assert_nil(url.userinfo)
+   end
+ 
+   def test_parse_scheme_with_symbols
+-- 
+2.40.0
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch
new file mode 100644
index 0000000000..4435b87c34
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch
@@ -0,0 +1,73 @@
+From 2789182478f42ccbb62197f952eb730e4f02bfc5 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Fri, 21 Feb 2025 18:16:28 +0900
+Subject: [PATCH] Fix merger of URI with authority component
+https://hackerone.com/reports/2957667
+Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
+CVE: CVE-2025-27221
+Upstream-Status: Backport [https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ lib/uri/generic.rb       | 19 +++++++------------
+ test/uri/test_generic.rb |  7 +++++++
+ 2 files changed, 14 insertions(+), 12 deletions(-)
+diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
+index ecc78c5..2c0a88d 100644
+--- a/lib/uri/generic.rb
+++ b/lib/uri/generic.rb
+@@ -1133,21 +1133,16 @@ module URI
+       base.fragment=(nil)
+ 
+       # RFC2396, Section 5.2, 4)
+-      if !authority
+-        base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path
+-      else
+-        # RFC2396, Section 5.2, 4)
+-        base.set_path(rel.path) if rel.path
+      if authority
+        base.set_userinfo(rel.userinfo)
+        base.set_host(rel.host)
+        base.set_port(rel.port || base.default_port)
+        base.set_path(rel.path)
+      elsif base.path && rel.path
+        base.set_path(merge_path(base.path, rel.path))
+       end
+ 
+       # RFC2396, Section 5.2, 7)
+-      if rel.userinfo
+-        base.set_userinfo(rel.userinfo)
+-      else
+-        base.set_userinfo(nil)
+-      end
+-      base.set_host(rel.host)         if rel.host
+-      base.set_port(rel.port)         if rel.port
+       base.query = rel.query       if rel.query
+       base.fragment=(rel.fragment) if rel.fragment
+ 
+diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
+index 17ba2b6..1a70dd4 100644
+--- a/test/uri/test_generic.rb
+++ b/test/uri/test_generic.rb
+@@ -267,6 +267,13 @@ class URI::TestGeneric < Test::Unit::TestCase
+     assert_equal(u0, u1)
+   end
+ 
+  def test_merge_authority
+    u = URI.parse('http://user:pass@example.com:8080')
+    u0 = URI.parse('http://new.example.org/path')
+    u1 = u.merge('//new.example.org/path')
+    assert_equal(u0, u1)
+  end
+
+   def test_route
+     url = URI.parse('http://hoge/a.html').route_to('http://hoge/b.html')
+     assert_equal('b.html', url.to_s)
+-- 
+2.40.0
diff --git a/meta/recipes-devtools/ruby/ruby_3.3.5.bb b/meta/recipes-devtools/ruby/ruby_3.3.5.bb
index c91c51657f..b37f0d03e7 100644
--- a/meta/recipes-devtools/ruby/ruby_3.3.5.bb
+++ b/meta/recipes-devtools/ruby/ruby_3.3.5.bb
@@ -28,6 +28,8 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
           file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \
           file://CVE-2025-27219.patch \
           file://CVE-2025-27220.patch \
+           file://CVE-2025-27221-0001.patch \
+           file://CVE-2025-27221-0002.patch \
           "
 UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"
author	Divya Chellam <divya.chellam@windriver.com>	2025-05-23 18:55:42 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-06-02 07:12:34 -0700
commit	7ad1d266889568491e25d7a26f3785de38db1982 (patch)
tree	d736b5ecf7c5830cf5022846e1e5bc1a469f6300
parent	186e2b2b0540a091cdc3b0646eedafa8646c575a (diff)
download	poky-7ad1d266889568491e25d7a26f3785de38db1982.tar.gz

diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch new file mode 100644 index 0000000000..95802d04f9 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch
@@ -0,0 +1,57 @@
		1	From 3675494839112b64d5f082a9068237b277ed1495 Mon Sep 17 00:00:00 2001
		2	From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
		3	Date: Fri, 21 Feb 2025 16:29:36 +0900
		4	Subject: [PATCH] Truncate userinfo with URI#join, URI#merge and URI#+
		5
		6	CVE: CVE-2025-27221
		7
		8	Upstream-Status: Backport [https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495]
		9
		10	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		11	---
		12	lib/uri/generic.rb \| 6 +++++-
		13	test/uri/test_generic.rb \| 11 +++++++++++
		14	2 files changed, 16 insertions(+), 1 deletion(-)
		15
		16	diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
		17	index f3540a2..ecc78c5 100644
		18	--- a/lib/uri/generic.rb
		19	+++ b/lib/uri/generic.rb
		20	@@ -1141,7 +1141,11 @@ module URI
		21	end
		22
		23	# RFC2396, Section 5.2, 7)
		24	- base.set_userinfo(rel.userinfo) if rel.userinfo
		25	+ if rel.userinfo
		26	+ base.set_userinfo(rel.userinfo)
		27	+ else
		28	+ base.set_userinfo(nil)
		29	+ end
		30	base.set_host(rel.host) if rel.host
		31	base.set_port(rel.port) if rel.port
		32	base.query = rel.query if rel.query
		33	diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
		34	index e661937..17ba2b6 100644
		35	--- a/test/uri/test_generic.rb
		36	+++ b/test/uri/test_generic.rb
		37	@@ -164,6 +164,17 @@ class URI::TestGeneric < Test::Unit::TestCase
		38	# must be empty string to identify as path-abempty, not path-absolute
		39	assert_equal('', url.host)
		40	assert_equal('http:////example.com', url.to_s)
		41	+
		42	+ # sec-2957667
		43	+ url = URI.parse('http://user:pass@example.com').merge('//example.net')
		44	+ assert_equal('http://example.net', url.to_s)
		45	+ assert_nil(url.userinfo)
		46	+ url = URI.join('http://user:pass@example.com', '//example.net')
		47	+ assert_equal('http://example.net', url.to_s)
		48	+ assert_nil(url.userinfo)
		49	+ url = URI.parse('http://user:pass@example.com') + '//example.net'
		50	+ assert_equal('http://example.net', url.to_s)
		51	+ assert_nil(url.userinfo)
		52	end
		53
		54	def test_parse_scheme_with_symbols
		55	--
		56	2.40.0
		57


diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch new file mode 100644 index 0000000000..4435b87c34 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch
@@ -0,0 +1,73 @@
		1	From 2789182478f42ccbb62197f952eb730e4f02bfc5 Mon Sep 17 00:00:00 2001
		2	From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
		3	Date: Fri, 21 Feb 2025 18:16:28 +0900
		4	Subject: [PATCH] Fix merger of URI with authority component
		5
		6	https://hackerone.com/reports/2957667
		7
		8	Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
		9
		10	CVE: CVE-2025-27221
		11
		12	Upstream-Status: Backport [https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5]
		13
		14	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		15	---
		16	lib/uri/generic.rb \| 19 +++++++------------
		17	test/uri/test_generic.rb \| 7 +++++++
		18	2 files changed, 14 insertions(+), 12 deletions(-)
		19
		20	diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
		21	index ecc78c5..2c0a88d 100644
		22	--- a/lib/uri/generic.rb
		23	+++ b/lib/uri/generic.rb
		24	@@ -1133,21 +1133,16 @@ module URI
		25	base.fragment=(nil)
		26
		27	# RFC2396, Section 5.2, 4)
		28	- if !authority
		29	- base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path
		30	- else
		31	- # RFC2396, Section 5.2, 4)
		32	- base.set_path(rel.path) if rel.path
		33	+ if authority
		34	+ base.set_userinfo(rel.userinfo)
		35	+ base.set_host(rel.host)
		36	+ base.set_port(rel.port \|\| base.default_port)
		37	+ base.set_path(rel.path)
		38	+ elsif base.path && rel.path
		39	+ base.set_path(merge_path(base.path, rel.path))
		40	end
		41
		42	# RFC2396, Section 5.2, 7)
		43	- if rel.userinfo
		44	- base.set_userinfo(rel.userinfo)
		45	- else
		46	- base.set_userinfo(nil)
		47	- end
		48	- base.set_host(rel.host) if rel.host
		49	- base.set_port(rel.port) if rel.port
		50	base.query = rel.query if rel.query
		51	base.fragment=(rel.fragment) if rel.fragment
		52
		53	diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
		54	index 17ba2b6..1a70dd4 100644
		55	--- a/test/uri/test_generic.rb
		56	+++ b/test/uri/test_generic.rb
		57	@@ -267,6 +267,13 @@ class URI::TestGeneric < Test::Unit::TestCase
		58	assert_equal(u0, u1)
		59	end
		60
		61	+ def test_merge_authority
		62	+ u = URI.parse('http://user:pass@example.com:8080')
		63	+ u0 = URI.parse('http://new.example.org/path')
		64	+ u1 = u.merge('//new.example.org/path')
		65	+ assert_equal(u0, u1)
		66	+ end
		67	+
		68	def test_route
		69	url = URI.parse('http://hoge/a.html').route_to('http://hoge/b.html')
		70	assert_equal('b.html', url.to_s)
		71	--
		72	2.40.0
		73


diff --git a/meta/recipes-devtools/ruby/ruby_3.3.5.bb b/meta/recipes-devtools/ruby/ruby_3.3.5.bb index c91c51657f..b37f0d03e7 100644 --- a/meta/recipes-devtools/ruby/ruby_3.3.5.bb +++ b/meta/recipes-devtools/ruby/ruby_3.3.5.bb
@@ -28,6 +28,8 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
28	file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \	28	file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \
29	file://CVE-2025-27219.patch \	29	file://CVE-2025-27219.patch \
30	file://CVE-2025-27220.patch \	30	file://CVE-2025-27220.patch \
		31	file://CVE-2025-27221-0001.patch \
		32	file://CVE-2025-27221-0002.patch \
31	"	33	"
32	UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"	34	UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"
33		35