ruby: fix CVE-2025-27221

In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host. Reference: https://security-tracker.debian.org/tracker/CVE-2025-27221 Upstream-patches: https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495 https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5 (From OE-Core rev: c77ff1288719d90ef257dfe28cb33b3768fc124a) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Divya Chellam <divya.chellam@windriver.com> 2025-05-23 18:53:53 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-05-28 08:46:32 -0700
commit: 32d2b233c6b194992c8125728d4230d748be0659 (patch)
tree: 749f5075f9a46c21cb9bbc3a4835d7e8de7ede77 /meta/recipes-devtools/ruby
parent: 097732e0574126222472eeabda9417072b5ac3f8 (diff)
download: poky-32d2b233c6b194992c8125728d4230d748be0659.tar.gz
3 files changed, 132 insertions, 0 deletions
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch
new file mode 100644
index 0000000000..4dd2e55b1c
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch
@@ -0,0 +1,57 @@
+From 3675494839112b64d5f082a9068237b277ed1495 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Fri, 21 Feb 2025 16:29:36 +0900
+Subject: [PATCH] Truncate userinfo with URI#join, URI#merge and URI#+
+CVE: CVE-2025-27221
+Upstream-Status: Backport [https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ lib/uri/generic.rb       |  6 +++++-
+ test/uri/test_generic.rb | 11 +++++++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
+index cfa0de6..23d2398 100644
+--- a/lib/uri/generic.rb
+++ b/lib/uri/generic.rb
+@@ -1131,7 +1131,11 @@ module URI
+       end
+ 
+       # RFC2396, Section 5.2, 7)
+-      base.set_userinfo(rel.userinfo) if rel.userinfo
+      if rel.userinfo
+        base.set_userinfo(rel.userinfo)
+      else
+        base.set_userinfo(nil)
+      end
+       base.set_host(rel.host)         if rel.host
+       base.set_port(rel.port)         if rel.port
+       base.query = rel.query       if rel.query
+diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
+index fdb405e..b74f8e6 100644
+--- a/test/uri/test_generic.rb
+++ b/test/uri/test_generic.rb
+@@ -157,6 +157,17 @@ class URI::TestGeneric < Test::Unit::TestCase
+     assert_equal(nil, url.user)
+     assert_equal(nil, url.password)
+     assert_equal(nil, url.userinfo)
+
+    # sec-2957667
+    url = URI.parse('http://user:pass@example.com').merge('//example.net')
+    assert_equal('http://example.net', url.to_s)
+    assert_nil(url.userinfo)
+    url = URI.join('http://user:pass@example.com', '//example.net')
+    assert_equal('http://example.net', url.to_s)
+    assert_nil(url.userinfo)
+    url = URI.parse('http://user:pass@example.com') + '//example.net'
+    assert_equal('http://example.net', url.to_s)
+    assert_nil(url.userinfo)
+   end
+ 
+   def test_parse_scheme_with_symbols
+-- 
+2.40.0
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch
new file mode 100644
index 0000000000..370b1aa66d
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch
@@ -0,0 +1,73 @@
+From 2789182478f42ccbb62197f952eb730e4f02bfc5 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Fri, 21 Feb 2025 18:16:28 +0900
+Subject: [PATCH] Fix merger of URI with authority component
+https://hackerone.com/reports/2957667
+Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
+CVE: CVE-2025-27221
+Upstream-Status: Backport [https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ lib/uri/generic.rb       | 19 +++++++------------
+ test/uri/test_generic.rb |  7 +++++++
+ 2 files changed, 14 insertions(+), 12 deletions(-)
+diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
+index 23d2398..2420882 100644
+--- a/lib/uri/generic.rb
+++ b/lib/uri/generic.rb
+@@ -1123,21 +1123,16 @@ module URI
+       base.fragment=(nil)
+ 
+       # RFC2396, Section 5.2, 4)
+-      if !authority
+-        base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path
+-      else
+-        # RFC2396, Section 5.2, 4)
+-        base.set_path(rel.path) if rel.path
+      if authority
+        base.set_userinfo(rel.userinfo)
+        base.set_host(rel.host)
+        base.set_port(rel.port || base.default_port)
+        base.set_path(rel.path)
+      elsif base.path && rel.path
+        base.set_path(merge_path(base.path, rel.path))
+       end
+ 
+       # RFC2396, Section 5.2, 7)
+-      if rel.userinfo
+-        base.set_userinfo(rel.userinfo)
+-      else
+-        base.set_userinfo(nil)
+-      end
+-      base.set_host(rel.host)         if rel.host
+-      base.set_port(rel.port)         if rel.port
+       base.query = rel.query       if rel.query
+       base.fragment=(rel.fragment) if rel.fragment
+ 
+diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
+index b74f8e6..ade0294 100644
+--- a/test/uri/test_generic.rb
+++ b/test/uri/test_generic.rb
+@@ -260,6 +260,13 @@ class URI::TestGeneric < Test::Unit::TestCase
+     assert_equal(u0, u1)
+   end
+ 
+  def test_merge_authority
+    u = URI.parse('http://user:pass@example.com:8080')
+    u0 = URI.parse('http://new.example.org/path')
+    u1 = u.merge('//new.example.org/path')
+    assert_equal(u0, u1)
+  end
+
+   def test_route
+     url = URI.parse('http://hoge/a.html').route_to('http://hoge/b.html')
+     assert_equal('b.html', url.to_s)
+-- 
+2.40.0
diff --git a/meta/recipes-devtools/ruby/ruby_3.1.3.bb b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
index ca061e7f70..65d62002ec 100644
--- a/meta/recipes-devtools/ruby/ruby_3.1.3.bb
+++ b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
@@ -49,6 +49,8 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
           file://CVE-2025-27220.patch \
           file://CVE-2025-27219.patch \
           file://CVE-2024-43398.patch \
+           file://CVE-2025-27221-0001.patch \
+           file://CVE-2025-27221-0002.patch \
           "
 UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"
author	Divya Chellam <divya.chellam@windriver.com>	2025-05-23 18:53:53 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-05-28 08:46:32 -0700
commit	32d2b233c6b194992c8125728d4230d748be0659 (patch)
tree	749f5075f9a46c21cb9bbc3a4835d7e8de7ede77 /meta/recipes-devtools/ruby
parent	097732e0574126222472eeabda9417072b5ac3f8 (diff)
download	poky-32d2b233c6b194992c8125728d4230d748be0659.tar.gz

diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch new file mode 100644 index 0000000000..4dd2e55b1c --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch
@@ -0,0 +1,57 @@
		1	From 3675494839112b64d5f082a9068237b277ed1495 Mon Sep 17 00:00:00 2001
		2	From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
		3	Date: Fri, 21 Feb 2025 16:29:36 +0900
		4	Subject: [PATCH] Truncate userinfo with URI#join, URI#merge and URI#+
		5
		6	CVE: CVE-2025-27221
		7
		8	Upstream-Status: Backport [https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495]
		9
		10	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		11	---
		12	lib/uri/generic.rb \| 6 +++++-
		13	test/uri/test_generic.rb \| 11 +++++++++++
		14	2 files changed, 16 insertions(+), 1 deletion(-)
		15
		16	diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
		17	index cfa0de6..23d2398 100644
		18	--- a/lib/uri/generic.rb
		19	+++ b/lib/uri/generic.rb
		20	@@ -1131,7 +1131,11 @@ module URI
		21	end
		22
		23	# RFC2396, Section 5.2, 7)
		24	- base.set_userinfo(rel.userinfo) if rel.userinfo
		25	+ if rel.userinfo
		26	+ base.set_userinfo(rel.userinfo)
		27	+ else
		28	+ base.set_userinfo(nil)
		29	+ end
		30	base.set_host(rel.host) if rel.host
		31	base.set_port(rel.port) if rel.port
		32	base.query = rel.query if rel.query
		33	diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
		34	index fdb405e..b74f8e6 100644
		35	--- a/test/uri/test_generic.rb
		36	+++ b/test/uri/test_generic.rb
		37	@@ -157,6 +157,17 @@ class URI::TestGeneric < Test::Unit::TestCase
		38	assert_equal(nil, url.user)
		39	assert_equal(nil, url.password)
		40	assert_equal(nil, url.userinfo)
		41	+
		42	+ # sec-2957667
		43	+ url = URI.parse('http://user:pass@example.com').merge('//example.net')
		44	+ assert_equal('http://example.net', url.to_s)
		45	+ assert_nil(url.userinfo)
		46	+ url = URI.join('http://user:pass@example.com', '//example.net')
		47	+ assert_equal('http://example.net', url.to_s)
		48	+ assert_nil(url.userinfo)
		49	+ url = URI.parse('http://user:pass@example.com') + '//example.net'
		50	+ assert_equal('http://example.net', url.to_s)
		51	+ assert_nil(url.userinfo)
		52	end
		53
		54	def test_parse_scheme_with_symbols
		55	--
		56	2.40.0
		57


diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch new file mode 100644 index 0000000000..370b1aa66d --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch
@@ -0,0 +1,73 @@
		1	From 2789182478f42ccbb62197f952eb730e4f02bfc5 Mon Sep 17 00:00:00 2001
		2	From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
		3	Date: Fri, 21 Feb 2025 18:16:28 +0900
		4	Subject: [PATCH] Fix merger of URI with authority component
		5
		6	https://hackerone.com/reports/2957667
		7
		8	Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
		9
		10	CVE: CVE-2025-27221
		11
		12	Upstream-Status: Backport [https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5]
		13
		14	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		15	---
		16	lib/uri/generic.rb \| 19 +++++++------------
		17	test/uri/test_generic.rb \| 7 +++++++
		18	2 files changed, 14 insertions(+), 12 deletions(-)
		19
		20	diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
		21	index 23d2398..2420882 100644
		22	--- a/lib/uri/generic.rb
		23	+++ b/lib/uri/generic.rb
		24	@@ -1123,21 +1123,16 @@ module URI
		25	base.fragment=(nil)
		26
		27	# RFC2396, Section 5.2, 4)
		28	- if !authority
		29	- base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path
		30	- else
		31	- # RFC2396, Section 5.2, 4)
		32	- base.set_path(rel.path) if rel.path
		33	+ if authority
		34	+ base.set_userinfo(rel.userinfo)
		35	+ base.set_host(rel.host)
		36	+ base.set_port(rel.port \|\| base.default_port)
		37	+ base.set_path(rel.path)
		38	+ elsif base.path && rel.path
		39	+ base.set_path(merge_path(base.path, rel.path))
		40	end
		41
		42	# RFC2396, Section 5.2, 7)
		43	- if rel.userinfo
		44	- base.set_userinfo(rel.userinfo)
		45	- else
		46	- base.set_userinfo(nil)
		47	- end
		48	- base.set_host(rel.host) if rel.host
		49	- base.set_port(rel.port) if rel.port
		50	base.query = rel.query if rel.query
		51	base.fragment=(rel.fragment) if rel.fragment
		52
		53	diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
		54	index b74f8e6..ade0294 100644
		55	--- a/test/uri/test_generic.rb
		56	+++ b/test/uri/test_generic.rb
		57	@@ -260,6 +260,13 @@ class URI::TestGeneric < Test::Unit::TestCase
		58	assert_equal(u0, u1)
		59	end
		60
		61	+ def test_merge_authority
		62	+ u = URI.parse('http://user:pass@example.com:8080')
		63	+ u0 = URI.parse('http://new.example.org/path')
		64	+ u1 = u.merge('//new.example.org/path')
		65	+ assert_equal(u0, u1)
		66	+ end
		67	+
		68	def test_route
		69	url = URI.parse('http://hoge/a.html').route_to('http://hoge/b.html')
		70	assert_equal('b.html', url.to_s)
		71	--
		72	2.40.0
		73


diff --git a/meta/recipes-devtools/ruby/ruby_3.1.3.bb b/meta/recipes-devtools/ruby/ruby_3.1.3.bb index ca061e7f70..65d62002ec 100644 --- a/meta/recipes-devtools/ruby/ruby_3.1.3.bb +++ b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
@@ -49,6 +49,8 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
49	file://CVE-2025-27220.patch \	49	file://CVE-2025-27220.patch \
50	file://CVE-2025-27219.patch \	50	file://CVE-2025-27219.patch \
51	file://CVE-2024-43398.patch \	51	file://CVE-2024-43398.patch \
		52	file://CVE-2025-27221-0001.patch \
		53	file://CVE-2025-27221-0002.patch \
52	"	54	"
53	UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"	55	UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"
54		56