2 files changed, 32 insertions, 0 deletions
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch
new file mode 100644
index 0000000000..7813a6143c
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch
@@ -0,0 +1,31 @@
+From 9907b76dad0777ee300de236dad4b559e07596ab Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Fri, 21 Feb 2025 16:01:17 +0900
+Subject: [PATCH] Use String#concat instead of String#+ for reducing cpu usage
+Co-authored-by: "Yusuke Endoh" <mame@ruby-lang.org>
+Upstream-Status: Backport [https://github.com/ruby/cgi/commit/9907b76dad0777ee300de236dad4b559e07596ab]
+CVE: CVE-2025-27219
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+ lib/cgi/cookie.rb | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/lib/cgi/cookie.rb b/lib/cgi/cookie.rb
+index 9498e2f..1c4ef6a 100644
+--- a/lib/cgi/cookie.rb
+++ b/lib/cgi/cookie.rb
+@@ -190,9 +190,10 @@ def self.parse(raw_cookie)
+         values ||= ""
+         values = values.split('&').collect{|v| CGI.unescape(v,@@accept_charset) }
+         if cookies.has_key?(name)
+-          values = cookies[name].value + values
+          cookies[name].concat(values)
+        else
+          cookies[name] = Cookie.new(name, *values)
+         end
+-        cookies[name] = Cookie.new(name, *values)
+       end
+ 
+       cookies
diff --git a/meta/recipes-devtools/ruby/ruby_3.3.5.bb b/meta/recipes-devtools/ruby/ruby_3.3.5.bb
index fb0d711765..4354107a85 100644
--- a/meta/recipes-devtools/ruby/ruby_3.3.5.bb
+++ b/meta/recipes-devtools/ruby/ruby_3.3.5.bb
@@ -26,6 +26,7 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
           file://0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch \
           file://0006-Make-gemspecs-reproducible.patch \
           file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \
+           file://CVE-2025-27219.patch \
           "
 UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"

diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch new file mode 100644 index 0000000000..7813a6143c --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch
@@ -0,0 +1,31 @@
		1	From 9907b76dad0777ee300de236dad4b559e07596ab Mon Sep 17 00:00:00 2001
		2	From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
		3	Date: Fri, 21 Feb 2025 16:01:17 +0900
		4	Subject: [PATCH] Use String#concat instead of String#+ for reducing cpu usage
		5
		6	Co-authored-by: "Yusuke Endoh" <mame@ruby-lang.org>
		7
		8	Upstream-Status: Backport [https://github.com/ruby/cgi/commit/9907b76dad0777ee300de236dad4b559e07596ab]
		9	CVE: CVE-2025-27219
		10	Signed-off-by: Ashish Sharma <asharma@mvista.com>
		11
		12	lib/cgi/cookie.rb \| 5 +++--
		13	1 file changed, 3 insertions(+), 2 deletions(-)
		14
		15	diff --git a/lib/cgi/cookie.rb b/lib/cgi/cookie.rb
		16	index 9498e2f..1c4ef6a 100644
		17	--- a/lib/cgi/cookie.rb
		18	+++ b/lib/cgi/cookie.rb
		19	@@ -190,9 +190,10 @@ def self.parse(raw_cookie)
		20	values \|\|= ""
		21	values = values.split('&').collect{\|v\| CGI.unescape(v,@@accept_charset) }
		22	if cookies.has_key?(name)
		23	- values = cookies[name].value + values
		24	+ cookies[name].concat(values)
		25	+ else
		26	+ cookies[name] = Cookie.new(name, *values)
		27	end
		28	- cookies[name] = Cookie.new(name, *values)
		29	end
		30
		31	cookies


diff --git a/meta/recipes-devtools/ruby/ruby_3.3.5.bb b/meta/recipes-devtools/ruby/ruby_3.3.5.bb index fb0d711765..4354107a85 100644 --- a/meta/recipes-devtools/ruby/ruby_3.3.5.bb +++ b/meta/recipes-devtools/ruby/ruby_3.3.5.bb
@@ -26,6 +26,7 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
26	file://0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch \	26	file://0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch \
27	file://0006-Make-gemspecs-reproducible.patch \	27	file://0006-Make-gemspecs-reproducible.patch \
28	file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \	28	file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \
		29	file://CVE-2025-27219.patch \
29	"	30	"
30	UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"	31	UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"
31		32