2 files changed, 77 insertions, 0 deletions
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch
new file mode 100644
index 0000000000..4fc71f7ff9
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch
@@ -0,0 +1,76 @@
+From cd1eb08076c8b8e310d4d553d427763f2577a1b6 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Fri, 21 Feb 2025 15:53:31 +0900
+Subject: [PATCH] Escape/unescape unclosed tags as well
+Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
+Upstream-Status: Backport [https://github.com/ruby/cgi/commit/cd1eb08076c8b8e310d4d553d427763f2577a1b6]
+CVE: CVE-2025-27220
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/cgi/util.rb           |  4 ++--
+ test/cgi/test_cgi_util.rb | 18 ++++++++++++++++++
+ 2 files changed, 20 insertions(+), 2 deletions(-)
+diff --git a/lib/cgi/util.rb b/lib/cgi/util.rb
+index 5a5c77a..ce77a0c 100644
+--- a/lib/cgi/util.rb
+++ b/lib/cgi/util.rb
+@@ -178,7 +178,7 @@ module CGI::Util
+   def escapeElement(string, *elements)
+     elements = elements[0] if elements[0].kind_of?(Array)
+     unless elements.empty?
+-      string.gsub(/<\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?>/i) do
+      string.gsub(/<\/?(?:#{elements.join("|")})\b[^<>]*+>?/im) do
+         CGI.escapeHTML($&)
+       end
+     else
+@@ -198,7 +198,7 @@ module CGI::Util
+   def unescapeElement(string, *elements)
+     elements = elements[0] if elements[0].kind_of?(Array)
+     unless elements.empty?
+-      string.gsub(/&lt;\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?&gt;/i) do
+      string.gsub(/&lt;\/?(?:#{elements.join("|")})\b(?>[^&]+|&(?![gl]t;)\w+;)*(?:&gt;)?/im) do
+         unescapeHTML($&)
+       end
+     else
+diff --git a/test/cgi/test_cgi_util.rb b/test/cgi/test_cgi_util.rb
+index a3be193..d058ccc 100644
+--- a/test/cgi/test_cgi_util.rb
+++ b/test/cgi/test_cgi_util.rb
+@@ -244,6 +244,14 @@ class CGIUtilTest < Test::Unit::TestCase
+     assert_equal("<BR>&lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escapeElement('<BR><A HREF="url"></A>', ["A", "IMG"]))
+     assert_equal("<BR>&lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<BR><A HREF="url"></A>', "A", "IMG"))
+     assert_equal("<BR>&lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<BR><A HREF="url"></A>', ["A", "IMG"]))
+
+    assert_equal("&lt;A &lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escapeElement('<A <A HREF="url"></A>', "A", "IMG"))
+    assert_equal("&lt;A &lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escapeElement('<A <A HREF="url"></A>', ["A", "IMG"]))
+    assert_equal("&lt;A &lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<A <A HREF="url"></A>', "A", "IMG"))
+    assert_equal("&lt;A &lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<A <A HREF="url"></A>', ["A", "IMG"]))
+
+    assert_equal("&lt;A &lt;A ", escapeElement('<A <A ', "A", "IMG"))
+    assert_equal("&lt;A &lt;A ", escapeElement('<A <A ', ["A", "IMG"]))
+   end
+ 
+ 
+@@ -252,6 +260,16 @@ class CGIUtilTest < Test::Unit::TestCase
+     assert_equal('&lt;BR&gt;<A HREF="url"></A>', unescapeElement(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))
+     assert_equal('&lt;BR&gt;<A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), "A", "IMG"))
+     assert_equal('&lt;BR&gt;<A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))
+
+    assert_equal('<A <A HREF="url"></A>', unescapeElement(escapeHTML('<A <A HREF="url"></A>'), "A", "IMG"))
+    assert_equal('<A <A HREF="url"></A>', unescapeElement(escapeHTML('<A <A HREF="url"></A>'), ["A", "IMG"]))
+    assert_equal('<A <A HREF="url"></A>', unescape_element(escapeHTML('<A <A HREF="url"></A>'), "A", "IMG"))
+    assert_equal('<A <A HREF="url"></A>', unescape_element(escapeHTML('<A <A HREF="url"></A>'), ["A", "IMG"]))
+
+    assert_equal('<A <A ', unescapeElement(escapeHTML('<A <A '), "A", "IMG"))
+    assert_equal('<A <A ', unescapeElement(escapeHTML('<A <A '), ["A", "IMG"]))
+    assert_equal('<A <A ', unescape_element(escapeHTML('<A <A '), "A", "IMG"))
+    assert_equal('<A <A ', unescape_element(escapeHTML('<A <A '), ["A", "IMG"]))
+   end
+ end
+ 
+-- 
+2.25.1
diff --git a/meta/recipes-devtools/ruby/ruby_3.1.3.bb b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
index 96873fd7fa..ac9dec3514 100644
--- a/meta/recipes-devtools/ruby/ruby_3.1.3.bb
+++ b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
@@ -46,6 +46,7 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
           file://CVE-2024-49761-0008.patch \
           file://CVE-2024-49761-0009.patch \
           file://CVE-2024-41946.patch \
+           file://CVE-2025-27220.patch \
           "
 UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"

diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch new file mode 100644 index 0000000000..4fc71f7ff9 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch
@@ -0,0 +1,76 @@
		1	From cd1eb08076c8b8e310d4d553d427763f2577a1b6 Mon Sep 17 00:00:00 2001
		2	From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
		3	Date: Fri, 21 Feb 2025 15:53:31 +0900
		4	Subject: [PATCH] Escape/unescape unclosed tags as well
		5
		6	Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
		7
		8	Upstream-Status: Backport [https://github.com/ruby/cgi/commit/cd1eb08076c8b8e310d4d553d427763f2577a1b6]
		9	CVE: CVE-2025-27220
		10	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		11	---
		12	lib/cgi/util.rb \| 4 ++--
		13	test/cgi/test_cgi_util.rb \| 18 ++++++++++++++++++
		14	2 files changed, 20 insertions(+), 2 deletions(-)
		15
		16	diff --git a/lib/cgi/util.rb b/lib/cgi/util.rb
		17	index 5a5c77a..ce77a0c 100644
		18	--- a/lib/cgi/util.rb
		19	+++ b/lib/cgi/util.rb
		20	@@ -178,7 +178,7 @@ module CGI::Util
		21	def escapeElement(string, *elements)
		22	elements = elements[0] if elements[0].kind_of?(Array)
		23	unless elements.empty?
		24	- string.gsub(/<\/?(?:#{elements.join("\|")})(?!\w)(?:.\|\n)*?>/i) do
		25	+ string.gsub(/<\/?(?:#{elements.join("\|")})\b[^<>]*+>?/im) do
		26	CGI.escapeHTML($&)
		27	end
		28	else
		29	@@ -198,7 +198,7 @@ module CGI::Util
		30	def unescapeElement(string, *elements)
		31	elements = elements[0] if elements[0].kind_of?(Array)
		32	unless elements.empty?
		33	- string.gsub(/<\/?(?:#{elements.join("\|")})(?!\w)(?:.\|\n)*?>/i) do
		34	+ string.gsub(/<\/?(?:#{elements.join("\|")})\b(?>[^&]+\|&(?![gl]t;)\w+;)*(?:>)?/im) do
		35	unescapeHTML($&)
		36	end
		37	else
		38	diff --git a/test/cgi/test_cgi_util.rb b/test/cgi/test_cgi_util.rb
		39	index a3be193..d058ccc 100644
		40	--- a/test/cgi/test_cgi_util.rb
		41	+++ b/test/cgi/test_cgi_util.rb
		42	@@ -244,6 +244,14 @@ class CGIUtilTest < Test::Unit::TestCase
		43	assert_equal("<BR><A HREF="url"></A>", escapeElement('<BR><A HREF="url"></A>', ["A", "IMG"]))
		44	assert_equal("<BR><A HREF="url"></A>", escape_element('<BR><A HREF="url"></A>', "A", "IMG"))
		45	assert_equal("<BR><A HREF="url"></A>", escape_element('<BR><A HREF="url"></A>', ["A", "IMG"]))
		46	+
		47	+ assert_equal("<A <A HREF="url"></A>", escapeElement('<A <A HREF="url"></A>', "A", "IMG"))
		48	+ assert_equal("<A <A HREF="url"></A>", escapeElement('<A <A HREF="url"></A>', ["A", "IMG"]))
		49	+ assert_equal("<A <A HREF="url"></A>", escape_element('<A <A HREF="url"></A>', "A", "IMG"))
		50	+ assert_equal("<A <A HREF="url"></A>", escape_element('<A <A HREF="url"></A>', ["A", "IMG"]))
		51	+
		52	+ assert_equal("<A <A ", escapeElement('<A <A ', "A", "IMG"))
		53	+ assert_equal("<A <A ", escapeElement('<A <A ', ["A", "IMG"]))
		54	end
		55
		56
		57	@@ -252,6 +260,16 @@ class CGIUtilTest < Test::Unit::TestCase
		58	assert_equal('<BR><A HREF="url"></A>', unescapeElement(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))
		59	assert_equal('<BR><A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), "A", "IMG"))
		60	assert_equal('<BR><A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))
		61	+
		62	+ assert_equal('<A <A HREF="url"></A>', unescapeElement(escapeHTML('<A <A HREF="url"></A>'), "A", "IMG"))
		63	+ assert_equal('<A <A HREF="url"></A>', unescapeElement(escapeHTML('<A <A HREF="url"></A>'), ["A", "IMG"]))
		64	+ assert_equal('<A <A HREF="url"></A>', unescape_element(escapeHTML('<A <A HREF="url"></A>'), "A", "IMG"))
		65	+ assert_equal('<A <A HREF="url"></A>', unescape_element(escapeHTML('<A <A HREF="url"></A>'), ["A", "IMG"]))
		66	+
		67	+ assert_equal('<A <A ', unescapeElement(escapeHTML('<A <A '), "A", "IMG"))
		68	+ assert_equal('<A <A ', unescapeElement(escapeHTML('<A <A '), ["A", "IMG"]))
		69	+ assert_equal('<A <A ', unescape_element(escapeHTML('<A <A '), "A", "IMG"))
		70	+ assert_equal('<A <A ', unescape_element(escapeHTML('<A <A '), ["A", "IMG"]))
		71	end
		72	end
		73
		74	--
		75	2.25.1
		76


diff --git a/meta/recipes-devtools/ruby/ruby_3.1.3.bb b/meta/recipes-devtools/ruby/ruby_3.1.3.bb index 96873fd7fa..ac9dec3514 100644 --- a/meta/recipes-devtools/ruby/ruby_3.1.3.bb +++ b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
@@ -46,6 +46,7 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
46	file://CVE-2024-49761-0008.patch \	46	file://CVE-2024-49761-0008.patch \
47	file://CVE-2024-49761-0009.patch \	47	file://CVE-2024-49761-0009.patch \
48	file://CVE-2024-41946.patch \	48	file://CVE-2024-41946.patch \
		49	file://CVE-2025-27220.patch \
49	"	50	"
50	UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"	51	UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"
51		52