
Bug#1103926: marked as done (bookworm-pu: package rubygems/3.3.15-2+deb12u1)



Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1103926,
regarding bookworm-pu: package rubygems/3.3.15-2+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1103926: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103926
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:rubygems
X-Debbugs-Cc: rubygems@packages.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal

[ Reason ]
This includes a fix for CVE-2025-27221 and CVE-2023-28755.

[ Impact ]
Users' systems will be vulnerable due to URI code vendored in rubygems.

[ Tests ]
The upstream tests were not included in those patches because the tests
in vendor code are not executed. However, this was well tested upstream
and I also did some manual testing to make sure the URI code is now
fixed.

[ Risks ]
The code changed is not too complex, I do not foresee a big risk of a
regression TBH.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Backported upstream fixes for the 2 CVEs mentioned and nothing else.

[ Other info ]
The security team asked me to push those changes via proposed-updates.
diff -Nru rubygems-3.3.15/debian/changelog rubygems-3.3.15/debian/changelog
--- rubygems-3.3.15/debian/changelog	2023-01-01 05:50:51.000000000 -0300
+++ rubygems-3.3.15/debian/changelog	2025-04-17 22:54:07.000000000 -0300
@@ -1,3 +1,19 @@
+rubygems (3.3.15-2+deb12u1) UNRELEASED; urgency=medium
+
+  * Fix CVE-2025-27221.
+    The URI handling methods (URI.join, URI#merge, URI#+) have an
+    inadvertent leakage of authentication credentials because userinfo is
+    retained even after changing the host.
+     - d/p/CVE-2025-27221_*.patch
+  * Fix CVE-2023-28755.
+    A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby
+    through 3.2.1. The URI parser mishandles invalid URLs that have specific
+    characters. It causes an increase in execution time for parsing strings
+    to URI objects.
+     - d/p/CVE-2023-28755.patch
+
+ -- Lucas Kanashiro <kanashiro@debian.org>  Thu, 17 Apr 2025 22:54:07 -0300
+
 rubygems (3.3.15-2) unstable; urgency=medium
 
   * Team upload
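Review bot: the new stanza's first line targets `UNRELEASED`; an upload to bookworm-proposed-updates needs the distribution field set to `bookworm` before the package is built, otherwise the upload will not be accepted for the suite. The rest of the entry is fine: the `d/p/CVE-2025-27221_*.patch` reference matches the two patch files added below, and both CVE descriptions name the affected behaviour.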
diff -Nru rubygems-3.3.15/debian/patches/CVE-2023-28755.patch rubygems-3.3.15/debian/patches/CVE-2023-28755.patch
--- rubygems-3.3.15/debian/patches/CVE-2023-28755.patch	1969-12-31 21:00:00.000000000 -0300
+++ rubygems-3.3.15/debian/patches/CVE-2023-28755.patch	2025-04-17 22:51:20.000000000 -0300
@@ -0,0 +1,26 @@
+From: Nobuyoshi Nakada <nobu@ruby-lang.org>
+Date: Mon, 10 Jan 2022 01:12:57 +0900
+Subject: Fix quadratic backtracking on invalid URI
+
+https://hackerone.com/reports/1444501
+
+Origin: backport, https://github.com/ruby/uri/commit/eaf89cc31619d49e67c64d
+---
+ bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb b/bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb
+index 2029cfd..2330a28 100644
+--- a/bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb
++++ b/bundler/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb
+@@ -3,8 +3,8 @@ module Bundler::URI
+   class RFC3986_Parser # :nodoc:
+     # Bundler::URI defined in RFC3986
+     # this regexp is modified not to host is not empty string
+-    RFC3986_URI = /\A(?<Bundler::URI>(?<scheme>[A-Za-z][+\-.0-9A-Za-z]*):(?<hier-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h+\.[!$&-.0-;=A-Z_a-z~]+))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?<port>\d*))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g<segment>)*)?)|(?<path-rootless>\g<segment-nz>(?:\/\g<segment>)*)|(?<path-empty>))(?:\?(?<query>[^#]*))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/
+-    RFC3986_relative_ref = /\A(?<relative-ref>(?<relative-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?<host>(?<IP-literal>\[(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h+\.[!$&-.0-;=A-Z_a-z~]+)\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?<port>\d*))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g<segment>)*)?)|(?<path-noscheme>(?<segment-nz-nc>(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])+)(?:\/\g<segment>)*)|(?<path-empty>))(?:\?(?<query>[^#]*))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/
++    RFC3986_URI = /\A(?<URI>(?<scheme>[A-Za-z][+\-.0-9A-Za-z]*+):(?<hier-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*+)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h++\.[!$&-.0-;=A-Z_a-z~]++))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])*+))(?::(?<port>\d*+))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*+))*+)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])++)(?:\/\g<segment>)*+)?)|(?<path-rootless>\g<segment-nz>(?:\/\g<segment>)*+)|(?<path-empty>))(?:\?(?<query>[^#]*+))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*+))?)\z/
++    RFC3986_relative_ref = /\A(?<relative-ref>(?<relative-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*+)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h++\.[!$&-.0-;=A-Z_a-z~]++))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])++))?(?::(?<port>\d*+))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*+))*+)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])++)(?:\/\g<segment>)*+)?)|(?<path-noscheme>(?<segment-nz-nc>(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])++)(?:\/\g<segment>)*+)|(?<path-empty>))(?:\?(?<query>[^#]*+))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*+))?)\z/
+     attr_reader :regexp
+ 
+     def initialize
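Review bot: the replacement `RFC3986_URI` line changes more than the quantifiers. Its outer named group becomes `(?<URI>` where the removed line had `(?<Bundler::URI>`, and the `host` group is no longer optional while `reg-name` may now be empty (`...~])*+))(?::(?<port>` versus the old `...~])+))?(?::(?<port>`), so an absolute URI with an empty authority host now captures `host == ""` instead of `nil`; the `RFC3986_relative_ref` line keeps the optional host. The context comment kept just above (`this regexp is modified not to host is not empty string`) documents a bundler-local modification that this upstream-verbatim line drops. Worth confirming that nothing in the vendored parser reads the capture by the old group name or distinguishes a nil host, or else re-applying the local modification on top of the possessive quantifiers, which are the actual ReDoS fix here.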
diff -Nru rubygems-3.3.15/debian/patches/CVE-2025-27221_1.patch rubygems-3.3.15/debian/patches/CVE-2025-27221_1.patch
--- rubygems-3.3.15/debian/patches/CVE-2025-27221_1.patch	1969-12-31 21:00:00.000000000 -0300
+++ rubygems-3.3.15/debian/patches/CVE-2025-27221_1.patch	2025-04-17 22:51:20.000000000 -0300
@@ -0,0 +1,28 @@
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Fri, 21 Feb 2025 16:29:36 +0900
+Subject: Truncate userinfo with URI#join, URI#merge and URI#+
+
+Origin: backport, https://github.com/ruby/uri/commit/3675494839112b64d5f082
+
+NOTE: test removed, the file is not preset nor executed.
+---
+ bundler/lib/bundler/vendor/uri/lib/uri/generic.rb | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb b/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
+index f29ba6c..998e808 100644
+--- a/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
++++ b/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
+@@ -1131,7 +1131,11 @@ def merge(oth)
+       end
+ 
+       # RFC2396, Section 5.2, 7)
+-      base.set_userinfo(rel.userinfo) if rel.userinfo
++      if rel.userinfo
++        base.set_userinfo(rel.userinfo)
++      else
++        base.set_userinfo(nil)
++      end
+       base.set_host(rel.host)         if rel.host
+       base.set_port(rel.port)         if rel.port
+       base.query = rel.query       if rel.query
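Review bot: the new `else base.set_userinfo(nil)` branch clears the base credentials on every merge whose relative reference carries no userinfo, including plain relative paths with no authority at all, so on its own this hunk would drop `user:pass@` from the result of `URI("http://user:pass@host/a").merge("b")`. CVE-2025-27221_2.patch in this same debdiff removes this block again and scopes the reset to the `if authority` branch, so the two must ship together (as `series` does); a squashed single patch, or a line in the NOTE pointing at the follow-up, would make that dependency explicit. Also 'preset' in the NOTE line should read 'present'.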
diff -Nru rubygems-3.3.15/debian/patches/CVE-2025-27221_2.patch rubygems-3.3.15/debian/patches/CVE-2025-27221_2.patch
--- rubygems-3.3.15/debian/patches/CVE-2025-27221_2.patch	1969-12-31 21:00:00.000000000 -0300
+++ rubygems-3.3.15/debian/patches/CVE-2025-27221_2.patch	2025-04-17 22:51:20.000000000 -0300
@@ -0,0 +1,48 @@
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Fri, 21 Feb 2025 18:16:28 +0900
+Subject: Fix merger of URI with authority component
+
+https://hackerone.com/reports/2957667
+
+Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
+
+Origin: backport, https://github.com/ruby/uri/commit/2789182478f42ccbb6
+
+NOTES: test removed, the file is not preset nor executed.
+---
+ bundler/lib/bundler/vendor/uri/lib/uri/generic.rb | 19 +++++++------------
+ 1 file changed, 7 insertions(+), 12 deletions(-)
+
+diff --git a/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb b/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
+index 998e808..efab83b 100644
+--- a/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
++++ b/bundler/lib/bundler/vendor/uri/lib/uri/generic.rb
+@@ -1123,21 +1123,16 @@ def merge(oth)
+       base.fragment=(nil)
+ 
+       # RFC2396, Section 5.2, 4)
+-      if !authority
+-        base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path
+-      else
+-        # RFC2396, Section 5.2, 4)
+-        base.set_path(rel.path) if rel.path
++      if authority
++        base.set_userinfo(rel.userinfo)
++        base.set_host(rel.host)
++        base.set_port(rel.port || base.default_port)
++        base.set_path(rel.path)
++      elsif base.path && rel.path
++        base.set_path(merge_path(base.path, rel.path))
+       end
+ 
+       # RFC2396, Section 5.2, 7)
+-      if rel.userinfo
+-        base.set_userinfo(rel.userinfo)
+-      else
+-        base.set_userinfo(nil)
+-      end
+-      base.set_host(rel.host)         if rel.host
+-      base.set_port(rel.port)         if rel.port
+       base.query = rel.query       if rel.query
+       base.fragment=(rel.fragment) if rel.fragment
+ 
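Review bot: `base.set_port(rel.port || base.default_port)` is a behaviour change beyond the credential fix: when the relative reference has an authority but no explicit port, the base's explicit port is now replaced by the scheme default instead of kept (the removed `base.set_port(rel.port) if rel.port` preserved it). That matches RFC 2396 §5.2 step 4 cited in the comment, which takes the whole authority from the reference, but it is worth confirming that a merged URI with a default port still serialises without an explicit `:80`/`:443` and that callers comparing `port` against `nil` cope. Minor: the header says `NOTES:` where the sibling patch says `NOTE:`, and 'preset' should be 'present' here as well.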
diff -Nru rubygems-3.3.15/debian/patches/series rubygems-3.3.15/debian/patches/series
--- rubygems-3.3.15/debian/patches/series	2023-01-01 05:48:13.000000000 -0300
+++ rubygems-3.3.15/debian/patches/series	2025-04-17 22:51:20.000000000 -0300
@@ -1 +1,4 @@
 0001-Don-t-consider-gems-provided-by-Debian-packages-as-d.patch
+CVE-2025-27221_1.patch
+CVE-2025-27221_2.patch
+CVE-2023-28755.patch
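Review bot: the order is correct and, for the first two entries, required: the lines CVE-2025-27221_2.patch removes (`if rel.userinfo` ... `end`) are exactly the ones CVE-2025-27221_1.patch adds, so `_1` must precede `_2` or `_2` will fail to apply. CVE-2023-28755.patch touches a different file (`rfc3986_parser.rb`), so its position relative to the other two does not matter.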

Attachment: signature.asc
Description: This is a digitally signed message part


--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam

--- End Message ---
