Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package rubygem-rack-2.2 for
openSUSE:Factory checked in at 2023-03-14 18:17:23
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-rack-2.2 (Old)
and /work/SRC/openSUSE:Factory/.rubygem-rack-2.2.new.31432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-rack-2.2"
Tue Mar 14 18:17:23 2023 rev:3 rq:1071430 version:2.2.6.3
Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-rack-2.2/rubygem-rack-2.2.changes
2023-01-23 18:33:50.052836870 +0100
+++
/work/SRC/openSUSE:Factory/.rubygem-rack-2.2.new.31432/rubygem-rack-2.2.changes
2023-03-14 18:17:26.567987773 +0100
@@ -1,0 +2,7 @@
+Mon Mar 13 15:43:57 UTC 2023 - Daniel Donisa <[email protected]>
+
+- updated to version 2.2.6.3
+
+ [CVE-2023-27530] Possible DoS Vulnerability in Multipart MIME parsing
+
+-------------------------------------------------------------------
Old:
----
rack-2.2.6.2.gem
New:
----
rack-2.2.6.3.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-rack-2.2.spec ++++++
--- /var/tmp/diff_new_pack.DrwfhB/_old 2023-03-14 18:17:27.127990767 +0100
+++ /var/tmp/diff_new_pack.DrwfhB/_new 2023-03-14 18:17:27.135990810 +0100
@@ -24,18 +24,13 @@
#
Name: rubygem-rack-2.2
-Version: 2.2.6.2
+Version: 2.2.6.3
Release: 0
%define mod_name rack
%define mod_full_name %{mod_name}-%{version}
%define mod_version_suffix -2.2
# MANUAL
BuildRequires: fdupes
-
-%if 0%{?suse_version} && 0%{?suse_version} < 1330
-%define rb_build_versions ruby23 ruby24 ruby25
-%define rb_build_ruby_abi ruby:2.3.0 ruby:2.4.0 ruby:2.5.0
-%endif
# /MANUAL
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: %{ruby >= 2.3.0}
++++++ gem2rpm.yml ++++++
--- /var/tmp/diff_new_pack.DrwfhB/_old 2023-03-14 18:17:27.171991002 +0100
+++ /var/tmp/diff_new_pack.DrwfhB/_new 2023-03-14 18:17:27.175991023 +0100
@@ -8,11 +8,6 @@
:preamble: |-
BuildRequires: fdupes
- %if 0%{?suse_version} && 0%{?suse_version} < 1330
- %define rb_build_versions ruby23 ruby24 ruby25
- %define rb_build_ruby_abi ruby:2.3.0 ruby:2.4.0 ruby:2.5.0
- %endif
-
:post_install: |-
%fdupes %{buildroot}%{_libdir}/ruby/gems/*/gems/%{mod_name}-%{version}/
++++++ rack-2.2.6.2.gem -> rack-2.2.6.3.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md 2023-01-17 22:22:12.000000000 +0100
+++ new/CHANGELOG.md 2023-03-02 23:55:39.000000000 +0100
@@ -2,6 +2,10 @@
All notable changes to this project will be documented in this file. For info
on how to format all future additions to this file please reference [Keep A
Changelog](https://keepachangelog.com/en/1.0.0/).
+## [2.2.6.3] - 2023-03-02
+
+- [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
+
## [2.2.6.2] - 2022-01-17
- [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/README.rdoc new/README.rdoc
--- old/README.rdoc 2023-01-17 22:22:12.000000000 +0100
+++ new/README.rdoc 2023-03-02 23:55:39.000000000 +0100
@@ -202,16 +202,30 @@
Defaults to 100.
-=== multipart_part_limit
+=== multipart_file_limit
-The maximum number of parts a request can contain.
+The maximum number of parts with a filename a request can contain.
Accepting too many part can lead to the server running out of file handles.
The default is 128, which means that a single request can't upload more than
128 files at once.
Set to 0 for no limit.
-Can also be set via the +RACK_MULTIPART_PART_LIMIT+ environment variable.
+Can also be set via the +RACK_MULTIPART_FILE_LIMIT+ environment variable.
+
+(This is also aliased as +multipart_part_limit+ and
+RACK_MULTIPART_PART_LIMIT+ for compatibility)
+
+=== multipart_total_part_limit
+
+The maximum total number of parts a request can contain of any type, including
+both file and non-file form fields.
+
+The default is 4096, which means that a single request can't contain more than
+4096 parts.
+
+Set to 0 for no limit.
+
+Can also be set via the +RACK_MULTIPART_TOTAL_PART_LIMIT+ environment variable.
== Changelog
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rack/multipart/parser.rb
new/lib/rack/multipart/parser.rb
--- old/lib/rack/multipart/parser.rb 2023-01-17 22:22:12.000000000 +0100
+++ new/lib/rack/multipart/parser.rb 2023-03-02 23:55:39.000000000 +0100
@@ -5,6 +5,7 @@
module Rack
module Multipart
class MultipartPartLimitError < Errno::EMFILE; end
+ class MultipartTotalPartLimitError < StandardError; end
class Parser
(require_relative '../core_ext/regexp'; using ::Rack::RegexpExtensions)
if RUBY_VERSION < '2.4'
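Review bot: The added `MultipartTotalPartLimitError` subclasses `StandardError` while its sibling `MultipartPartLimitError` one line above subclasses `Errno::EMFILE`, so the two limit breaches have no common ancestor and cannot be rescued with a single clause; anything upstream that already rescues `Errno::EMFILE` to turn the file-part limit into a client error (not visible in this patch) will let the new error through as an unhandled exception. If that asymmetry is intended, it deserves a comment on the new line, e.g. `# Raised when the total part count reaches Utils.multipart_total_part_limit; unlike MultipartPartLimitError this is a plain StandardError, not an Errno::EMFILE.` Otherwise a shared mixin module included by both classes would let callers rescue them together without changing the existing `Errno::EMFILE` parent.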
@@ -140,7 +141,7 @@
@mime_parts[mime_index] = klass.new(body, head, filename,
content_type, name)
- check_open_files
+ check_part_limits
end
def on_mime_body(mime_index, content)
@@ -152,13 +153,23 @@
private
- def check_open_files
- if Utils.multipart_part_limit > 0
- if @open_files >= Utils.multipart_part_limit
+ def check_part_limits
+ file_limit = Utils.multipart_file_limit
+ part_limit = Utils.multipart_total_part_limit
+
+ if file_limit && file_limit > 0
+ if @open_files >= file_limit
@mime_parts.each(&:close)
raise MultipartPartLimitError, 'Maximum file multiparts in
content reached'
end
end
+
+ if part_limit && part_limit > 0
+ if @mime_parts.size >= part_limit
+ @mime_parts.each(&:close)
+ raise MultipartTotalPartLimitError, 'Maximum total multiparts in
content reached'
+ end
+ end
end
end
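Review bot: `if @mime_parts.size >= part_limit` rejects a request once the part count reaches the limit, and since the preceding hunk stores the part before calling `check_part_limits`, a request with exactly `part_limit` parts raises; the README text added in this same commit says a request "can't contain more than 4096 parts", which implies 4096 itself is allowed. Either change the comparison to `if @mime_parts.size > part_limit` or adjust the documentation so the boundary matches the code; erring on the strict side is harmless for a DoS limit, but the two should agree. The same boundary question applies to the pre-existing `@open_files >= file_limit` check, whose increment of `@open_files` is outside this hunk. `@mime_parts.size` also counts nil slots if `mime_index` is ever non-contiguous; I cannot see how the index is assigned, so a short comment stating that parts are appended contiguously would make the `size` check easier to trust.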
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rack/utils.rb new/lib/rack/utils.rb
--- old/lib/rack/utils.rb 2023-01-17 22:22:12.000000000 +0100
+++ new/lib/rack/utils.rb 2023-03-02 23:55:39.000000000 +0100
@@ -58,13 +58,24 @@
end
class << self
- attr_accessor :multipart_part_limit
+ attr_accessor :multipart_total_part_limit
+
+ attr_accessor :multipart_file_limit
+
+ # multipart_part_limit is the original name of multipart_file_limit, but
+ # the limit only counts parts with filenames.
+ alias multipart_part_limit multipart_file_limit
+ alias multipart_part_limit= multipart_file_limit=
end
- # The maximum number of parts a request can contain. Accepting too many
part
- # can lead to the server running out of file handles.
+ # The maximum number of file parts a request can contain. Accepting too
+ # many parts can lead to the server running out of file handles.
# Set to `0` for no limit.
- self.multipart_part_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] || 128).to_i
+ self.multipart_file_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] ||
ENV['RACK_MULTIPART_FILE_LIMIT'] || 128).to_i
+
+ # The maximum total number of parts a request can contain. Accepting too
+ # many can lead to excessive memory use and parsing time.
+ self.multipart_total_part_limit = (ENV['RACK_MULTIPART_TOTAL_PART_LIMIT']
|| 4096).to_i
def self.param_depth_limit
default_query_parser.param_depth_limit
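Review bot: Both new assignments convert the environment value with `.to_i`, so any non-numeric setting (a stray suffix or typo in `RACK_MULTIPART_TOTAL_PART_LIMIT`) becomes `0`, and `0` is documented a few lines above as "no limit" — a misconfiguration silently disables the protection this release introduces. Failing at boot is safer: `self.multipart_total_part_limit = Integer(ENV['RACK_MULTIPART_TOTAL_PART_LIMIT'] || 4096)` and likewise `Integer(ENV['RACK_MULTIPART_PART_LIMIT'] || ENV['RACK_MULTIPART_FILE_LIMIT'] || 128)`, which raises `ArgumentError` on garbage and still accepts the integer defaults. Separately, the `||` chain makes the legacy `RACK_MULTIPART_PART_LIMIT` win when both variables are set, while the README added in this commit presents `RACK_MULTIPART_FILE_LIMIT` as the primary name; either swap the order or state the precedence in the comment above the assignment, e.g. `# RACK_MULTIPART_PART_LIMIT takes precedence over RACK_MULTIPART_FILE_LIMIT for compatibility.`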
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rack/version.rb new/lib/rack/version.rb
--- old/lib/rack/version.rb 2023-01-17 22:22:12.000000000 +0100
+++ new/lib/rack/version.rb 2023-03-02 23:55:39.000000000 +0100
@@ -20,7 +20,7 @@
VERSION.join(".")
end
- RELEASE = "2.2.6.2"
+ RELEASE = "2.2.6.3"
# Return the Rack release as a dotted string.
def self.release
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2023-01-17 22:22:12.000000000 +0100
+++ new/metadata 2023-03-02 23:55:39.000000000 +0100
@@ -1,14 +1,14 @@
--- !ruby/object:Gem::Specification
name: rack
version: !ruby/object:Gem::Version
- version: 2.2.6.2
+ version: 2.2.6.3
platform: ruby
authors:
- Leah Neukirchen
autorequire:
bindir: bin
cert_chain: []
-date: 2023-01-17 00:00:00.000000000 Z
+date: 2023-03-02 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: minitest
@@ -184,7 +184,7 @@
- !ruby/object:Gem::Version
version: '0'
requirements: []
-rubygems_version: 3.5.0.dev
+rubygems_version: 3.4.1
signing_key:
specification_version: 4
summary: A modular Ruby webserver interface.