Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package rubygem-rack-2.2 for
openSUSE:Factory checked in at 2025-10-09 15:06:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-rack-2.2 (Old)
and /work/SRC/openSUSE:Factory/.rubygem-rack-2.2.new.11973 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-rack-2.2"
Thu Oct 9 15:06:59 2025 rev:17 rq:1309946 version:2.2.19
Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-rack-2.2/rubygem-rack-2.2.changes
2025-09-29 16:34:46.204819961 +0200
+++
/work/SRC/openSUSE:Factory/.rubygem-rack-2.2.new.11973/rubygem-rack-2.2.changes
2025-10-09 15:09:25.370014165 +0200
@@ -1,0 +2,9 @@
+Thu Oct 9 09:56:43 UTC 2025 - Daniel Donisa <[email protected]>
+
+- update to version 2.2.19
+
+ * [CVE-2025-61772] Multipart parser buffers unbounded per-part headers,
enabling DoS (memory exhaustion)
+ * [CVE-2025-61771] Multipart parser buffers large non‑file fields entirely
in memory, enabling DoS (memory exhaustion)
+ * [CVE-2025-61770] Unbounded multipart preamble buffering enables DoS
(memory exhaustion)
+
+-------------------------------------------------------------------
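Review bot: the three CVE entries carry no bug reference; openSUSE .changes entries for security fixes normally carry a `(bsc#<bug id>)` tag after each CVE so the submission can be tied to the tracked issue, e.g. `* [CVE-2025-61772] ... (bsc#<bug id>)`. Without them the maintenance tooling cannot link this update to the advisories automatically.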
Old:
----
rack-2.2.18.gem
New:
----
rack-2.2.19.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-rack-2.2.spec ++++++
--- /var/tmp/diff_new_pack.bUAj4x/_old 2025-10-09 15:09:26.018041517 +0200
+++ /var/tmp/diff_new_pack.bUAj4x/_new 2025-10-09 15:09:26.026041855 +0200
@@ -24,7 +24,7 @@
#
Name: rubygem-rack-2.2
-Version: 2.2.18
+Version: 2.2.19
Release: 0
%define mod_name rack
%define mod_full_name %{mod_name}-%{version}
@@ -57,7 +57,7 @@
%install
%gem_install \
--symlink-binaries \
- --doc-files="CHANGELOG.md MIT-LICENSE README.rdoc" \
+ --doc-files="CHANGELOG.md CONTRIBUTING.md MIT-LICENSE README.rdoc" \
-f
# MANUAL
%fdupes %{buildroot}%{_libdir}/ruby/gems/*/gems/%{mod_name}-%{version}/
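Review bot: adding CONTRIBUTING.md to `--doc-files` is a packaging change that the .changes entry above does not record; it only mentions the version update. A one-line entry such as `- install CONTRIBUTING.md with the documentation` keeps the package history complete.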
++++++ rack-2.2.18.gem -> rack-2.2.19.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md 1980-01-02 01:00:00.000000000 +0100
+++ new/CHANGELOG.md 1980-01-02 01:00:00.000000000 +0100
@@ -2,8 +2,18 @@
All notable changes to this project will be documented in this file. For info
on how to format all future additions to this file please reference [Keep A
Changelog](https://keepachangelog.com/en/1.0.0/).
+## [2.2.19] - 2025-10-07
+
+### Security
+
+- [CVE-2025-61772](https://github.com/advisories/GHSA-wpv5-97wm-hp9c)
Multipart parser buffers unbounded per-part headers, enabling DoS (memory
exhaustion)
+- [CVE-2025-61771](https://github.com/advisories/GHSA-w9pc-fmgc-vxvw)
Multipart parser buffers large non‑file fields entirely in memory, enabling DoS
(memory exhaustion)
+- [CVE-2025-61770](https://github.com/advisories/GHSA-p543-xpfm-54cp)
Unbounded multipart preamble buffering enables DoS (memory exhaustion)
+
## [2.2.18] - 2025-09-25
+### Security
+
-
[CVE-2025-59830](https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm)
Unbounded parameter parsing in `Rack::QueryParser` can lead to memory
exhaustion via semicolon-separated parameters.
## [2.2.17] - 2025-06-03
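Review bot: the 2.2.19 entry names the three CVEs but says nothing about the new `RACK_MULTIPART_BUFFERED_UPLOAD_BYTESIZE_LIMIT` environment variable this release introduces (it is documented in the README.rdoc hunk of this same diff and read in lib/rack/multipart/parser.rb), nor that requests over the new limits now fail with an `EOFError`. An operator reading only the changelog would not learn that a 16MB per-request cap on buffered multipart data now applies or how to tune it; a short line naming the variable and its 16MB default would close that gap.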
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/README.rdoc new/README.rdoc
--- old/README.rdoc 1980-01-02 01:00:00.000000000 +0100
+++ new/README.rdoc 1980-01-02 01:00:00.000000000 +0100
@@ -206,6 +206,14 @@
used multiple times in the query, each counts as a separate parameter for
this check.
+=== `RACK_MULTIPART_BUFFERED_UPLOAD_BYTESIZE_LIMIT`
+
+This environment variable sets the maximum amount of memory Rack will use
+to buffer multipart parameters when parsing a request body. This considers
+the size of the multipart mime headers and the body part for multipart
+parameters that are buffered in memory and do not use tempfiles. This
+defaults to 16MB if not provided.
+
=== key_space_limit
The default number of bytes to allow all parameters keys in a given parameter
hash to take up.
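Review bot: the new section states the 16MB default but not what happens when the limit is exceeded or which values are accepted. From the parser hunk in this same diff, an over-limit request fails with `EOFError, "multipart data over retained size limit"`, and the variable is parsed with `Integer(str_val, 10)`, so any non-integer value makes Rack raise `ArgumentError` when the parser is loaded. Both facts belong here, and the unit should be stated as bytes (the default is `16777216`), since "16MB" could be read as a value the variable accepts.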
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rack/multipart/parser.rb
new/lib/rack/multipart/parser.rb
--- old/lib/rack/multipart/parser.rb 1980-01-02 01:00:00.000000000 +0100
+++ new/lib/rack/multipart/parser.rb 1980-01-02 01:00:00.000000000 +0100
@@ -20,6 +20,27 @@
BOUNDARY_REGEX = /\A([^\n]*(?:\n|\Z))/
+ BOUNDARY_START_LIMIT = 16 * 1024
+ private_constant :BOUNDARY_START_LIMIT
+
+ MIME_HEADER_BYTESIZE_LIMIT = 64 * 1024
+ private_constant :MIME_HEADER_BYTESIZE_LIMIT
+
+ env_int = lambda do |key, val|
+ if str_val = ENV[key]
+ begin
+ val = Integer(str_val, 10)
+ rescue ArgumentError
+ raise ArgumentError, "non-integer value provided for environment
variable #{key}"
+ end
+ end
+
+ val
+ end
+
+ BUFFERED_UPLOAD_BYTESIZE_LIMIT =
env_int.call("RACK_MULTIPART_BUFFERED_UPLOAD_BYTESIZE_LIMIT", 16 * 1024 * 1024)
+ private_constant :BUFFERED_UPLOAD_BYTESIZE_LIMIT
+
class BoundedIO # :nodoc:
def initialize(io, content_length)
@io = io
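Review bot: `env_int` rejects non-integer input but accepts zero and negative values. Because `update_retained_size` raises as soon as `@retained_size` exceeds the limit, `RACK_MULTIPART_BUFFERED_UPLOAD_BYTESIZE_LIMIT=0` (or any negative value) would reject every multipart request at its first MIME header. A check such as `raise ArgumentError, "... must be positive" unless val > 0` after the `Integer` call would catch that misconfiguration. A comment noting that the lambda runs at class load, so a bad value surfaces as a boot failure rather than per request, would also help the next reader, since that fail-fast behaviour is deliberate and useful.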
@@ -187,6 +208,8 @@
@end_boundary = @boundary + '--'
@state = :FAST_FORWARD
@mime_index = 0
+ @body_retained = nil
+ @retained_size = 0
@collector = Collector.new tempfile
@sbuf = StringScanner.new("".dup)
@@ -241,7 +264,13 @@
@state = :MIME_HEAD
else
raise EOFError, "bad content body" if @sbuf.rest_size >= @bufsize
- :want_read
+
+ # We raise if we don't find the multipart boundary, to avoid
unbounded memory
+ # buffering. Note that the actual limit is the higher of 16KB and
the buffer size (1MB by default)
+ raise EOFError, "multipart boundary not found within limit" if
@sbuf.string.bytesize > BOUNDARY_START_LIMIT
+
+ # no boundary found, keep reading data
+ return :want_read
end
end
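Review bot: the new `@sbuf.string.bytesize > BOUNDARY_START_LIMIT` check runs after the existing `raise EOFError, "bad content body" if @sbuf.rest_size >= @bufsize`, and input arrives in `@bufsize` chunks, so the effective preamble cap is max(16KB, buffer size), exactly as the added comment says. The comment should make explicit that `BOUNDARY_START_LIMIT` is therefore only a floor that scales with the 1MB default buffer, and that, unlike `BUFFERED_UPLOAD_BYTESIZE_LIMIT`, it is a hard-coded constant with no environment override; deployments that raise the buffer size also raise this limit without realising it.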
@@ -271,16 +300,30 @@
name = filename || "#{content_type || TEXT_PLAIN}[]".dup
end
+ # Mime part head data is retained for both TempfilePart and
BufferPart
+ # for the entireity of the parse, even though it isn't used for
BufferPart.
+ update_retained_size(head.bytesize)
+
+ # If a filename is given, a TempfilePart will be used, so the body
will
+ # not be buffered in memory. However, if a filename is not given, a
BufferPart
+ # will be used, and the body will be buffered in memory.
+ @body_retained = !filename
+
@collector.on_mime_head @mime_index, head, filename, content_type,
name
@state = :MIME_BODY
else
- :want_read
+ # We raise if the mime part header is too large, to avoid unbounded
memory
+ # buffering. Note that the actual limit is the higher of 64KB and
the buffer size (1MB by default)
+ raise EOFError, "multipart mime part header too large" if
@sbuf.string.bytesize > MIME_HEADER_BYTESIZE_LIMIT
+
+ return :want_read
end
end
def handle_mime_body
if (body_with_boundary = @sbuf.check_until(@body_regex)) # check but
do not advance the pointer yet
body = body_with_boundary.sub(/#{@body_regex}\z/m, '') # remove the
boundary from the string
+ update_retained_size(body.bytesize) if @body_retained
@collector.on_mime_body @mime_index, body
@sbuf.pos += body.length + 2 # skip \r\n after the content
@state = :CONSUME_TOKEN
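Review bot: typo in the added comment, `entireity` should be `entirety`. More substantively, the `MIME_HEADER_BYTESIZE_LIMIT` check sits only in the `else` branch, i.e. it fires when the header block is still incomplete after a read; a header that arrives complete within a single buffer read is never compared against the 64KB constant and is bounded only by the buffer size, then counted toward `BUFFERED_UPLOAD_BYTESIZE_LIMIT` through `update_retained_size(head.bytesize)`. That matches the "higher of 64KB and the buffer size" wording, but the comment would be clearer if it said so directly rather than leaving the reader to work out why a 64KB limit can admit a larger header.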
@@ -289,7 +332,9 @@
# Save what we have so far
if @rx_max_size < @sbuf.rest_size
delta = @sbuf.rest_size - @rx_max_size
- @collector.on_mime_body @mime_index, @sbuf.peek(delta)
+ body = @sbuf.peek(delta)
+ update_retained_size(body.bytesize) if @body_retained
+ @collector.on_mime_body @mime_index, body
@sbuf.pos += delta
@sbuf.string = @sbuf.rest
end
@@ -299,6 +344,17 @@
def full_boundary; @full_boundary; end
+ def update_retained_size(size)
+ @retained_size += size
+ if @retained_size > BUFFERED_UPLOAD_BYTESIZE_LIMIT
+ raise EOFError, "multipart data over retained size limit"
+ end
+ end
+
+ # Scan until the we find the start or end of the boundary.
+ # If we find it, return the appropriate symbol for the start or
+ # end of the boundary. If we don't find the start or end of the
+ # boundary, clear the buffer and return nil.
def consume_boundary
while read_buffer = @sbuf.scan_until(BOUNDARY_REGEX)
case read_buffer.strip
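Review bot: `update_retained_size` reuses `EOFError` for a size-limit violation, the same class the existing `raise EOFError, "bad content body"` uses for a truncated or malformed body. Callers that rescue `EOFError` cannot distinguish "client sent too much" from "client sent too little" except by message text, which also makes targeted logging or metrics for the new limit awkward; a dedicated subclass (for example one that inherits from `EOFError` so existing rescues still work) would keep compatibility while letting the two cases be told apart. Minor: the new `consume_boundary` comment reads "Scan until the we find", one of "the" or "we" should go.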
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rack/version.rb new/lib/rack/version.rb
--- old/lib/rack/version.rb 1980-01-02 01:00:00.000000000 +0100
+++ new/lib/rack/version.rb 1980-01-02 01:00:00.000000000 +0100
@@ -20,7 +20,7 @@
VERSION.join(".")
end
- RELEASE = "2.2.18"
+ RELEASE = "2.2.19"
# Return the Rack release as a dotted string.
def self.release
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 1980-01-02 01:00:00.000000000 +0100
+++ new/metadata 1980-01-02 01:00:00.000000000 +0100
@@ -1,7 +1,7 @@
--- !ruby/object:Gem::Specification
name: rack
version: !ruby/object:Gem::Version
- version: 2.2.18
+ version: 2.2.19
platform: ruby
authors:
- Leah Neukirchen
++++++ rubygem-rack-rpmlintrc ++++++
--- /var/tmp/diff_new_pack.bUAj4x/_old 2025-10-09 15:09:26.306053673 +0200
+++ /var/tmp/diff_new_pack.bUAj4x/_new 2025-10-09 15:09:26.314054011 +0200
@@ -1,3 +1,2 @@
-addFilter('wrong-script-interpreter.*rackup')
-addFilter('script-without-shebang')
+addFilter("update-alternatives-postun-call-missing")
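Review bot: this rpmlintrc change drops the `wrong-script-interpreter.*rackup` and `script-without-shebang` filters and adds `update-alternatives-postun-call-missing`, but nothing in the .changes entry records it or explains why the two old warnings no longer need filtering. If rpmlint still reports them the build check will now flag the package, so a sentence in .changes saying what changed in the spec to make the old filters unnecessary (and why the new one is needed) would help the next maintainer. Style: the new line uses double quotes where the removed lines used single quotes; either is fine in rpmlintrc, but the file should be consistent.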