Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rubygem-rack for openSUSE:Factory checked in at 2023-03-09 17:46:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-rack (Old) and /work/SRC/openSUSE:Factory/.rubygem-rack.new.31432 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-rack" Thu Mar 9 17:46:53 2023 rev:25 rq:1070412 version:3.0.4.2 Changes: --------
--- /work/SRC/openSUSE:Factory/rubygem-rack/rubygem-rack.changes 2023-01-23 18:33:36.384742288 +0100
+++ /work/SRC/openSUSE:Factory/.rubygem-rack.new.31432/rubygem-rack.changes 2023-03-09 17:46:55.807287996 +0100
@@ -1,0 +2,13 @@
+Thu Mar 9 12:25:49 UTC 2023 - pgaj...@suse.com
+
+- version update to 3.0.4.2
+ * rack.input is now optional, and if missing, will raise an error.
+ Use this to fail on multipart parsing a request without an input body.
+ (#2018, @ioquatix)
+ * Introduce module Rack::BadRequest which is included in multipart and
+ query parser errors. (#2019, @ioquatix)
+ * MIME type for JavaScript files (.js) changed from application/javascript
+ to text/javascript (1bd0f15)
+ * fixes CVE-2023-27530 [bsc#1209095]
+
+------------------------------------------------------------------- Old: ---- rack-3.0.4.1.gem New: ---- rack-3.0.4.2.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-rack.spec ++++++
--- /var/tmp/diff_new_pack.8zUwxf/_old 2023-03-09 17:46:56.219290189 +0100
+++ /var/tmp/diff_new_pack.8zUwxf/_new 2023-03-09 17:46:56.223290210 +0100
@@ -24,7 +24,7 @@
 #
 Name: rubygem-rack
-Version: 3.0.4.1
+Version: 3.0.4.2
 Release: 0
 %define mod_name rack
 %define mod_full_name %{mod_name}-%{version} ++++++ rack-3.0.4.1.gem -> rack-3.0.4.2.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md 2023-01-17 21:47:16.000000000 +0100
+++ new/CHANGELOG.md 2023-03-02 23:56:21.000000000 +0100
@@ -2,6 +2,10 @@
 All notable changes to this project will be documented in this file.
 For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
+## [3.0.4.1] - 2023-03-02
+
+- [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
+
 ## [3.0.4.1] - 2023-01-17
 - [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/README.md new/README.md
--- old/README.md 2023-01-17 21:47:16.000000000 +0100
+++ new/README.md 2023-03-02 23:56:21.000000000 +0100
@@ -186,19 +186,35 @@
 Limiting the depth prevents a possible stack overflow when parsing parameters. -### `multipart_part_limit` +### `multipart_file_limit` ```ruby -Rack::Utils.multipart_part_limit = 128 # default +Rack::Utils.multipart_file_limit = 128 # default ``` -The maximum number of parts a request can contain. Accepting too many parts can -lead to the server running out of file handles. +The maximum number of parts with a filename a request can contain. Accepting +too many parts can lead to the server running out of file handles. The default is 128, which means that a single request can't upload more than 128 files at once. Set to 0 for no limit. -Can also be set via the `RACK_MULTIPART_PART_LIMIT` environment variable. +Can also be set via the `RACK_MULTIPART_FILE_LIMIT` environment variable. + +(This is also aliased as `multipart_part_limit` and `RACK_MULTIPART_PART_LIMIT` for compatibility) + + +### `multipart_total_part_limit` + +The maximum total number of parts a request can contain of any type, including +both file and non-file form fields. + +The default is 4096, which means that a single request can't contain more than +4096 parts. + +Set to 0 for no limit. + +Can also be set via the `RACK_MULTIPART_TOTAL_PART_LIMIT` environment variable. + ## Changelog
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/multipart/parser.rb new/lib/rack/multipart/parser.rb
--- old/lib/rack/multipart/parser.rb 2023-01-17 21:47:16.000000000 +0100
+++ new/lib/rack/multipart/parser.rb 2023-03-02 23:56:21.000000000 +0100
@@ -8,6 +8,8 @@
 module Multipart
 class MultipartPartLimitError < Errno::EMFILE; end
+ class MultipartTotalPartLimitError < StandardError; end
+
 # Use specific error class when parsing multipart request
 # that ends early.
 class EmptyContentError < ::EOFError; end
@@ -166,7 +168,7 @@
 @mime_parts[mime_index] = klass.new(body, head, filename, content_type, name)
- check_open_files
+ check_part_limits
 end
 def on_mime_body(mime_index, content)
@@ -178,13 +180,23 @@
 private
- def check_open_files
- if Utils.multipart_part_limit > 0
- if @open_files >= Utils.multipart_part_limit
+ def check_part_limits
+ file_limit = Utils.multipart_file_limit
+ part_limit = Utils.multipart_total_part_limit
+
+ if file_limit && file_limit > 0
+ if @open_files >= file_limit
 @mime_parts.each(&:close)
 raise MultipartPartLimitError, 'Maximum file multiparts in content reached'
 end
 end
+
+ if part_limit && part_limit > 0
+ if @mime_parts.size >= part_limit
+ @mime_parts.each(&:close)
+ raise MultipartTotalPartLimitError, 'Maximum total multiparts in content reached'
+ end
+ end
 end
 end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/utils.rb new/lib/rack/utils.rb
--- old/lib/rack/utils.rb 2023-01-17 21:47:16.000000000 +0100
+++ new/lib/rack/utils.rb 2023-03-02 23:56:21.000000000 +0100
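Review bot: `MultipartTotalPartLimitError` is declared as a plain `StandardError` subclass while the sibling `MultipartPartLimitError` whose pattern `check_part_limits` copies derives from `Errno::EMFILE`, so any caller that currently rescues the file-limit error by its class or by `Errno::EMFILE` will not catch the new error and an oversized request would surface as an unhandled exception instead of a clean rejection; the request-level handler is outside this hunk, so confirm it rescues the new class as well (the changelog's `Rack::BadRequest` entry suggests that is the intent). The threshold `@mime_parts.size >= part_limit` is evaluated after the part has already been stored at `@mime_parts[mime_index]` in the first hunk, so the 4096th part itself triggers the error and a request can carry at most 4095 parts, assuming `mime_index` is sequential; if the README's "can't contain more than 4096 parts" is meant literally, use `>` or state the off-by-one in the comment (the existing `@open_files >= file_limit` behaves the same way, and where `@open_files` is incremented is outside this hunk). The two guards repeat the same close-then-raise sequence; a small private helper that closes `@mime_parts` and raises the given error class and message would keep the cleanup in one place.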
@@ -58,13 +58,24 @@
 end
 class << self
- attr_accessor :multipart_part_limit
+ attr_accessor :multipart_total_part_limit
+
+ attr_accessor :multipart_file_limit
+
+ # multipart_part_limit is the original name of multipart_file_limit, but
+ the limit only counts parts with filenames.
+ alias multipart_part_limit multipart_file_limit
+ alias multipart_part_limit= multipart_file_limit=
 end
- # The maximum number of parts a request can contain. Accepting too many part
- # can lead to the server running out of file handles.
+ # The maximum number of file parts a request can contain. Accepting too
+ # many parts can lead to the server running out of file handles.
 # Set to `0` for no limit.
- self.multipart_part_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] || 128).to_i
+ self.multipart_file_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] || ENV['RACK_MULTIPART_FILE_LIMIT'] || 128).to_i
+
+ # The maximum total number of parts a request can contain. Accepting too
+ # many can lead to excessive memory use and parsing time.
+ self.multipart_total_part_limit = (ENV['RACK_MULTIPART_TOTAL_PART_LIMIT'] || 4096).to_i
 def self.param_depth_limit
 default_query_parser.param_depth_limit
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/version.rb new/lib/rack/version.rb
--- old/lib/rack/version.rb 2023-01-17 21:47:16.000000000 +0100
+++ new/lib/rack/version.rb 2023-03-02 23:56:21.000000000 +0100
@@ -25,7 +25,7 @@
 VERSION
 end
- RELEASE = "3.0.4.1"
+ RELEASE = "3.0.4.2"
 # Return the Rack release as a dotted string.
 def self.release
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2023-01-17 21:47:16.000000000 +0100
+++ new/metadata 2023-03-02 23:56:21.000000000 +0100
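Review bot: Both new limit initialisers parse their environment variables with `.to_i`, so a malformed value (for example an accidental `4k`) silently becomes `0`, which the parser treats as "no limit" — a typo in deployment configuration would switch off the very protection this release adds, with no error or log line. `Integer(ENV['RACK_MULTIPART_TOTAL_PART_LIMIT'] || 4096)` raises at boot on non-numeric input instead, and the same applies to the `multipart_file_limit` line. The precedence `ENV['RACK_MULTIPART_PART_LIMIT'] || ENV['RACK_MULTIPART_FILE_LIMIT']` lets the legacy name override the new one when both are set, the opposite of what the README's "also aliased for compatibility" wording suggests; swapping the two operands would make the new name authoritative. The comment above `multipart_total_part_limit` also lacks the `Set to 0 for no limit` note its sibling carries, although the README documents that behaviour and `check_part_limits` relies on it.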
@@ -1,14 +1,14 @@ --- !ruby/object:Gem::Specification name: rack version: !ruby/object:Gem::Version - version: 3.0.4.1 + version: 3.0.4.2 platform: ruby authors: - Leah Neukirchen autorequire: bindir: bin cert_chain: [] -date: 2023-01-17 00:00:00.000000000 Z +date: 2023-03-02 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: minitest @@ -164,7 +164,7 @@ - !ruby/object:Gem::Version version: '0' requirements: [] -rubygems_version: 3.1.6 +rubygems_version: 3.4.1 signing_key: specification_version: 4 summary: A modular Ruby webserver interface.