diff -pruN 3.0.2-7/debian/changelog 3.0.2-7ubuntu2/debian/changelog --- 3.0.2-7/debian/changelog 2022-01-21 12:29:42.000000000 +0000 +++ 3.0.2-7ubuntu2/debian/changelog 2022-03-17 16:09:20.000000000 +0000 @@ -1,3 +1,32 @@ +ruby3.0 (3.0.2-7ubuntu2) jammy; urgency=medium + + * SECURITY UPDATE: Buffer overrun + - debian/patches/CVE-2021-41816.patch: fix integer overflow making + sure use of the check in rb_alloc_tmp_buffer2 in + ext/cgi/escape/escape.c. + - CVE-2021-41816 + * SECURITY UPDATE: ReDoS vulnerability + - debian/patches/CVE-2021-41817-*.patch: add length limit option + for methods that parses date strings and mimic prev behaviour + in ext/date/date_core.c, test/date/test_date_parse.rb. + - CVE-2021-41817 + * SECURITY UPDATE: Mishandles sec prefixes in cookie names + - debian/patches/CVE-2021-41819.patch: when parsing cookies, only + decode the values in lib/cgi/cookie.rb, test/cgi/test_cgi_cookie.rb. + - CVE-2021-41819 + + -- Leonidas Da Silva Barbosa Thu, 17 Mar 2022 13:09:20 -0300 + +ruby3.0 (3.0.2-7ubuntu1) jammy; urgency=medium + + * d/{genprovides,rules}: fix generation of Provides (LP: #1964813). + With ruby3.0 gems are provided both under + /usr/lib/ruby/gems/3.0.0/specifications/default/ and at the superior + directory, /usr/lib/ruby/gems/3.0.0/specifications/. Change to catch all + gemspecs under /usr/lib/ruby/gems/3.0.0/specifications/ instead. + + -- Lucas Kanashiro Mon, 14 Mar 2022 15:11:38 -0300 + ruby3.0 (3.0.2-7) unstable; urgency=medium * d/t/run-all: create needed empty files, fix autopkgtest regression. diff -pruN 3.0.2-7/debian/control 3.0.2-7ubuntu2/debian/control --- 3.0.2-7/debian/control 2021-11-26 13:51:19.000000000 +0000 +++ 3.0.2-7ubuntu2/debian/control 2022-03-14 18:11:38.000000000 +0000 @@ -1,7 +1,8 @@ Source: ruby3.0 Section: ruby Priority: optional -Maintainer: Debian Ruby Team +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian Ruby Team Uploaders: Antonio Terceiro , Utkarsh Gupta , Lucas Kanashiro diff -pruN 3.0.2-7/debian/genprovides 3.0.2-7ubuntu2/debian/genprovides --- 3.0.2-7/debian/genprovides 2021-09-13 18:48:01.000000000 +0000 +++ 3.0.2-7ubuntu2/debian/genprovides 2022-03-14 18:11:38.000000000 +0000 @@ -3,6 +3,8 @@ set -eu printf 'libruby:Provides=' -ls -1 "$@" \ +find "$@" -name \*.gemspec \ + | xargs -n 1 basename \ + | sort \ | grep -v bundler \ | sed -e 's/_/-/g; s/\(.*\)-\([0-9.]\+\)\.gemspec/ruby-\1 (= \2), /' | xargs echo diff -pruN 3.0.2-7/debian/patches/CVE-2021-41816.patch 3.0.2-7ubuntu2/debian/patches/CVE-2021-41816.patch --- 3.0.2-7/debian/patches/CVE-2021-41816.patch 1970-01-01 00:00:00.000000000 +0000 +++ 3.0.2-7ubuntu2/debian/patches/CVE-2021-41816.patch 2022-03-17 16:09:20.000000000 +0000 @@ -0,0 +1,26 @@ +From c728632c1c09d46cfd4ecbff9caaa3651dd1002a Mon Sep 17 00:00:00 2001 +From: Nobuyoshi Nakada +Date: Fri, 3 Sep 2021 19:40:22 +0900 +Subject: [PATCH] Fix integer overflow + +Make use of the check in rb_alloc_tmp_buffer2. + +https://hackerone.com/reports/1328463 +--- + ext/cgi/escape/escape.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ext/cgi/escape/escape.c b/ext/cgi/escape/escape.c +index 3a7837e..809f95e 100644 +--- a/ext/cgi/escape/escape.c ++++ b/ext/cgi/escape/escape.c +@@ -36,7 +36,8 @@ static VALUE + optimized_escape_html(VALUE str) + { + VALUE vbuf; +- char *buf = ALLOCV_N(char, vbuf, RSTRING_LEN(str) * HTML_ESCAPE_MAX_LEN); ++ typedef char escape_buf[HTML_ESCAPE_MAX_LEN]; ++ char *buf = *ALLOCV_N(escape_buf, vbuf, RSTRING_LEN(str)); + const char *cstr = RSTRING_PTR(str); + const char *end = cstr + RSTRING_LEN(str); + diff -pruN 3.0.2-7/debian/patches/CVE-2021-41817-1.patch 3.0.2-7ubuntu2/debian/patches/CVE-2021-41817-1.patch --- 3.0.2-7/debian/patches/CVE-2021-41817-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ 3.0.2-7ubuntu2/debian/patches/CVE-2021-41817-1.patch 2022-03-17 16:09:20.000000000 +0000 @@ -0,0 +1,921 @@ +From 3959accef8da5c128f8a8e2fd54e932a4fb253b0 Mon Sep 17 00:00:00 2001 +From: Yusuke Endoh +Date: Fri, 12 Nov 2021 12:15:25 +0900 +Subject: [PATCH] Add length limit option for methods that parses date strings + +`Date.parse` now raises an ArgumentError when a given date string is +longer than 128. You can configure the limit by giving `limit` keyword +arguments like `Date.parse(str, limit: 1000)`. If you pass `limit: nil`, +the limit is disabled. + +Not only `Date.parse` but also the following methods are changed. + +* Date._parse +* Date.parse +* DateTime.parse +* Date._iso8601 +* Date.iso8601 +* DateTime.iso8601 +* Date._rfc3339 +* Date.rfc3339 +* DateTime.rfc3339 +* Date._xmlschema +* Date.xmlschema +* DateTime.xmlschema +* Date._rfc2822 +* Date.rfc2822 +* DateTime.rfc2822 +* Date._rfc822 +* Date.rfc822 +* DateTime.rfc822 +* Date._jisx0301 +* Date.jisx0301 +* DateTime.jisx0301 +--- + date.gemspec | 2 +- + ext/date/date_core.c | 384 +++++++++++++++++++++++++++-------- + test/date/test_date_parse.rb | 29 +++ + 3 files changed, 326 insertions(+), 89 deletions(-) + +#diff --git a/date.gemspec b/date.gemspec +#index 88e5838..1a3ae81 100644 +#--- a/date.gemspec +#+++ b/date.gemspec +#@@ -1,7 +1,7 @@ +# # frozen_string_literal: true +# Gem::Specification.new do |s| +# s.name = "date" +#- s.version = '3.2.0' +#+ s.version = '3.2.1' +# s.summary = "A subclass of Object includes Comparable module for handling dates." +# s.description = "A subclass of Object includes Comparable module for handling dates." +# +diff --git a/ext/date/date_core.c b/ext/date/date_core.c +index 146f60f..e372a12 100644 +--- a/ext/date/date_core.c ++++ b/ext/date/date_core.c +@@ -4328,12 +4328,37 @@ date_s_strptime(int argc, VALUE *argv, VALUE klass) + + VALUE date__parse(VALUE str, VALUE comp); + ++static size_t ++get_limit(VALUE opt) ++{ ++ if (!NIL_P(opt)) { ++ VALUE limit = rb_hash_aref(opt, ID2SYM(rb_intern("limit"))); ++ if (NIL_P(limit)) return SIZE_MAX; ++ return NUM2SIZET(limit); ++ } ++ return 128; ++} ++ ++static void ++check_limit(VALUE str, VALUE opt) ++{ ++ StringValue(str); ++ size_t slen = RSTRING_LEN(str); ++ size_t limit = get_limit(opt); ++ if (slen > limit) { ++ rb_raise(rb_eArgError, ++ "string length (%"PRI_SIZE_PREFIX"u) exceeds the limit %"PRI_SIZE_PREFIX"u", slen, limit); ++ } ++} ++ + static VALUE + date_s__parse_internal(int argc, VALUE *argv, VALUE klass) + { +- VALUE vstr, vcomp, hash; ++ VALUE vstr, vcomp, hash, opt; + +- rb_scan_args(argc, argv, "11", &vstr, &vcomp); ++ rb_scan_args(argc, argv, "11:", &vstr, &vcomp, &opt); ++ if (!NIL_P(opt)) argc--; ++ check_limit(vstr, opt); + StringValue(vstr); + if (!rb_enc_str_asciicompat_p(vstr)) + rb_raise(rb_eArgError, +@@ -4348,7 +4373,7 @@ date_s__parse_internal(int argc, VALUE *argv, VALUE klass) + + /* + * call-seq: +- * Date._parse(string[, comp=true]) -> hash ++ * Date._parse(string[, comp=true], limit: 128) -> hash + * + * Parses the given representation of date and time, and returns a + * hash of parsed elements. +@@ -4363,6 +4388,10 @@ date_s__parse_internal(int argc, VALUE *argv, VALUE klass) + * it full. + * + * Date._parse('2001-02-03') #=> {:year=>2001, :mon=>2, :mday=>3} ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + date_s__parse(int argc, VALUE *argv, VALUE klass) +@@ -4372,7 +4401,7 @@ date_s__parse(int argc, VALUE *argv, VALUE klass) + + /* + * call-seq: +- * Date.parse(string='-4712-01-01'[, comp=true[, start=Date::ITALY]]) -> date ++ * Date.parse(string='-4712-01-01'[, comp=true[, start=Date::ITALY]], limit: 128) -> date + * + * Parses the given representation of date and time, and creates a + * date object. +@@ -4389,13 +4418,18 @@ date_s__parse(int argc, VALUE *argv, VALUE klass) + * Date.parse('2001-02-03') #=> # + * Date.parse('20010203') #=> # + * Date.parse('3rd Feb 2001') #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + date_s_parse(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, comp, sg; ++ VALUE str, comp, sg, opt; + +- rb_scan_args(argc, argv, "03", &str, &comp, &sg); ++ rb_scan_args(argc, argv, "03:", &str, &comp, &sg, &opt); ++ if (!NIL_P(opt)) argc--; + + switch (argc) { + case 0: +@@ -4407,11 +4441,12 @@ date_s_parse(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE argv2[2], hash; +- +- argv2[0] = str; +- argv2[1] = comp; +- hash = date_s__parse(2, argv2, klass); ++ int argc2 = 2; ++ VALUE argv2[3]; ++ argv2[0] = str; ++ argv2[1] = comp; ++ if (!NIL_P(opt)) argv2[argc2++] = opt; ++ VALUE hash = date_s__parse(argc2, argv2, klass); + return d_new_by_frags(klass, hash, sg); + } + } +@@ -4425,19 +4460,28 @@ VALUE date__jisx0301(VALUE); + + /* + * call-seq: +- * Date._iso8601(string) -> hash ++ * Date._iso8601(string, limit: 128) -> hash + * + * Returns a hash of parsed elements. ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE +-date_s__iso8601(VALUE klass, VALUE str) ++date_s__iso8601(int argc, VALUE *argv, VALUE klass) + { ++ VALUE str, opt; ++ ++ rb_scan_args(argc, argv, "1:", &str, &opt); ++ check_limit(str, opt); ++ + return date__iso8601(str); + } + + /* + * call-seq: +- * Date.iso8601(string='-4712-01-01'[, start=Date::ITALY]) -> date ++ * Date.iso8601(string='-4712-01-01'[, start=Date::ITALY], limit: 128) -> date + * + * Creates a new Date object by parsing from a string according to + * some typical ISO 8601 formats. +@@ -4445,13 +4489,18 @@ date_s__iso8601(VALUE klass, VALUE str) + * Date.iso8601('2001-02-03') #=> # + * Date.iso8601('20010203') #=> # + * Date.iso8601('2001-W05-6') #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + date_s_iso8601(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, sg; ++ VALUE str, sg, opt; + +- rb_scan_args(argc, argv, "02", &str, &sg); ++ rb_scan_args(argc, argv, "02:", &str, &sg, &opt); ++ if (!NIL_P(opt)) argc--; + + switch (argc) { + case 0: +@@ -4461,38 +4510,56 @@ date_s_iso8601(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE hash = date_s__iso8601(klass, str); ++ int argc2 = 1; ++ VALUE argv2[2]; ++ argv2[0] = str; ++ if (!NIL_P(opt)) argv2[argc2++] = opt; ++ VALUE hash = date_s__iso8601(argc2, argv2, klass); + return d_new_by_frags(klass, hash, sg); + } + } + + /* + * call-seq: +- * Date._rfc3339(string) -> hash ++ * Date._rfc3339(string, limit: 128) -> hash + * + * Returns a hash of parsed elements. ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE +-date_s__rfc3339(VALUE klass, VALUE str) ++date_s__rfc3339(int argc, VALUE *argv, VALUE klass) + { ++ VALUE str, opt; ++ ++ rb_scan_args(argc, argv, "1:", &str, &opt); ++ check_limit(str, opt); ++ + return date__rfc3339(str); + } + + /* + * call-seq: +- * Date.rfc3339(string='-4712-01-01T00:00:00+00:00'[, start=Date::ITALY]) -> date ++ * Date.rfc3339(string='-4712-01-01T00:00:00+00:00'[, start=Date::ITALY], limit: 128) -> date + * + * Creates a new Date object by parsing from a string according to + * some typical RFC 3339 formats. + * + * Date.rfc3339('2001-02-03T04:05:06+07:00') #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + date_s_rfc3339(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, sg; ++ VALUE str, sg, opt; + +- rb_scan_args(argc, argv, "02", &str, &sg); ++ rb_scan_args(argc, argv, "02:", &str, &sg, &opt); ++ if (!NIL_P(opt)) argc--; + + switch (argc) { + case 0: +@@ -4502,38 +4569,56 @@ date_s_rfc3339(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE hash = date_s__rfc3339(klass, str); ++ int argc2 = 1; ++ VALUE argv2[2]; ++ argv2[0] = str; ++ if (!NIL_P(opt)) argv2[argc2++] = opt; ++ VALUE hash = date_s__rfc3339(argc2, argv2, klass); + return d_new_by_frags(klass, hash, sg); + } + } + + /* + * call-seq: +- * Date._xmlschema(string) -> hash ++ * Date._xmlschema(string, limit: 128) -> hash + * + * Returns a hash of parsed elements. ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE +-date_s__xmlschema(VALUE klass, VALUE str) ++date_s__xmlschema(int argc, VALUE *argv, VALUE klass) + { ++ VALUE str, opt; ++ ++ rb_scan_args(argc, argv, "1:", &str, &opt); ++ check_limit(str, opt); ++ + return date__xmlschema(str); + } + + /* + * call-seq: +- * Date.xmlschema(string='-4712-01-01'[, start=Date::ITALY]) -> date ++ * Date.xmlschema(string='-4712-01-01'[, start=Date::ITALY], limit: 128) -> date + * + * Creates a new Date object by parsing from a string according to + * some typical XML Schema formats. + * + * Date.xmlschema('2001-02-03') #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + date_s_xmlschema(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, sg; ++ VALUE str, sg, opt; + +- rb_scan_args(argc, argv, "02", &str, &sg); ++ rb_scan_args(argc, argv, "02:", &str, &sg, &opt); ++ if (!NIL_P(opt)) argc--; + + switch (argc) { + case 0: +@@ -4543,41 +4628,58 @@ date_s_xmlschema(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE hash = date_s__xmlschema(klass, str); ++ int argc2 = 1; ++ VALUE argv2[2]; ++ argv2[0] = str; ++ if (!NIL_P(opt)) argv2[argc2++] = opt; ++ VALUE hash = date_s__xmlschema(argc2, argv2, klass); + return d_new_by_frags(klass, hash, sg); + } + } + + /* + * call-seq: +- * Date._rfc2822(string) -> hash +- * Date._rfc822(string) -> hash ++ * Date._rfc2822(string, limit: 128) -> hash ++ * Date._rfc822(string, limit: 128) -> hash + * + * Returns a hash of parsed elements. ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE +-date_s__rfc2822(VALUE klass, VALUE str) ++date_s__rfc2822(int argc, VALUE *argv, VALUE klass) + { ++ VALUE str, opt; ++ ++ rb_scan_args(argc, argv, "1:", &str, &opt); ++ check_limit(str, opt); ++ + return date__rfc2822(str); + } + + /* + * call-seq: +- * Date.rfc2822(string='Mon, 1 Jan -4712 00:00:00 +0000'[, start=Date::ITALY]) -> date +- * Date.rfc822(string='Mon, 1 Jan -4712 00:00:00 +0000'[, start=Date::ITALY]) -> date ++ * Date.rfc2822(string='Mon, 1 Jan -4712 00:00:00 +0000'[, start=Date::ITALY], limit: 128) -> date ++ * Date.rfc822(string='Mon, 1 Jan -4712 00:00:00 +0000'[, start=Date::ITALY], limit: 128) -> date + * + * Creates a new Date object by parsing from a string according to + * some typical RFC 2822 formats. + * + * Date.rfc2822('Sat, 3 Feb 2001 00:00:00 +0000') + * #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + date_s_rfc2822(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, sg; ++ VALUE str, sg, opt; + +- rb_scan_args(argc, argv, "02", &str, &sg); ++ rb_scan_args(argc, argv, "02:", &str, &sg, &opt); + + switch (argc) { + case 0: +@@ -4587,39 +4689,56 @@ date_s_rfc2822(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE hash = date_s__rfc2822(klass, str); ++ int argc2 = 1; ++ VALUE argv2[2]; ++ argv2[0] = str; ++ if (!NIL_P(opt)) argv2[argc2++] = opt; ++ VALUE hash = date_s__rfc2822(argc2, argv2, klass); + return d_new_by_frags(klass, hash, sg); + } + } + + /* + * call-seq: +- * Date._httpdate(string) -> hash ++ * Date._httpdate(string, limit: 128) -> hash + * + * Returns a hash of parsed elements. ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE +-date_s__httpdate(VALUE klass, VALUE str) ++date_s__httpdate(int argc, VALUE *argv, VALUE klass) + { ++ VALUE str, opt; ++ ++ rb_scan_args(argc, argv, "1:", &str, &opt); ++ check_limit(str, opt); ++ + return date__httpdate(str); + } + + /* + * call-seq: +- * Date.httpdate(string='Mon, 01 Jan -4712 00:00:00 GMT'[, start=Date::ITALY]) -> date ++ * Date.httpdate(string='Mon, 01 Jan -4712 00:00:00 GMT'[, start=Date::ITALY], limit: 128) -> date + * + * Creates a new Date object by parsing from a string according to + * some RFC 2616 format. + * + * Date.httpdate('Sat, 03 Feb 2001 00:00:00 GMT') + * #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + date_s_httpdate(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, sg; ++ VALUE str, sg, opt; + +- rb_scan_args(argc, argv, "02", &str, &sg); ++ rb_scan_args(argc, argv, "02:", &str, &sg, &opt); + + switch (argc) { + case 0: +@@ -4629,26 +4748,39 @@ date_s_httpdate(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE hash = date_s__httpdate(klass, str); ++ int argc2 = 1; ++ VALUE argv2[2]; ++ argv2[0] = str; ++ if (!NIL_P(opt)) argv2[argc2++] = opt; ++ VALUE hash = date_s__httpdate(argc2, argv2, klass); + return d_new_by_frags(klass, hash, sg); + } + } + + /* + * call-seq: +- * Date._jisx0301(string) -> hash ++ * Date._jisx0301(string, limit: 128) -> hash + * + * Returns a hash of parsed elements. ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE +-date_s__jisx0301(VALUE klass, VALUE str) ++date_s__jisx0301(int argc, VALUE *argv, VALUE klass) + { ++ VALUE str, opt; ++ ++ rb_scan_args(argc, argv, "1:", &str, &opt); ++ check_limit(str, opt); ++ + return date__jisx0301(str); + } + + /* + * call-seq: +- * Date.jisx0301(string='-4712-01-01'[, start=Date::ITALY]) -> date ++ * Date.jisx0301(string='-4712-01-01'[, start=Date::ITALY], limit: 128) -> date + * + * Creates a new Date object by parsing from a string according to + * some typical JIS X 0301 formats. +@@ -4658,13 +4790,18 @@ date_s__jisx0301(VALUE klass, VALUE str) + * For no-era year, legacy format, Heisei is assumed. + * + * Date.jisx0301('13.02.03') #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + date_s_jisx0301(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, sg; ++ VALUE str, sg, opt; + +- rb_scan_args(argc, argv, "02", &str, &sg); ++ rb_scan_args(argc, argv, "02:", &str, &sg, &opt); ++ if (!NIL_P(opt)) argc--; + + switch (argc) { + case 0: +@@ -4674,7 +4811,11 @@ date_s_jisx0301(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE hash = date_s__jisx0301(klass, str); ++ int argc2 = 1; ++ VALUE argv2[2]; ++ argv2[0] = str; ++ if (!NIL_P(opt)) argv2[argc2++] = opt; ++ VALUE hash = date_s__jisx0301(argc2, argv2, klass); + return d_new_by_frags(klass, hash, sg); + } + } +@@ -8013,7 +8154,7 @@ datetime_s_strptime(int argc, VALUE *argv, VALUE klass) + + /* + * call-seq: +- * DateTime.parse(string='-4712-01-01T00:00:00+00:00'[, comp=true[, start=Date::ITALY]]) -> datetime ++ * DateTime.parse(string='-4712-01-01T00:00:00+00:00'[, comp=true[, start=Date::ITALY]], limit: 128) -> datetime + * + * Parses the given representation of date and time, and creates a + * DateTime object. +@@ -8032,13 +8173,18 @@ datetime_s_strptime(int argc, VALUE *argv, VALUE klass) + * #=> # + * DateTime.parse('3rd Feb 2001 04:05:06 PM') + * #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + datetime_s_parse(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, comp, sg; ++ VALUE str, comp, sg, opt; + +- rb_scan_args(argc, argv, "03", &str, &comp, &sg); ++ rb_scan_args(argc, argv, "03:", &str, &comp, &sg, &opt); ++ if (!NIL_P(opt)) argc--; + + switch (argc) { + case 0: +@@ -8050,18 +8196,20 @@ datetime_s_parse(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE argv2[2], hash; +- +- argv2[0] = str; +- argv2[1] = comp; +- hash = date_s__parse(2, argv2, klass); ++ int argc2 = 2; ++ VALUE argv2[3]; ++ argv2[0] = str; ++ argv2[1] = comp; ++ argv2[2] = opt; ++ if (!NIL_P(opt)) argc2++; ++ VALUE hash = date_s__parse(argc2, argv2, klass); + return dt_new_by_frags(klass, hash, sg); + } + } + + /* + * call-seq: +- * DateTime.iso8601(string='-4712-01-01T00:00:00+00:00'[, start=Date::ITALY]) -> datetime ++ * DateTime.iso8601(string='-4712-01-01T00:00:00+00:00'[, start=Date::ITALY], limit: 128) -> datetime + * + * Creates a new DateTime object by parsing from a string according to + * some typical ISO 8601 formats. +@@ -8072,13 +8220,18 @@ datetime_s_parse(int argc, VALUE *argv, VALUE klass) + * #=> # + * DateTime.iso8601('2001-W05-6T04:05:06+07:00') + * #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + datetime_s_iso8601(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, sg; ++ VALUE str, sg, opt; + +- rb_scan_args(argc, argv, "02", &str, &sg); ++ rb_scan_args(argc, argv, "02:", &str, &sg, &opt); ++ if (!NIL_P(opt)) argc--; + + switch (argc) { + case 0: +@@ -8088,27 +8241,37 @@ datetime_s_iso8601(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE hash = date_s__iso8601(klass, str); ++ int argc2 = 1; ++ VALUE argv2[2]; ++ argv2[0] = str; ++ argv2[1] = opt; ++ if (!NIL_P(opt)) argc2--; ++ VALUE hash = date_s__iso8601(argc2, argv2, klass); + return dt_new_by_frags(klass, hash, sg); + } + } + + /* + * call-seq: +- * DateTime.rfc3339(string='-4712-01-01T00:00:00+00:00'[, start=Date::ITALY]) -> datetime ++ * DateTime.rfc3339(string='-4712-01-01T00:00:00+00:00'[, start=Date::ITALY], limit: 128) -> datetime + * + * Creates a new DateTime object by parsing from a string according to + * some typical RFC 3339 formats. + * + * DateTime.rfc3339('2001-02-03T04:05:06+07:00') + * #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + datetime_s_rfc3339(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, sg; ++ VALUE str, sg, opt; + +- rb_scan_args(argc, argv, "02", &str, &sg); ++ rb_scan_args(argc, argv, "02:", &str, &sg, &opt); ++ if (!NIL_P(opt)) argc--; + + switch (argc) { + case 0: +@@ -8118,27 +8281,37 @@ datetime_s_rfc3339(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE hash = date_s__rfc3339(klass, str); ++ int argc2 = 1; ++ VALUE argv2[2]; ++ argv2[0] = str; ++ argv2[1] = opt; ++ if (!NIL_P(opt)) argc2++; ++ VALUE hash = date_s__rfc3339(argc2, argv2, klass); + return dt_new_by_frags(klass, hash, sg); + } + } + + /* + * call-seq: +- * DateTime.xmlschema(string='-4712-01-01T00:00:00+00:00'[, start=Date::ITALY]) -> datetime ++ * DateTime.xmlschema(string='-4712-01-01T00:00:00+00:00'[, start=Date::ITALY], limit: 128) -> datetime + * + * Creates a new DateTime object by parsing from a string according to + * some typical XML Schema formats. + * + * DateTime.xmlschema('2001-02-03T04:05:06+07:00') + * #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + datetime_s_xmlschema(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, sg; ++ VALUE str, sg, opt; + +- rb_scan_args(argc, argv, "02", &str, &sg); ++ rb_scan_args(argc, argv, "02:", &str, &sg, &opt); ++ if (!NIL_P(opt)) argc--; + + switch (argc) { + case 0: +@@ -8148,28 +8321,38 @@ datetime_s_xmlschema(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE hash = date_s__xmlschema(klass, str); ++ int argc2 = 1; ++ VALUE argv2[2]; ++ argv2[0] = str; ++ argv2[1] = opt; ++ if (!NIL_P(opt)) argc2++; ++ VALUE hash = date_s__xmlschema(argc2, argv2, klass); + return dt_new_by_frags(klass, hash, sg); + } + } + + /* + * call-seq: +- * DateTime.rfc2822(string='Mon, 1 Jan -4712 00:00:00 +0000'[, start=Date::ITALY]) -> datetime +- * DateTime.rfc822(string='Mon, 1 Jan -4712 00:00:00 +0000'[, start=Date::ITALY]) -> datetime ++ * DateTime.rfc2822(string='Mon, 1 Jan -4712 00:00:00 +0000'[, start=Date::ITALY], limit: 128) -> datetime ++ * DateTime.rfc822(string='Mon, 1 Jan -4712 00:00:00 +0000'[, start=Date::ITALY], limit: 128) -> datetime + * + * Creates a new DateTime object by parsing from a string according to + * some typical RFC 2822 formats. + * + * DateTime.rfc2822('Sat, 3 Feb 2001 04:05:06 +0700') + * #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + datetime_s_rfc2822(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, sg; ++ VALUE str, sg, opt; + +- rb_scan_args(argc, argv, "02", &str, &sg); ++ rb_scan_args(argc, argv, "02:", &str, &sg, &opt); ++ if (!NIL_P(opt)) argc--; + + switch (argc) { + case 0: +@@ -8179,7 +8362,12 @@ datetime_s_rfc2822(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE hash = date_s__rfc2822(klass, str); ++ int argc2 = 1; ++ VALUE argv2[2]; ++ argv2[0] = str; ++ argv2[1] = opt; ++ if (!NIL_P(opt)) argc2++; ++ VALUE hash = date_s__rfc2822(argc2, argv2, klass); + return dt_new_by_frags(klass, hash, sg); + } + } +@@ -8193,13 +8381,18 @@ datetime_s_rfc2822(int argc, VALUE *argv, VALUE klass) + * + * DateTime.httpdate('Sat, 03 Feb 2001 04:05:06 GMT') + * #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + datetime_s_httpdate(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, sg; ++ VALUE str, sg, opt; + +- rb_scan_args(argc, argv, "02", &str, &sg); ++ rb_scan_args(argc, argv, "02:", &str, &sg, &opt); ++ if (!NIL_P(opt)) argc--; + + switch (argc) { + case 0: +@@ -8209,14 +8402,19 @@ datetime_s_httpdate(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE hash = date_s__httpdate(klass, str); ++ int argc2 = 1; ++ VALUE argv2[2]; ++ argv2[0] = str; ++ argv2[1] = opt; ++ if (!NIL_P(opt)) argc2++; ++ VALUE hash = date_s__httpdate(argc2, argv2, klass); + return dt_new_by_frags(klass, hash, sg); + } + } + + /* + * call-seq: +- * DateTime.jisx0301(string='-4712-01-01T00:00:00+00:00'[, start=Date::ITALY]) -> datetime ++ * DateTime.jisx0301(string='-4712-01-01T00:00:00+00:00'[, start=Date::ITALY], limit: 128) -> datetime + * + * Creates a new DateTime object by parsing from a string according to + * some typical JIS X 0301 formats. +@@ -8228,13 +8426,18 @@ datetime_s_httpdate(int argc, VALUE *argv, VALUE klass) + * + * DateTime.jisx0301('13.02.03T04:05:06+07:00') + * #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + datetime_s_jisx0301(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, sg; ++ VALUE str, sg, opt; + +- rb_scan_args(argc, argv, "02", &str, &sg); ++ rb_scan_args(argc, argv, "02:", &str, &sg, &opt); ++ if (!NIL_P(opt)) argc--; + + switch (argc) { + case 0: +@@ -8244,7 +8447,12 @@ datetime_s_jisx0301(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE hash = date_s__jisx0301(klass, str); ++ int argc2 = 1; ++ VALUE argv2[2]; ++ argv2[0] = str; ++ argv2[1] = opt; ++ if (!NIL_P(opt)) argc2++; ++ VALUE hash = date_s__jisx0301(argc2, argv2, klass); + return dt_new_by_frags(klass, hash, sg); + } + } +@@ -9403,19 +9611,19 @@ Init_date_core(void) + rb_define_singleton_method(cDate, "strptime", date_s_strptime, -1); + rb_define_singleton_method(cDate, "_parse", date_s__parse, -1); + rb_define_singleton_method(cDate, "parse", date_s_parse, -1); +- rb_define_singleton_method(cDate, "_iso8601", date_s__iso8601, 1); ++ rb_define_singleton_method(cDate, "_iso8601", date_s__iso8601, -1); + rb_define_singleton_method(cDate, "iso8601", date_s_iso8601, -1); +- rb_define_singleton_method(cDate, "_rfc3339", date_s__rfc3339, 1); ++ rb_define_singleton_method(cDate, "_rfc3339", date_s__rfc3339, -1); + rb_define_singleton_method(cDate, "rfc3339", date_s_rfc3339, -1); +- rb_define_singleton_method(cDate, "_xmlschema", date_s__xmlschema, 1); ++ rb_define_singleton_method(cDate, "_xmlschema", date_s__xmlschema, -1); + rb_define_singleton_method(cDate, "xmlschema", date_s_xmlschema, -1); +- rb_define_singleton_method(cDate, "_rfc2822", date_s__rfc2822, 1); +- rb_define_singleton_method(cDate, "_rfc822", date_s__rfc2822, 1); ++ rb_define_singleton_method(cDate, "_rfc2822", date_s__rfc2822, -1); ++ rb_define_singleton_method(cDate, "_rfc822", date_s__rfc2822, -1); + rb_define_singleton_method(cDate, "rfc2822", date_s_rfc2822, -1); + rb_define_singleton_method(cDate, "rfc822", date_s_rfc2822, -1); +- rb_define_singleton_method(cDate, "_httpdate", date_s__httpdate, 1); ++ rb_define_singleton_method(cDate, "_httpdate", date_s__httpdate, -1); + rb_define_singleton_method(cDate, "httpdate", date_s_httpdate, -1); +- rb_define_singleton_method(cDate, "_jisx0301", date_s__jisx0301, 1); ++ rb_define_singleton_method(cDate, "_jisx0301", date_s__jisx0301, -1); + rb_define_singleton_method(cDate, "jisx0301", date_s_jisx0301, -1); + + rb_define_method(cDate, "initialize", date_initialize, -1); +diff --git a/test/date/test_date_parse.rb b/test/date/test_date_parse.rb +index 9f92635..a486451 100644 +--- a/test/date/test_date_parse.rb ++++ b/test/date/test_date_parse.rb +@@ -1,6 +1,7 @@ + # frozen_string_literal: true + require 'test/unit' + require 'date' ++require 'timeout' + + class TestDateParse < Test::Unit::TestCase + +@@ -1228,4 +1229,32 @@ def test_given_string + assert_equal(s0, s) + end + ++ def test_length_limit ++ assert_raise(ArgumentError) { Date._parse("1" * 1000) } ++ assert_raise(ArgumentError) { Date._iso8601("1" * 1000) } ++ assert_raise(ArgumentError) { Date._rfc3339("1" * 1000) } ++ assert_raise(ArgumentError) { Date._xmlschema("1" * 1000) } ++ assert_raise(ArgumentError) { Date._rfc2822("1" * 1000) } ++ assert_raise(ArgumentError) { Date._rfc822("1" * 1000) } ++ assert_raise(ArgumentError) { Date._jisx0301("1" * 1000) } ++ ++ assert_raise(ArgumentError) { Date.parse("1" * 1000) } ++ assert_raise(ArgumentError) { Date.iso8601("1" * 1000) } ++ assert_raise(ArgumentError) { Date.rfc3339("1" * 1000) } ++ assert_raise(ArgumentError) { Date.xmlschema("1" * 1000) } ++ assert_raise(ArgumentError) { Date.rfc2822("1" * 1000) } ++ assert_raise(ArgumentError) { Date.rfc822("1" * 1000) } ++ assert_raise(ArgumentError) { Date.jisx0301("1" * 1000) } ++ ++ assert_raise(ArgumentError) { DateTime.parse("1" * 1000) } ++ assert_raise(ArgumentError) { DateTime.iso8601("1" * 1000) } ++ assert_raise(ArgumentError) { DateTime.rfc3339("1" * 1000) } ++ assert_raise(ArgumentError) { DateTime.xmlschema("1" * 1000) } ++ assert_raise(ArgumentError) { DateTime.rfc2822("1" * 1000) } ++ assert_raise(ArgumentError) { DateTime.rfc822("1" * 1000) } ++ assert_raise(ArgumentError) { DateTime.jisx0301("1" * 1000) } ++ ++ assert_raise(ArgumentError) { Date._parse("Jan " + "9" * 1000000) } ++ assert_raise(Timeout::Error) { Timeout.timeout(1) { Date._parse("Jan " + "9" * 1000000, limit: nil) } } ++ end + end diff -pruN 3.0.2-7/debian/patches/CVE-2021-41817-2.patch 3.0.2-7ubuntu2/debian/patches/CVE-2021-41817-2.patch --- 3.0.2-7/debian/patches/CVE-2021-41817-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ 3.0.2-7ubuntu2/debian/patches/CVE-2021-41817-2.patch 2022-03-17 16:09:20.000000000 +0000 @@ -0,0 +1,95 @@ +From 8f2d7a0c7e52cea8333824bd527822e5449ed83d Mon Sep 17 00:00:00 2001 +From: Jean Boussier +Date: Mon, 15 Nov 2021 11:37:40 +0100 +Subject: [PATCH] `Date._(nil)` should return an empty Hash + +Fix: https://github.com/ruby/date/issues/39 + +This is how versions previous to 3.2.1 behaved and Active Support +currently rely on this behavior. + +https://github.com/rails/rails/blob/90357af08048ef5076730505f6e7b14a81f33d0c/activesupport/lib/active_support/values/time_zone.rb#L383-L384 + +Any Rails application upgrading to date `3.2.1` might run into unexpected errors. +--- + ext/date/date_core.c | 2 ++ + test/date/test_date_parse.rb | 18 ++++++++++++++++++ + 2 files changed, 20 insertions(+) + +diff --git a/ext/date/date_core.c b/ext/date/date_core.c +index e372a12..d1d03fe 100644 +--- a/ext/date/date_core.c ++++ b/ext/date/date_core.c +@@ -4342,6 +4342,8 @@ get_limit(VALUE opt) + static void + check_limit(VALUE str, VALUE opt) + { ++ if (NIL_P(str)) return; ++ + StringValue(str); + size_t slen = RSTRING_LEN(str); + size_t limit = get_limit(opt); +diff --git a/test/date/test_date_parse.rb b/test/date/test_date_parse.rb +index a486451..1217ee8 100644 +--- a/test/date/test_date_parse.rb ++++ b/test/date/test_date_parse.rb +@@ -848,6 +848,9 @@ def test__iso8601 + + h = Date._iso8601('') + assert_equal({}, h) ++ ++ h = Date._iso8601(nil) ++ assert_equal({}, h) + end + + def test__rfc3339 +@@ -863,6 +866,9 @@ def test__rfc3339 + + h = Date._rfc3339('') + assert_equal({}, h) ++ ++ h = Date._rfc3339(nil) ++ assert_equal({}, h) + end + + def test__xmlschema +@@ -945,6 +951,9 @@ def test__xmlschema + + h = Date._xmlschema('') + assert_equal({}, h) ++ ++ h = Date._xmlschema(nil) ++ assert_equal({}, h) + end + + def test__rfc2822 +@@ -977,6 +986,9 @@ def test__rfc2822 + + h = Date._rfc2822('') + assert_equal({}, h) ++ ++ h = Date._rfc2822(nil) ++ assert_equal({}, h) + end + + def test__httpdate +@@ -997,6 +1009,9 @@ def test__httpdate + + h = Date._httpdate('') + assert_equal({}, h) ++ ++ h = Date._httpdate(nil) ++ assert_equal({}, h) + end + + def test__jisx0301 +@@ -1073,6 +1088,9 @@ def test__jisx0301 + + h = Date._jisx0301('') + assert_equal({}, h) ++ ++ h = Date._jisx0301(nil) ++ assert_equal({}, h) + end + + def test_iso8601 diff -pruN 3.0.2-7/debian/patches/CVE-2021-41817-3.patch 3.0.2-7ubuntu2/debian/patches/CVE-2021-41817-3.patch --- 3.0.2-7/debian/patches/CVE-2021-41817-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ 3.0.2-7ubuntu2/debian/patches/CVE-2021-41817-3.patch 2022-03-17 16:09:20.000000000 +0000 @@ -0,0 +1,92 @@ +From 376c65942bd1d81803f14d37351737df60ec4664 Mon Sep 17 00:00:00 2001 +From: Jean Boussier +Date: Tue, 16 Nov 2021 14:03:42 +0100 +Subject: [PATCH] check_limit: also handle symbols + +--- + ext/date/date_core.c | 1 + + test/date/test_date_parse.rb | 24 ++++++++++++++++++++++++ + 2 files changed, 25 insertions(+) + +diff --git a/ext/date/date_core.c b/ext/date/date_core.c +index d1d03fe..f6579b8 100644 +--- a/ext/date/date_core.c ++++ b/ext/date/date_core.c +@@ -4343,6 +4343,7 @@ static void + check_limit(VALUE str, VALUE opt) + { + if (NIL_P(str)) return; ++ if (SYMBOL_P(str)) str = rb_sym2str(str); + + StringValue(str); + size_t slen = RSTRING_LEN(str); +diff --git a/test/date/test_date_parse.rb b/test/date/test_date_parse.rb +index 1217ee8..34a672b 100644 +--- a/test/date/test_date_parse.rb ++++ b/test/date/test_date_parse.rb +@@ -851,6 +851,10 @@ def test__iso8601 + + h = Date._iso8601(nil) + assert_equal({}, h) ++ ++ h = Date._iso8601('01-02-03T04:05:06Z'.to_sym) ++ assert_equal([2001, 2, 3, 4, 5, 6, 0], ++ h.values_at(:year, :mon, :mday, :hour, :min, :sec, :offset)) + end + + def test__rfc3339 +@@ -869,6 +873,10 @@ def test__rfc3339 + + h = Date._rfc3339(nil) + assert_equal({}, h) ++ ++ h = Date._rfc3339('2001-02-03T04:05:06Z'.to_sym) ++ assert_equal([2001, 2, 3, 4, 5, 6, 0], ++ h.values_at(:year, :mon, :mday, :hour, :min, :sec, :offset)) + end + + def test__xmlschema +@@ -954,6 +962,10 @@ def test__xmlschema + + h = Date._xmlschema(nil) + assert_equal({}, h) ++ ++ h = Date._xmlschema('2001-02-03'.to_sym) ++ assert_equal([2001, 2, 3, nil, nil, nil, nil], ++ h.values_at(:year, :mon, :mday, :hour, :min, :sec, :offset)) + end + + def test__rfc2822 +@@ -989,6 +1001,10 @@ def test__rfc2822 + + h = Date._rfc2822(nil) + assert_equal({}, h) ++ ++ h = Date._rfc2822('Sat, 3 Feb 2001 04:05:06 UT'.to_sym) ++ assert_equal([2001, 2, 3, 4, 5, 6, 0], ++ h.values_at(:year, :mon, :mday, :hour, :min, :sec, :offset)) + end + + def test__httpdate +@@ -1012,6 +1028,10 @@ def test__httpdate + + h = Date._httpdate(nil) + assert_equal({}, h) ++ ++ h = Date._httpdate('Sat, 03 Feb 2001 04:05:06 GMT'.to_sym) ++ assert_equal([2001, 2, 3, 4, 5, 6, 0], ++ h.values_at(:year, :mon, :mday, :hour, :min, :sec, :offset)) + end + + def test__jisx0301 +@@ -1091,6 +1111,10 @@ def test__jisx0301 + + h = Date._jisx0301(nil) + assert_equal({}, h) ++ ++ h = Date._jisx0301('H13.02.03T04:05:06.07+0100'.to_sym) ++ assert_equal([2001, 2, 3, 4, 5, 6, 3600], ++ h.values_at(:year, :mon, :mday, :hour, :min, :sec, :offset)) + end + + def test_iso8601 diff -pruN 3.0.2-7/debian/patches/CVE-2021-41819.patch 3.0.2-7ubuntu2/debian/patches/CVE-2021-41819.patch --- 3.0.2-7/debian/patches/CVE-2021-41819.patch 1970-01-01 00:00:00.000000000 +0000 +++ 3.0.2-7ubuntu2/debian/patches/CVE-2021-41819.patch 2022-03-17 16:09:20.000000000 +0000 @@ -0,0 +1,38 @@ +From 052eb3a828b0f99bca39cfd800f6c2b91307dbd5 Mon Sep 17 00:00:00 2001 +From: Nobuyoshi Nakada +Date: Mon, 29 Jun 2020 10:29:25 +0900 +Subject: [PATCH] When parsing cookies, only decode the values + +--- + lib/cgi/cookie.rb | 1 - + test/cgi/test_cgi_cookie.rb | 5 +++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lib/cgi/cookie.rb b/lib/cgi/cookie.rb +index ae9ab58..6b0d89c 100644 +--- a/lib/cgi/cookie.rb ++++ b/lib/cgi/cookie.rb +@@ -159,7 +159,6 @@ def self.parse(raw_cookie) + raw_cookie.split(/;\s?/).each do |pairs| + name, values = pairs.split('=',2) + next unless name and values +- name = CGI.unescape(name) + values ||= "" + values = values.split('&').collect{|v| CGI.unescape(v,@@accept_charset) } + if cookies.has_key?(name) +diff --git a/test/cgi/test_cgi_cookie.rb b/test/cgi/test_cgi_cookie.rb +index 115a57e..985cc0d 100644 +--- a/test/cgi/test_cgi_cookie.rb ++++ b/test/cgi/test_cgi_cookie.rb +@@ -101,6 +101,11 @@ def test_cgi_cookie_parse + end + end + ++ def test_cgi_cookie_parse_not_decode_name ++ cookie_str = "%66oo=baz;foo=bar" ++ cookies = CGI::Cookie.parse(cookie_str) ++ assert_equal({"%66oo" => ["baz"], "foo" => ["bar"]}, cookies) ++ end + + def test_cgi_cookie_arrayinterface + cookie = CGI::Cookie.new('name1', 'a', 'b', 'c') diff -pruN 3.0.2-7/debian/patches/series 3.0.2-7ubuntu2/debian/patches/series --- 3.0.2-7/debian/patches/series 2022-01-20 20:29:30.000000000 +0000 +++ 3.0.2-7ubuntu2/debian/patches/series 2022-03-17 16:09:20.000000000 +0000 @@ -12,3 +12,8 @@ ruby_default_arch.m4-don-t-require-arhit rand_init-fix-off-by-one-error.patch Update-openssl-to-version-3.0.0.patch Update-rubygems-to-version-3.3.3.patch +CVE-2021-41816.patch +CVE-2021-41817-1.patch +CVE-2021-41817-2.patch +CVE-2021-41817-3.patch +CVE-2021-41819.patch diff -pruN 3.0.2-7/debian/rules 3.0.2-7ubuntu2/debian/rules --- 3.0.2-7/debian/rules 2022-01-20 20:31:19.000000000 +0000 +++ 3.0.2-7ubuntu2/debian/rules 2022-03-14 18:11:38.000000000 +0000 @@ -164,6 +164,6 @@ override_dh_install-arch: dh_install override_dh_gencontrol: - ./debian/genprovides $(CURDIR)/debian/libruby$(RUBY_VERSION)/usr/lib/ruby/gems/$(RUBY_API_VERSION)/specifications/default/ \ + ./debian/genprovides $(CURDIR)/debian/libruby$(RUBY_VERSION)/usr/lib/ruby/gems/$(RUBY_API_VERSION)/specifications/ \ >> debian/libruby$(RUBY_VERSION).substvars dh_gencontrol