[AutoPR- Security] Patch ruby for CVE-2025-61594 [LOW] (#15436)

azurelinux-security · archana25-ms · web-flow · commit cabd233beae3 · 2026-01-22T18:09:56.000+05:30
Co-authored-by: Archana Shettigar &lt;v-shettigara@microsoft.com&gt;
diff --git a/SPECS/ruby/CVE-2025-61594.patch b/SPECS/ruby/CVE-2025-61594.patch
@@ -0,0 +1,170 @@
+From 612a8aa90e3d4c3eb2f7e6f24d52eac8fd440df3 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Sat, 12 Jul 2025 11:51:31 +0900
+Subject: [PATCH] Clear user info totally at setting any of authority info
+
+CVE-2025-61594: URI Credential Leakage Bypass over CVE-2025-27221
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/ruby/uri/commit/20157e3e29b125ff41f1d9662e2e3b1d066f5902
+---
+ lib/uri/generic.rb       | 29 +++++++++++++++++++++--------
+ test/uri/test_generic.rb | 15 ++++++++++-----
+ 2 files changed, 31 insertions(+), 13 deletions(-)
+
+diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
+index 2c0a88d..c893ed1 100644
+--- a/lib/uri/generic.rb
++++ b/lib/uri/generic.rb
+@@ -186,18 +186,18 @@ module URI
+ 
+       if arg_check
+         self.scheme = scheme
+-        self.userinfo = userinfo
+         self.hostname = host
+         self.port = port
++        self.userinfo = userinfo
+         self.path = path
+         self.query = query
+         self.opaque = opaque
+         self.fragment = fragment
+       else
+         self.set_scheme(scheme)
+-        self.set_userinfo(userinfo)
+         self.set_host(host)
+         self.set_port(port)
++        self.set_userinfo(userinfo)
+         self.set_path(path)
+         self.query = query
+         self.set_opaque(opaque)
+@@ -511,7 +511,7 @@ module URI
+         user, password = split_userinfo(user)
+       end
+       @user     = user
+-      @password = password if password
++      @password = password
+ 
+       [@user, @password]
+     end
+@@ -522,7 +522,7 @@ module URI
+     # See also URI::Generic.user=.
+     #
+     def set_user(v)
+-      set_userinfo(v, @password)
++      set_userinfo(v, nil)
+       v
+     end
+     protected :set_user
+@@ -574,6 +574,12 @@ module URI
+       @password
+     end
+ 
++    # Returns the authority info (array of user, password, host and
++    # port), if any is set.  Or returns +nil+.
++    def authority
++      return @user, @password, @host, @port if @user || @password || @host || @port
++    end
++
+     # Returns the user component after URI decoding.
+     def decoded_user
+       URI.decode_uri_component(@user) if @user
+@@ -615,6 +621,13 @@ module URI
+     end
+     protected :set_host
+ 
++    # Protected setter for the authority info (+user+, +password+, +host+
++    # and +port+).  If +port+ is +nil+, +default_port+ will be set.
++    #
++    protected def set_authority(user, password, host, port = nil)
++      @user, @password, @host, @port = user, password, host, port || self.default_port
++    end
++
+     #
+     # == Args
+     #
+@@ -639,6 +652,7 @@ module URI
+     def host=(v)
+       check_host(v)
+       set_host(v)
++      set_userinfo(nil)
+       v
+     end
+ 
+@@ -729,6 +743,7 @@ module URI
+     def port=(v)
+       check_port(v)
+       set_port(v)
++      set_userinfo(nil)
+       port
+     end
+ 
+@@ -1121,7 +1136,7 @@ module URI
+ 
+       base = self.dup
+ 
+-      authority = rel.userinfo || rel.host || rel.port
++      authority = rel.authority
+ 
+       # RFC2396, Section 5.2, 2)
+       if (rel.path.nil? || rel.path.empty?) && !authority && !rel.query
+@@ -1134,9 +1149,7 @@ module URI
+ 
+       # RFC2396, Section 5.2, 4)
+       if authority
+-        base.set_userinfo(rel.userinfo)
+-        base.set_host(rel.host)
+-        base.set_port(rel.port || base.default_port)
++        base.set_authority(*authority)
+         base.set_path(rel.path)
+       elsif base.path && rel.path
+         base.set_path(merge_path(base.path, rel.path))
+diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
+index 1a70dd4..dc41b54 100644
+--- a/test/uri/test_generic.rb
++++ b/test/uri/test_generic.rb
+@@ -272,6 +272,9 @@ class URI::TestGeneric < Test::Unit::TestCase
+     u0 = URI.parse('http://new.example.org/path')
+     u1 = u.merge('//new.example.org/path')
+     assert_equal(u0, u1)
++    u0 = URI.parse('http://other@example.net')
++    u1 = u.merge('//other@example.net')
++    assert_equal(u0, u1)
+   end
+ 
+   def test_route
+@@ -737,17 +740,18 @@ class URI::TestGeneric < Test::Unit::TestCase
+   def test_set_component
+     uri = URI.parse('http://foo:bar@baz')
+     assert_equal('oof', uri.user = 'oof')
+-    assert_equal('http://oof:bar@baz', uri.to_s)
++    assert_equal('http://oof@baz', uri.to_s)
+     assert_equal('rab', uri.password = 'rab')
+     assert_equal('http://oof:rab@baz', uri.to_s)
+     assert_equal('foo', uri.userinfo = 'foo')
+-    assert_equal('http://foo:rab@baz', uri.to_s)
++    assert_equal('http://foo@baz', uri.to_s)
+     assert_equal(['foo', 'bar'], uri.userinfo = ['foo', 'bar'])
+     assert_equal('http://foo:bar@baz', uri.to_s)
+     assert_equal(['foo'], uri.userinfo = ['foo'])
+-    assert_equal('http://foo:bar@baz', uri.to_s)
++    assert_equal('http://foo@baz', uri.to_s)
+     assert_equal('zab', uri.host = 'zab')
+-    assert_equal('http://foo:bar@zab', uri.to_s)
++    assert_equal('http://zab', uri.to_s)
++    uri.userinfo = ['foo', 'bar']
+     uri.port = ""
+     assert_nil(uri.port)
+     uri.port = "80"
+@@ -757,7 +761,8 @@ class URI::TestGeneric < Test::Unit::TestCase
+     uri.port = " 080 "
+     assert_equal(80, uri.port)
+     assert_equal(8080, uri.port = 8080)
+-    assert_equal('http://foo:bar@zab:8080', uri.to_s)
++    assert_equal('http://zab:8080', uri.to_s)
++    uri = URI.parse('http://foo:bar@zab:8080')
+     assert_equal('/', uri.path = '/')
+     assert_equal('http://foo:bar@zab:8080/', uri.to_s)
+     assert_equal('a=1', uri.query = 'a=1')
+-- 
+2.45.4
+
diff --git a/SPECS/ruby/ruby.spec b/SPECS/ruby/ruby.spec
@@ -87,7 +87,7 @@ Name:           ruby
 # provides should be versioned according to the ruby version.
 # More info: https://stdgems.org/
 Version:        %{ruby_version}
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        (Ruby OR BSD) AND Public Domain AND MIT AND CC0 AND zlib AND UCD
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -112,6 +112,7 @@ Patch5:         CVE-2025-27220.patch
 Patch6:         CVE-2025-27221.patch
 Patch7:         CVE-2025-6442.patch
 Patch8:         CVE-2025-24294.patch
+Patch9:         CVE-2025-61594.patch
 BuildRequires:  openssl-devel
 # Pkgconfig(yaml-0.1) is needed to build the 'psych' gem.
 BuildRequires:  pkgconfig(yaml-0.1)
@@ -416,6 +417,9 @@ sudo -u test make test TESTS="-v"
 %{_rpmconfigdir}/rubygems.con
 
 %changelog
+* Mon Jan 05 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.3.5-7
+- Patch for CVE-2025-61594
+
 * Fri Oct 17 2025 BinduSri Adabala <v-badabala@microsoft.com> - 3.3.5-6
 - Bump release to build with new rubygem-rexml to fix CVE-2025-58767
 
