Bug 950334 (CVE-2025-27219, CVE-2025-27220) - <dev-ruby/cgi-0.4.2: Denial of Service
Summary: <dev-ruby/cgi-0.4.2: Denial of Service
Status: RESOLVED FIXED
Alias: CVE-2025-27219, CVE-2025-27220
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://www.ruby-lang.org/en/news/202...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2025-02-27 10:25 UTC by Hans de Graaff
Modified: 2025-03-23 14:21 UTC

See Also:
Package list:
Runtime testing required: ---
Description Hans de Graaff gentoo-dev Security 2025-02-27 10:25:59 UTC
CVE-2025-27219: Denial of Service in CGI::Cookie.parse.

There is a possibility for DoS in the cgi gem. This vulnerability has been assigned the CVE identifier CVE-2025-27219. We recommend upgrading the cgi gem.


Details

CGI::Cookie.parse took super-linear time to parse a cookie string in some cases. Feeding a maliciously crafted cookie string into the method could lead to a Denial of Service.

Please update the CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.


Affected versions

    cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.



CVE-2025-27220: ReDoS in CGI::Util#escapeElement.

There is a possibility for Regular expression Denial of Service (ReDoS) in the cgi gem. This vulnerability has been assigned the CVE identifier CVE-2025-27220. We recommend upgrading the cgi gem.


Details

The regular expression used in CGI::Util#escapeElement is vulnerable to ReDoS. The crafted input could lead to a high CPU consumption.

This vulnerability only affects Ruby 3.1 and 3.2. If you are using these versions, please update the CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.


Affected versions

    cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.
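An added example, not part of the bug report or the Ruby advisory, that encodes the affected and fixed versions quoted above so an administrator can check which cgi gem releases on a host still need the update. It uses only rubygems' Gem::Version and Gem::Requirement, and assumes the version lists above are complete; the fix branches (0.3.5.1, 0.3.7, 0.4.2) mean a single "newer than X" comparison is wrong, since 0.3.6 sorts above 0.3.5.1 but is still affected.

```ruby
# Added example for the cgi gem advisory (CVE-2025-27219 / CVE-2025-27220).
# Not the gem's or Gentoo's own code; version data is copied from the advisory.
require 'rubygems'

# Affected ranges, one per release branch, each closed by its fix release:
#   <= 0.3.5  -> fixed in 0.3.5.1
#   0.3.6     -> fixed in 0.3.7
#   0.4.0/1   -> fixed in 0.4.2
CGI_VULNERABLE_RANGES = [
  Gem::Requirement.new('< 0.3.5.1'),
  Gem::Requirement.new('>= 0.3.6', '< 0.3.7'),
  Gem::Requirement.new('>= 0.4.0', '< 0.4.2'),
].freeze

# CVE-2025-27220 (ReDoS in CGI::Util#escapeElement) only matters on Ruby 3.1/3.2.
REDOS_RUBY_RANGE = Gem::Requirement.new('>= 3.1', '< 3.3')

# True when the given cgi gem version string falls in any affected range.
def cgi_vulnerable?(gem_version)
  v = Gem::Version.new(gem_version)
  CGI_VULNERABLE_RANGES.any? { |range| range.satisfied_by?(v) }
end

# CVE identifiers that apply to this gem version on this Ruby version.
# CVE-2025-27219 applies to every affected gem version; CVE-2025-27220 is
# added only when the interpreter is in the Ruby 3.1/3.2 window.
def cgi_cves(gem_version, ruby_version = RUBY_VERSION)
  return [] unless cgi_vulnerable?(gem_version)

  cves = ['CVE-2025-27219']
  cves << 'CVE-2025-27220' if REDOS_RUBY_RANGE.satisfied_by?(Gem::Version.new(ruby_version))
  cves
end

# Report every installed copy of the cgi gem (it is a default gem, so at
# least one copy is normally present) together with the CVEs still open.
def installed_cgi_report
  Gem::Specification.find_all_by_name('cgi').map do |spec|
    [spec.version.to_s, cgi_cves(spec.version.to_s)]
  end
end

if $PROGRAM_NAME == __FILE__
  installed_cgi_report.each do |version, cves|
    status = cves.empty? ? 'ok' : "affected: #{cves.join(', ')}"
    puts "cgi #{version} on ruby #{RUBY_VERSION}: #{status}"
  end
end
```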
Comment 1 Larry the Git Cow gentoo-dev 2025-02-28 06:43:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e3cb9cfb86bb49d85dbbeceacd1d21d5df9c7ab

commit 3e3cb9cfb86bb49d85dbbeceacd1d21d5df9c7ab
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2025-02-28 06:41:39 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2025-02-28 06:42:09 +0000

    dev-ruby/cgi: add 0.4.2
    
    Bug: https://bugs.gentoo.org/950334
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/cgi/Manifest         |  1 +
 dev-ruby/cgi/cgi-0.4.2.ebuild | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2025-03-01 21:00:33 UTC
all unstable + fixed in tree -> cleanup?
Comment 3 Larry the Git Cow gentoo-dev 2025-03-23 14:18:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e77bf3352d0dd3535ae6f320e260703f70407dca

commit e77bf3352d0dd3535ae6f320e260703f70407dca
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2025-03-23 14:17:45 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2025-03-23 14:18:25 +0000

    dev-ruby/cgi: drop 0.4.1
    
    Bug: https://bugs.gentoo.org/950334
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/cgi/Manifest         |  1 -
 dev-ruby/cgi/cgi-0.4.1.ebuild | 33 ---------------------------------
 2 files changed, 34 deletions(-)