[Medium] Patch ruby for CVE-2025-24294 (#14295)

BinduSri-6522866 · web-flow · commit 101be89846c5 · 2025-08-11T10:15:58.000+05:30
diff --git a/SPECS/ruby/CVE-2025-24294.patch b/SPECS/ruby/CVE-2025-24294.patch
@@ -0,0 +1,56 @@
+From 0402b9455a79af510e18bbd60f83427fe30fea86 Mon Sep 17 00:00:00 2001
+From: BinduSri-6522866 <v-badabala@microsoft.com>
+Date: Tue, 15 Jul 2025 07:41:43 +0000
+Subject: [PATCH] Address CVE-2025-24294
+
+Upstream Patch reference: https://github.com/ruby/resolv/commit/4c2f71b5e80826506f78417d85b38481c058fb25
+---
+ lib/resolv.rb           | 6 +++++-
+ test/resolv/test_dns.rb | 7 +++++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/lib/resolv.rb b/lib/resolv.rb
+index 57fd173..778891c 100644
+--- a/lib/resolv.rb
++++ b/lib/resolv.rb
+@@ -1655,6 +1655,7 @@ class Resolv
+           prev_index = @index
+           save_index = nil
+           d = []
++          size = -1
+           while true
+             raise DecodeError.new("limit exceeded") if @limit <= @index
+             case @data.getbyte(@index)
+@@ -1675,7 +1676,10 @@ class Resolv
+               end
+               @index = idx
+             else
+-              d << self.get_label
++              l = self.get_label
++              d << l
++              size += 1 + l.string.bytesize
++              raise DecodeError.new("name label data exceed 255 octets") if size > 255
+             end
+           end
+         end
+diff --git a/test/resolv/test_dns.rb b/test/resolv/test_dns.rb
+index 20c3408..c25026e 100644
+--- a/test/resolv/test_dns.rb
++++ b/test/resolv/test_dns.rb
+@@ -589,6 +589,13 @@ class TestResolvDNS < Test::Unit::TestCase
+     assert_operator(2**14, :<, m.to_s.length)
+   end
+ 
++  def test_too_long_address
++    too_long_address_message = [0, 0, 1, 0, 0, 0].pack("n*") + "\x01x" * 129 + [0, 0, 0].pack("cnn")
++    assert_raise_with_message(Resolv::DNS::DecodeError, /name label data exceed 255 octets/) do
++      Resolv::DNS::Message.decode too_long_address_message
++    end
++  end
++
+   def assert_no_fd_leak
+     socket = assert_throw(self) do |tag|
+       Resolv::DNS.stub(:bind_random_port, ->(s, *) {throw(tag, s)}) do
+-- 
+2.45.3
+
diff --git a/SPECS/ruby/ruby.spec b/SPECS/ruby/ruby.spec
@@ -87,7 +87,7 @@ Name:           ruby
 # provides should be versioned according to the ruby version.
 # More info: https://stdgems.org/
 Version:        %{ruby_version}
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        (Ruby OR BSD) AND Public Domain AND MIT AND CC0 AND zlib AND UCD
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -111,6 +111,7 @@ Patch4:         CVE-2025-27219.patch
 Patch5:         CVE-2025-27220.patch
 Patch6:         CVE-2025-27221.patch
 Patch7:         CVE-2025-6442.patch
+Patch8:         CVE-2025-24294.patch
 BuildRequires:  openssl-devel
 # Pkgconfig(yaml-0.1) is needed to build the 'psych' gem.
 BuildRequires:  pkgconfig(yaml-0.1)
@@ -415,6 +416,9 @@ sudo -u test make test TESTS="-v"
 %{_rpmconfigdir}/rubygems.con
 
 %changelog
+* Tue Jul 15 2025 BinduSri Adabala <v-badabala@microsoft.com> - 3.3.5-5
+- Patch CVE-2025-24294
+
 * Thu Jun 26 2025 Kevin Lockwood <v-klockwood@microsoft.com> - 3.3.5-4
 - Patch CVE-2025-6442
 
