ruby: fix CVE-2025-27221

In the URI gem before 1.0.3 for Ruby, the URI handling methods
(URI.join, URI#merge, URI#+) have an inadvertent leakage of
authentication credentials because userinfo is retained even
after changing the host.

Reference:
https://security-tracker.debian.org/tracker/CVE-2025-27221

Upstream-patches:
https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495
https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5

(From OE-Core rev: 421d7011269f4750f5942b815d68f77fa4559d69)

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch

@@ -0,0 +1,57 @@
+From 3675494839112b64d5f082a9068237b277ed1495 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Fri, 21 Feb 2025 16:29:36 +0900
+Subject: [PATCH] Truncate userinfo with URI#join, URI#merge and URI#+
+
+CVE: CVE-2025-27221
+
+Upstream-Status: Backport [https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ lib/uri/generic.rb       |  6 +++++-
+ test/uri/test_generic.rb | 11 +++++++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
+index f3540a2..ecc78c5 100644
+--- a/lib/uri/generic.rb
++++ b/lib/uri/generic.rb
+@@ -1141,7 +1141,11 @@ module URI
+       end
+ 
+       # RFC2396, Section 5.2, 7)
+-      base.set_userinfo(rel.userinfo) if rel.userinfo
++      if rel.userinfo
++        base.set_userinfo(rel.userinfo)
++      else
++        base.set_userinfo(nil)
++      end
+       base.set_host(rel.host)         if rel.host
+       base.set_port(rel.port)         if rel.port
+       base.query = rel.query       if rel.query
+diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
+index e661937..17ba2b6 100644
+--- a/test/uri/test_generic.rb
++++ b/test/uri/test_generic.rb
+@@ -164,6 +164,17 @@ class URI::TestGeneric < Test::Unit::TestCase
+     # must be empty string to identify as path-abempty, not path-absolute
+     assert_equal('', url.host)
+     assert_equal('http:////example.com', url.to_s)
++
++    # sec-2957667
++    url = URI.parse('http://user:pass@example.com').merge('//example.net')
++    assert_equal('http://example.net', url.to_s)
++    assert_nil(url.userinfo)
++    url = URI.join('http://user:pass@example.com', '//example.net')
++    assert_equal('http://example.net', url.to_s)
++    assert_nil(url.userinfo)
++    url = URI.parse('http://user:pass@example.com') + '//example.net'
++    assert_equal('http://example.net', url.to_s)
++    assert_nil(url.userinfo)
+   end
+ 
+   def test_parse_scheme_with_symbols
+-- 
+2.40.0
+

meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch

@@ -0,0 +1,73 @@
+From 2789182478f42ccbb62197f952eb730e4f02bfc5 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Fri, 21 Feb 2025 18:16:28 +0900
+Subject: [PATCH] Fix merger of URI with authority component
+
+https://hackerone.com/reports/2957667
+
+Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
+
+CVE: CVE-2025-27221
+
+Upstream-Status: Backport [https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ lib/uri/generic.rb       | 19 +++++++------------
+ test/uri/test_generic.rb |  7 +++++++
+ 2 files changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
+index ecc78c5..2c0a88d 100644
+--- a/lib/uri/generic.rb
++++ b/lib/uri/generic.rb
+@@ -1133,21 +1133,16 @@ module URI
+       base.fragment=(nil)
+ 
+       # RFC2396, Section 5.2, 4)
+-      if !authority
+-        base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path
+-      else
+-        # RFC2396, Section 5.2, 4)
+-        base.set_path(rel.path) if rel.path
++      if authority
++        base.set_userinfo(rel.userinfo)
++        base.set_host(rel.host)
++        base.set_port(rel.port || base.default_port)
++        base.set_path(rel.path)
++      elsif base.path && rel.path
++        base.set_path(merge_path(base.path, rel.path))
+       end
+ 
+       # RFC2396, Section 5.2, 7)
+-      if rel.userinfo
+-        base.set_userinfo(rel.userinfo)
+-      else
+-        base.set_userinfo(nil)
+-      end
+-      base.set_host(rel.host)         if rel.host
+-      base.set_port(rel.port)         if rel.port
+       base.query = rel.query       if rel.query
+       base.fragment=(rel.fragment) if rel.fragment
+ 
+diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
+index 17ba2b6..1a70dd4 100644
+--- a/test/uri/test_generic.rb
++++ b/test/uri/test_generic.rb
+@@ -267,6 +267,13 @@ class URI::TestGeneric < Test::Unit::TestCase
+     assert_equal(u0, u1)
+   end
+ 
++  def test_merge_authority
++    u = URI.parse('http://user:pass@example.com:8080')
++    u0 = URI.parse('http://new.example.org/path')
++    u1 = u.merge('//new.example.org/path')
++    assert_equal(u0, u1)
++  end
++
+   def test_route
+     url = URI.parse('http://hoge/a.html').route_to('http://hoge/b.html')
+     assert_equal('b.html', url.to_s)
+-- 
+2.40.0
+

meta/recipes-devtools/ruby/ruby_3.3.5.bb

@@ -28,6 +28,8 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
            file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \
            file://CVE-2025-27219.patch \
            file://CVE-2025-27220.patch \
+           file://CVE-2025-27221-0001.patch \
+           file://CVE-2025-27221-0002.patch \
            "
 UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"