diff mbox series

[bug#77304,v2] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, 27220, 27221}]

Message ID 0498bc510e98e7ff589d297aa6ef0d3e0fc04711.1743071100.git.remco@remworks.net
State New
Headers
Series [bug#77304,v2] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, 27220, 27221}] |

Commit Message

Remco van 't Veer March 27, 2025, 10:25 a.m. UTC 
  Fixes: CVE-2024-27280 (Buffer overread vulnerability in StringIO),
CVE-2024-27281 (RCE vulnerability with .rdoc_options in RDoc),
CVE-2024-27282 (Arbitrary memory address read vulnerability with Regex
search), CVE-2025-27219 (Denial of Service in CGI::Cookie.parse)
CVE-2025-27220 (ReDoS in CGI::Util#escapeElement), and
CVE-2025-27221 (userinfo leakage in URI#join, URI#merge and URI#+).

* gnu/packages/ruby.scm (ruby-3.1)[replacement]: New field pointing to ruby-3.1.7.
* gnu/packages/ruby.scm (ruby-3.1.7): Add package.

Change-Id: I9c4758f4622d5844cc9a23c2865a3d0210a4ebae
---

Changes in this v2:

* improve commit subject.

 gnu/packages/ruby.scm | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)


base-commit: 90d525e0cffeb7498e7b98bedbc9ae67814c06a2

Comments

Nicolas Graves March 27, 2025, 1:04 p.m. UTC | #1 
This should be applied on the ruby-team branch.
Remco van 't Veer March 27, 2025, 1:08 p.m. UTC | #2 
2025/03/27, Nicolas Graves:

> This should be applied on the ruby-team branch.

Does that also mean a graft is not needed?
Nicolas Graves March 27, 2025, 3:06 p.m. UTC | #3 
On 2025-03-27 14:08, Remco van t. Veer wrote:

> 2025/03/27, Nicolas Graves:
>
>> This should be applied on the ruby-team branch.
>
> Does that also mean a graft is not needed?

On ruby-team, no, they will be rebuilt.
Remco van 't Veer March 27, 2025, 3:42 p.m. UTC | #4 
2025/03/27, Nicolas Graves:

> On 2025-03-27 14:08, Remco van t. Veer wrote:
>
>> 2025/03/27, Nicolas Graves:
>>
>>> This should be applied on the ruby-team branch.
>>
>> Does that also mean a graft is not needed?
>
> On ruby-team, no, they will be rebuilt.

To be honest, I was not aware of the ruby-team branch.  Looking at it, I
assume this patch and the other two (bug#77308 and bug#77309) will not
apply on this branch.  Should I close this and the other two bugs and
create new ones for 3.1.7 and 3.2.8 for the ruby-team branch?
diff mbox series

Patch

diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 24407fbd58..875a1b9a10 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -29,7 +29,7 @@ 
 ;;; Copyright © 2020 Tomás Ortín Fernández <tomasortin@mailbox.org>
 ;;; Copyright © 2021 Giovanni Biscuolo <g@xelera.eu>
 ;;; Copyright © 2022 Philip McGrath <philip@philipmcgrath.com>
-;;; Copyright © 2022-2024 Remco van 't Veer <remco@remworks.net>
+;;; Copyright © 2022-2025 Remco van 't Veer <remco@remworks.net>
 ;;; Copyright © 2022 Taiju HIGASHI <higashi@taiju.info>
 ;;; Copyright © 2023 Yovan Naumovski <yovan@gorski.stream>
 ;;; Copyright © 2023, 2024 gemmaro <gemmaro.dev@gmail.com>
@@ -250,6 +250,7 @@  (define-public ruby-3.1
   (package
     (inherit ruby-3.0)
     (version "3.1.4")
+    (replacement ruby-3.1.7)
     (source
      (origin
        (method url-fetch)
@@ -260,6 +261,22 @@  (define-public ruby-3.1
         (base32
          "0kzr792rk9n9yrqlyrkc1a0cmbk5y194f7v7p4vwjdk0ww860v8v"))))))
 
++;;; TODO: This newer version resolves serveral CVEs.  Remove
++;;; after ungrafting ruby.
+(define ruby-3.1.7
+  (package
+    (inherit ruby-3.1)
+    (version "3.1.7")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "http://cache.ruby-lang.org/pub/ruby/"
+                           (version-major+minor version)
+                           "/ruby-" version ".tar.xz"))
+       (sha256
+        (base32
+         "0ddhh3nzfnwwb0ks3rsmf3w1m71ban30wf61djn8gnkbbd2wr2k5"))))))
+
 (define-public ruby-3.2
   (package
     (inherit ruby-3.1)