From patchwork Thu Mar 27 10:25:00 2025
X-Patchwork-Submitter: Remco van 't Veer
X-Patchwork-Id: 40878
Subject: [bug#77304] [PATCH v2] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, 27220, 27221}]
References: <70a1ad58571735f1a15ce39ea6e400b3016ddc11.1743069624.git.remco@remworks.net>
In-Reply-To: <70a1ad58571735f1a15ce39ea6e400b3016ddc11.1743069624.git.remco@remworks.net>
Resent-Date: Thu, 27 Mar 2025 10:26:02 +0000
To: 77304@debbugs.gnu.org
Cc: Remco van 't Veer, Christopher Baines
From: Remco van 't Veer
Date: Thu, 27 Mar 2025 11:25:00 +0100
Message-ID: <0498bc510e98e7ff589d297aa6ef0d3e0fc04711.1743071100.git.remco@remworks.net>
X-Mailer: git-send-email 2.49.0

Fixes: CVE-2024-27280 (Buffer overread vulnerability in StringIO),
CVE-2024-27281 (RCE vulnerability with .rdoc_options in RDoc),
CVE-2024-27282 (Arbitrary memory address read vulnerability with Regex
search), CVE-2025-27219 (Denial of Service in CGI::Cookie.parse),
CVE-2025-27220 (ReDoS in CGI::Util#escapeElement), and CVE-2025-27221
(userinfo leakage in URI#join, URI#merge and URI#+).

* gnu/packages/ruby.scm (ruby-3.1)[replacement]: New field pointing to
ruby-3.1.7.
* gnu/packages/ruby.scm (ruby-3.1.7): Add package.

Change-Id: I9c4758f4622d5844cc9a23c2865a3d0210a4ebae
---
Changes in this v2:
* improve commit subject.

 gnu/packages/ruby.scm | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

base-commit: 90d525e0cffeb7498e7b98bedbc9ae67814c06a2
diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm index 24407fbd58..875a1b9a10 100644 --- a/gnu/packages/ruby.scm +++ b/gnu/packages/ruby.scm @@ -29,7 +29,7 @@ ;;; Copyright © 2020 Tomás Ortín Fernández ;;; Copyright © 2021 Giovanni Biscuolo ;;; Copyright © 2022 Philip McGrath -;;; Copyright © 2022-2024 Remco van 't Veer +;;; Copyright © 2022-2025 Remco van 't Veer ;;; Copyright © 2022 Taiju HIGASHI ;;; Copyright © 2023 Yovan Naumovski ;;; Copyright © 2023, 2024 gemmaro @@ -250,6 +250,7 @@ (define-public ruby-3.1 (package (inherit ruby-3.0) (version "3.1.4") + (replacement ruby-3.1.7) (source (origin (method url-fetch) @@ -260,6 +261,22 @@ (define-public ruby-3.1 (base32 "0kzr792rk9n9yrqlyrkc1a0cmbk5y194f7v7p4vwjdk0ww860v8v")))))) ++;;; TODO: This newer version resolves serveral CVEs. Remove ++;;; after ungrafting ruby. +(define ruby-3.1.7 + (package + (inherit ruby-3.1) + (version "3.1.7") + (source + (origin + (method url-fetch) + (uri (string-append "http://cache.ruby-lang.org/pub/ruby/" + (version-major+minor version) + "/ruby-" version ".tar.xz")) + (sha256 + (base32 + "0ddhh3nzfnwwb0ks3rsmf3w1m71ban30wf61djn8gnkbbd2wr2k5")))))) + (define-public ruby-3.2 (package (inherit ruby-3.1)
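Review bot: in the second hunk, `(replacement ruby-3.1.7)` added to `ruby-3.1` refers to a variable that is only defined further down in the third hunk; this works because Guix evaluates the `replacement` field lazily, but the two hunks must land together, so please don't split this patch. Note also that the graft is attached to `ruby-3.1` only: the context lines show `ruby-3.2` inheriting from `ruby-3.1`, but `replacement` is an innate field that `inherit` does not carry over, so `ruby-3.2` and later packages remain unfixed for the CVEs listed in the subject and need their own updates.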
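Review bot: in the third hunk, the two TODO comment lines show a doubled leading `+` (`++;;; TODO: This newer version resolves serveral CVEs. Remove` / `++;;; after ungrafting ruby.`); if that extra `+` is really in the added source rather than a mail-rendering artifact it leaves a stray `+` symbol at the top level of the module, so please confirm the lines start with `;;;`. The comment also misspells "several" as "serveral". Separately, the source URI is `http://cache.ruby-lang.org/pub/ruby/...` over plain HTTP; the pinned `sha256` still guarantees the integrity of the 3.1.7 tarball, but `https://` would be preferable if the other Ruby packages in this file already use it. Since this is a graft, 3.1.7 must stay binary-compatible with 3.1.4, which a patch-level Ruby release is expected to be.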