diff mbox series

[bug#77304] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, CVE-2025-27220, CVE-2025-27221}]

Message ID 70a1ad58571735f1a15ce39ea6e400b3016ddc11.1743069624.git.remco@remworks.net
State New
Headers
Series [bug#77304] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, CVE-2025-27220, CVE-2025-27221}] |

Commit Message

Remco van 't Veer March 27, 2025, 10 a.m. UTC 
  Fixes: CVE-2024-27280 (Buffer overread vulnerability in StringIO),
CVE-2024-27281 (RCE vulnerability with .rdoc_options in RDoc),
CVE-2024-27282 (Arbitrary memory address read vulnerability with Regex
search), CVE-2025-27219 (Denial of Service in CGI::Cookie.parse)
CVE-2025-27220 (ReDoS in CGI::Util#escapeElement), and
CVE-2025-27221 (userinfo leakage in URI#join, URI#merge and URI#+).

* gnu/packages/ruby.scm (ruby-3.1)[replacement]: New field pointing to ruby-3.1.7.
* gnu/packages/ruby.scm (ruby-3.1.7): Add package.

Change-Id: I9c4758f4622d5844cc9a23c2865a3d0210a4ebae
---
 gnu/packages/ruby.scm | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)


base-commit: 90d525e0cffeb7498e7b98bedbc9ae67814c06a2
diff mbox series

Patch

diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 24407fbd58..875a1b9a10 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -29,7 +29,7 @@ 
 ;;; Copyright © 2020 Tomás Ortín Fernández <tomasortin@mailbox.org>
 ;;; Copyright © 2021 Giovanni Biscuolo <g@xelera.eu>
 ;;; Copyright © 2022 Philip McGrath <philip@philipmcgrath.com>
-;;; Copyright © 2022-2024 Remco van 't Veer <remco@remworks.net>
+;;; Copyright © 2022-2025 Remco van 't Veer <remco@remworks.net>
 ;;; Copyright © 2022 Taiju HIGASHI <higashi@taiju.info>
 ;;; Copyright © 2023 Yovan Naumovski <yovan@gorski.stream>
 ;;; Copyright © 2023, 2024 gemmaro <gemmaro.dev@gmail.com>
@@ -250,6 +250,7 @@  (define-public ruby-3.1
   (package
     (inherit ruby-3.0)
     (version "3.1.4")
+    (replacement ruby-3.1.7)
     (source
      (origin
        (method url-fetch)
@@ -260,6 +261,22 @@  (define-public ruby-3.1
         (base32
          "0kzr792rk9n9yrqlyrkc1a0cmbk5y194f7v7p4vwjdk0ww860v8v"))))))
 
++;;; TODO: This newer version resolves serveral CVEs.  Remove
++;;; after ungrafting ruby.
+(define ruby-3.1.7
+  (package
+    (inherit ruby-3.1)
+    (version "3.1.7")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "http://cache.ruby-lang.org/pub/ruby/"
+                           (version-major+minor version)
+                           "/ruby-" version ".tar.xz"))
+       (sha256
+        (base32
+         "0ddhh3nzfnwwb0ks3rsmf3w1m71ban30wf61djn8gnkbbd2wr2k5"))))))
+
 (define-public ruby-3.2
   (package
     (inherit ruby-3.1)