From patchwork Thu Mar 27 10:00:24 2025
X-Patchwork-Submitter: Remco van 't Veer
X-Patchwork-Id: 40877
Subject: [bug#77304] [PATCH] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, CVE-2025-27220, CVE-2025-27221}]
Resent-From: Remco van 't Veer
Resent-Date: Thu, 27 Mar 2025 10:02:04 +0000
X-GNU-PR-Message: report 77304
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 77304@debbugs.gnu.org
Cc: Remco van 't Veer, Christopher Baines
From: Remco van 't Veer
Date: Thu, 27 Mar 2025 11:00:24 +0100
Message-ID: <70a1ad58571735f1a15ce39ea6e400b3016ddc11.1743069624.git.remco@remworks.net>
X-Mailer: git-send-email 2.49.0

Fixes: CVE-2024-27280 (Buffer overread vulnerability in StringIO),
CVE-2024-27281 (RCE vulnerability with .rdoc_options in RDoc),
CVE-2024-27282 (Arbitrary memory address read vulnerability with Regex search),
CVE-2025-27219 (Denial of Service in CGI::Cookie.parse),
CVE-2025-27220 (ReDoS in CGI::Util#escapeElement), and
CVE-2025-27221 (userinfo leakage in URI#join, URI#merge and URI#+).

* gnu/packages/ruby.scm (ruby-3.1)[replacement]: New field pointing to
ruby-3.1.7.
* gnu/packages/ruby.scm (ruby-3.1.7): Add package.

Change-Id: I9c4758f4622d5844cc9a23c2865a3d0210a4ebae
---
 gnu/packages/ruby.scm | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

base-commit: 90d525e0cffeb7498e7b98bedbc9ae67814c06a2

diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 24407fbd58..875a1b9a10 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm @@ -29,7 +29,7 @@ ;;; Copyright © 2020 Tomás Ortín Fernández ;;; Copyright © 2021 Giovanni Biscuolo ;;; Copyright © 2022 Philip McGrath -;;; Copyright © 2022-2024 Remco van 't Veer +;;; Copyright © 2022-2025 Remco van 't Veer ;;; Copyright © 2022 Taiju HIGASHI ;;; Copyright © 2023 Yovan Naumovski ;;; Copyright © 2023, 2024 gemmaro @@ -250,6 +250,7 @@ (define-public ruby-3.1 (package (inherit ruby-3.0) (version "3.1.4") + (replacement ruby-3.1.7) (source (origin (method url-fetch) @@ -260,6 +261,22 @@ (define-public ruby-3.1 (base32 "0kzr792rk9n9yrqlyrkc1a0cmbk5y194f7v7p4vwjdk0ww860v8v")))))) ++;;; TODO: This newer version resolves serveral CVEs. Remove ++;;; after ungrafting ruby. +(define ruby-3.1.7 + (package + (inherit ruby-3.1) + (version "3.1.7") + (source + (origin + (method url-fetch) + (uri (string-append "http://cache.ruby-lang.org/pub/ruby/" + (version-major+minor version) + "/ruby-" version ".tar.xz")) + (sha256 + (base32 + "0ddhh3nzfnwwb0ks3rsmf3w1m71ban30wf61djn8gnkbbd2wr2k5")))))) + (define-public ruby-3.2 (package (inherit ruby-3.1)
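Review bot: In the `ruby-3.1` hunk, the added `(replacement ruby-3.1.7)` meets the grafting requirement that the replacement's store file name be exactly as long as the original's (the name is inherited and "3.1.4" and "3.1.7" have the same length), and the forward reference to `ruby-3.1.7`, which is only defined further down the file, is safe because `replacement` is evaluated lazily; please confirm that `ruby-3.2`, which `(inherit ruby-3.1)` at the end of the diff, and `ruby-3.1.7` itself, which also inherits from `ruby-3.1`, do not pick up this `replacement`, which holds only if the field is innate (not copied on `inherit`), otherwise the graft would apply to 3.2 and become circular for 3.1.7.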
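Review bot: The two comment lines opening the last hunk appear as `++;;; TODO: This newer version resolves serveral CVEs. Remove` and `++;;; after ungrafting ruby.`, that is, with a stray `+` inside the added line content, so check that the source file begins those lines with `;;;` rather than `+;;;` before pushing; while there, fix the typo "serveral" to "several" and state which package the graft is for ("Remove after ungrafting ruby-3.1"), since the ruby-3.0 and ruby-3.2 definitions are not covered by this replacement. The `uri` fetches over plain `http://cache.ruby-lang.org/...`; the `sha256` field protects integrity of the tarball, but if the mirror serves the same path over https, preferring it avoids exposing the download to on-path tampering before the hash check reports it.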