diff options
Diffstat (limited to 'meta/recipes-devtools/ruby')
-rw-r--r-- | meta/recipes-devtools/ruby/ruby.inc | 39 | ||||
-rw-r--r-- | meta/recipes-devtools/ruby/ruby/CVE-2023-28755.patch | 68 | ||||
-rw-r--r-- | meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch | 73 | ||||
-rw-r--r-- | meta/recipes-devtools/ruby/ruby/CVE-2023-36617_1.patch | 52 | ||||
-rw-r--r-- | meta/recipes-devtools/ruby/ruby/CVE-2023-36617_2.patch | 47 | ||||
-rw-r--r-- | meta/recipes-devtools/ruby/ruby/CVE-2024-27281.patch | 97 | ||||
-rw-r--r-- | meta/recipes-devtools/ruby/ruby_3.1.3.bb (renamed from meta/recipes-devtools/ruby/ruby_3.1.2.bb) | 52 |
7 files changed, 383 insertions, 45 deletions
diff --git a/meta/recipes-devtools/ruby/ruby.inc b/meta/recipes-devtools/ruby/ruby.inc deleted file mode 100644 index ebff5efd1f..0000000000 --- a/meta/recipes-devtools/ruby/ruby.inc +++ /dev/null @@ -1,39 +0,0 @@ -SUMMARY = "An interpreter of object-oriented scripting language" -DESCRIPTION = "Ruby is an interpreted scripting language for quick \ -and easy object-oriented programming. It has many features to process \ -text files and to do system management tasks (as in Perl). \ -It is simple, straight-forward, and extensible. \ -" -HOMEPAGE = "http://www.ruby-lang.org/" -SECTION = "devel/ruby" -LICENSE = "Ruby | BSD-2-Clause | BSD-3-Clause | GPL-2.0-only | ISC | MIT" -LIC_FILES_CHKSUM = "file://COPYING;md5=5b8c87559868796979806100db3f3805 \ - file://BSDL;md5=8b50bc6de8f586dc66790ba11d064d75 \ - file://GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ - file://LEGAL;md5=f260190bc1e92e363f0ee3c0463d4c7c \ - " - -DEPENDS = "zlib openssl libyaml gdbm readline libffi" -DEPENDS:append:class-target = " ruby-native" - -SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}" -SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \ - file://0001-extmk-fix-cross-compilation-of-external-gems.patch \ - file://0002-Obey-LDFLAGS-for-the-link-of-libruby.patch \ - " -UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/" - -inherit autotools ptest pkgconfig - - -# This snippet lets compiled extensions which rely on external libraries, -# such as zlib, compile properly. If we don't do this, then when extmk.rb -# runs, it uses the native libraries instead of the target libraries, and so -# none of the linking operations succeed -- which makes extconf.rb think -# that the libraries aren't available and hence that the extension can't be -# built. - -do_configure:prepend() { - sed -i "s#%%TARGET_CFLAGS%%#$CFLAGS#; s#%%TARGET_LDFLAGS%%#$LDFLAGS#" ${S}/common.mk - rm -rf ${S}/ruby/ -} diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2023-28755.patch b/meta/recipes-devtools/ruby/ruby/CVE-2023-28755.patch new file mode 100644 index 0000000000..d611c41dcc --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2023-28755.patch @@ -0,0 +1,68 @@ +From db4bb57d4af6d097a0c29490536793d95f1d8983 Mon Sep 17 00:00:00 2001 +From: Hiroshi SHIBATA <hsbt@ruby-lang.org> +Date: Mon, 24 Apr 2023 08:27:24 +0000 +Subject: [PATCH] Merge URI-0.12.1 + +CVE: CVE-2023-28755 + +Upstream-Status: Backport [https://github.com/ruby/ruby/commit/8ce4ab146498879b65e22f1be951b25eebb79300] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + lib/uri/rfc3986_parser.rb | 4 ++-- + lib/uri/version.rb | 2 +- + test/uri/test_common.rb | 11 +++++++++++ + 3 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/lib/uri/rfc3986_parser.rb b/lib/uri/rfc3986_parser.rb +index 3e07de4..3c89311 100644 +--- a/lib/uri/rfc3986_parser.rb ++++ b/lib/uri/rfc3986_parser.rb +@@ -3,8 +3,8 @@ module URI + class RFC3986_Parser # :nodoc: + # URI defined in RFC3986 + # this regexp is modified not to host is not empty string +- RFC3986_URI = /\A(?<URI>(?<scheme>[A-Za-z][+\-.0-9A-Za-z]*):(?<hier-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h+\.[!$&-.0-;=A-Z_a-z~]+))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?<port>\d*))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g<segment>)*)?)|(?<path-rootless>\g<segment-nz>(?:\/\g<segment>)*)|(?<path-empty>))(?:\?(?<query>[^#]*))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/ +- RFC3986_relative_ref = /\A(?<relative-ref>(?<relative-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?<host>(?<IP-literal>\[(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h+\.[!$&-.0-;=A-Z_a-z~]+)\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?<port>\d*))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g<segment>)*)?)|(?<path-noscheme>(?<segment-nz-nc>(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])+)(?:\/\g<segment>)*)|(?<path-empty>))(?:\?(?<query>[^#]*))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/ ++ RFC3986_URI = /\A(?<URI>(?<scheme>[A-Za-z][+\-.0-9A-Za-z]*+):(?<hier-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*+)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h++\.[!$&-.0-;=A-Z_a-z~]++))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])*+))(?::(?<port>\d*+))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*+))*+)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])++)(?:\/\g<segment>)*+)?)|(?<path-rootless>\g<segment-nz>(?:\/\g<segment>)*+)|(?<path-empty>))(?:\?(?<query>[^#]*+))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*+))?)\z/ ++ RFC3986_relative_ref = /\A(?<relative-ref>(?<relative-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*+)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h++\.[!$&-.0-;=A-Z_a-z~]++))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])++))?(?::(?<port>\d*+))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*+))*+)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])++)(?:\/\g<segment>)*+)?)|(?<path-noscheme>(?<segment-nz-nc>(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])++)(?:\/\g<segment>)*+)|(?<path-empty>))(?:\?(?<query>[^#]*+))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*+))?)\z/ + attr_reader :regexp + + def initialize +diff --git a/lib/uri/version.rb b/lib/uri/version.rb +index 82188e2..7497a7d 100644 +--- a/lib/uri/version.rb ++++ b/lib/uri/version.rb +@@ -1,6 +1,6 @@ + module URI + # :stopdoc: +- VERSION_CODE = '001100'.freeze ++ VERSION_CODE = '001201'.freeze + VERSION = VERSION_CODE.scan(/../).collect{|n| n.to_i}.join('.').freeze + # :startdoc: + end +diff --git a/test/uri/test_common.rb b/test/uri/test_common.rb +index 5e30cda..1d34783 100644 +--- a/test/uri/test_common.rb ++++ b/test/uri/test_common.rb +@@ -78,6 +78,17 @@ class TestCommon < Test::Unit::TestCase + assert_raise(NoMethodError) { Object.new.URI("http://www.ruby-lang.org/") } + end + ++ def test_parse_timeout ++ pre = ->(n) { ++ 'https://example.com/dir/' + 'a' * (n * 100) + '/##.jpg' ++ } ++ assert_linear_performance((1..10).map {|i| i * 100}, rehearsal: 1000, pre: pre) do |uri| ++ assert_raise(URI::InvalidURIError) do ++ URI.parse(uri) ++ end ++ end ++ end ++ + def test_encode_www_form_component + assert_equal("%00+%21%22%23%24%25%26%27%28%29*%2B%2C-.%2F09%3A%3B%3C%3D%3E%3F%40" \ + "AZ%5B%5C%5D%5E_%60az%7B%7C%7D%7E", +-- +2.35.5 + diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch b/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch new file mode 100644 index 0000000000..cf24b13f53 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch @@ -0,0 +1,73 @@ +From 957bb7cb81995f26c671afce0ee50a5c660e540e Mon Sep 17 00:00:00 2001 +From: Hiroshi SHIBATA <hsbt@ruby-lang.org> +Date: Wed, 29 Mar 2023 13:28:25 +0900 +Subject: [PATCH] CVE-2023-28756 + +CVE: CVE-2023-28756 +Upstream-Status: Backport [https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + lib/time.gemspec | 2 +- + lib/time.rb | 6 +++--- + test/test_time.rb | 9 +++++++++ + 3 files changed, 13 insertions(+), 4 deletions(-) + +diff --git a/lib/time.gemspec b/lib/time.gemspec +index 72fba34..bada91a 100644 +--- a/lib/time.gemspec ++++ b/lib/time.gemspec +@@ -1,6 +1,6 @@ + Gem::Specification.new do |spec| + spec.name = "time" +- spec.version = "0.2.0" ++ spec.version = "0.2.2" + spec.authors = ["Tanaka Akira"] + spec.email = ["akr@fsij.org"] + +diff --git a/lib/time.rb b/lib/time.rb +index bd20a1a..6a13212 100644 +--- a/lib/time.rb ++++ b/lib/time.rb +@@ -509,8 +509,8 @@ class Time + (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+ + (\d{2,})\s+ + (\d{2})\s* +- :\s*(\d{2})\s* +- (?::\s*(\d{2}))?\s+ ++ :\s*(\d{2}) ++ (?:\s*:\s*(\d\d))?\s+ + ([+-]\d{4}| + UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date + # Since RFC 2822 permit comments, the regexp has no right anchor. +@@ -701,7 +701,7 @@ class Time + # + # If self is a UTC time, Z is used as TZD. [+-]hh:mm is used otherwise. + # +- # +fractional_digits+ specifies a number of digits to use for fractional ++ # +fraction_digits+ specifies a number of digits to use for fractional + # seconds. Its default value is 0. + # + # require 'time' +diff --git a/test/test_time.rb b/test/test_time.rb +index b50d841..23e8e10 100644 +--- a/test/test_time.rb ++++ b/test/test_time.rb +@@ -62,6 +62,15 @@ class TestTimeExtension < Test::Unit::TestCase # :nodoc: + assert_equal(true, t.utc?) + end + ++ def test_rfc2822_nonlinear ++ pre = ->(n) {"0 Feb 00 00 :00" + " " * n} ++ assert_linear_performance([100, 500, 5000, 50_000], pre: pre) do |s| ++ assert_raise(ArgumentError) do ++ Time.rfc2822(s) ++ end ++ end ++ end ++ + if defined?(Ractor) + def test_rfc2822_ractor + assert_ractor(<<~RUBY, require: 'time') +-- +2.25.1 + diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_1.patch b/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_1.patch new file mode 100644 index 0000000000..57a15d302e --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_1.patch @@ -0,0 +1,52 @@ +From 9c2eb12776c1b5df2517a7e618e5fe818cc3395e Mon Sep 17 00:00:00 2001 +From: Nobuyoshi Nakada <nobu@ruby-lang.org> +Date: Thu, 27 Jul 2023 15:53:01 +0800 +Subject: [PATCH] ruby: Fix quadratic backtracking on invalid relative URI + +Upstream-Status: Backport [https://github.com/ruby/uri/commit/9010ee2536adda10a0555ae1ed6fe2f5808e6bf1] +CVE: CVE-2023-36617 + +Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> +--- + lib/uri/rfc2396_parser.rb | 4 ++-- + test/uri/test_parser.rb | 12 ++++++++++++ + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/lib/uri/rfc2396_parser.rb b/lib/uri/rfc2396_parser.rb +index 76a8f99..00c66cf 100644 +--- a/lib/uri/rfc2396_parser.rb ++++ b/lib/uri/rfc2396_parser.rb +@@ -497,8 +497,8 @@ module URI + ret = {} + + # for URI::split +- ret[:ABS_URI] = Regexp.new('\A\s*' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED) +- ret[:REL_URI] = Regexp.new('\A\s*' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED) ++ ret[:ABS_URI] = Regexp.new('\A\s*+' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED) ++ ret[:REL_URI] = Regexp.new('\A\s*+' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED) + + # for URI::extract + ret[:URI_REF] = Regexp.new(pattern[:URI_REF]) +diff --git a/test/uri/test_parser.rb b/test/uri/test_parser.rb +index 03de137..01ed32a 100644 +--- a/test/uri/test_parser.rb ++++ b/test/uri/test_parser.rb +@@ -63,4 +63,16 @@ class URI::TestParser < Test::Unit::TestCase + assert_equal("\u3042", p1.unescape('%e3%81%82'.force_encoding(Encoding::US_ASCII))) + assert_equal("\xe3\x83\x90\xe3\x83\x90", p1.unescape("\xe3\x83\x90%e3%83%90")) + end ++ ++ def test_rfc2822_parse_relative_uri ++ pre = ->(length) { ++ " " * length + "\0" ++ } ++ parser = URI::RFC2396_Parser.new ++ assert_linear_performance((1..5).map {|i| 10**i}, pre: pre) do |uri| ++ assert_raise(URI::InvalidURIError) do ++ parser.split(uri) ++ end ++ end ++ end + end +-- +2.40.0 diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_2.patch b/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_2.patch new file mode 100644 index 0000000000..ff558183b6 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_2.patch @@ -0,0 +1,47 @@ +From eea5868120509c245216c4b5c2d4b5db1c593d0e Mon Sep 17 00:00:00 2001 +From: Nobuyoshi Nakada <nobu@ruby-lang.org> +Date: Thu, 27 Jul 2023 16:16:30 +0800 +Subject: [PATCH] ruby: Fix quadratic backtracking on invalid port number + +Upstream-Status: Backport [https://github.com/ruby/uri/commit/9d7bcef1e6ad23c9c6e4932f297fb737888144c8] +CVE: CVE-2023-36617 +Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> +--- + lib/uri/rfc3986_parser.rb | 2 +- + test/uri/test_parser.rb | 10 ++++++++++ + 2 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/lib/uri/rfc3986_parser.rb b/lib/uri/rfc3986_parser.rb +index 3c89311..cde3ea7 100644 +--- a/lib/uri/rfc3986_parser.rb ++++ b/lib/uri/rfc3986_parser.rb +@@ -101,7 +101,7 @@ module URI + QUERY: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/, + FRAGMENT: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/, + OPAQUE: /\A(?:[^\/].*)?\z/, +- PORT: /\A[\x09\x0a\x0c\x0d ]*\d*[\x09\x0a\x0c\x0d ]*\z/, ++ PORT: /\A[\x09\x0a\x0c\x0d ]*+\d*[\x09\x0a\x0c\x0d ]*\z/, + } + end + +diff --git a/test/uri/test_parser.rb b/test/uri/test_parser.rb +index 01ed32a..81c2210 100644 +--- a/test/uri/test_parser.rb ++++ b/test/uri/test_parser.rb +@@ -75,4 +75,14 @@ class URI::TestParser < Test::Unit::TestCase + end + end + end ++ ++ def test_rfc3986_port_check ++ pre = ->(length) {"\t" * length + "a"} ++ uri = URI.parse("http://my.example.com") ++ assert_linear_performance((1..5).map {|i| 10**i}, pre: pre) do |port| ++ assert_raise(URI::InvalidComponentError) do ++ uri.port = port ++ end ++ end ++ end + end +-- +2.40.0 diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-27281.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-27281.patch new file mode 100644 index 0000000000..6f4b35a786 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-27281.patch @@ -0,0 +1,97 @@ +From da7a0c7553ef7250ca665a3fecdc01dbaacbb43d Mon Sep 17 00:00:00 2001 +From: Nobuyoshi Nakada <nobu@ruby-lang.org> +Date: Mon, 15 Apr 2024 11:40:00 +0000 +Subject: [PATCH] Filter marshaled objets + +CVE: CVE-2024-27281 +Upstream-Status: Backport [https://github.com/ruby/rdoc/commit/da7a0c7553ef7250ca665a3fecdc01dbaacbb43d] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + lib/rdoc/store.rb | 45 ++++++++++++++++++++++++++------------------- + 1 file changed, 26 insertions(+), 19 deletions(-) + +diff --git a/lib/rdoc/store.rb b/lib/rdoc/store.rb +index 5ba671c..c793e49 100644 +--- a/lib/rdoc/store.rb ++++ b/lib/rdoc/store.rb +@@ -556,9 +556,7 @@ class RDoc::Store + def load_cache + #orig_enc = @encoding + +- File.open cache_path, 'rb' do |io| +- @cache = Marshal.load io.read +- end ++ @cache = marshal_load(cache_path) + + load_enc = @cache[:encoding] + +@@ -615,9 +613,7 @@ class RDoc::Store + def load_class_data klass_name + file = class_file klass_name + +- File.open file, 'rb' do |io| +- Marshal.load io.read +- end ++ marshal_load(file) + rescue Errno::ENOENT => e + error = MissingFileError.new(self, file, klass_name) + error.set_backtrace e.backtrace +@@ -630,14 +626,10 @@ class RDoc::Store + def load_method klass_name, method_name + file = method_file klass_name, method_name + +- File.open file, 'rb' do |io| +- obj = Marshal.load io.read +- obj.store = self +- obj.parent = +- find_class_or_module(klass_name) || load_class(klass_name) unless +- obj.parent +- obj +- end ++ obj = marshal_load(file) ++ obj.store = self ++ obj.parent ||= find_class_or_module(klass_name) || load_class(klass_name) ++ obj + rescue Errno::ENOENT => e + error = MissingFileError.new(self, file, klass_name + method_name) + error.set_backtrace e.backtrace +@@ -650,11 +642,9 @@ class RDoc::Store + def load_page page_name + file = page_file page_name + +- File.open file, 'rb' do |io| +- obj = Marshal.load io.read +- obj.store = self +- obj +- end ++ obj = marshal_load(file) ++ obj.store = self ++ obj + rescue Errno::ENOENT => e + error = MissingFileError.new(self, file, page_name) + error.set_backtrace e.backtrace +@@ -976,4 +966,21 @@ class RDoc::Store + @unique_modules + end + ++ private ++ def marshal_load(file) ++ File.open(file, 'rb') {|io| Marshal.load(io, MarshalFilter)} ++ end ++ ++ MarshalFilter = proc do |obj| ++ case obj ++ when true, false, nil, Array, Class, Encoding, Hash, Integer, String, Symbol, RDoc::Text ++ else ++ unless obj.class.name.start_with?("RDoc::") ++ raise TypeError, "not permitted class: #{obj.class.name}" ++ end ++ end ++ obj ++ end ++ private_constant :MarshalFilter ++ + end +-- +2.35.5 diff --git a/meta/recipes-devtools/ruby/ruby_3.1.2.bb b/meta/recipes-devtools/ruby/ruby_3.1.3.bb index 38ba46731b..2ad3c9e207 100644 --- a/meta/recipes-devtools/ruby/ruby_3.1.2.bb +++ b/meta/recipes-devtools/ruby/ruby_3.1.3.bb @@ -1,8 +1,25 @@ -require ruby.inc - -DEPENDS:append:libc-musl = " libucontext" - -SRC_URI += " \ +SUMMARY = "An interpreter of object-oriented scripting language" +DESCRIPTION = "Ruby is an interpreted scripting language for quick \ +and easy object-oriented programming. It has many features to process \ +text files and to do system management tasks (as in Perl). \ +It is simple, straight-forward, and extensible. \ +" +HOMEPAGE = "http://www.ruby-lang.org/" +SECTION = "devel/ruby" +LICENSE = "Ruby | BSD-2-Clause | BSD-3-Clause | GPL-2.0-only | ISC | MIT" +LIC_FILES_CHKSUM = "file://COPYING;md5=5b8c87559868796979806100db3f3805 \ + file://BSDL;md5=8b50bc6de8f586dc66790ba11d064d75 \ + file://GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ + file://LEGAL;md5=f260190bc1e92e363f0ee3c0463d4c7c \ + " + +DEPENDS = "zlib openssl libyaml gdbm readline libffi" +DEPENDS:append:class-target = " ruby-native" + +SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}" +SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \ + file://0001-extmk-fix-cross-compilation-of-external-gems.patch \ + file://0002-Obey-LDFLAGS-for-the-link-of-libruby.patch \ file://remove_has_include_macros.patch \ file://run-ptest \ file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \ @@ -12,9 +29,32 @@ SRC_URI += " \ file://0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch \ file://0006-Make-gemspecs-reproducible.patch \ file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \ + file://CVE-2023-28756.patch \ + file://CVE-2023-28755.patch \ + file://CVE-2023-36617_1.patch \ + file://CVE-2023-36617_2.patch \ + file://CVE-2024-27281.patch \ " +UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/" + +inherit autotools ptest pkgconfig + + +# This snippet lets compiled extensions which rely on external libraries, +# such as zlib, compile properly. If we don't do this, then when extmk.rb +# runs, it uses the native libraries instead of the target libraries, and so +# none of the linking operations succeed -- which makes extconf.rb think +# that the libraries aren't available and hence that the extension can't be +# built. + +do_configure:prepend() { + sed -i "s#%%TARGET_CFLAGS%%#$CFLAGS#; s#%%TARGET_LDFLAGS%%#$LDFLAGS#" ${S}/common.mk + rm -rf ${S}/ruby/ +} + +DEPENDS:append:libc-musl = " libucontext" -SRC_URI[sha256sum] = "61843112389f02b735428b53bb64cf988ad9fb81858b8248e22e57336f24a83e" +SRC_URI[sha256sum] = "5ea498a35f4cd15875200a52dde42b6eb179e1264e17d78732c3a57cd1c6ab9e" PACKAGECONFIG ??= "" PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}" |