!175 [sync] PR-172: fix CVE-2024-35221

From: @openeuler-sync-bot 
Reviewed-by: @shinwell_hu 
Signed-off-by: @shinwell_hu

backport-0001-CVE-2024-27281.patch

@@ -0,0 +1,97 @@
+From 32ff6ba0bebd8ea26f569da5fd23be2937f6a644 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Tue, 20 Feb 2024 17:30:25 +0900
+Subject: [PATCH] Filter marshaled objects
+
+Reference:https://github.com/ruby/rdoc/commit/32ff6ba0bebd8ea26f569da5fd23be2937f6a644
+Conflict:NA
+---
+ lib/rdoc/store.rb | 45 ++++++++++++++++++++++++++-------------------
+ 1 file changed, 26 insertions(+), 19 deletions(-)
+
+diff --git a/lib/rdoc/store.rb b/lib/rdoc/store.rb
+index 5ba671c..5b663d7 100644
+--- a/lib/rdoc/store.rb
++++ b/lib/rdoc/store.rb
+@@ -556,9 +556,7 @@ class RDoc::Store
+   def load_cache
+     #orig_enc = @encoding
+ 
+-    File.open cache_path, 'rb' do |io|
+-      @cache = Marshal.load io.read
+-    end
++    @cache = marshal_load(cache_path)
+ 
+     load_enc = @cache[:encoding]
+ 
+@@ -615,9 +613,7 @@ class RDoc::Store
+   def load_class_data klass_name
+     file = class_file klass_name
+ 
+-    File.open file, 'rb' do |io|
+-      Marshal.load io.read
+-    end
++    marshal_load(file)
+   rescue Errno::ENOENT => e
+     error = MissingFileError.new(self, file, klass_name)
+     error.set_backtrace e.backtrace
+@@ -630,14 +626,10 @@ class RDoc::Store
+   def load_method klass_name, method_name
+     file = method_file klass_name, method_name
+ 
+-    File.open file, 'rb' do |io|
+-      obj = Marshal.load io.read
+-      obj.store = self
+-      obj.parent =
+-        find_class_or_module(klass_name) || load_class(klass_name) unless
+-          obj.parent
+-      obj
+-    end
++    obj = marshal_load(file)
++    obj.store = self
++    obj.parent ||= find_class_or_module(klass_name) || load_class(klass_name)
++    obj
+   rescue Errno::ENOENT => e
+     error = MissingFileError.new(self, file, klass_name + method_name)
+     error.set_backtrace e.backtrace
+@@ -650,11 +642,9 @@ class RDoc::Store
+   def load_page page_name
+     file = page_file page_name
+ 
+-    File.open file, 'rb' do |io|
+-      obj = Marshal.load io.read
+-      obj.store = self
+-      obj
+-    end
++    obj = marshal_load(file)
++    obj.store = self
++    obj
+   rescue Errno::ENOENT => e
+     error = MissingFileError.new(self, file, page_name)
+     error.set_backtrace e.backtrace
+@@ -976,4 +966,21 @@ class RDoc::Store
+     @unique_modules
+   end
+ 
++  private
++  def marshal_load(file)
++    File.open(file, 'rb') {|io| Marshal.load(io, MarshalFilter)}
++  end
++
++  MarshalFilter = proc do |obj|
++    case obj
++    when true, false, nil, Array, Class, Encoding, Hash, Integer, String, Symbol, RDoc::Text
++    else
++      unless obj.class.name.start_with("RDoc::")
++        raise TypeError, "not permitted class: #{obj.class.name}"
++      end
++    end
++    obj
++  end
++  private_constant :MarshalFilter
++
+ end
+-- 
+2.33.0
+
+

backport-0001-CVE-2024-35221.patch

@@ -0,0 +1,35 @@
+From c2812fb616a9a0f31bbc3906a8ec9bad9faec498 Mon Sep 17 00:00:00 2001
+From: Samuel Giddins <segiddins@segiddins.me>
+Date: Wed, 7 Feb 2024 12:26:31 -0800
+Subject: [PATCH] [rubygems/rubygems] Control whether YAML aliases are enabled
+ in Gem::SafeYAML.safe_load via a constant
+
+https://github.com/rubygems/rubygems/commit/6bedb1cb79
+
+Reference:https://github.com/ruby/ruby/commit/c2812fb616a9a0f31bbc3906a8ec9bad9faec498
+Conflict:use YAML module not Psych module.
+---
+ lib/rubygems/safe_yaml.rb | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
+index 3a1ae3b..c536a45 100644
+--- a/lib/rubygems/safe_yaml.rb
++++ b/lib/rubygems/safe_yaml.rb
+@@ -24,8 +24,11 @@ module Gem
+       runtime
+     ].freeze
+ 
++    ALIASES = true # :nodoc:
++    private_constant :ALIASES
++
+     def self.safe_load(input)
+-      ::YAML.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: true)
++      ::YAML.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: ALIASES)
+     end
+ 
+     def self.load(input)
+-- 
+2.33.0
+
+

backport-0002-CVE-2024-27281.patch

@@ -0,0 +1,66 @@
+From 60a6d74ebdbb7d585e379526e5639932fdca2904 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Tue, 20 Feb 2024 17:59:57 +0900
+Subject: [PATCH] Use safe_load and safe_load_file for .rdoc_options
+
+Reference:https://github.com/ruby/rdoc/commit/60a6d74ebdbb7d585e379526e5639932fdca2904
+Conflict:NA
+---
+ lib/rdoc/rdoc.rb               | 5 +++--
+ test/rdoc/test_rdoc_options.rb | 6 +++---
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb
+index 826451e..4da281b 100644
+--- a/lib/rdoc/rdoc.rb
++++ b/lib/rdoc/rdoc.rb
+@@ -162,11 +162,12 @@ class RDoc::RDoc
+     RDoc.load_yaml
+ 
+     begin
+-      options = YAML.load_file '.rdoc_options'
++      options = YAML.safe_load_file '.rdoc_options', permitted_classes: [RDoc::Options, Symbol]
+     rescue Psych::SyntaxError
++      raise RDoc::Error, "#{options_file} is not a valid rdoc options file"
+     end
+ 
+-    return RDoc::Options.new if options == false # Allow empty file.
++    return RDoc::Options.new unless options # Allow empty file.
+ 
+     raise RDoc::Error, "#{options_file} is not a valid rdoc options file" unless
+       RDoc::Options === options or Hash === options
+diff --git a/test/rdoc/test_rdoc_options.rb b/test/rdoc/test_rdoc_options.rb
+index 8adeced..c28f64c 100644
+--- a/test/rdoc/test_rdoc_options.rb
++++ b/test/rdoc/test_rdoc_options.rb
+@@ -145,7 +145,7 @@ class TestRDocOptions < RDoc::TestCase
+ 
+     @options.encoding = Encoding::IBM437
+ 
+-    options = YAML.load YAML.dump @options
++    options = YAML.safe_load(YAML.dump(@options), permitted_classes: [RDoc::Options, Symbol])
+ 
+     assert_equal Encoding::IBM437, options.encoding
+   end
+@@ -161,7 +161,7 @@ rdoc_include:
+ - /etc
+     YAML
+ 
+-    options = YAML.load yaml
++    options = YAML.safe_load(yaml, permitted_classes: [RDoc::Options, Symbol])
+ 
+     assert_empty options.rdoc_include
+     assert_empty options.static_path
+@@ -764,7 +764,7 @@ rdoc_include:
+ 
+       assert File.exist? '.rdoc_options'
+ 
+-      assert_equal @options, YAML.load(File.read('.rdoc_options'))
++      assert_equal @options, YAML.safe_load(File.read('.rdoc_options'), permitted_classes: [RDoc::Options, Symbol])
+     end
+   end
+ 
+-- 
+2.33.0
+
+

backport-0002-CVE-2024-35221.patch

@@ -0,0 +1,39 @@
+From 5dcc7a03267216feaa587017ef5d6d075b62f75b Mon Sep 17 00:00:00 2001
+From: Samuel Giddins <segiddins@segiddins.me>
+Date: Fri, 9 Feb 2024 10:15:40 -0800
+Subject: [PATCH] [rubygems/rubygems] Use a writer method on the module instead
+ of a constant
+
+https://github.com/rubygems/rubygems/commit/240d84eea3
+
+Reference:https://github.com/ruby/ruby/commit/5dcc7a03267216feaa587017ef5d6d075b62f75b
+Conflict:use YAML module not Psych module.
+---
+ lib/rubygems/safe_yaml.rb | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
+index c536a45..9cf7c13 100644
+--- a/lib/rubygems/safe_yaml.rb
++++ b/lib/rubygems/safe_yaml.rb
+@@ -24,11 +24,13 @@ module Gem
+       runtime
+     ].freeze
+ 
+-    ALIASES = true # :nodoc:
+-    private_constant :ALIASES
++    @aliases_enabled = true
++    def self.aliases_enabled=(value)
++      @aliases_enabled = !!value
++    end
+ 
+     def self.safe_load(input)
+-      ::YAML.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: ALIASES)
++      ::YAML.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: @aliases_enabled)
+     end
+ 
+     def self.load(input)
+-- 
+2.33.0
+
+

backport-0003-CVE-2024-27281.patch

@@ -0,0 +1,28 @@
+From a5de13bf0f0c26f8e764e82b5bf4bf8bffc7198e Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Thu, 21 Mar 2024 13:18:13 +0900
+Subject: [PATCH] Fix NoMethodError for start_with
+
+Reference:https://github.com/ruby/rdoc/commit/a5de13bf0f0c26f8e764e82b5bf4bf8bffc7198e
+Conflict:NA
+---
+ lib/rdoc/store.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/rdoc/store.rb b/lib/rdoc/store.rb
+index 5b663d7..c793e49 100644
+--- a/lib/rdoc/store.rb
++++ b/lib/rdoc/store.rb
+@@ -975,7 +975,7 @@ class RDoc::Store
+     case obj
+     when true, false, nil, Array, Class, Encoding, Hash, Integer, String, Symbol, RDoc::Text
+     else
+-      unless obj.class.name.start_with("RDoc::")
++      unless obj.class.name.start_with?("RDoc::")
+         raise TypeError, "not permitted class: #{obj.class.name}"
+       end
+     end
+-- 
+2.33.0
+
+

backport-0003-CVE-2024-35221.patch

@@ -0,0 +1,47 @@
+From 466ed0e1ace6ebf069d444d666f0db3f9224a4b9 Mon Sep 17 00:00:00 2001
+From: Samuel Giddins <segiddins@segiddins.me>
+Date: Sat, 10 Feb 2024 19:52:13 -0800
+Subject: [PATCH] [rubygems/rubygems] Add a test for safe yaml
+
+https://github.com/rubygems/rubygems/commit/148deade0a
+
+Reference:https://github.com/ruby/ruby/commit/466ed0e1ace6ebf069d444d666f0db3f9224a4b9
+Conflict:NA
+---
+ test/rubygems/test_gem_safe_yaml.rb | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+ create mode 100644 test/rubygems/test_gem_safe_yaml.rb
+
+diff --git a/test/rubygems/test_gem_safe_yaml.rb b/test/rubygems/test_gem_safe_yaml.rb
+new file mode 100644
+index 0000000000..4f7e400132
+--- /dev/null
++++ b/test/rubygems/test_gem_safe_yaml.rb
+@@ -0,0 +1,23 @@
++# frozen_string_literal: true
++
++require_relative "helper"
++
++Gem.load_yaml
++
++class TestGemSafeYAML < Gem::TestCase
++  def test_aliases_enabled_by_default
++    assert_predicate Gem::SafeYAML, :aliases_enabled?
++    assert_equal({ "a" => "a", "b" => "a" }, Gem::SafeYAML.safe_load("a: &a a\nb: *a\n"))
++  end
++
++  def test_aliases_disabled
++    aliases_enabled = Gem::SafeYAML.aliases_enabled?
++    Gem::SafeYAML.aliases_enabled = false
++    refute_predicate Gem::SafeYAML, :aliases_enabled?
++    assert_raise Psych::AliasesNotEnabled do
++      Gem::SafeYAML.safe_load("a: &a\nb: *a\n")
++    end
++  ensure
++    Gem::SafeYAML.aliases_enabled = aliases_enabled
++  end
++end
+-- 
+2.33.0
+
+

backport-0004-CVE-2024-35221.patch

@@ -0,0 +1,37 @@
+From 997470b7b697d267109571d81081453acc73a2f9 Mon Sep 17 00:00:00 2001
+From: Samuel Giddins <segiddins@segiddins.me>
+Date: Wed, 14 Feb 2024 00:50:52 -0800
+Subject: [PATCH] [rubygems/rubygems] Commit missing new method
+
+https://github.com/rubygems/rubygems/commit/5265b4ce3d
+
+Reference:https://github.com/ruby/ruby/commit/997470b7b697d267109571d81081453acc73a2f9
+Conflict:NA
+---
+ lib/rubygems/safe_yaml.rb | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
+index 9cf7c13..5f710b4 100644
+--- a/lib/rubygems/safe_yaml.rb
++++ b/lib/rubygems/safe_yaml.rb
+@@ -25,10 +25,14 @@ module Gem
+     ].freeze
+ 
+     @aliases_enabled = true
+-    def self.aliases_enabled=(value)
++    def self.aliases_enabled=(value) # :nodoc:
+       @aliases_enabled = !!value
+     end
+ 
++    def self.aliases_enabled? # :nodoc:
++      @aliases_enabled
++    end
++
+     def self.safe_load(input)
+       ::YAML.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: @aliases_enabled)
+     end
+-- 
+2.33.0
+
+

backport-0005-CVE-2024-35221.patch

@@ -0,0 +1,32 @@
+From 8bc51a393acfb5af4e446799e51f73e61b0cfc8e Mon Sep 17 00:00:00 2001
+From: Samuel Giddins <segiddins@segiddins.me>
+Date: Tue, 20 Feb 2024 11:03:28 -0800
+Subject: [PATCH] [rubygems/rubygems] Check for correct exception on older
+ psych versions
+
+https://github.com/rubygems/rubygems/commit/52de6eccf5
+
+Reference:https://github.com/ruby/ruby/commit/8bc51a393acfb5af4e446799e51f73e61b0cfc8e
+Conflict:NA
+---
+ test/rubygems/test_gem_safe_yaml.rb | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/test/rubygems/test_gem_safe_yaml.rb b/test/rubygems/test_gem_safe_yaml.rb
+index 4f7e400132..02df9f97da 100644
+--- a/test/rubygems/test_gem_safe_yaml.rb
++++ b/test/rubygems/test_gem_safe_yaml.rb
+@@ -14,7 +14,8 @@ def test_aliases_disabled
+     aliases_enabled = Gem::SafeYAML.aliases_enabled?
+     Gem::SafeYAML.aliases_enabled = false
+     refute_predicate Gem::SafeYAML, :aliases_enabled?
+-    assert_raise Psych::AliasesNotEnabled do
++    expected_error = defined?(Psych::AliasesNotEnabled) ? Psych::AliasesNotEnabled : Psych::BadAlias
++    assert_raise expected_error do
+       Gem::SafeYAML.safe_load("a: &a\nb: *a\n")
+     end
+   ensure
+-- 
+2.33.0
+
+

backport-CVE-2023-36617.patch

@@ -0,0 +1,106 @@
+From 616926b55e306a0704254a7ddfd6e9834d06c7f2 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Thu, 29 Jun 2023 22:25:17 +0900
+Subject: [PATCH] CVE-2023-36617 for Ruby 3.0 (#7997)
+
+* Merge URI-0.10.3
+
+* Merge URI-0.10.0.3 for Bundler
+---
+ .../vendor/uri/lib/uri/rfc2396_parser.rb      |  4 ++--
+ .../vendor/uri/lib/uri/rfc3986_parser.rb      |  2 +-
+ lib/uri/rfc2396_parser.rb                     |  4 ++--
+ lib/uri/rfc3986_parser.rb                     |  2 +-
+ test/uri/test_parser.rb                       | 22 +++++++++++++++++++
+ 5 files changed, 28 insertions(+), 6 deletions(-)
+
+diff --git a/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb b/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb
+index a0d62ed..7634e16 100644
+--- a/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb
++++ b/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb
+@@ -504,8 +504,8 @@ module Bundler::URI
+       ret = {}
+ 
+       # for Bundler::URI::split
+-      ret[:ABS_URI] = Regexp.new('\A\s*' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
+-      ret[:REL_URI] = Regexp.new('\A\s*' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
++      ret[:ABS_URI] = Regexp.new('\A\s*+' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
++      ret[:REL_URI] = Regexp.new('\A\s*+' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
+ 
+       # for Bundler::URI::extract
+       ret[:URI_REF]     = Regexp.new(pattern[:URI_REF])
+diff --git a/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb b/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb
+index 07ef439..34093df 100644
+--- a/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb
++++ b/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb
+@@ -106,7 +106,7 @@ module Bundler::URI
+         QUERY: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
+         FRAGMENT: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
+         OPAQUE: /\A(?:[^\/].*)?\z/,
+-        PORT: /\A[\x09\x0a\x0c\x0d ]*\d*[\x09\x0a\x0c\x0d ]*\z/,
++        PORT: /\A[\x09\x0a\x0c\x0d ]*+\d*[\x09\x0a\x0c\x0d ]*\z/,
+       }
+     end
+ 
+diff --git a/lib/uri/rfc2396_parser.rb b/lib/uri/rfc2396_parser.rb
+index c719aa0..253c54b 100644
+--- a/lib/uri/rfc2396_parser.rb
++++ b/lib/uri/rfc2396_parser.rb
+@@ -491,8 +491,8 @@ module URI
+       ret = {}
+ 
+       # for URI::split
+-      ret[:ABS_URI] = Regexp.new('\A\s*' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
+-      ret[:REL_URI] = Regexp.new('\A\s*' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
++      ret[:ABS_URI] = Regexp.new('\A\s*+' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
++      ret[:REL_URI] = Regexp.new('\A\s*+' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
+ 
+       # for URI::extract
+       ret[:URI_REF]     = Regexp.new(pattern[:URI_REF])
+diff --git a/lib/uri/rfc3986_parser.rb b/lib/uri/rfc3986_parser.rb
+index 145d845..5a9e44e 100644
+--- a/lib/uri/rfc3986_parser.rb
++++ b/lib/uri/rfc3986_parser.rb
+@@ -95,7 +95,7 @@ module URI
+         QUERY: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
+         FRAGMENT: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
+         OPAQUE: /\A(?:[^\/].*)?\z/,
+-        PORT: /\A[\x09\x0a\x0c\x0d ]*\d*[\x09\x0a\x0c\x0d ]*\z/,
++        PORT: /\A[\x09\x0a\x0c\x0d ]*+\d*[\x09\x0a\x0c\x0d ]*\z/,
+       }
+     end
+ 
+diff --git a/test/uri/test_parser.rb b/test/uri/test_parser.rb
+index 37e7107..e2f50cf 100644
+--- a/test/uri/test_parser.rb
++++ b/test/uri/test_parser.rb
+@@ -65,4 +65,26 @@ class URI::TestParser < Test::Unit::TestCase
+     assert_equal([nil, nil, "example.com", nil, nil, "", nil, nil, nil], URI.split("//example.com"))
+     assert_equal([nil, nil, "[0::0]", nil, nil, "", nil, nil, nil], URI.split("//[0::0]"))
+   end
++
++  def test_rfc2822_parse_relative_uri
++    pre = ->(length) {
++      " " * length + "\0"
++    }
++    parser = URI::RFC2396_Parser.new
++    assert_linear_performance((1..5).map {|i| 10**i}, pre: pre) do |uri|
++      assert_raise(URI::InvalidURIError) do
++        parser.split(uri)
++      end
++    end
++  end
++
++  def test_rfc3986_port_check
++    pre = ->(length) {"\t" * length + "a"}
++    uri = URI.parse("http://my.example.com")
++    assert_linear_performance((1..5).map {|i| 10**i}, pre: pre) do |port|
++      assert_raise(URI::InvalidComponentError) do
++        uri.port = port
++      end
++    end
++  end
+ end
+-- 
+2.27.0
+

backport-CVE-2024-27280.patch

@@ -0,0 +1,86 @@
+From a35268a3ac1b5f0058e5b7c1a041a7e86d9da067 Mon Sep 17 00:00:00 2001
+From: Nobuyoshi Nakada <nobu@ruby-lang.org>
+Date: Tue, 16 Nov 2021 17:39:32 +0900
+Subject: [PATCH] Fix expanding size at ungetc/ungetbyte
+
+Reference:https://github.com/ruby/stringio/commit/a35268a3ac1b5f0058e5b7c1a041a7e86d9da067
+Conflict:NA
+---
+ ext/stringio/stringio.c        |  2 +-
+ test/stringio/test_stringio.rb | 25 +++++++++++++++++++++----
+ 2 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/ext/stringio/stringio.c b/ext/stringio/stringio.c
+index 8df07e8..d1e0473 100644
+--- a/ext/stringio/stringio.c
++++ b/ext/stringio/stringio.c
+@@ -984,7 +984,7 @@ strio_unget_bytes(struct StringIO *ptr, const char *cp, long cl)
+     len = RSTRING_LEN(str);
+     rest = pos - len;
+     if (cl > pos) {
+-	long ex = (rest < 0 ? cl-pos : cl+rest);
++	long ex = cl - (rest < 0 ? pos : len);
+ 	rb_str_modify_expand(str, ex);
+ 	rb_str_set_len(str, len + ex);
+ 	s = RSTRING_PTR(str);
+diff --git a/test/stringio/test_stringio.rb b/test/stringio/test_stringio.rb
+index e0b4504..144a9f4 100644
+--- a/test/stringio/test_stringio.rb
++++ b/test/stringio/test_stringio.rb
+@@ -757,6 +757,15 @@ class TestStringIO < Test::Unit::TestCase
+     assert_equal("b""\0""a", s.string)
+   end
+ 
++  def test_ungetc_fill
++    count = 100
++    s = StringIO.new
++    s.print 'a' * count
++    s.ungetc('b' * (count * 5))
++    assert_equal((count * 5), s.string.size)
++    assert_match(/\Ab+\z/, s.string)
++  end
++
+   def test_ungetbyte_pos
+     b = '\\b00010001 \\B00010001 \\b1 \\B1 \\b000100011'
+     s = StringIO.new( b )
+@@ -782,6 +791,15 @@ class TestStringIO < Test::Unit::TestCase
+     assert_equal("b""\0""a", s.string)
+   end
+ 
++  def test_ungetbyte_fill
++    count = 100
++    s = StringIO.new
++    s.print 'a' * count
++    s.ungetbyte('b' * (count * 5))
++    assert_equal((count * 5), s.string.size)
++    assert_match(/\Ab+\z/, s.string)
++  end
++
+   def test_frozen
+     s = StringIO.new
+     s.freeze
+@@ -825,18 +843,17 @@ class TestStringIO < Test::Unit::TestCase
+   end
+ 
+   def test_overflow
+-    omit if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"]
++    return if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"]
+     limit = RbConfig::LIMITS["INTPTR_MAX"] - 0x10
+     assert_separately(%w[-rstringio], "#{<<-"begin;"}\n#{<<-"end;"}")
+     begin;
+       limit = #{limit}
+       ary = []
+-      while true
++      begin
+         x = "a"*0x100000
+         break if [x].pack("p").unpack("i!")[0] < 0
+         ary << x
+-        omit if ary.size > 100
+-      end
++      end while ary.size <= 100
+       s = StringIO.new(x)
+       s.gets("xxx", limit)
+       assert_equal(0x100000, s.pos)
+-- 
+2.27.0
+

backport-CVE-2024-27282.patch

@@ -0,0 +1,31 @@
+From 989a2355808a63fc45367785c82ffd46d18c900a Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Fri, 12 Apr 2024 15:01:47 +1000
+Subject: [PATCH] Fix Use-After-Free issue for Regexp
+
+Co-authored-by: Isaac Peka <7493006+isaac-peka@users.noreply.github.com>
+
+
+Reference:https://github.com/ruby/rdoc/commit/989a2355808a63fc45367785c82ffd46d18c900a
+Conflict:NA
+---
+ regexec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/regexec.c b/regexec.c
+index 73694ab14a..140691ad42 100644
+--- a/regexec.c
++++ b/regexec.c
+@@ -3449,8 +3449,8 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
+     CASE(OP_MEMORY_END_PUSH_REC)  MOP_IN(OP_MEMORY_END_PUSH_REC);
+       GET_MEMNUM_INC(mem, p);
+       STACK_GET_MEM_START(mem, stkp); /* should be before push mem-end. */
+-      STACK_PUSH_MEM_END(mem, s);
+       mem_start_stk[mem] = GET_STACK_INDEX(stkp);
++      STACK_PUSH_MEM_END(mem, s);
+       MOP_OUT;
+       JUMP;
+ 
+-- 
+2.33.0
+

backport-Dump-plain-objects-as-RDoc-Options.patch

@@ -0,0 +1,320 @@
+From 6cf6e1647b97256ad7f6f20e5d32fd0a0fe042d1 Mon Sep 17 00:00:00 2001
+From: Nobuyoshi Nakada <nobu@ruby-lang.org>
+Date: Wed, 15 Sep 2021 17:26:14 +0900
+Subject: [PATCH] Dump plain objects as `RDoc::Options`
+
+So that the generated `.rdoc_options` file is loadable.
+
+Reference:https://github.com/ruby/rdoc/commit/6cf6e164
+---
+ lib/rdoc/options.rb            | 39 ++++++++++++++++++---------------
+ lib/rdoc/rdoc.rb               |  2 +-
+ test/rdoc/test_rdoc_options.rb | 40 +++++++++++++++++++++++-----------
+ test/rdoc/test_rdoc_rdoc.rb    | 11 +++++++++-
+ 4 files changed, 59 insertions(+), 33 deletions(-)
+
+diff --git a/lib/rdoc/options.rb b/lib/rdoc/options.rb
+index dadb694..a78116f 100644
+--- a/lib/rdoc/options.rb
++++ b/lib/rdoc/options.rb
+@@ -106,6 +106,7 @@ class RDoc::Options
+     generator_options
+     generators
+     op_dir
++    page_dir
+     option_parser
+     pipe
+     rdoc_include
+@@ -434,6 +435,7 @@ class RDoc::Options
+     @main_page      = map['main_page']      if map.has_key?('main_page')
+     @markup         = map['markup']         if map.has_key?('markup')
+     @op_dir         = map['op_dir']         if map.has_key?('op_dir')
++    @page_dir       = map['page_dir']       if map.has_key?('page_dir')
+     @show_hash      = map['show_hash']      if map.has_key?('show_hash')
+     @tab_width      = map['tab_width']      if map.has_key?('tab_width')
+     @template_dir   = map['template_dir']   if map.has_key?('template_dir')
+@@ -513,19 +515,22 @@ class RDoc::Options
+   ##
+   # For dumping YAML
+ 
+-  def encode_with coder # :nodoc:
++  def to_yaml(*options) # :nodoc:
+     encoding = @encoding ? @encoding.name : nil
+ 
+-    coder.add 'encoding', encoding
+-    coder.add 'static_path',  sanitize_path(@static_path)
+-    coder.add 'rdoc_include', sanitize_path(@rdoc_include)
++    yaml = {}
++    yaml['encoding'] = encoding
++    yaml['static_path'] = sanitize_path(@static_path)
++    yaml['rdoc_include'] = sanitize_path(@rdoc_include)
++    yaml['page_dir'] = (sanitize_path([@page_dir]).first if @page_dir)
+ 
+     ivars = instance_variables.map { |ivar| ivar.to_s[1..-1] }
+     ivars -= SPECIAL
+ 
+     ivars.sort.each do |ivar|
+-      coder.add ivar, instance_variable_get("@#{ivar}")
++      yaml[ivar] = instance_variable_get("@#{ivar}")
+     end
++    yaml.to_yaml
+   end
+ 
+   ##
+@@ -548,6 +553,11 @@ class RDoc::Options
+   # #template.
+ 
+   def finish
++    if @write_options then
++      write_options
++      exit
++    end
++
+     @op_dir ||= 'doc'
+ 
+     @rdoc_include << "." if @rdoc_include.empty?
+@@ -585,14 +595,14 @@ class RDoc::Options
+   def finish_page_dir
+     return unless @page_dir
+ 
+-    @files << @page_dir.to_s
++    @files << @page_dir
+ 
+-    page_dir = nil
++    page_dir = Pathname(@page_dir)
+     begin
+-      page_dir = @page_dir.expand_path.relative_path_from @root
++      page_dir = page_dir.expand_path.relative_path_from @root
+     rescue ArgumentError
+       # On Windows, sometimes crosses different drive letters.
+-      page_dir = @page_dir.expand_path
++      page_dir = page_dir.expand_path
+     end
+ 
+     @page_dir = page_dir
+@@ -847,7 +857,7 @@ Usage: #{opt.program_name} [options] [names...]
+              "such files at your project root.",
+              "NOTE: Do not use the same file name in",
+              "the page dir and the root of your project") do |page_dir|
+-        @page_dir = Pathname(page_dir)
++        @page_dir = page_dir
+       end
+ 
+       opt.separator nil
+@@ -1159,13 +1169,6 @@ Usage: #{opt.program_name} [options] [names...]
+ 
+     @files = argv.dup
+ 
+-    finish
+-
+-    if @write_options then
+-      write_options
+-      exit
+-    end
+-
+     self
+   end
+ 
+@@ -1278,7 +1281,7 @@ Usage: #{opt.program_name} [options] [names...]
+     File.open '.rdoc_options', 'w' do |io|
+       io.set_encoding Encoding::UTF_8
+ 
+-      YAML.dump self, io
++      io.print to_yaml
+     end
+   end
+ 
+diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb
+index 6c69553..91eb861 100644
+--- a/lib/rdoc/rdoc.rb
++++ b/lib/rdoc/rdoc.rb
+@@ -469,11 +469,11 @@ The internal error was:
+ 
+     if RDoc::Options === options then
+       @options = options
+-      @options.finish
+     else
+       @options = load_options
+       @options.parse options
+     end
++    @options.finish
+ 
+     if @options.pipe then
+       handle_pipe
+diff --git a/test/rdoc/test_rdoc_options.rb b/test/rdoc/test_rdoc_options.rb
+index c28f64c..5a34a97 100644
+--- a/test/rdoc/test_rdoc_options.rb
++++ b/test/rdoc/test_rdoc_options.rb
+@@ -55,11 +55,8 @@ class TestRDocOptions < RDoc::TestCase
+     refute @options.dry_run
+   end
+ 
+-  def test_encode_with
+-    coder = {}
+-    class << coder; alias add []=; end
+-
+-    @options.encode_with coder
++  def test_to_yaml
++    coder = YAML.load(@options.to_yaml)
+ 
+     encoding = 'UTF-8'
+ 
+@@ -89,10 +86,9 @@ class TestRDocOptions < RDoc::TestCase
+     assert_equal expected, coder
+   end
+ 
+-  def test_encode_with_trim_paths
++  def test_to_yaml_trim_paths
+     subdir = nil
+-    coder = {}
+-    class << coder; alias add []=; end
++    coder = nil
+ 
+     temp_dir do |dir|
+       FileUtils.mkdir 'project'
+@@ -113,7 +109,7 @@ class TestRDocOptions < RDoc::TestCase
+           --include /
+         ]
+ 
+-        @options.encode_with coder
++        coder = YAML.load(@options.to_yaml)
+       end
+     end
+ 
+@@ -145,7 +141,9 @@ class TestRDocOptions < RDoc::TestCase
+ 
+     @options.encoding = Encoding::IBM437
+ 
+-    options = YAML.safe_load(YAML.dump(@options), permitted_classes: [RDoc::Options, Symbol])
++    options = @options.to_yaml
++    options = YAML.safe_load(options, permitted_classes: [Symbol])
++    options = RDoc::Options.new(options)
+ 
+     assert_equal Encoding::IBM437, options.encoding
+   end
+@@ -154,14 +152,15 @@ class TestRDocOptions < RDoc::TestCase
+     RDoc.load_yaml
+ 
+     yaml = <<-YAML
+---- !ruby/object:RDoc::Options
++---
+ static_path:
+ - /etc
+ rdoc_include:
+ - /etc
+     YAML
+ 
+-    options = YAML.safe_load(yaml, permitted_classes: [RDoc::Options, Symbol])
++    options = YAML.safe_load(yaml, permitted_classes: [Symbol])
++    options = RDoc::Options.new(options)
+ 
+     assert_empty options.rdoc_include
+     assert_empty options.static_path
+@@ -243,6 +242,7 @@ rdoc_include:
+ 
+   def test_parse_default
+     @options.parse []
++    @options.finish
+ 
+     assert_equal RDoc::Generator::Darkfish,             @options.generator
+     assert_equal 'darkfish',                            @options.template
+@@ -502,6 +502,7 @@ rdoc_include:
+ 
+     out, err = capture_output do
+       @options.parse %W[--page-dir #{Dir.tmpdir}]
++      @options.finish
+     end
+ 
+     assert_empty out
+@@ -530,6 +531,7 @@ rdoc_include:
+ 
+       out, err = capture_output do
+         @options.parse %W[--page-dir #{abs_page_dir} --root #{abs_root}]
++        @options.finish
+       end
+ 
+       assert_empty out
+@@ -558,6 +560,8 @@ rdoc_include:
+     assert_empty err
+ 
+     assert_equal Pathname(Dir.tmpdir), @options.root
++
++    @options.finish
+     assert_includes @options.rdoc_include, @options.root.to_s
+   end
+ 
+@@ -602,6 +606,7 @@ rdoc_include:
+     assert_empty out
+     assert_equal "could not find template NONEXISTENT\n", err
+ 
++    @options.finish
+     assert_equal 'darkfish', @options.template
+     assert_match %r%rdoc/generator/template/darkfish$%, @options.template_dir
+   end
+@@ -668,6 +673,7 @@ rdoc_include:
+     Dir.chdir tmpdir do
+       e = assert_raise SystemExit do
+         @options.parse %w[--write-options]
++        @options.finish
+       end
+ 
+       assert_equal 0, e.status
+@@ -764,7 +770,9 @@ rdoc_include:
+ 
+       assert File.exist? '.rdoc_options'
+ 
+-      assert_equal @options, YAML.safe_load(File.read('.rdoc_options'), permitted_classes: [RDoc::Options, Symbol])
++      options = File.read('.rdoc_options')
++      options = YAML.safe_load(options, permitted_classes: [Symbol])
++      assert_equal @options, RDoc::Options.new(options)
+     end
+   end
+ 
+@@ -792,4 +800,10 @@ rdoc_include:
+     @options.visibility = :all
+     assert_equal :private, @options.visibility
+   end
++
++  class DummyCoder < Hash
++    alias add :[]=
++    def tag=(tag)
++    end
++  end
+ end
+diff --git a/test/rdoc/test_rdoc_rdoc.rb b/test/rdoc/test_rdoc_rdoc.rb
+index 7b84bb6..940934f 100644
+--- a/test/rdoc/test_rdoc_rdoc.rb
++++ b/test/rdoc/test_rdoc_rdoc.rb
+@@ -147,12 +147,20 @@ class TestRDocRDoc < RDoc::TestCase
+   def test_load_options_partial_override
+     temp_dir do
+       File.open '.rdoc_options', 'w' do |io|
+-        io.write "markup: Markdown"
++        io.puts "markup: Markdown"
++        io.puts "encoding: iso-8859-1"
++        io.puts "static_path: [static]"
++        io.puts "rdoc_include: [.]"
++        io.puts "page_dir: pages"
+       end
+ 
+       options = @rdoc.load_options
+ 
+       assert_equal 'Markdown', options.markup
++      assert_equal Encoding::ISO_8859_1, options.encoding
++      assert_equal ["static"], options.static_path
++      assert_equal ["."], options.rdoc_include
++      assert_equal "pages", options.page_dir
+     end
+   end
+ 
+@@ -312,6 +320,7 @@ class TestRDocRDoc < RDoc::TestCase
+     top_level = nil
+     temp_dir do |dir|
+       @rdoc.options.parse %W[--root #{test_path}]
++      @rdoc.options.finish
+ 
+       File.open 'include.txt', 'w' do |io|
+         io.puts ':include: test.txt'
+-- 
+2.27.0
+

backport-rubygems-rubygems-Drop-to-support-Psych-3.0-bundled-.patch

@@ -0,0 +1,62 @@
+From 3926ad578c312ddd2ff5221b96ef077b9e24e612 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Thu, 9 Mar 2023 15:42:07 +0900
+Subject: [PATCH] [rubygems/rubygems] Drop to support Psych 3.0 bundled at Ruby
+ 2.5
+
+https://github.com/rubygems/rubygems/commit/a6650c2c96
+
+Reference:https://github.com/ruby/ruby/commit/3926ad578c312ddd2ff5221b96ef077b9e24e612
+Conflict:use YAML module not Psych module.
+---
+ lib/rubygems/safe_yaml.rb | 32 +++++---------------------------
+ 1 file changed, 5 insertions(+), 27 deletions(-)
+
+diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
+index e905052..702d3c7 100644
+--- a/lib/rubygems/safe_yaml.rb
++++ b/lib/rubygems/safe_yaml.rb
+@@ -24,34 +24,12 @@ module Gem
+       runtime
+     ].freeze
+ 
+-    if ::YAML.respond_to? :safe_load
+-      def self.safe_load(input)
+-        if Gem::Version.new(Psych::VERSION) >= Gem::Version.new('3.1.0.pre1')
+-          ::YAML.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: true)
+-        else
+-          ::YAML.safe_load(input, PERMITTED_CLASSES, PERMITTED_SYMBOLS, true)
+-        end
+-      end
+-
+-      def self.load(input)
+-        if Gem::Version.new(Psych::VERSION) >= Gem::Version.new('3.1.0.pre1')
+-          ::YAML.safe_load(input, permitted_classes: [::Symbol])
+-        else
+-          ::YAML.safe_load(input, [::Symbol])
+-        end
+-      end
+-    else
+-      unless Gem::Deprecate.skip
+-        warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)."
+-      end
+-
+-      def self.safe_load(input, *args)
+-        ::YAML.load input
+-      end
++    def self.safe_load(input)
++      ::YAML.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: true)
++    end
+ 
+-      def self.load(input)
+-        ::YAML.load input
+-      end
++    def self.load(input)
++      ::YAML.safe_load(input, permitted_classes: [::Symbol])
+     end
+   end
+ end
+-- 
+2.33.0
+
+

ruby.spec

@@ -33,7 +33,7 @@
 
 Name:      ruby
 Version:   %{ruby_version}
-Release:   130
+Release:   135
 Summary:   Object-oriented scripting language interpreter
 License:   (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD
 URL:       https://www.ruby-lang.org/en/
@@ -187,6 +187,19 @@ Patch6015: backport-0002-CVE-2023-28755.patch
 Patch6016: backport-0001-CVE-2023-28756.patch
 Patch6017: backport-0002-CVE-2023-28756.patch
 Patch6018: backport-0003-CVE-2023-28756.patch
+Patch6019: backport-CVE-2023-36617.patch
+Patch6020: backport-CVE-2024-27280.patch
+Patch6021: backport-0001-CVE-2024-27281.patch
+Patch6022: backport-0002-CVE-2024-27281.patch
+Patch6023: backport-0003-CVE-2024-27281.patch
+Patch6024: backport-CVE-2024-27282.patch
+Patch6025: backport-Dump-plain-objects-as-RDoc-Options.patch
+Patch6026: backport-rubygems-rubygems-Drop-to-support-Psych-3.0-bundled-.patch
+Patch6027: backport-0001-CVE-2024-35221.patch
+Patch6028: backport-0002-CVE-2024-35221.patch
+Patch6029: backport-0003-CVE-2024-35221.patch
+Patch6030: backport-0004-CVE-2024-35221.patch
+Patch6031: backport-0005-CVE-2024-35221.patch
 
 Provides:  %{name}-libs = %{version}-%{release}
 Obsoletes: %{name}-libs < %{version}-%{release}
@@ -1185,6 +1198,21 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13}
 %doc %{gem_dir}/gems/typeprof-%{typeprof_version}/testbed
 
 %changelog
+* Tue Jun 18 2024 shixuantong <shixuantong1@huawei.com> - 3.0.3-135
+- fix CVE-2024-35221
+
+* Mon May 27 2024 shixuantong <shixuantong1@huawei.com> - 3.0.3-134
+- Dump plain objects as RDoc::Options so that the generated .rdoc_options file is loadable
+
+* Mon May 6 2024 zhoupengcheng11 <zhoupengcheng11@huawei.com> - 3.0.3-133
+- fix CVE-2024-27282
+
+* Tue Mar 26 2024 shixuantong <shixuantong1@huawei.com> - 3.0.3-132
+- fix CVE-2024-27280 and CVE-2024-27281
+
+* Sat Jul 08 2023 shixuantong <shixuantong1@huawei.com> - 3.0.3-131
+- fix CVE-2023-36617
+
 * Fri Jun 02 2023 shixuantong <shixuantong1@huawei.com> - 3.0.3-130
 - remove rubygem-power_assert