
No commits in common. "b51192135605d5a8b416b3a4f3f9c5133492384e" and "a6c81a2e1c541fe92c0d48b381400cb69c30b85a" have entirely different histories.

14 changed files with 1 additions and 1015 deletions


@ -1,97 +0,0 @@
From 32ff6ba0bebd8ea26f569da5fd23be2937f6a644 Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
Date: Tue, 20 Feb 2024 17:30:25 +0900
Subject: [PATCH] Filter marshaled objects
Reference:https://github.com/ruby/rdoc/commit/32ff6ba0bebd8ea26f569da5fd23be2937f6a644
Conflict:NA
---
lib/rdoc/store.rb | 45 ++++++++++++++++++++++++++-------------------
1 file changed, 26 insertions(+), 19 deletions(-)
diff --git a/lib/rdoc/store.rb b/lib/rdoc/store.rb
index 5ba671c..5b663d7 100644
--- a/lib/rdoc/store.rb
+++ b/lib/rdoc/store.rb
@@ -556,9 +556,7 @@ class RDoc::Store
def load_cache
#orig_enc = @encoding
- File.open cache_path, 'rb' do |io|
- @cache = Marshal.load io.read
- end
+ @cache = marshal_load(cache_path)
load_enc = @cache[:encoding]
@@ -615,9 +613,7 @@ class RDoc::Store
def load_class_data klass_name
file = class_file klass_name
- File.open file, 'rb' do |io|
- Marshal.load io.read
- end
+ marshal_load(file)
rescue Errno::ENOENT => e
error = MissingFileError.new(self, file, klass_name)
error.set_backtrace e.backtrace
@@ -630,14 +626,10 @@ class RDoc::Store
def load_method klass_name, method_name
file = method_file klass_name, method_name
- File.open file, 'rb' do |io|
- obj = Marshal.load io.read
- obj.store = self
- obj.parent =
- find_class_or_module(klass_name) || load_class(klass_name) unless
- obj.parent
- obj
- end
+ obj = marshal_load(file)
+ obj.store = self
+ obj.parent ||= find_class_or_module(klass_name) || load_class(klass_name)
+ obj
rescue Errno::ENOENT => e
error = MissingFileError.new(self, file, klass_name + method_name)
error.set_backtrace e.backtrace
@@ -650,11 +642,9 @@ class RDoc::Store
def load_page page_name
file = page_file page_name
- File.open file, 'rb' do |io|
- obj = Marshal.load io.read
- obj.store = self
- obj
- end
+ obj = marshal_load(file)
+ obj.store = self
+ obj
rescue Errno::ENOENT => e
error = MissingFileError.new(self, file, page_name)
error.set_backtrace e.backtrace
@@ -976,4 +966,21 @@ class RDoc::Store
@unique_modules
end
+ private
+ def marshal_load(file)
+ File.open(file, 'rb') {|io| Marshal.load(io, MarshalFilter)}
+ end
+
+ MarshalFilter = proc do |obj|
+ case obj
+ when true, false, nil, Array, Class, Encoding, Hash, Integer, String, Symbol, RDoc::Text
+ else
+ unless obj.class.name.start_with("RDoc::")
+ raise TypeError, "not permitted class: #{obj.class.name}"
+ end
+ end
+ obj
+ end
+ private_constant :MarshalFilter
+
end
--
2.33.0


@ -1,35 +0,0 @@
From c2812fb616a9a0f31bbc3906a8ec9bad9faec498 Mon Sep 17 00:00:00 2001
From: Samuel Giddins <segiddins@segiddins.me>
Date: Wed, 7 Feb 2024 12:26:31 -0800
Subject: [PATCH] [rubygems/rubygems] Control whether YAML aliases are enabled
in Gem::SafeYAML.safe_load via a constant
https://github.com/rubygems/rubygems/commit/6bedb1cb79
Reference:https://github.com/ruby/ruby/commit/c2812fb616a9a0f31bbc3906a8ec9bad9faec498
Conflict:use YAML module not Psych module.
---
lib/rubygems/safe_yaml.rb | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
index 3a1ae3b..c536a45 100644
--- a/lib/rubygems/safe_yaml.rb
+++ b/lib/rubygems/safe_yaml.rb
@@ -24,8 +24,11 @@ module Gem
runtime
].freeze
+ ALIASES = true # :nodoc:
+ private_constant :ALIASES
+
def self.safe_load(input)
- ::YAML.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: true)
+ ::YAML.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: ALIASES)
end
def self.load(input)
--
2.33.0


@ -1,66 +0,0 @@
From 60a6d74ebdbb7d585e379526e5639932fdca2904 Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
Date: Tue, 20 Feb 2024 17:59:57 +0900
Subject: [PATCH] Use safe_load and safe_load_file for .rdoc_options
Reference:https://github.com/ruby/rdoc/commit/60a6d74ebdbb7d585e379526e5639932fdca2904
Conflict:NA
---
lib/rdoc/rdoc.rb | 5 +++--
test/rdoc/test_rdoc_options.rb | 6 +++---
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb
index 826451e..4da281b 100644
--- a/lib/rdoc/rdoc.rb
+++ b/lib/rdoc/rdoc.rb
@@ -162,11 +162,12 @@ class RDoc::RDoc
RDoc.load_yaml
begin
- options = YAML.load_file '.rdoc_options'
+ options = YAML.safe_load_file '.rdoc_options', permitted_classes: [RDoc::Options, Symbol]
rescue Psych::SyntaxError
+ raise RDoc::Error, "#{options_file} is not a valid rdoc options file"
end
- return RDoc::Options.new if options == false # Allow empty file.
+ return RDoc::Options.new unless options # Allow empty file.
raise RDoc::Error, "#{options_file} is not a valid rdoc options file" unless
RDoc::Options === options or Hash === options
diff --git a/test/rdoc/test_rdoc_options.rb b/test/rdoc/test_rdoc_options.rb
index 8adeced..c28f64c 100644
--- a/test/rdoc/test_rdoc_options.rb
+++ b/test/rdoc/test_rdoc_options.rb
@@ -145,7 +145,7 @@ class TestRDocOptions < RDoc::TestCase
@options.encoding = Encoding::IBM437
- options = YAML.load YAML.dump @options
+ options = YAML.safe_load(YAML.dump(@options), permitted_classes: [RDoc::Options, Symbol])
assert_equal Encoding::IBM437, options.encoding
end
@@ -161,7 +161,7 @@ rdoc_include:
- /etc
YAML
- options = YAML.load yaml
+ options = YAML.safe_load(yaml, permitted_classes: [RDoc::Options, Symbol])
assert_empty options.rdoc_include
assert_empty options.static_path
@@ -764,7 +764,7 @@ rdoc_include:
assert File.exist? '.rdoc_options'
- assert_equal @options, YAML.load(File.read('.rdoc_options'))
+ assert_equal @options, YAML.safe_load(File.read('.rdoc_options'), permitted_classes: [RDoc::Options, Symbol])
end
end
--
2.33.0


@ -1,39 +0,0 @@
From 5dcc7a03267216feaa587017ef5d6d075b62f75b Mon Sep 17 00:00:00 2001
From: Samuel Giddins <segiddins@segiddins.me>
Date: Fri, 9 Feb 2024 10:15:40 -0800
Subject: [PATCH] [rubygems/rubygems] Use a writer method on the module instead
of a constant
https://github.com/rubygems/rubygems/commit/240d84eea3
Reference:https://github.com/ruby/ruby/commit/5dcc7a03267216feaa587017ef5d6d075b62f75b
Conflict:use YAML module not Psych module.
---
lib/rubygems/safe_yaml.rb | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
index c536a45..9cf7c13 100644
--- a/lib/rubygems/safe_yaml.rb
+++ b/lib/rubygems/safe_yaml.rb
@@ -24,11 +24,13 @@ module Gem
runtime
].freeze
- ALIASES = true # :nodoc:
- private_constant :ALIASES
+ @aliases_enabled = true
+ def self.aliases_enabled=(value)
+ @aliases_enabled = !!value
+ end
def self.safe_load(input)
- ::YAML.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: ALIASES)
+ ::YAML.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: @aliases_enabled)
end
def self.load(input)
--
2.33.0


@ -1,28 +0,0 @@
From a5de13bf0f0c26f8e764e82b5bf4bf8bffc7198e Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
Date: Thu, 21 Mar 2024 13:18:13 +0900
Subject: [PATCH] Fix NoMethodError for start_with
Reference:https://github.com/ruby/rdoc/commit/a5de13bf0f0c26f8e764e82b5bf4bf8bffc7198e
Conflict:NA
---
lib/rdoc/store.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/rdoc/store.rb b/lib/rdoc/store.rb
index 5b663d7..c793e49 100644
--- a/lib/rdoc/store.rb
+++ b/lib/rdoc/store.rb
@@ -975,7 +975,7 @@ class RDoc::Store
case obj
when true, false, nil, Array, Class, Encoding, Hash, Integer, String, Symbol, RDoc::Text
else
- unless obj.class.name.start_with("RDoc::")
+ unless obj.class.name.start_with?("RDoc::")
raise TypeError, "not permitted class: #{obj.class.name}"
end
end
--
2.33.0


@ -1,47 +0,0 @@
From 466ed0e1ace6ebf069d444d666f0db3f9224a4b9 Mon Sep 17 00:00:00 2001
From: Samuel Giddins <segiddins@segiddins.me>
Date: Sat, 10 Feb 2024 19:52:13 -0800
Subject: [PATCH] [rubygems/rubygems] Add a test for safe yaml
https://github.com/rubygems/rubygems/commit/148deade0a
Reference:https://github.com/ruby/ruby/commit/466ed0e1ace6ebf069d444d666f0db3f9224a4b9
Conflict:NA
---
test/rubygems/test_gem_safe_yaml.rb | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 test/rubygems/test_gem_safe_yaml.rb
diff --git a/test/rubygems/test_gem_safe_yaml.rb b/test/rubygems/test_gem_safe_yaml.rb
new file mode 100644
index 0000000000..4f7e400132
--- /dev/null
+++ b/test/rubygems/test_gem_safe_yaml.rb
@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require_relative "helper"
+
+Gem.load_yaml
+
+class TestGemSafeYAML < Gem::TestCase
+ def test_aliases_enabled_by_default
+ assert_predicate Gem::SafeYAML, :aliases_enabled?
+ assert_equal({ "a" => "a", "b" => "a" }, Gem::SafeYAML.safe_load("a: &a a\nb: *a\n"))
+ end
+
+ def test_aliases_disabled
+ aliases_enabled = Gem::SafeYAML.aliases_enabled?
+ Gem::SafeYAML.aliases_enabled = false
+ refute_predicate Gem::SafeYAML, :aliases_enabled?
+ assert_raise Psych::AliasesNotEnabled do
+ Gem::SafeYAML.safe_load("a: &a\nb: *a\n")
+ end
+ ensure
+ Gem::SafeYAML.aliases_enabled = aliases_enabled
+ end
+end
--
2.33.0


@ -1,37 +0,0 @@
From 997470b7b697d267109571d81081453acc73a2f9 Mon Sep 17 00:00:00 2001
From: Samuel Giddins <segiddins@segiddins.me>
Date: Wed, 14 Feb 2024 00:50:52 -0800
Subject: [PATCH] [rubygems/rubygems] Commit missing new method
https://github.com/rubygems/rubygems/commit/5265b4ce3d
Reference:https://github.com/ruby/ruby/commit/997470b7b697d267109571d81081453acc73a2f9
Conflict:NA
---
lib/rubygems/safe_yaml.rb | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
index 9cf7c13..5f710b4 100644
--- a/lib/rubygems/safe_yaml.rb
+++ b/lib/rubygems/safe_yaml.rb
@@ -25,10 +25,14 @@ module Gem
].freeze
@aliases_enabled = true
- def self.aliases_enabled=(value)
+ def self.aliases_enabled=(value) # :nodoc:
@aliases_enabled = !!value
end
+ def self.aliases_enabled? # :nodoc:
+ @aliases_enabled
+ end
+
def self.safe_load(input)
::YAML.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: @aliases_enabled)
end
--
2.33.0


@ -1,32 +0,0 @@
From 8bc51a393acfb5af4e446799e51f73e61b0cfc8e Mon Sep 17 00:00:00 2001
From: Samuel Giddins <segiddins@segiddins.me>
Date: Tue, 20 Feb 2024 11:03:28 -0800
Subject: [PATCH] [rubygems/rubygems] Check for correct exception on older
psych versions
https://github.com/rubygems/rubygems/commit/52de6eccf5
Reference:https://github.com/ruby/ruby/commit/8bc51a393acfb5af4e446799e51f73e61b0cfc8e
Conflict:NA
---
test/rubygems/test_gem_safe_yaml.rb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/test/rubygems/test_gem_safe_yaml.rb b/test/rubygems/test_gem_safe_yaml.rb
index 4f7e400132..02df9f97da 100644
--- a/test/rubygems/test_gem_safe_yaml.rb
+++ b/test/rubygems/test_gem_safe_yaml.rb
@@ -14,7 +14,8 @@ def test_aliases_disabled
aliases_enabled = Gem::SafeYAML.aliases_enabled?
Gem::SafeYAML.aliases_enabled = false
refute_predicate Gem::SafeYAML, :aliases_enabled?
- assert_raise Psych::AliasesNotEnabled do
+ expected_error = defined?(Psych::AliasesNotEnabled) ? Psych::AliasesNotEnabled : Psych::BadAlias
+ assert_raise expected_error do
Gem::SafeYAML.safe_load("a: &a\nb: *a\n")
end
ensure
--
2.33.0


@ -1,106 +0,0 @@
From 616926b55e306a0704254a7ddfd6e9834d06c7f2 Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
Date: Thu, 29 Jun 2023 22:25:17 +0900
Subject: [PATCH] CVE-2023-36617 for Ruby 3.0 (#7997)
* Merge URI-0.10.3
* Merge URI-0.10.0.3 for Bundler
---
.../vendor/uri/lib/uri/rfc2396_parser.rb | 4 ++--
.../vendor/uri/lib/uri/rfc3986_parser.rb | 2 +-
lib/uri/rfc2396_parser.rb | 4 ++--
lib/uri/rfc3986_parser.rb | 2 +-
test/uri/test_parser.rb | 22 +++++++++++++++++++
5 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb b/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb
index a0d62ed..7634e16 100644
--- a/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb
+++ b/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb
@@ -504,8 +504,8 @@ module Bundler::URI
ret = {}
# for Bundler::URI::split
- ret[:ABS_URI] = Regexp.new('\A\s*' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
- ret[:REL_URI] = Regexp.new('\A\s*' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
+ ret[:ABS_URI] = Regexp.new('\A\s*+' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
+ ret[:REL_URI] = Regexp.new('\A\s*+' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
# for Bundler::URI::extract
ret[:URI_REF] = Regexp.new(pattern[:URI_REF])
diff --git a/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb b/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb
index 07ef439..34093df 100644
--- a/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb
+++ b/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb
@@ -106,7 +106,7 @@ module Bundler::URI
QUERY: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
FRAGMENT: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
OPAQUE: /\A(?:[^\/].*)?\z/,
- PORT: /\A[\x09\x0a\x0c\x0d ]*\d*[\x09\x0a\x0c\x0d ]*\z/,
+ PORT: /\A[\x09\x0a\x0c\x0d ]*+\d*[\x09\x0a\x0c\x0d ]*\z/,
}
end
diff --git a/lib/uri/rfc2396_parser.rb b/lib/uri/rfc2396_parser.rb
index c719aa0..253c54b 100644
--- a/lib/uri/rfc2396_parser.rb
+++ b/lib/uri/rfc2396_parser.rb
@@ -491,8 +491,8 @@ module URI
ret = {}
# for URI::split
- ret[:ABS_URI] = Regexp.new('\A\s*' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
- ret[:REL_URI] = Regexp.new('\A\s*' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
+ ret[:ABS_URI] = Regexp.new('\A\s*+' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
+ ret[:REL_URI] = Regexp.new('\A\s*+' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
# for URI::extract
ret[:URI_REF] = Regexp.new(pattern[:URI_REF])
diff --git a/lib/uri/rfc3986_parser.rb b/lib/uri/rfc3986_parser.rb
index 145d845..5a9e44e 100644
--- a/lib/uri/rfc3986_parser.rb
+++ b/lib/uri/rfc3986_parser.rb
@@ -95,7 +95,7 @@ module URI
QUERY: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
FRAGMENT: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
OPAQUE: /\A(?:[^\/].*)?\z/,
- PORT: /\A[\x09\x0a\x0c\x0d ]*\d*[\x09\x0a\x0c\x0d ]*\z/,
+ PORT: /\A[\x09\x0a\x0c\x0d ]*+\d*[\x09\x0a\x0c\x0d ]*\z/,
}
end
diff --git a/test/uri/test_parser.rb b/test/uri/test_parser.rb
index 37e7107..e2f50cf 100644
--- a/test/uri/test_parser.rb
+++ b/test/uri/test_parser.rb
@@ -65,4 +65,26 @@ class URI::TestParser < Test::Unit::TestCase
assert_equal([nil, nil, "example.com", nil, nil, "", nil, nil, nil], URI.split("//example.com"))
assert_equal([nil, nil, "[0::0]", nil, nil, "", nil, nil, nil], URI.split("//[0::0]"))
end
+
+ def test_rfc2822_parse_relative_uri
+ pre = ->(length) {
+ " " * length + "\0"
+ }
+ parser = URI::RFC2396_Parser.new
+ assert_linear_performance((1..5).map {|i| 10**i}, pre: pre) do |uri|
+ assert_raise(URI::InvalidURIError) do
+ parser.split(uri)
+ end
+ end
+ end
+
+ def test_rfc3986_port_check
+ pre = ->(length) {"\t" * length + "a"}
+ uri = URI.parse("http://my.example.com")
+ assert_linear_performance((1..5).map {|i| 10**i}, pre: pre) do |port|
+ assert_raise(URI::InvalidComponentError) do
+ uri.port = port
+ end
+ end
+ end
end
--
2.27.0


@ -1,86 +0,0 @@
From a35268a3ac1b5f0058e5b7c1a041a7e86d9da067 Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date: Tue, 16 Nov 2021 17:39:32 +0900
Subject: [PATCH] Fix expanding size at ungetc/ungetbyte
Reference:https://github.com/ruby/stringio/commit/a35268a3ac1b5f0058e5b7c1a041a7e86d9da067
Conflict:NA
---
ext/stringio/stringio.c | 2 +-
test/stringio/test_stringio.rb | 25 +++++++++++++++++++++----
2 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/ext/stringio/stringio.c b/ext/stringio/stringio.c
index 8df07e8..d1e0473 100644
--- a/ext/stringio/stringio.c
+++ b/ext/stringio/stringio.c
@@ -984,7 +984,7 @@ strio_unget_bytes(struct StringIO *ptr, const char *cp, long cl)
len = RSTRING_LEN(str);
rest = pos - len;
if (cl > pos) {
- long ex = (rest < 0 ? cl-pos : cl+rest);
+ long ex = cl - (rest < 0 ? pos : len);
rb_str_modify_expand(str, ex);
rb_str_set_len(str, len + ex);
s = RSTRING_PTR(str);
diff --git a/test/stringio/test_stringio.rb b/test/stringio/test_stringio.rb
index e0b4504..144a9f4 100644
--- a/test/stringio/test_stringio.rb
+++ b/test/stringio/test_stringio.rb
@@ -757,6 +757,15 @@ class TestStringIO < Test::Unit::TestCase
assert_equal("b""\0""a", s.string)
end
+ def test_ungetc_fill
+ count = 100
+ s = StringIO.new
+ s.print 'a' * count
+ s.ungetc('b' * (count * 5))
+ assert_equal((count * 5), s.string.size)
+ assert_match(/\Ab+\z/, s.string)
+ end
+
def test_ungetbyte_pos
b = '\\b00010001 \\B00010001 \\b1 \\B1 \\b000100011'
s = StringIO.new( b )
@@ -782,6 +791,15 @@ class TestStringIO < Test::Unit::TestCase
assert_equal("b""\0""a", s.string)
end
+ def test_ungetbyte_fill
+ count = 100
+ s = StringIO.new
+ s.print 'a' * count
+ s.ungetbyte('b' * (count * 5))
+ assert_equal((count * 5), s.string.size)
+ assert_match(/\Ab+\z/, s.string)
+ end
+
def test_frozen
s = StringIO.new
s.freeze
@@ -825,18 +843,17 @@ class TestStringIO < Test::Unit::TestCase
end
def test_overflow
- omit if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"]
+ return if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"]
limit = RbConfig::LIMITS["INTPTR_MAX"] - 0x10
assert_separately(%w[-rstringio], "#{<<-"begin;"}\n#{<<-"end;"}")
begin;
limit = #{limit}
ary = []
- while true
+ begin
x = "a"*0x100000
break if [x].pack("p").unpack("i!")[0] < 0
ary << x
- omit if ary.size > 100
- end
+ end while ary.size <= 100
s = StringIO.new(x)
s.gets("xxx", limit)
assert_equal(0x100000, s.pos)
--
2.27.0

View File

@ -1,31 +0,0 @@
From 989a2355808a63fc45367785c82ffd46d18c900a Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
Date: Fri, 12 Apr 2024 15:01:47 +1000
Subject: [PATCH] Fix Use-After-Free issue for Regexp
Co-authored-by: Isaac Peka <7493006+isaac-peka@users.noreply.github.com>
Reference:https://github.com/ruby/rdoc/commit/989a2355808a63fc45367785c82ffd46d18c900a
Conflict:NA
---
regexec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/regexec.c b/regexec.c
index 73694ab14a..140691ad42 100644
--- a/regexec.c
+++ b/regexec.c
@@ -3449,8 +3449,8 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
CASE(OP_MEMORY_END_PUSH_REC) MOP_IN(OP_MEMORY_END_PUSH_REC);
GET_MEMNUM_INC(mem, p);
STACK_GET_MEM_START(mem, stkp); /* should be before push mem-end. */
- STACK_PUSH_MEM_END(mem, s);
mem_start_stk[mem] = GET_STACK_INDEX(stkp);
+ STACK_PUSH_MEM_END(mem, s);
MOP_OUT;
JUMP;
--
2.33.0


@ -1,320 +0,0 @@
From 6cf6e1647b97256ad7f6f20e5d32fd0a0fe042d1 Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date: Wed, 15 Sep 2021 17:26:14 +0900
Subject: [PATCH] Dump plain objects as `RDoc::Options`
So that the generated `.rdoc_options` file is loadable.
Reference:https://github.com/ruby/rdoc/commit/6cf6e164
---
lib/rdoc/options.rb | 39 ++++++++++++++++++---------------
lib/rdoc/rdoc.rb | 2 +-
test/rdoc/test_rdoc_options.rb | 40 +++++++++++++++++++++++-----------
test/rdoc/test_rdoc_rdoc.rb | 11 +++++++++-
4 files changed, 59 insertions(+), 33 deletions(-)
diff --git a/lib/rdoc/options.rb b/lib/rdoc/options.rb
index dadb694..a78116f 100644
--- a/lib/rdoc/options.rb
+++ b/lib/rdoc/options.rb
@@ -106,6 +106,7 @@ class RDoc::Options
generator_options
generators
op_dir
+ page_dir
option_parser
pipe
rdoc_include
@@ -434,6 +435,7 @@ class RDoc::Options
@main_page = map['main_page'] if map.has_key?('main_page')
@markup = map['markup'] if map.has_key?('markup')
@op_dir = map['op_dir'] if map.has_key?('op_dir')
+ @page_dir = map['page_dir'] if map.has_key?('page_dir')
@show_hash = map['show_hash'] if map.has_key?('show_hash')
@tab_width = map['tab_width'] if map.has_key?('tab_width')
@template_dir = map['template_dir'] if map.has_key?('template_dir')
@@ -513,19 +515,22 @@ class RDoc::Options
##
# For dumping YAML
- def encode_with coder # :nodoc:
+ def to_yaml(*options) # :nodoc:
encoding = @encoding ? @encoding.name : nil
- coder.add 'encoding', encoding
- coder.add 'static_path', sanitize_path(@static_path)
- coder.add 'rdoc_include', sanitize_path(@rdoc_include)
+ yaml = {}
+ yaml['encoding'] = encoding
+ yaml['static_path'] = sanitize_path(@static_path)
+ yaml['rdoc_include'] = sanitize_path(@rdoc_include)
+ yaml['page_dir'] = (sanitize_path([@page_dir]).first if @page_dir)
ivars = instance_variables.map { |ivar| ivar.to_s[1..-1] }
ivars -= SPECIAL
ivars.sort.each do |ivar|
- coder.add ivar, instance_variable_get("@#{ivar}")
+ yaml[ivar] = instance_variable_get("@#{ivar}")
end
+ yaml.to_yaml
end
##
@@ -548,6 +553,11 @@ class RDoc::Options
# #template.
def finish
+ if @write_options then
+ write_options
+ exit
+ end
+
@op_dir ||= 'doc'
@rdoc_include << "." if @rdoc_include.empty?
@@ -585,14 +595,14 @@ class RDoc::Options
def finish_page_dir
return unless @page_dir
- @files << @page_dir.to_s
+ @files << @page_dir
- page_dir = nil
+ page_dir = Pathname(@page_dir)
begin
- page_dir = @page_dir.expand_path.relative_path_from @root
+ page_dir = page_dir.expand_path.relative_path_from @root
rescue ArgumentError
# On Windows, sometimes crosses different drive letters.
- page_dir = @page_dir.expand_path
+ page_dir = page_dir.expand_path
end
@page_dir = page_dir
@@ -847,7 +857,7 @@ Usage: #{opt.program_name} [options] [names...]
"such files at your project root.",
"NOTE: Do not use the same file name in",
"the page dir and the root of your project") do |page_dir|
- @page_dir = Pathname(page_dir)
+ @page_dir = page_dir
end
opt.separator nil
@@ -1159,13 +1169,6 @@ Usage: #{opt.program_name} [options] [names...]
@files = argv.dup
- finish
-
- if @write_options then
- write_options
- exit
- end
-
self
end
@@ -1278,7 +1281,7 @@ Usage: #{opt.program_name} [options] [names...]
File.open '.rdoc_options', 'w' do |io|
io.set_encoding Encoding::UTF_8
- YAML.dump self, io
+ io.print to_yaml
end
end
diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb
index 6c69553..91eb861 100644
--- a/lib/rdoc/rdoc.rb
+++ b/lib/rdoc/rdoc.rb
@@ -469,11 +469,11 @@ The internal error was:
if RDoc::Options === options then
@options = options
- @options.finish
else
@options = load_options
@options.parse options
end
+ @options.finish
if @options.pipe then
handle_pipe
diff --git a/test/rdoc/test_rdoc_options.rb b/test/rdoc/test_rdoc_options.rb
index c28f64c..5a34a97 100644
--- a/test/rdoc/test_rdoc_options.rb
+++ b/test/rdoc/test_rdoc_options.rb
@@ -55,11 +55,8 @@ class TestRDocOptions < RDoc::TestCase
refute @options.dry_run
end
- def test_encode_with
- coder = {}
- class << coder; alias add []=; end
-
- @options.encode_with coder
+ def test_to_yaml
+ coder = YAML.load(@options.to_yaml)
encoding = 'UTF-8'
@@ -89,10 +86,9 @@ class TestRDocOptions < RDoc::TestCase
assert_equal expected, coder
end
- def test_encode_with_trim_paths
+ def test_to_yaml_trim_paths
subdir = nil
- coder = {}
- class << coder; alias add []=; end
+ coder = nil
temp_dir do |dir|
FileUtils.mkdir 'project'
@@ -113,7 +109,7 @@ class TestRDocOptions < RDoc::TestCase
--include /
]
- @options.encode_with coder
+ coder = YAML.load(@options.to_yaml)
end
end
@@ -145,7 +141,9 @@ class TestRDocOptions < RDoc::TestCase
@options.encoding = Encoding::IBM437
- options = YAML.safe_load(YAML.dump(@options), permitted_classes: [RDoc::Options, Symbol])
+ options = @options.to_yaml
+ options = YAML.safe_load(options, permitted_classes: [Symbol])
+ options = RDoc::Options.new(options)
assert_equal Encoding::IBM437, options.encoding
end
@@ -154,14 +152,15 @@ class TestRDocOptions < RDoc::TestCase
RDoc.load_yaml
yaml = <<-YAML
---- !ruby/object:RDoc::Options
+---
static_path:
- /etc
rdoc_include:
- /etc
YAML
- options = YAML.safe_load(yaml, permitted_classes: [RDoc::Options, Symbol])
+ options = YAML.safe_load(yaml, permitted_classes: [Symbol])
+ options = RDoc::Options.new(options)
assert_empty options.rdoc_include
assert_empty options.static_path
@@ -243,6 +242,7 @@ rdoc_include:
def test_parse_default
@options.parse []
+ @options.finish
assert_equal RDoc::Generator::Darkfish, @options.generator
assert_equal 'darkfish', @options.template
@@ -502,6 +502,7 @@ rdoc_include:
out, err = capture_output do
@options.parse %W[--page-dir #{Dir.tmpdir}]
+ @options.finish
end
assert_empty out
@@ -530,6 +531,7 @@ rdoc_include:
out, err = capture_output do
@options.parse %W[--page-dir #{abs_page_dir} --root #{abs_root}]
+ @options.finish
end
assert_empty out
@@ -558,6 +560,8 @@ rdoc_include:
assert_empty err
assert_equal Pathname(Dir.tmpdir), @options.root
+
+ @options.finish
assert_includes @options.rdoc_include, @options.root.to_s
end
@@ -602,6 +606,7 @@ rdoc_include:
assert_empty out
assert_equal "could not find template NONEXISTENT\n", err
+ @options.finish
assert_equal 'darkfish', @options.template
assert_match %r%rdoc/generator/template/darkfish$%, @options.template_dir
end
@@ -668,6 +673,7 @@ rdoc_include:
Dir.chdir tmpdir do
e = assert_raise SystemExit do
@options.parse %w[--write-options]
+ @options.finish
end
assert_equal 0, e.status
@@ -764,7 +770,9 @@ rdoc_include:
assert File.exist? '.rdoc_options'
- assert_equal @options, YAML.safe_load(File.read('.rdoc_options'), permitted_classes: [RDoc::Options, Symbol])
+ options = File.read('.rdoc_options')
+ options = YAML.safe_load(options, permitted_classes: [Symbol])
+ assert_equal @options, RDoc::Options.new(options)
end
end
@@ -792,4 +800,10 @@ rdoc_include:
@options.visibility = :all
assert_equal :private, @options.visibility
end
+
+ class DummyCoder < Hash
+ alias add :[]=
+ def tag=(tag)
+ end
+ end
end
diff --git a/test/rdoc/test_rdoc_rdoc.rb b/test/rdoc/test_rdoc_rdoc.rb
index 7b84bb6..940934f 100644
--- a/test/rdoc/test_rdoc_rdoc.rb
+++ b/test/rdoc/test_rdoc_rdoc.rb
@@ -147,12 +147,20 @@ class TestRDocRDoc < RDoc::TestCase
def test_load_options_partial_override
temp_dir do
File.open '.rdoc_options', 'w' do |io|
- io.write "markup: Markdown"
+ io.puts "markup: Markdown"
+ io.puts "encoding: iso-8859-1"
+ io.puts "static_path: [static]"
+ io.puts "rdoc_include: [.]"
+ io.puts "page_dir: pages"
end
options = @rdoc.load_options
assert_equal 'Markdown', options.markup
+ assert_equal Encoding::ISO_8859_1, options.encoding
+ assert_equal ["static"], options.static_path
+ assert_equal ["."], options.rdoc_include
+ assert_equal "pages", options.page_dir
end
end
@@ -312,6 +320,7 @@ class TestRDocRDoc < RDoc::TestCase
top_level = nil
temp_dir do |dir|
@rdoc.options.parse %W[--root #{test_path}]
+ @rdoc.options.finish
File.open 'include.txt', 'w' do |io|
io.puts ':include: test.txt'
--
2.27.0


@ -1,62 +0,0 @@
From 3926ad578c312ddd2ff5221b96ef077b9e24e612 Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
Date: Thu, 9 Mar 2023 15:42:07 +0900
Subject: [PATCH] [rubygems/rubygems] Drop to support Psych 3.0 bundled at Ruby
2.5
https://github.com/rubygems/rubygems/commit/a6650c2c96
Reference:https://github.com/ruby/ruby/commit/3926ad578c312ddd2ff5221b96ef077b9e24e612
Conflict:use YAML module not Psych module.
---
lib/rubygems/safe_yaml.rb | 32 +++++---------------------------
1 file changed, 5 insertions(+), 27 deletions(-)
diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
index e905052..702d3c7 100644
--- a/lib/rubygems/safe_yaml.rb
+++ b/lib/rubygems/safe_yaml.rb
@@ -24,34 +24,12 @@ module Gem
runtime
].freeze
- if ::YAML.respond_to? :safe_load
- def self.safe_load(input)
- if Gem::Version.new(Psych::VERSION) >= Gem::Version.new('3.1.0.pre1')
- ::YAML.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: true)
- else
- ::YAML.safe_load(input, PERMITTED_CLASSES, PERMITTED_SYMBOLS, true)
- end
- end
-
- def self.load(input)
- if Gem::Version.new(Psych::VERSION) >= Gem::Version.new('3.1.0.pre1')
- ::YAML.safe_load(input, permitted_classes: [::Symbol])
- else
- ::YAML.safe_load(input, [::Symbol])
- end
- end
- else
- unless Gem::Deprecate.skip
- warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)."
- end
-
- def self.safe_load(input, *args)
- ::YAML.load input
- end
+ def self.safe_load(input)
+ ::YAML.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: true)
+ end
- def self.load(input)
- ::YAML.load input
- end
+ def self.load(input)
+ ::YAML.safe_load(input, permitted_classes: [::Symbol])
end
end
end
--
2.33.0


@ -33,7 +33,7 @@
Name: ruby
Version: %{ruby_version}
Release: 135
Release: 130
Summary: Object-oriented scripting language interpreter
License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD
URL: https://www.ruby-lang.org/en/
@ -187,19 +187,6 @@ Patch6015: backport-0002-CVE-2023-28755.patch
Patch6016: backport-0001-CVE-2023-28756.patch
Patch6017: backport-0002-CVE-2023-28756.patch
Patch6018: backport-0003-CVE-2023-28756.patch
Patch6019: backport-CVE-2023-36617.patch
Patch6020: backport-CVE-2024-27280.patch
Patch6021: backport-0001-CVE-2024-27281.patch
Patch6022: backport-0002-CVE-2024-27281.patch
Patch6023: backport-0003-CVE-2024-27281.patch
Patch6024: backport-CVE-2024-27282.patch
Patch6025: backport-Dump-plain-objects-as-RDoc-Options.patch
Patch6026: backport-rubygems-rubygems-Drop-to-support-Psych-3.0-bundled-.patch
Patch6027: backport-0001-CVE-2024-35221.patch
Patch6028: backport-0002-CVE-2024-35221.patch
Patch6029: backport-0003-CVE-2024-35221.patch
Patch6030: backport-0004-CVE-2024-35221.patch
Patch6031: backport-0005-CVE-2024-35221.patch
Provides: %{name}-libs = %{version}-%{release}
Obsoletes: %{name}-libs < %{version}-%{release}
@ -1198,21 +1185,6 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13}
%doc %{gem_dir}/gems/typeprof-%{typeprof_version}/testbed
%changelog
* Tue Jun 18 2024 shixuantong <shixuantong1@huawei.com> - 3.0.3-135
- fix CVE-2024-35221
* Mon May 27 2024 shixuantong <shixuantong1@huawei.com> - 3.0.3-134
- Dump plain objects as RDoc::Options so that the generated .rdoc_options file is loadable
* Mon May 6 2024 zhoupengcheng11 <zhoupengcheng11@huawei.com> - 3.0.3-133
- fix CVE-2024-27282
* Tue Mar 26 2024 shixuantong <shixuantong1@huawei.com> - 3.0.3-132
- fix CVE-2024-27280 and CVE-2024-27281
* Sat Jul 08 2023 shixuantong <shixuantong1@huawei.com> - 3.0.3-131
- fix CVE-2023-36617
* Fri Jun 02 2023 shixuantong <shixuantong1@huawei.com> - 3.0.3-130
- remove rubygem-power_assert
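Review bot: As rendered, the new side of the spec no longer lists `Patch6019:` through `Patch6031:`, which by their file names are the backports for CVE-2023-36617, CVE-2024-27280, CVE-2024-27281, CVE-2024-27282 and CVE-2024-35221, and the patch files themselves are deleted in the sections above, so a package built from this side would ship without those fixes (Marshal filtering in RDoc::Store, `YAML.safe_load` for `.rdoc_options`, the URI regexp backtracking fix, the StringIO and regexec.c memory fixes). `Release` also appears to go from 135 back to 130 and the changelog entries for 3.0.3-131 to 3.0.3-135 are dropped, so the build would sort older than an already published 3.0.3-135 and would not be offered as an update. Because the page reports that the two commits share no history, this may only be a comparison taken in the reverse direction, which is worth confirming before anything is merged. If the change is intended, keep the `Patch6019:`–`Patch6031:` lines and their files, and raise `Release` above 135 with a matching `%changelog` entry rather than lowering it.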