diff --git a/SOURCES/ruby-2.3.1-Rely-on-ldd-to-detect-glibc.patch b/SOURCES/ruby-2.3.1-Rely-on-ldd-to-detect-glibc.patch deleted file mode 100644 index 2dc17e3..0000000 --- a/SOURCES/ruby-2.3.1-Rely-on-ldd-to-detect-glibc.patch +++ /dev/null @@ -1,116 +0,0 @@ -From 346e147ba6480839b87046e9a9efab0bf6ed3660 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?V=C3=ADt=20Ondruch?= -Date: Wed, 10 Aug 2016 17:35:48 +0200 -Subject: [PATCH] Rely on ldd to detect glibc. - -This is just workaround, since we know we are quite sure this will be successful -on Red Hat platforms. - -This workaround rhbz#1361037 ---- - test/fiddle/helper.rb | 92 --------------------------------------------------- - 1 file changed, 92 deletions(-) - -diff --git a/test/fiddle/helper.rb b/test/fiddle/helper.rb -index 1da3d93..65148a1 100644 ---- a/test/fiddle/helper.rb -+++ b/test/fiddle/helper.rb -@@ -6,95 +6,6 @@ - - libc_so = libm_so = nil - --case RUBY_PLATFORM --when /cygwin/ -- libc_so = "cygwin1.dll" -- libm_so = "cygwin1.dll" --when /linux/ -- libdir = '/lib' -- case [0].pack('L!').size -- when 4 -- # 32-bit ruby -- libdir = '/lib32' if File.directory? '/lib32' -- when 8 -- # 64-bit ruby -- libdir = '/lib64' if File.directory? '/lib64' -- end -- libc_so = File.join(libdir, "libc.so.6") -- libm_so = File.join(libdir, "libm.so.6") --when /mingw/, /mswin/ -- require "rbconfig" -- crtname = RbConfig::CONFIG["RUBY_SO_NAME"][/msvc\w+/] || 'ucrtbase' -- libc_so = libm_so = "#{crtname}.dll" --when /darwin/ -- libc_so = "/usr/lib/libc.dylib" -- libm_so = "/usr/lib/libm.dylib" --when /kfreebsd/ -- libc_so = "/lib/libc.so.0.1" -- libm_so = "/lib/libm.so.1" --when /gnu/ #GNU/Hurd -- libc_so = "/lib/libc.so.0.3" -- libm_so = "/lib/libm.so.6" --when /mirbsd/ -- libc_so = "/usr/lib/libc.so.41.10" -- libm_so = "/usr/lib/libm.so.7.0" --when /freebsd/ -- libc_so = "/lib/libc.so.7" -- libm_so = "/lib/libm.so.5" --when /bsd|dragonfly/ -- libc_so = "/usr/lib/libc.so" -- libm_so = "/usr/lib/libm.so" --when /solaris/ -- libdir = '/lib' -- case [0].pack('L!').size -- when 4 -- # 32-bit ruby -- libdir = '/lib' if File.directory? '/lib' -- when 8 -- # 64-bit ruby -- libdir = '/lib/64' if File.directory? '/lib/64' -- end -- libc_so = File.join(libdir, "libc.so") -- libm_so = File.join(libdir, "libm.so") --when /aix/ -- pwd=Dir.pwd -- libc_so = libm_so = "#{pwd}/libaixdltest.so" -- unless File.exist? libc_so -- cobjs=%w!strcpy.o! -- mobjs=%w!floats.o sin.o! -- funcs=%w!sin sinf strcpy strncpy! -- expfile='dltest.exp' -- require 'tmpdir' -- Dir.mktmpdir do |dir| -- begin -- Dir.chdir dir -- %x!/usr/bin/ar x /usr/lib/libc.a #{cobjs.join(' ')}! -- %x!/usr/bin/ar x /usr/lib/libm.a #{mobjs.join(' ')}! -- %x!echo "#{funcs.join("\n")}\n" > #{expfile}! -- require 'rbconfig' -- if RbConfig::CONFIG["GCC"] = 'yes' -- lflag='-Wl,' -- else -- lflag='' -- end -- flags="#{lflag}-bE:#{expfile} #{lflag}-bnoentry -lm" -- %x!#{RbConfig::CONFIG["LDSHARED"]} -o #{libc_so} #{(cobjs+mobjs).join(' ')} #{flags}! -- ensure -- Dir.chdir pwd -- end -- end -- end --else -- libc_so = ARGV[0] if ARGV[0] && ARGV[0][0] == ?/ -- libm_so = ARGV[1] if ARGV[1] && ARGV[1][0] == ?/ -- if( !(libc_so && libm_so) ) -- $stderr.puts("libc and libm not found: #{$0} ") -- end --end -- --libc_so = nil if !libc_so || (libc_so[0] == ?/ && !File.file?(libc_so)) --libm_so = nil if !libm_so || (libm_so[0] == ?/ && !File.file?(libm_so)) -- - if !libc_so || !libm_so - ruby = EnvUtil.rubybin - ldd = `ldd #{ruby}` --- -2.9.2 - diff --git a/SOURCES/ruby-2.6.9-cgi-0.1.1-cookie-parse-not-decode-names.patch b/SOURCES/ruby-2.6.9-cgi-0.1.1-cookie-parse-not-decode-names.patch new file mode 100644 index 0000000..ba3bb3b --- /dev/null +++ b/SOURCES/ruby-2.6.9-cgi-0.1.1-cookie-parse-not-decode-names.patch @@ -0,0 +1,42 @@ +From e2c0652dff671dc6e16a80887e781edc0abc8454 Mon Sep 17 00:00:00 2001 +From: usa +Date: Wed, 24 Nov 2021 11:41:55 +0000 +Subject: [PATCH 2/2] When parsing cookies, only decode the values + +git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67953 b2dd03c8-39d4-4d8f-98ff-823fe69b080e +--- + lib/cgi/cookie.rb | 1 - + test/cgi/test_cgi_cookie.rb | 5 +++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lib/cgi/cookie.rb b/lib/cgi/cookie.rb +index a2155edb77..009566bb92 100644 +--- a/lib/cgi/cookie.rb ++++ b/lib/cgi/cookie.rb +@@ -165,7 +165,6 @@ def self.parse(raw_cookie) + raw_cookie.split(/;\s?/).each do |pairs| + name, values = pairs.split('=',2) + next unless name and values +- name = CGI.unescape(name) + values ||= "" + values = values.split('&').collect{|v| CGI.unescape(v,@@accept_charset) } + if cookies.has_key?(name) +diff --git a/test/cgi/test_cgi_cookie.rb b/test/cgi/test_cgi_cookie.rb +index 115a57e4a1..985cc0d7a1 100644 +--- a/test/cgi/test_cgi_cookie.rb ++++ b/test/cgi/test_cgi_cookie.rb +@@ -101,6 +101,11 @@ def test_cgi_cookie_parse + end + end + ++ def test_cgi_cookie_parse_not_decode_name ++ cookie_str = "%66oo=baz;foo=bar" ++ cookies = CGI::Cookie.parse(cookie_str) ++ assert_equal({"%66oo" => ["baz"], "foo" => ["bar"]}, cookies) ++ end + + def test_cgi_cookie_arrayinterface + cookie = CGI::Cookie.new('name1', 'a', 'b', 'c') +-- +2.36.1 + diff --git a/SOURCES/ruby-2.6.9-date-2.0.1-parse-length-limit.patch b/SOURCES/ruby-2.6.9-date-2.0.1-parse-length-limit.patch new file mode 100644 index 0000000..22ba7eb --- /dev/null +++ b/SOURCES/ruby-2.6.9-date-2.0.1-parse-length-limit.patch @@ -0,0 +1,918 @@ +From d5753ec513fa5a4bdcf59fa298642fd0d3a3c364 Mon Sep 17 00:00:00 2001 +From: Yusuke Endoh +Date: Fri, 12 Nov 2021 12:11:13 +0900 +Subject: [PATCH 1/2] Add length limit option for methods that parses date + strings + +This patch fixes CVE-2021-41817 and created from the commit +. +We didn't merge the files included in the original commit below, as those are +for rebasing date gem version. + +* ext/date/date.gemspec +* ext/date/lib/date.rb + +== Original commit message == + +`Date.parse` now raises an ArgumentError when a given date string is +longer than 128. You can configure the limit by giving `limit` keyword +arguments like `Date.parse(str, limit: 1000)`. If you pass `limit: nil`, +the limit is disabled. + +Not only `Date.parse` but also the following methods are changed. + +* Date._parse +* Date.parse +* DateTime.parse +* Date._iso8601 +* Date.iso8601 +* DateTime.iso8601 +* Date._rfc3339 +* Date.rfc3339 +* DateTime.rfc3339 +* Date._xmlschema +* Date.xmlschema +* DateTime.xmlschema +* Date._rfc2822 +* Date.rfc2822 +* DateTime.rfc2822 +* Date._rfc822 +* Date.rfc822 +* DateTime.rfc822 +* Date._jisx0301 +* Date.jisx0301 +* DateTime.jisx0301 +--- + ext/date/date_core.c | 384 +++++++++++++++++++++++++++-------- + test/date/test_date_parse.rb | 29 +++ + 2 files changed, 325 insertions(+), 88 deletions(-) + +diff --git a/ext/date/date_core.c b/ext/date/date_core.c +index c250633426..177ea0f6c5 100644 +--- a/ext/date/date_core.c ++++ b/ext/date/date_core.c +@@ -4290,12 +4290,37 @@ date_s_strptime(int argc, VALUE *argv, VALUE klass) + + VALUE date__parse(VALUE str, VALUE comp); + ++static size_t ++get_limit(VALUE opt) ++{ ++ if (!NIL_P(opt)) { ++ VALUE limit = rb_hash_aref(opt, ID2SYM(rb_intern("limit"))); ++ if (NIL_P(limit)) return SIZE_MAX; ++ return NUM2SIZET(limit); ++ } ++ return 128; ++} ++ ++static void ++check_limit(VALUE str, VALUE opt) ++{ ++ StringValue(str); ++ size_t slen = RSTRING_LEN(str); ++ size_t limit = get_limit(opt); ++ if (slen > limit) { ++ rb_raise(rb_eArgError, ++ "string length (%"PRI_SIZE_PREFIX"u) exceeds the limit %"PRI_SIZE_PREFIX"u", slen, limit); ++ } ++} ++ + static VALUE + date_s__parse_internal(int argc, VALUE *argv, VALUE klass) + { +- VALUE vstr, vcomp, hash; ++ VALUE vstr, vcomp, hash, opt; + +- rb_scan_args(argc, argv, "11", &vstr, &vcomp); ++ rb_scan_args(argc, argv, "11:", &vstr, &vcomp, &opt); ++ if (!NIL_P(opt)) argc--; ++ check_limit(vstr, opt); + StringValue(vstr); + if (!rb_enc_str_asciicompat_p(vstr)) + rb_raise(rb_eArgError, +@@ -4320,7 +4345,7 @@ date_s__parse_internal(int argc, VALUE *argv, VALUE klass) + + /* + * call-seq: +- * Date._parse(string[, comp=true]) -> hash ++ * Date._parse(string[, comp=true], limit: 128) -> hash + * + * Parses the given representation of date and time, and returns a + * hash of parsed elements. This method does not function as a +@@ -4331,6 +4356,10 @@ date_s__parse_internal(int argc, VALUE *argv, VALUE klass) + * it full. + * + * Date._parse('2001-02-03') #=> {:year=>2001, :mon=>2, :mday=>3} ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + date_s__parse(int argc, VALUE *argv, VALUE klass) +@@ -4340,7 +4369,7 @@ date_s__parse(int argc, VALUE *argv, VALUE klass) + + /* + * call-seq: +- * Date.parse(string='-4712-01-01'[, comp=true[, start=Date::ITALY]]) -> date ++ * Date.parse(string='-4712-01-01'[, comp=true[, start=Date::ITALY]], limit: 128) -> date + * + * Parses the given representation of date and time, and creates a + * date object. This method does not function as a validator. +@@ -4352,13 +4381,18 @@ date_s__parse(int argc, VALUE *argv, VALUE klass) + * Date.parse('2001-02-03') #=> # + * Date.parse('20010203') #=> # + * Date.parse('3rd Feb 2001') #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + date_s_parse(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, comp, sg; ++ VALUE str, comp, sg, opt; + +- rb_scan_args(argc, argv, "03", &str, &comp, &sg); ++ rb_scan_args(argc, argv, "03:", &str, &comp, &sg, &opt); ++ if (!NIL_P(opt)) argc--; + + switch (argc) { + case 0: +@@ -4370,11 +4404,12 @@ date_s_parse(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE argv2[2], hash; +- +- argv2[0] = str; +- argv2[1] = comp; +- hash = date_s__parse(2, argv2, klass); ++ int argc2 = 2; ++ VALUE argv2[3]; ++ argv2[0] = str; ++ argv2[1] = comp; ++ if (!NIL_P(opt)) argv2[argc2++] = opt; ++ VALUE hash = date_s__parse(argc2, argv2, klass); + return d_new_by_frags(klass, hash, sg); + } + } +@@ -4388,19 +4423,28 @@ VALUE date__jisx0301(VALUE); + + /* + * call-seq: +- * Date._iso8601(string) -> hash ++ * Date._iso8601(string, limit: 128) -> hash + * + * Returns a hash of parsed elements. ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE +-date_s__iso8601(VALUE klass, VALUE str) ++date_s__iso8601(int argc, VALUE *argv, VALUE klass) + { ++ VALUE str, opt; ++ ++ rb_scan_args(argc, argv, "1:", &str, &opt); ++ check_limit(str, opt); ++ + return date__iso8601(str); + } + + /* + * call-seq: +- * Date.iso8601(string='-4712-01-01'[, start=Date::ITALY]) -> date ++ * Date.iso8601(string='-4712-01-01'[, start=Date::ITALY], limit: 128) -> date + * + * Creates a new Date object by parsing from a string according to + * some typical ISO 8601 formats. +@@ -4408,13 +4452,18 @@ date_s__iso8601(VALUE klass, VALUE str) + * Date.iso8601('2001-02-03') #=> # + * Date.iso8601('20010203') #=> # + * Date.iso8601('2001-W05-6') #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + date_s_iso8601(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, sg; ++ VALUE str, sg, opt; + +- rb_scan_args(argc, argv, "02", &str, &sg); ++ rb_scan_args(argc, argv, "02:", &str, &sg, &opt); ++ if (!NIL_P(opt)) argc--; + + switch (argc) { + case 0: +@@ -4424,38 +4473,56 @@ date_s_iso8601(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE hash = date_s__iso8601(klass, str); ++ int argc2 = 1; ++ VALUE argv2[2]; ++ argv2[0] = str; ++ if (!NIL_P(opt)) argv2[argc2++] = opt; ++ VALUE hash = date_s__iso8601(argc2, argv2, klass); + return d_new_by_frags(klass, hash, sg); + } + } + + /* + * call-seq: +- * Date._rfc3339(string) -> hash ++ * Date._rfc3339(string, limit: 128) -> hash + * + * Returns a hash of parsed elements. ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE +-date_s__rfc3339(VALUE klass, VALUE str) ++date_s__rfc3339(int argc, VALUE *argv, VALUE klass) + { ++ VALUE str, opt; ++ ++ rb_scan_args(argc, argv, "1:", &str, &opt); ++ check_limit(str, opt); ++ + return date__rfc3339(str); + } + + /* + * call-seq: +- * Date.rfc3339(string='-4712-01-01T00:00:00+00:00'[, start=Date::ITALY]) -> date ++ * Date.rfc3339(string='-4712-01-01T00:00:00+00:00'[, start=Date::ITALY], limit: 128) -> date + * + * Creates a new Date object by parsing from a string according to + * some typical RFC 3339 formats. + * + * Date.rfc3339('2001-02-03T04:05:06+07:00') #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + date_s_rfc3339(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, sg; ++ VALUE str, sg, opt; + +- rb_scan_args(argc, argv, "02", &str, &sg); ++ rb_scan_args(argc, argv, "02:", &str, &sg, &opt); ++ if (!NIL_P(opt)) argc--; + + switch (argc) { + case 0: +@@ -4465,38 +4532,56 @@ date_s_rfc3339(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE hash = date_s__rfc3339(klass, str); ++ int argc2 = 1; ++ VALUE argv2[2]; ++ argv2[0] = str; ++ if (!NIL_P(opt)) argv2[argc2++] = opt; ++ VALUE hash = date_s__rfc3339(argc2, argv2, klass); + return d_new_by_frags(klass, hash, sg); + } + } + + /* + * call-seq: +- * Date._xmlschema(string) -> hash ++ * Date._xmlschema(string, limit: 128) -> hash + * + * Returns a hash of parsed elements. ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE +-date_s__xmlschema(VALUE klass, VALUE str) ++date_s__xmlschema(int argc, VALUE *argv, VALUE klass) + { ++ VALUE str, opt; ++ ++ rb_scan_args(argc, argv, "1:", &str, &opt); ++ check_limit(str, opt); ++ + return date__xmlschema(str); + } + + /* + * call-seq: +- * Date.xmlschema(string='-4712-01-01'[, start=Date::ITALY]) -> date ++ * Date.xmlschema(string='-4712-01-01'[, start=Date::ITALY], limit: 128) -> date + * + * Creates a new Date object by parsing from a string according to + * some typical XML Schema formats. + * + * Date.xmlschema('2001-02-03') #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + date_s_xmlschema(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, sg; ++ VALUE str, sg, opt; + +- rb_scan_args(argc, argv, "02", &str, &sg); ++ rb_scan_args(argc, argv, "02:", &str, &sg, &opt); ++ if (!NIL_P(opt)) argc--; + + switch (argc) { + case 0: +@@ -4506,41 +4591,58 @@ date_s_xmlschema(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE hash = date_s__xmlschema(klass, str); ++ int argc2 = 1; ++ VALUE argv2[2]; ++ argv2[0] = str; ++ if (!NIL_P(opt)) argv2[argc2++] = opt; ++ VALUE hash = date_s__xmlschema(argc2, argv2, klass); + return d_new_by_frags(klass, hash, sg); + } + } + + /* + * call-seq: +- * Date._rfc2822(string) -> hash +- * Date._rfc822(string) -> hash ++ * Date._rfc2822(string, limit: 128) -> hash ++ * Date._rfc822(string, limit: 128) -> hash + * + * Returns a hash of parsed elements. ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE +-date_s__rfc2822(VALUE klass, VALUE str) ++date_s__rfc2822(int argc, VALUE *argv, VALUE klass) + { ++ VALUE str, opt; ++ ++ rb_scan_args(argc, argv, "1:", &str, &opt); ++ check_limit(str, opt); ++ + return date__rfc2822(str); + } + + /* + * call-seq: +- * Date.rfc2822(string='Mon, 1 Jan -4712 00:00:00 +0000'[, start=Date::ITALY]) -> date +- * Date.rfc822(string='Mon, 1 Jan -4712 00:00:00 +0000'[, start=Date::ITALY]) -> date ++ * Date.rfc2822(string='Mon, 1 Jan -4712 00:00:00 +0000'[, start=Date::ITALY], limit: 128) -> date ++ * Date.rfc822(string='Mon, 1 Jan -4712 00:00:00 +0000'[, start=Date::ITALY], limit: 128) -> date + * + * Creates a new Date object by parsing from a string according to + * some typical RFC 2822 formats. + * + * Date.rfc2822('Sat, 3 Feb 2001 00:00:00 +0000') + * #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + date_s_rfc2822(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, sg; ++ VALUE str, sg, opt; + +- rb_scan_args(argc, argv, "02", &str, &sg); ++ rb_scan_args(argc, argv, "02:", &str, &sg, &opt); + + switch (argc) { + case 0: +@@ -4550,39 +4652,56 @@ date_s_rfc2822(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE hash = date_s__rfc2822(klass, str); ++ int argc2 = 1; ++ VALUE argv2[2]; ++ argv2[0] = str; ++ if (!NIL_P(opt)) argv2[argc2++] = opt; ++ VALUE hash = date_s__rfc2822(argc2, argv2, klass); + return d_new_by_frags(klass, hash, sg); + } + } + + /* + * call-seq: +- * Date._httpdate(string) -> hash ++ * Date._httpdate(string, limit: 128) -> hash + * + * Returns a hash of parsed elements. ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE +-date_s__httpdate(VALUE klass, VALUE str) ++date_s__httpdate(int argc, VALUE *argv, VALUE klass) + { ++ VALUE str, opt; ++ ++ rb_scan_args(argc, argv, "1:", &str, &opt); ++ check_limit(str, opt); ++ + return date__httpdate(str); + } + + /* + * call-seq: +- * Date.httpdate(string='Mon, 01 Jan -4712 00:00:00 GMT'[, start=Date::ITALY]) -> date ++ * Date.httpdate(string='Mon, 01 Jan -4712 00:00:00 GMT'[, start=Date::ITALY], limit: 128) -> date + * + * Creates a new Date object by parsing from a string according to + * some RFC 2616 format. + * + * Date.httpdate('Sat, 03 Feb 2001 00:00:00 GMT') + * #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + date_s_httpdate(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, sg; ++ VALUE str, sg, opt; + +- rb_scan_args(argc, argv, "02", &str, &sg); ++ rb_scan_args(argc, argv, "02:", &str, &sg, &opt); + + switch (argc) { + case 0: +@@ -4592,38 +4711,56 @@ date_s_httpdate(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE hash = date_s__httpdate(klass, str); ++ int argc2 = 1; ++ VALUE argv2[2]; ++ argv2[0] = str; ++ if (!NIL_P(opt)) argv2[argc2++] = opt; ++ VALUE hash = date_s__httpdate(argc2, argv2, klass); + return d_new_by_frags(klass, hash, sg); + } + } + + /* + * call-seq: +- * Date._jisx0301(string) -> hash ++ * Date._jisx0301(string, limit: 128) -> hash + * + * Returns a hash of parsed elements. ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE +-date_s__jisx0301(VALUE klass, VALUE str) ++date_s__jisx0301(int argc, VALUE *argv, VALUE klass) + { ++ VALUE str, opt; ++ ++ rb_scan_args(argc, argv, "1:", &str, &opt); ++ check_limit(str, opt); ++ + return date__jisx0301(str); + } + + /* + * call-seq: +- * Date.jisx0301(string='-4712-01-01'[, start=Date::ITALY]) -> date ++ * Date.jisx0301(string='-4712-01-01'[, start=Date::ITALY], limit: 128) -> date + * + * Creates a new Date object by parsing from a string according to + * some typical JIS X 0301 formats. + * + * Date.jisx0301('H13.02.03') #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + date_s_jisx0301(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, sg; ++ VALUE str, sg, opt; + +- rb_scan_args(argc, argv, "02", &str, &sg); ++ rb_scan_args(argc, argv, "02:", &str, &sg, &opt); ++ if (!NIL_P(opt)) argc--; + + switch (argc) { + case 0: +@@ -4633,7 +4770,11 @@ date_s_jisx0301(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE hash = date_s__jisx0301(klass, str); ++ int argc2 = 1; ++ VALUE argv2[2]; ++ argv2[0] = str; ++ if (!NIL_P(opt)) argv2[argc2++] = opt; ++ VALUE hash = date_s__jisx0301(argc2, argv2, klass); + return d_new_by_frags(klass, hash, sg); + } + } +@@ -7925,7 +8066,7 @@ datetime_s_strptime(int argc, VALUE *argv, VALUE klass) + + /* + * call-seq: +- * DateTime.parse(string='-4712-01-01T00:00:00+00:00'[, comp=true[, start=Date::ITALY]]) -> datetime ++ * DateTime.parse(string='-4712-01-01T00:00:00+00:00'[, comp=true[, start=Date::ITALY]], limit: 128) -> datetime + * + * Parses the given representation of date and time, and creates a + * DateTime object. This method does not function as a validator. +@@ -7939,13 +8080,18 @@ datetime_s_strptime(int argc, VALUE *argv, VALUE klass) + * #=> # + * DateTime.parse('3rd Feb 2001 04:05:06 PM') + * #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + datetime_s_parse(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, comp, sg; ++ VALUE str, comp, sg, opt; + +- rb_scan_args(argc, argv, "03", &str, &comp, &sg); ++ rb_scan_args(argc, argv, "03:", &str, &comp, &sg, &opt); ++ if (!NIL_P(opt)) argc--; + + switch (argc) { + case 0: +@@ -7957,18 +8103,20 @@ datetime_s_parse(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE argv2[2], hash; +- +- argv2[0] = str; +- argv2[1] = comp; +- hash = date_s__parse(2, argv2, klass); ++ int argc2 = 2; ++ VALUE argv2[3]; ++ argv2[0] = str; ++ argv2[1] = comp; ++ argv2[2] = opt; ++ if (!NIL_P(opt)) argc2++; ++ VALUE hash = date_s__parse(argc2, argv2, klass); + return dt_new_by_frags(klass, hash, sg); + } + } + + /* + * call-seq: +- * DateTime.iso8601(string='-4712-01-01T00:00:00+00:00'[, start=Date::ITALY]) -> datetime ++ * DateTime.iso8601(string='-4712-01-01T00:00:00+00:00'[, start=Date::ITALY], limit: 128) -> datetime + * + * Creates a new DateTime object by parsing from a string according to + * some typical ISO 8601 formats. +@@ -7979,13 +8127,18 @@ datetime_s_parse(int argc, VALUE *argv, VALUE klass) + * #=> # + * DateTime.iso8601('2001-W05-6T04:05:06+07:00') + * #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + datetime_s_iso8601(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, sg; ++ VALUE str, sg, opt; + +- rb_scan_args(argc, argv, "02", &str, &sg); ++ rb_scan_args(argc, argv, "02:", &str, &sg, &opt); ++ if (!NIL_P(opt)) argc--; + + switch (argc) { + case 0: +@@ -7995,27 +8148,37 @@ datetime_s_iso8601(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE hash = date_s__iso8601(klass, str); ++ int argc2 = 1; ++ VALUE argv2[2]; ++ argv2[0] = str; ++ argv2[1] = opt; ++ if (!NIL_P(opt)) argc2--; ++ VALUE hash = date_s__iso8601(argc2, argv2, klass); + return dt_new_by_frags(klass, hash, sg); + } + } + + /* + * call-seq: +- * DateTime.rfc3339(string='-4712-01-01T00:00:00+00:00'[, start=Date::ITALY]) -> datetime ++ * DateTime.rfc3339(string='-4712-01-01T00:00:00+00:00'[, start=Date::ITALY], limit: 128) -> datetime + * + * Creates a new DateTime object by parsing from a string according to + * some typical RFC 3339 formats. + * + * DateTime.rfc3339('2001-02-03T04:05:06+07:00') + * #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + datetime_s_rfc3339(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, sg; ++ VALUE str, sg, opt; + +- rb_scan_args(argc, argv, "02", &str, &sg); ++ rb_scan_args(argc, argv, "02:", &str, &sg, &opt); ++ if (!NIL_P(opt)) argc--; + + switch (argc) { + case 0: +@@ -8025,27 +8188,37 @@ datetime_s_rfc3339(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE hash = date_s__rfc3339(klass, str); ++ int argc2 = 1; ++ VALUE argv2[2]; ++ argv2[0] = str; ++ argv2[1] = opt; ++ if (!NIL_P(opt)) argc2++; ++ VALUE hash = date_s__rfc3339(argc2, argv2, klass); + return dt_new_by_frags(klass, hash, sg); + } + } + + /* + * call-seq: +- * DateTime.xmlschema(string='-4712-01-01T00:00:00+00:00'[, start=Date::ITALY]) -> datetime ++ * DateTime.xmlschema(string='-4712-01-01T00:00:00+00:00'[, start=Date::ITALY], limit: 128) -> datetime + * + * Creates a new DateTime object by parsing from a string according to + * some typical XML Schema formats. + * + * DateTime.xmlschema('2001-02-03T04:05:06+07:00') + * #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + datetime_s_xmlschema(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, sg; ++ VALUE str, sg, opt; + +- rb_scan_args(argc, argv, "02", &str, &sg); ++ rb_scan_args(argc, argv, "02:", &str, &sg, &opt); ++ if (!NIL_P(opt)) argc--; + + switch (argc) { + case 0: +@@ -8055,28 +8228,38 @@ datetime_s_xmlschema(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE hash = date_s__xmlschema(klass, str); ++ int argc2 = 1; ++ VALUE argv2[2]; ++ argv2[0] = str; ++ argv2[1] = opt; ++ if (!NIL_P(opt)) argc2++; ++ VALUE hash = date_s__xmlschema(argc2, argv2, klass); + return dt_new_by_frags(klass, hash, sg); + } + } + + /* + * call-seq: +- * DateTime.rfc2822(string='Mon, 1 Jan -4712 00:00:00 +0000'[, start=Date::ITALY]) -> datetime +- * DateTime.rfc822(string='Mon, 1 Jan -4712 00:00:00 +0000'[, start=Date::ITALY]) -> datetime ++ * DateTime.rfc2822(string='Mon, 1 Jan -4712 00:00:00 +0000'[, start=Date::ITALY], limit: 128) -> datetime ++ * DateTime.rfc822(string='Mon, 1 Jan -4712 00:00:00 +0000'[, start=Date::ITALY], limit: 128) -> datetime + * + * Creates a new DateTime object by parsing from a string according to + * some typical RFC 2822 formats. + * + * DateTime.rfc2822('Sat, 3 Feb 2001 04:05:06 +0700') + * #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + datetime_s_rfc2822(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, sg; ++ VALUE str, sg, opt; + +- rb_scan_args(argc, argv, "02", &str, &sg); ++ rb_scan_args(argc, argv, "02:", &str, &sg, &opt); ++ if (!NIL_P(opt)) argc--; + + switch (argc) { + case 0: +@@ -8086,7 +8269,12 @@ datetime_s_rfc2822(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE hash = date_s__rfc2822(klass, str); ++ int argc2 = 1; ++ VALUE argv2[2]; ++ argv2[0] = str; ++ argv2[1] = opt; ++ if (!NIL_P(opt)) argc2++; ++ VALUE hash = date_s__rfc2822(argc2, argv2, klass); + return dt_new_by_frags(klass, hash, sg); + } + } +@@ -8100,13 +8288,18 @@ datetime_s_rfc2822(int argc, VALUE *argv, VALUE klass) + * + * DateTime.httpdate('Sat, 03 Feb 2001 04:05:06 GMT') + * #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + datetime_s_httpdate(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, sg; ++ VALUE str, sg, opt; + +- rb_scan_args(argc, argv, "02", &str, &sg); ++ rb_scan_args(argc, argv, "02:", &str, &sg, &opt); ++ if (!NIL_P(opt)) argc--; + + switch (argc) { + case 0: +@@ -8116,27 +8309,37 @@ datetime_s_httpdate(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE hash = date_s__httpdate(klass, str); ++ int argc2 = 1; ++ VALUE argv2[2]; ++ argv2[0] = str; ++ argv2[1] = opt; ++ if (!NIL_P(opt)) argc2++; ++ VALUE hash = date_s__httpdate(argc2, argv2, klass); + return dt_new_by_frags(klass, hash, sg); + } + } + + /* + * call-seq: +- * DateTime.jisx0301(string='-4712-01-01T00:00:00+00:00'[, start=Date::ITALY]) -> datetime ++ * DateTime.jisx0301(string='-4712-01-01T00:00:00+00:00'[, start=Date::ITALY], limit: 128) -> datetime + * + * Creates a new DateTime object by parsing from a string according to + * some typical JIS X 0301 formats. + * + * DateTime.jisx0301('H13.02.03T04:05:06+07:00') + * #=> # ++ * ++ * Raise an ArgumentError when the string length is longer than _limit_. ++ * You can stop this check by passing `limit: nil`, but note that ++ * it may take a long time to parse. + */ + static VALUE + datetime_s_jisx0301(int argc, VALUE *argv, VALUE klass) + { +- VALUE str, sg; ++ VALUE str, sg, opt; + +- rb_scan_args(argc, argv, "02", &str, &sg); ++ rb_scan_args(argc, argv, "02:", &str, &sg, &opt); ++ if (!NIL_P(opt)) argc--; + + switch (argc) { + case 0: +@@ -8146,7 +8349,12 @@ datetime_s_jisx0301(int argc, VALUE *argv, VALUE klass) + } + + { +- VALUE hash = date_s__jisx0301(klass, str); ++ int argc2 = 1; ++ VALUE argv2[2]; ++ argv2[0] = str; ++ argv2[1] = opt; ++ if (!NIL_P(opt)) argc2++; ++ VALUE hash = date_s__jisx0301(argc2, argv2, klass); + return dt_new_by_frags(klass, hash, sg); + } + } +@@ -9297,19 +9505,19 @@ Init_date_core(void) + rb_define_singleton_method(cDate, "strptime", date_s_strptime, -1); + rb_define_singleton_method(cDate, "_parse", date_s__parse, -1); + rb_define_singleton_method(cDate, "parse", date_s_parse, -1); +- rb_define_singleton_method(cDate, "_iso8601", date_s__iso8601, 1); ++ rb_define_singleton_method(cDate, "_iso8601", date_s__iso8601, -1); + rb_define_singleton_method(cDate, "iso8601", date_s_iso8601, -1); +- rb_define_singleton_method(cDate, "_rfc3339", date_s__rfc3339, 1); ++ rb_define_singleton_method(cDate, "_rfc3339", date_s__rfc3339, -1); + rb_define_singleton_method(cDate, "rfc3339", date_s_rfc3339, -1); +- rb_define_singleton_method(cDate, "_xmlschema", date_s__xmlschema, 1); ++ rb_define_singleton_method(cDate, "_xmlschema", date_s__xmlschema, -1); + rb_define_singleton_method(cDate, "xmlschema", date_s_xmlschema, -1); +- rb_define_singleton_method(cDate, "_rfc2822", date_s__rfc2822, 1); +- rb_define_singleton_method(cDate, "_rfc822", date_s__rfc2822, 1); ++ rb_define_singleton_method(cDate, "_rfc2822", date_s__rfc2822, -1); ++ rb_define_singleton_method(cDate, "_rfc822", date_s__rfc2822, -1); + rb_define_singleton_method(cDate, "rfc2822", date_s_rfc2822, -1); + rb_define_singleton_method(cDate, "rfc822", date_s_rfc2822, -1); +- rb_define_singleton_method(cDate, "_httpdate", date_s__httpdate, 1); ++ rb_define_singleton_method(cDate, "_httpdate", date_s__httpdate, -1); + rb_define_singleton_method(cDate, "httpdate", date_s_httpdate, -1); +- rb_define_singleton_method(cDate, "_jisx0301", date_s__jisx0301, 1); ++ rb_define_singleton_method(cDate, "_jisx0301", date_s__jisx0301, -1); + rb_define_singleton_method(cDate, "jisx0301", date_s_jisx0301, -1); + + #ifndef NDEBUG +diff --git a/test/date/test_date_parse.rb b/test/date/test_date_parse.rb +index ac0eb85ca7..f9b160ee8c 100644 +--- a/test/date/test_date_parse.rb ++++ b/test/date/test_date_parse.rb +@@ -1,6 +1,7 @@ + # frozen_string_literal: true + require 'test/unit' + require 'date' ++require 'timeout' + + class TestDateParse < Test::Unit::TestCase + +@@ -1122,4 +1123,32 @@ def test_given_string + assert_equal(s0, s) + end + ++ def test_length_limit ++ assert_raise(ArgumentError) { Date._parse("1" * 1000) } ++ assert_raise(ArgumentError) { Date._iso8601("1" * 1000) } ++ assert_raise(ArgumentError) { Date._rfc3339("1" * 1000) } ++ assert_raise(ArgumentError) { Date._xmlschema("1" * 1000) } ++ assert_raise(ArgumentError) { Date._rfc2822("1" * 1000) } ++ assert_raise(ArgumentError) { Date._rfc822("1" * 1000) } ++ assert_raise(ArgumentError) { Date._jisx0301("1" * 1000) } ++ ++ assert_raise(ArgumentError) { Date.parse("1" * 1000) } ++ assert_raise(ArgumentError) { Date.iso8601("1" * 1000) } ++ assert_raise(ArgumentError) { Date.rfc3339("1" * 1000) } ++ assert_raise(ArgumentError) { Date.xmlschema("1" * 1000) } ++ assert_raise(ArgumentError) { Date.rfc2822("1" * 1000) } ++ assert_raise(ArgumentError) { Date.rfc822("1" * 1000) } ++ assert_raise(ArgumentError) { Date.jisx0301("1" * 1000) } ++ ++ assert_raise(ArgumentError) { DateTime.parse("1" * 1000) } ++ assert_raise(ArgumentError) { DateTime.iso8601("1" * 1000) } ++ assert_raise(ArgumentError) { DateTime.rfc3339("1" * 1000) } ++ assert_raise(ArgumentError) { DateTime.xmlschema("1" * 1000) } ++ assert_raise(ArgumentError) { DateTime.rfc2822("1" * 1000) } ++ assert_raise(ArgumentError) { DateTime.rfc822("1" * 1000) } ++ assert_raise(ArgumentError) { DateTime.jisx0301("1" * 1000) } ++ ++ assert_raise(ArgumentError) { Date._parse("Jan " + "9" * 1000000) } ++ assert_raise(Timeout::Error) { Timeout.timeout(1) { Date._parse("Jan " + "9" * 1000000, limit: nil) } } ++ end + end +-- +2.36.1 + diff --git a/SOURCES/ruby-3.0.3-fiddle-1.0.8-Rely-on-hard-coded-lib-name-to-detect-glibc.patch b/SOURCES/ruby-3.0.3-fiddle-1.0.8-Rely-on-hard-coded-lib-name-to-detect-glibc.patch new file mode 100644 index 0000000..3fa0747 --- /dev/null +++ b/SOURCES/ruby-3.0.3-fiddle-1.0.8-Rely-on-hard-coded-lib-name-to-detect-glibc.patch @@ -0,0 +1,25 @@ +From a267a40be7844224c5f000530bd3e8e906f1acea Mon Sep 17 00:00:00 2001 +From: Jeremy Evans +Date: Wed, 10 Mar 2021 13:48:00 -0800 +Subject: [PATCH] Do not use a libdir for glibc, it breaks Linux PPC64 (#70) + +Fixes [Bug #12666] +--- + test/fiddle/helper.rb | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/test/fiddle/helper.rb b/test/fiddle/helper.rb +index f38f903..a6e2019 100644 +--- a/test/fiddle/helper.rb ++++ b/test/fiddle/helper.rb +@@ -20,8 +20,8 @@ + # 64-bit ruby + libdir = '/lib64' if File.directory? '/lib64' + end +- libc_so = File.join(libdir, "libc.so.6") +- libm_so = File.join(libdir, "libm.so.6") ++ libc_so = "libc.so.6" ++ libm_so = "libm.so.6" + when /mingw/, /mswin/ + require "rbconfig" + crtname = RbConfig::CONFIG["RUBY_SO_NAME"][/msvc\w+/] || 'ucrtbase' diff --git a/SPECS/ruby.spec b/SPECS/ruby.spec index d2cdffa..6ffd3e0 100644 --- a/SPECS/ruby.spec +++ b/SPECS/ruby.spec @@ -21,7 +21,7 @@ %endif -%global release 109 +%global release 110 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} @@ -103,8 +103,8 @@ Source14: test_systemtap.rb # The load directive is supported since RPM 4.12, i.e. F21+. The build process # fails on older Fedoras. -%{?load:%{SOURCE4}} -%{?load:%{SOURCE5}} +%{load:%{SOURCE4}} +%{load:%{SOURCE5}} # Fix ruby_version abuse. # https://bugs.ruby-lang.org/issues/11002 @@ -130,10 +130,9 @@ Patch6: ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch # Use miniruby to regenerate prelude.c. # https://bugs.ruby-lang.org/issues/10554 Patch7: ruby-2.2.3-Generate-preludes-using-miniruby.patch -# Workaround "an invalid stdio handle" error on PPC, due to recently introduced -# hardening features of glibc (rhbz#1361037). -# https://bugs.ruby-lang.org/issues/12666 -Patch9: ruby-2.3.1-Rely-on-ldd-to-detect-glibc.patch +# Fix a fiddle import test on an optimized glibc on Power 9. +# https://bugs.ruby-lang.org/issues/12666#note-13 +Patch9: ruby-3.0.3-fiddle-1.0.8-Rely-on-hard-coded-lib-name-to-detect-glibc.patch # Add Gem.operating_system_defaults to allow packagers to override defaults. # https://github.com/rubygems/rubygems/pull/2116 Patch10: ruby-2.5.0-Add-Gem.operating_system_defaults.patch @@ -188,6 +187,17 @@ Patch31: ruby-2.6.8-net-imap-startls-stripping-vulnerability.patch # to arbitrary host. # https://bugzilla.redhat.com/show_bug.cgi?id=1980825 Patch32: ruby-2.6.8-net-ftp-pasv-can-connect-to-arbitrary-host.patch +# CVE-2021-41817: Fix by adding a length limit option for methods that parses +# date strings. +# https://bugzilla.redhat.com/show_bug.cgi?id=2025104 +# https://github.com/ruby/date/commit/4f9b8e946ba98f0a1774f8e677baa4a45637ebb3 +Patch33: ruby-2.6.9-date-2.0.1-parse-length-limit.patch +# CVE-2021-41819: CGI::Cookie.parse that no longer decodes cookie names to +# prevent spoofing security prefixes in cookie names. +# https://bugzilla.redhat.com/show_bug.cgi?id=2026757 +# https://github.com/ruby/ruby/commit/02c341c9bc5879eae568ed2ba02cf227ed948199 +# https://github.com/ruby/cgi/commit/84dedc6fbb2a210ec070c35bc607b89003701fa2 +Patch34: ruby-2.6.9-cgi-0.1.1-cookie-parse-not-decode-names.patch Requires: %{name}-libs%{?_isa} = %{version}-%{release} Suggests: rubypick @@ -590,6 +600,8 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \ %patch30 -p1 %patch31 -p1 %patch32 -p1 +%patch33 -p1 +%patch34 -p1 # Provide an example of usage of the tapset: cp -a %{SOURCE3} . @@ -1142,6 +1154,15 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \ %{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec %changelog +* Fri Jul 08 2022 Jun Aruga - 2.5.9-110 +- Fix FTBFS due to an incompatible load directive. +- Fix a fiddle import test on an optimized glibc on Power 9. +- Fix by adding length limit option for methods that parses date strings. + Resolves: CVE-2021-41817 +- CGI::Cookie.parse no longer decodes cookie names to prevent spoofing security + prefixes in cookie names. + Resolves: CVE-2021-41819 + * Wed Feb 16 2022 Jarek Prokop - 2.5.9-109 - Properly fix command injection vulnerability in Rdoc. Related: CVE-2021-31799