From 29eb113cb05560f26da302d432984531be0737fc Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Tue, 11 Nov 2025 15:46:18 +0000
Subject: [PATCH] import UBI ruby-3.3.8-4.module+el9.7.0+23096+6a95897f
---
 SOURCES/rpm_test_helper.rb | 2 +-
 ...by-3.4.2-openssl-Fix-SHA-1-PSS-tests.patch | 126 ++++++++++++++++++
 SPECS/ruby.spec | 20 +--
 3 files changed, 139 insertions(+), 9 deletions(-)
 create mode 100644 SOURCES/ruby-3.4.2-openssl-Fix-SHA-1-PSS-tests.patch
diff --git a/SOURCES/rpm_test_helper.rb b/SOURCES/rpm_test_helper.rb
index 671ca55..3b09fa4 100644
--- a/SOURCES/rpm_test_helper.rb
+++ b/SOURCES/rpm_test_helper.rb
@@ -52,7 +52,7 @@ module RPMTestHelper
 s.description = "Fake gemspec helper for testing Rubygem Generators".freeze
 s.email = ["example@example.com".freeze]
 s.files = ["LICENSE.txt".freeze, "lib/#{gem_info.name}.rb".freeze, "#{gem_info.name}.gemspec".freeze]
- s.homepage = "https://pkgs.fedoraproject.org/rpms/ruby".freeze
+ s.homepage = "https://gitlab.com/redhat".freeze
 s.licenses = ["MIT".freeze]
 s.required_ruby_version = Gem::Requirement.new(">= 2.5.0".freeze)
 s.rubygems_version = "3.3.5".freeze
diff --git a/SOURCES/ruby-3.4.2-openssl-Fix-SHA-1-PSS-tests.patch b/SOURCES/ruby-3.4.2-openssl-Fix-SHA-1-PSS-tests.patch
new file mode 100644
index 0000000..19fff7d
--- /dev/null
+++ b/SOURCES/ruby-3.4.2-openssl-Fix-SHA-1-PSS-tests.patch
@@ -0,0 +1,126 @@
+From 113727fa85749a9625838e378dcd4a749d40b0c5 Mon Sep 17 00:00:00 2001
+From: Jun Aruga
+Date: Tue, 8 Apr 2025 15:03:06 +0200
+Subject: [PATCH] Fix the tests using SHA-1 Probabilistic Signature Scheme
+ (PSS) parameters.
+
+Fedora OpenSSL 3.5 on rawhide stopped accepting SHA-1 PSS[1] parameters.
+This is different from the SHA-1 signatures which Fedora OpenSSL stopped
+accepting since Fedora 41.[2]
+
+This commit fixes the following test failures related to the SHA-1 PSS
+parameters with Fedora OpenSSL 3.5.
+Note these failures are the downstream Fedora OpenSSL RPM specific. The tests
+pass without this commit with the upstream OpenSSL 3.5.
+
+```
+$ rpm -q openssl-libs openssl-devel
+openssl-libs-3.5.0-2.fc43.x86_64
+openssl-devel-3.5.0-2.fc43.x86_64
+
+$ bundle exec rake test
+...
+E
+===============================================================================================
+Error: test_sign_verify_options(OpenSSL::TestPKeyRSA): OpenSSL::PKey::PKeyError: EVP_PKEY_CTX_ctrl_str(ctx, "rsa_mgf1_md", "SHA1"): digest not allowed (digest=SHA1)
+/mnt/git/ruby/openssl/test/openssl/test_pkey_rsa.rb:113:in 'Hash#each'
+/mnt/git/ruby/openssl/test/openssl/test_pkey_rsa.rb:113:in 'OpenSSL::PKey::PKey#sign'
+/mnt/git/ruby/openssl/test/openssl/test_pkey_rsa.rb:113:in 'OpenSSL::TestPKeyRSA#test_sign_verify_options'
+ 110: "rsa_pss_saltlen" => 20,
+ 111: "rsa_mgf1_md" => "SHA1"
+ 112: }
+ => 113: sig_pss = key.sign("SHA256", data, pssopts)
+ 114: assert_equal 256, sig_pss.bytesize
+ 115: assert_equal true, key.verify("SHA256", sig_pss, data, pssopts)
+ 116: assert_equal true, key.verify_pss("SHA256", sig_pss, data,
+===============================================================================================
+E
+===============================================================================================
+Error: test_sign_verify_pss(OpenSSL::TestPKeyRSA): OpenSSL::PKey::RSAError: digest not allowed (digest=SHA1)
+/mnt/git/ruby/openssl/test/openssl/test_pkey_rsa.rb:191:in 'OpenSSL::PKey::RSA#sign_pss'
+/mnt/git/ruby/openssl/test/openssl/test_pkey_rsa.rb:191:in 'OpenSSL::TestPKeyRSA#test_sign_verify_pss'
+ 188: data = "Sign me!"
+ 189: invalid_data = "Sign me?"
+ 190:
+ => 191: signature = key.sign_pss("SHA256", data, salt_length: 20, mgf1_hash: "SHA1")
+ 192: assert_equal 256, signature.bytesize
+ 193: assert_equal true,
+ 194: key.verify_pss("SHA256", signature, data, salt_length: 20, mgf1_hash: "SHA1")
+===============================================================================================
+...
+577 tests, 4186 assertions, 0 failures, 2 errors, 0 pendings, 3 omissions, 0 notifications
+```
+
+[1] https://en.wikipedia.org/wiki/Probabilistic_signature_scheme
+[2] https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
+---
+ test/openssl/test_pkey_rsa.rb | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb
+index 61c55c60b2..9661cef419 100644
+--- a/test/openssl/test_pkey_rsa.rb
++++ b/test/openssl/test_pkey_rsa.rb
+@@ -99,13 +99,13 @@ def test_sign_verify_options
+ pssopts = {
+ "rsa_padding_mode" => "pss",
+ "rsa_pss_saltlen" => 20,
+- "rsa_mgf1_md" => "SHA1"
++ "rsa_mgf1_md" => "SHA256"
+ }
+ sig_pss = key.sign("SHA256", data, pssopts)
+ assert_equal 128, sig_pss.bytesize
+ assert_equal true, key.verify("SHA256", sig_pss, data, pssopts)
+ assert_equal true, key.verify_pss("SHA256", sig_pss, data,
+- salt_length: 20, mgf1_hash: "SHA1")
++ salt_length: 20, mgf1_hash: "SHA256")
+ # Defaults to PKCS #1 v1.5 padding => verification failure
+ assert_equal false, key.verify("SHA256", sig_pss, data)
+
+@@ -179,31 +179,31 @@ def test_sign_verify_pss
+ data = "Sign me!"
+ invalid_data = "Sign me?"
+
+- signature = key.sign_pss("SHA256", data, salt_length: 20, mgf1_hash: "SHA1")
++ signature = key.sign_pss("SHA256", data, salt_length: 20, mgf1_hash: "SHA256")
+ assert_equal 128, signature.bytesize
+ assert_equal true,
+- key.verify_pss("SHA256", signature, data, salt_length: 20, mgf1_hash: "SHA1")
++ key.verify_pss("SHA256", signature, data, salt_length: 20, mgf1_hash: "SHA256")
+ assert_equal true,
+- key.verify_pss("SHA256", signature, data, salt_length: :auto, mgf1_hash: "SHA1")
++ key.verify_pss("SHA256", signature, data, salt_length: :auto, mgf1_hash: "SHA256")
+ assert_equal false,
+- key.verify_pss("SHA256", signature, invalid_data, salt_length: 20, mgf1_hash: "SHA1")
++ key.verify_pss("SHA256", signature, invalid_data, salt_length: 20, mgf1_hash: "SHA256")
+
+- signature = key.sign_pss("SHA256", data, salt_length: :digest, mgf1_hash: "SHA1")
++ signature = key.sign_pss("SHA256", data, salt_length: :digest, mgf1_hash: "SHA256")
+ assert_equal true,
+- key.verify_pss("SHA256", signature, data, salt_length: 32, mgf1_hash: "SHA1")
++ key.verify_pss("SHA256", signature, data, salt_length: 32, mgf1_hash: "SHA256")
+ assert_equal true,
+- key.verify_pss("SHA256", signature, data, salt_length: :auto, mgf1_hash: "SHA1")
++ key.verify_pss("SHA256", signature, data, salt_length: :auto, mgf1_hash: "SHA256")
+ assert_equal false,
+- key.verify_pss("SHA256", signature, data, salt_length: 20, mgf1_hash: "SHA1")
++ key.verify_pss("SHA256", signature, data, salt_length: 20, mgf1_hash: "SHA256")
+
+- signature = key.sign_pss("SHA256", data, salt_length: :max, mgf1_hash: "SHA1")
++ signature = key.sign_pss("SHA256", data, salt_length: :max, mgf1_hash: "SHA256")
+ assert_equal true,
+- key.verify_pss("SHA256", signature, data, salt_length: 94, mgf1_hash: "SHA1")
++ key.verify_pss("SHA256", signature, data, salt_length: 94, mgf1_hash: "SHA256")
+ assert_equal true,
+- key.verify_pss("SHA256", signature, data, salt_length: :auto, mgf1_hash: "SHA1")
++
key.verify_pss("SHA256", signature, data, salt_length: :auto, mgf1_hash: "SHA256") + + assert_raise(OpenSSL::PKey::RSAError) { +- key.sign_pss("SHA256", data, salt_length: 95, mgf1_hash: "SHA1") ++ key.sign_pss("SHA256", data, salt_length: 95, mgf1_hash: "SHA256") + } + end + +-- +2.48.1 + diff --git a/SPECS/ruby.spec b/SPECS/ruby.spec index 2c435e7..090c47e 100644 --- a/SPECS/ruby.spec +++ b/SPECS/ruby.spec @@ -277,6 +277,9 @@ Patch9: ruby-3.3.0-Disable-syntax-suggest-test-case.patch # Make sure hardeding flags are correctly applied. # https://bugs.ruby-lang.org/issues/20520 Patch12: ruby-3.4.0-Extract-hardening-CFLAGS-to-a-special-hardenflags-variable.patch +# Fix the tests using SHA-1 Probabilistic Signature Scheme (PSS) parameters. +# https://github.com/ruby/openssl/pull/879 +Patch13: ruby-3.4.2-openssl-Fix-SHA-1-PSS-tests.patch Requires: %{name}-libs%{?_isa} = %{version}-%{release} %{?with_rubypick:Suggests: rubypick} @@ -752,6 +755,7 @@ analysis result in RBS format, a standard type description format for Ruby %patch -P 6 -p1 %patch -P 9 -p1 %patch -P 12 -p1 +%patch -P 13 -p1 # Provide an example of usage of the tapset: cp -a %{SOURCE3} . 
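Review bot: With the embedded patch applied, every PSS call in test_sign_verify_options and test_sign_verify_pss (test/openssl/test_pkey_rsa.rb) passes "SHA256" both as the signing digest and as the MGF1 hash, so these tests no longer show that `mgf1_hash` / `rsa_mgf1_md` is applied independently of the digest. An implementation that ignored the parameter and fell back to the signing digest would presumably still pass. One extra pair using a different hash that the distribution policy still permits would restore that coverage, for example `sig = key.sign_pss("SHA256", data, salt_length: 20, mgf1_hash: "SHA384")` followed by `assert_equal false, key.verify_pss("SHA256", sig, data, salt_length: 20, mgf1_hash: "SHA256")`. Both test methods begin above their embedded hunks, and test_sign_verify_options continues past its hunk.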
@@ -1752,28 +1756,28 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \ %changelog * Fri Apr 11 2025 Jarek Prokop - 3.3.8-4 - Upgrade to Ruby 3.3.8. - Resolves: RHEL-86933 + Resolves: RHEL-68631 - Fix Net::IMAP vulnerable to possible DoS by memory exhaustion. (CVE-2025-25186) - Fix Denial of Service in CGI::Cookie.parse. (CVE-2025-27219) - Resolves: RHEL-87182 + Resolves: RHEL-86109 - Fix userinfo leakage in URI#join, URI#merge and URI#+. (CVE-2025-27221) * Wed Sep 04 2024 Jarek Prokop - 3.3.5-3 - Upgrade to Ruby 3.3.5 - Resolves: RHEL-57577 + Resolves: RHEL-55411 - Fix DoS vulnerability in rexml. (CVE-2024-39908) (CVE-2024-41946) (CVE-2024-43398) - Resolves: RHEL-57574 - Resolves: RHEL-57571 - Resolves: RHEL-57579 + Resolves: RHEL-57575 + Resolves: RHEL-57572 + Resolves: RHEL-57068 - Fix REXML DoS when parsing an XML having many specific characters such as whitespace character, >] and ]>. (CVE-2024-41123) - Resolves: RHEL-57568 + Resolves: RHEL-57569 - Fix incorrect symlink for rubygem-irb's library. - Resolves: RHEL-57598 + Resolves: RHEL-42646 * Mon May 20 2024 Jarek Prokop - 3.3.1-2 - Upgrade to Ruby 3.3.1.