From 7a80435212e2f056c51a5dca930c4a56dd13439d Mon Sep 17 00:00:00 2001
From: Andrew Lukoshko
Date: Tue, 19 May 2026 19:01:09 +0000
Subject: [PATCH] import UBI ruby-3.0.7-166.el9_7
---
 ....1-Fix-test-session-reuse-but-expire.patch | 28 --------
 ...rb-fix-test_session_reuse_but_expire.patch | 29 ++++++++
 ...eserialization-bypass-CVE-2026-41316.patch | 68 +++++++++++++++++++
 ...on-1-encoded-as-0-is-allowed-by-PKIX.patch | 61 +++++++++++++++++
 ...rb-Remove-the-assertions-of-the-time.patch | 62 +++++++++++++++++
 SPECS/ruby.spec | 38 ++++++++---
 6 files changed, 247 insertions(+), 39 deletions(-)
 delete mode 100644 SOURCES/ruby-3.3.1-Fix-test-session-reuse-but-expire.patch
 create mode 100644 SOURCES/ruby-3.4.0-ruby-net-http-test_https.rb-fix-test_session_reuse_but_expire.patch
 create mode 100644 SOURCES/rubygem-erb-4.0.3.1-Fix-arbitrary-code-execution-via-deserialization-bypass-CVE-2026-41316.patch
 create mode 100644 SOURCES/rubygem-openssl-3.3.0-Only-CSR-version-1-encoded-as-0-is-allowed-by-PKIX.patch
 create mode 100644 SOURCES/rubygem-openssl-3.3.0-test_asn1.rb-Remove-the-assertions-of-the-time.patch
diff --git a/SOURCES/ruby-3.3.1-Fix-test-session-reuse-but-expire.patch b/SOURCES/ruby-3.3.1-Fix-test-session-reuse-but-expire.patch
deleted file mode 100644
index d1ebe30..0000000
--- a/SOURCES/ruby-3.3.1-Fix-test-session-reuse-but-expire.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 1816c142a4d66a75c23ccf6fd89a06cbe422e34f Mon Sep 17 00:00:00 2001
-From: "NARUSE, Yui"
-Date: Sat, 3 Feb 2024 22:35:44 +0900
-Subject: [PATCH] Fix test session reuse but expire (#9824)
-
-* OpenSSL 3.2.1 30 Jan 2024 is also broken
-
-Import 45064610725ddd81a5ea3775da35aa46985bc789 from ruby_3_3 branch
-tentatively.
----
- test/net/http/test_https.rb | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/test/net/http/test_https.rb b/test/net/http/test_https.rb
-index 7b97e39586..aef748dfa0 100644
---- a/test/net/http/test_https.rb
-+++ b/test/net/http/test_https.rb
-@@ -178,6 +178,7 @@ def test_session_reuse
- def test_session_reuse_but_expire
- # FIXME: The new_session_cb is known broken for clients in OpenSSL 1.1.0h.
- skip if OpenSSL::OPENSSL_LIBRARY_VERSION =~ /OpenSSL 1.1.0h/
-+ omit if OpenSSL::OPENSSL_LIBRARY_VERSION.include?('OpenSSL 3.2.')
-
- http = Net::HTTP.new("localhost", config("port"))
- http.use_ssl = true
---
-2.44.0
-
diff --git a/SOURCES/ruby-3.4.0-ruby-net-http-test_https.rb-fix-test_session_reuse_but_expire.patch b/SOURCES/ruby-3.4.0-ruby-net-http-test_https.rb-fix-test_session_reuse_but_expire.patch
new file mode 100644
index 0000000..be0b60c
--- /dev/null
+++ b/SOURCES/ruby-3.4.0-ruby-net-http-test_https.rb-fix-test_session_reuse_but_expire.patch
@@ -0,0 +1,29 @@
+From 960a0cdc544a226fed31c8988edb4fefe6990154 Mon Sep 17 00:00:00 2001
+From: MSP-Greg
+Date: Thu, 20 Jun 2024 19:33:06 -0500
+Subject: [PATCH] [ruby/net-http] test_https.rb - fix
+ test_session_reuse_but_expire
+
+https://github.com/ruby/net-http/commit/5544243c41
+---
+ test/net/http/test_https.rb | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/test/net/http/test_https.rb b/test/net/http/test_https.rb
+index 7b97e39586..a2f17ce336 100644
+--- a/test/net/http/test_https.rb
++++ b/test/net/http/test_https.rb
+@@ -183,11 +183,11 @@ def test_session_reuse_but_expire
+ http.use_ssl = true
+ http.cert_store = TEST_STORE
+
+- http.ssl_timeout = -1
++ http.ssl_timeout = 1
+ http.start
+ http.get("/")
+ http.finish
+-
++ sleep 1.25
+ http.start
+ http.get("/")
+
diff --git a/SOURCES/rubygem-erb-4.0.3.1-Fix-arbitrary-code-execution-via-deserialization-bypass-CVE-2026-41316.patch b/SOURCES/rubygem-erb-4.0.3.1-Fix-arbitrary-code-execution-via-deserialization-bypass-CVE-2026-41316.patch
new file mode 100644
index 0000000..cd527de
--- /dev/null
+++ b/SOURCES/rubygem-erb-4.0.3.1-Fix-arbitrary-code-execution-via-deserialization-bypass-CVE-2026-41316.patch
@@ -0,0 +1,68 @@
+From 9bdf63dd97e56edd9eba4e2a95623798ed472d86 Mon Sep 17 00:00:00 2001
+From: Takashi Kokubun
+Date: Tue, 21 Apr 2026 16:27:44 +0900
+Subject: [PATCH] Prohibit def_method on marshal-loaded ERB instances
+
+Extends the @_init guard to def_method so that an ERB object created
+via Marshal.load (which bypasses initialize) raises ArgumentError
+instead of evaluating arbitrary source. def_module and def_class both
+delegate to def_method and are covered by the same check.
+
+Co-authored-by: Tristan Madani
+---
+ lib/erb.rb | 3 +++
+ test/erb/test_erb.rb | 27 +++++++++++++++++++++++++++
+ 2 files changed, 30 insertions(+)
+
+diff --git a/lib/erb.rb b/lib/erb.rb
+index d2ea64ab60..6c5efad513 100644
+--- a/lib/erb.rb
++++ b/lib/erb.rb
+@@ -939,6 +939,9 @@ def new_toplevel(vars = nil)
+ # erb.def_method(MyClass, 'render(arg1, arg2)', filename)
+ # print MyClass.new.render('foo', 123)
+ def def_method(mod, methodname, fname='(ERB)')
++ unless @_init.equal?(self.class.singleton_class)
++ raise ArgumentError, "not initialized"
++ end
+ src = self.src.sub(/^(?!#|$)/) {"def #{methodname}\n"} << "\nend\n"
+ mod.module_eval do
+ eval(src, binding, fname, -1)
+diff --git a/test/erb/test_erb.rb b/test/erb/test_erb.rb
+index d3e9b6c944..e5f2d97f1c 100644
+--- a/test/erb/test_erb.rb
++++ b/test/erb/test_erb.rb
+@@ -701,6 +701,33 @@ def test_prohibited_marshal_load
+ erb = Marshal.load(Marshal.dump(erb))
+ assert_raise(ArgumentError) {erb.result}
+ end
++
++ def test_prohibited_marshal_load_def_method
++ erb = ERB.allocate
++ erb.instance_variable_set(:@src, "")
++ erb.instance_variable_set(:@lineno, 1)
++ erb.instance_variable_set(:@_init, true)
++ erb = Marshal.load(Marshal.dump(erb))
++ assert_raise(ArgumentError) {erb.def_method(Class.new, 'render')}
++ end
++
++ def test_prohibited_marshal_load_def_module
++ erb = ERB.allocate
++ erb.instance_variable_set(:@src, "")
++ erb.instance_variable_set(:@lineno, 1)
++ erb.instance_variable_set(:@_init, true)
++ erb = Marshal.load(Marshal.dump(erb))
++ assert_raise(ArgumentError) {erb.def_module}
++ end
++
++ def test_prohibited_marshal_load_def_class
++ erb = ERB.allocate
++ erb.instance_variable_set(:@src, "")
++ erb.instance_variable_set(:@lineno, 1)
++ erb.instance_variable_set(:@_init, true)
++ erb = Marshal.load(Marshal.dump(erb))
++ assert_raise(ArgumentError) {erb.def_class}
++ end
+ end
+
+ class TestERBCoreWOStrScan < TestERBCore
diff --git a/SOURCES/rubygem-openssl-3.3.0-Only-CSR-version-1-encoded-as-0-is-allowed-by-PKIX.patch b/SOURCES/rubygem-openssl-3.3.0-Only-CSR-version-1-encoded-as-0-is-allowed-by-PKIX.patch
new file mode 100644
index 0000000..09c8e68
--- /dev/null
+++ b/SOURCES/rubygem-openssl-3.3.0-Only-CSR-version-1-encoded-as-0-is-allowed-by-PKIX.patch
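Review bot: The new guard `unless @_init.equal?(self.class.singleton_class)` in `def_method` gives no hint why an identity comparison against the singleton class is the right sentinel; a short comment above it would save the next reader a trip through `initialize`, e.g. `# @_init is set by #initialize; an object produced by Marshal.load or ERB.allocate never passes this identity check, so its @src is never evaluated` (hedged, since `initialize` is outside the hunk). The commit message states that `def_module` and `def_class` delegate to `def_method`, but that delegation is not visible here, so the two corresponding tests depend on something the reviewer should confirm in the patched lib/erb.rb. It is also worth confirming that every other entry point that evaluates `@src` (`result`, `run`, `result_with_hash`) carries the same `@_init` check, because the pre-existing `test_prohibited_marshal_load` only covers `result`. From a detection standpoint, an `ArgumentError: not initialized` raised from ERB in application logs is the observable signal that a deserialized template object reached an evaluation path.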
@@ -0,0 +1,61 @@
+From b7ce8df9f0d03a590adbddaaa5f5ce4442e696ec Mon Sep 17 00:00:00 2001
+From: Job Snijders
+Date: Mon, 25 Mar 2024 12:20:13 +0000
+Subject: [PATCH] Only CSR version 1 (encoded as 0) is allowed by PKIX
+ standards
+
+RFC 2986, section 4.1 only defines version 1 for CSRs. This version
+is encoded as a 0. Starting with OpenSSL 3.3, setting the CSR version
+to anything but 1 fails.
+
+Do not attempt to generate a CSR with invalid version (which now fails)
+and invalidate the CSR in test_sign_and_verify_rsa_sha1 by changing its
+subject rather than using an invalid version.
+
+This commit fixes the following error.
+
+```
+ 2) Error: test_version(OpenSSL::TestX509Request): OpenSSL::X509::RequestError:
+X509_REQ_set_version: passed invalid argument
+/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `version='
+/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `issue_csr'
+/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:43:in
+`test_version'
+ 40: req = OpenSSL::X509::Request.new(req.to_der)
+ 41: assert_equal(0, req.version)
+ 42:
+ => 43: req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
+ 44: assert_equal(1, req.version)
+ 45: req = OpenSSL::X509::Request.new(req.to_der)
+ 46: assert_equal(1, req.version)
+```
+---
+ test/openssl/test_x509req.rb | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb
+index ee9c678fbb..2a14afc9a1 100644
+--- a/test/openssl/test_x509req.rb
++++ b/test/openssl/test_x509req.rb
+@@ -39,11 +39,6 @@ def test_version
+ assert_equal(0, req.version)
+ req = OpenSSL::X509::Request.new(req.to_der)
+ assert_equal(0, req.version)
+-
+- req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
+- assert_equal(1, req.version)
+- req = OpenSSL::X509::Request.new(req.to_der)
+- assert_equal(1, req.version)
+ end
+
+ def test_subject
+@@ -106,8 +101,8 @@ def test_sign_and_verify_rsa_sha1
+ assert_equal(false, req.verify(@rsa2048))
+ assert_equal(false, request_error_returns_false { req.verify(@dsa256) })
+ assert_equal(false, request_error_returns_false { req.verify(@dsa512) })
+- req.version = 1
++ req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBarFooBar")
+ assert_equal(false, req.verify(@rsa1024))
+ end
+
+ def test_sign_and_verify_rsa_md5
diff --git a/SOURCES/rubygem-openssl-3.3.0-test_asn1.rb-Remove-the-assertions-of-the-time.patch b/SOURCES/rubygem-openssl-3.3.0-test_asn1.rb-Remove-the-assertions-of-the-time.patch
new file mode 100644
index 0000000..b24adb9
--- /dev/null
+++ b/SOURCES/rubygem-openssl-3.3.0-test_asn1.rb-Remove-the-assertions-of-the-time.patch
@@ -0,0 +1,62 @@
+From 561b56fcb552654e7c9449959f49fbc014798a58 Mon Sep 17 00:00:00 2001
+From: Jun Aruga
+Date: Tue, 12 Mar 2024 14:39:05 +0100
+Subject: [PATCH] test_asn1.rb: Remove the assertions of the time string format
+ without second.
+
+This commit fixes the following errors in the tests.
+Because the OpenSSL project changed the code to make the time string format
+without second invalid. So, we drop the assertions.
+
+```
+1) Error: test_generalizedtime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: generalizedtime is too short
+/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode'
+/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test'
+/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:433:in `test_generalizedtime'
+ 430: OpenSSL::ASN1::GeneralizedTime.new(Time.utc(9999, 9, 8, 23, 43, 39))
+ 431: # LibreSSL 3.6.0 requires the seconds element
+ 432: return if libressl?
+ => 433: decode_test B(%w{ 18 0D }) + "201612081934Z".b,
+ 434: OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 0))
+ 435: # not implemented
+ 436: # decode_test B(%w{ 18 13 }) + "20161208193439+0930".b,
+
+2) Error: test_utctime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: utctime is too short
+/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode'
+/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test'
+/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:411:in `test_utctime'
+ 408: end
+ 409: # Seconds is omitted. LibreSSL 3.6.0 requires it
+ 410: return if libressl?
+ => 411: decode_test B(%w{ 17 0B }) + "1609082343Z".b,
+ 412: OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 0))
+ 413: # not implemented
+ 414: # decode_test B(%w{ 17 11 }) + "500908234339+0930".b,
+```
+---
+ test/openssl/test_asn1.rb | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/test/openssl/test_asn1.rb b/test/openssl/test_asn1.rb
+index af069cad6e..b5cf1adfd8 100644
+--- a/test/openssl/test_asn1.rb
++++ b/test/openssl/test_asn1.rb
+@@ -405,9 +405,6 @@ def test_set
+ def test_utctime
+ encode_decode_test B(%w{ 17 0D }) + "160908234339Z".b,
+ OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 39))
+- # Seconds is omitted
+- decode_test B(%w{ 17 0B }) + "1609082343Z".b,
+- OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 0))
+ begin
+ # possible range of UTCTime is 1969-2068 currently
+ encode_decode_test B(%w{ 17 0D }) + "690908234339Z".b,
+@@ -433,8 +430,6 @@ def test_generalizedtime
+ OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 29))
+ encode_decode_test B(%w{ 18 0F }) + "99990908234339Z".b,
+ OpenSSL::ASN1::GeneralizedTime.new(Time.utc(9999, 9, 8, 23, 43, 39))
+- decode_test B(%w{ 18 0D }) + "201612081934Z".b,
+- OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 0))
+ # not implemented
+ # decode_test B(%w{ 18 13 }) + "20161208193439+0930".b,
+ # OpenSSL::ASN1::GeneralizedTime.new(Time.new(2016, 12, 8, 19, 34, 39, "+09:30"))
diff --git a/SPECS/ruby.spec b/SPECS/ruby.spec
index a3462b7..891e8bb 100644
--- a/SPECS/ruby.spec
+++ b/SPECS/ruby.spec
@@ -22,7 +22,7 @@
 %endif
-%global release 165
+%global release 166
 %{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
 # The RubyGems library has to stay out of Ruby directory tree, since the
@@ -293,10 +293,6 @@ Patch68: ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch
 # https://github.com/ruby/ruby/commit/d3933fc753187a055a4904af82f5f3794c88c416
 # https://bugs.ruby-lang.org/issues/20106
 Patch69: ruby-3.4.0-ruby-net-http-Renew-test-certificates.patch
-# Fix `TestNetHTTPS#test_session_reuse_but_expire` test failure cause by
-# to OpenSSL 3.2
-# https://github.com/ruby/ruby/commit/64b6a018a38f200c957fdbbe7d0cbe0e64781c9f
-Patch70: ruby-3.3.1-Fix-test-session-reuse-but-expire.patch
 # Tests not included, this Ruby release does not include REXML tests.
 # https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
 Patch71: rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
@@ -339,6 +335,18 @@ Patch76: rubygem-cgi-0.3.5.1-Fix-DoS-in-CGI-Cookie-parse-CVE-2025-27219.patch
 # Fix ReDoS in CGI::Util#escapeElement. (CVE-2025-27220)
 # https://github.com/ruby/cgi/commit/bfa69e120df4e0131bb05df6c5e05c1dc982cd37
 Patch77: rubygem-cgi-0.3.5.1-Fix-ReDoS-in-CGI-CVE-2025-27220.patch
+# Only CSR version 1 (encoded as 0) is allowed by PKIX standards
+# https://github.com/ruby/openssl/pull/747
+Patch78: rubygem-openssl-3.3.0-Only-CSR-version-1-encoded-as-0-is-allowed-by-PKIX.patch
+# Remove the assertions of the time string format without second.
+# https://github.com/ruby/openssl/pull/728
+Patch79: rubygem-openssl-3.3.0-test_asn1.rb-Remove-the-assertions-of-the-time.patch
+# Fix test_session_reuse_but_expire test failure for Net::HTTPS.
+# https://github.com/ruby/ruby/commit/9f4b45fbf7981a57fd82436ebec8a50ec3d3fdc9
+Patch80: ruby-3.4.0-ruby-net-http-test_https.rb-fix-test_session_reuse_but_expire.patch
+# Fix arbitrary code execution via deserialization bypass in ERB. (CVE-2026-41316)
+# https://github.com/ruby/erb/commit/ef61b591b270f8ba58d47f12472a1c53a77b4d61
+Patch81: rubygem-erb-4.0.3.1-Fix-arbitrary-code-execution-via-deserialization-bypass-CVE-2026-41316.patch
 
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Suggests: rubypick
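Review bot: The upstream references written above the new `Patch80:` and `Patch81:` lines do not match the commit ids the patch files themselves carry: the Patch80 comment cites ruby/ruby commit 9f4b45fbf7981a57fd82436ebec8a50ec3d3fdc9, while that patch file's header reads `From 960a0cdc544a226fed31c8988edb4fefe6990154` and names ruby/net-http commit 5544243c41; the Patch81 comment cites ruby/erb commit ef61b591b270f8ba58d47f12472a1c53a77b4d61, while that file's header reads `From 9bdf63dd97e56edd9eba4e2a95623798ed472d86`. The cited ids may well be the mirror or backport counterparts, but for a CVE fix these comments are the only provenance an auditor has, so the relationship should be explicit rather than left to inference. A form such as `# Backport of https://github.com/ruby/erb/commit/ef61b591b270f8ba58d47f12472a1c53a77b4d61 (patch header: 9bdf63dd97e56edd9eba4e2a95623798ed472d86)` makes the chain verifiable without leaving the spec file. The same note applies to the `@@ -811,13 +820,16 @@` hunk only insofar as `%patch78`–`%patch81` are applied in the order declared here.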
@@ -355,6 +363,7 @@ BuildRequires: readline-devel
 # Needed to pass test_set_program_name(TestRubyOptions)
 BuildRequires: procps
 %{?with_systemtap:BuildRequires: %{_bindir}/dtrace}
+%{?with_systemtap:BuildRequires: systemtap-sdt-devel}
 # RubyGems test suite optional dependencies.
 %{?with_git:BuildRequires: git}
 %{?with_cmake:BuildRequires: %{_bindir}/cmake}
@@ -811,13 +820,16 @@ rm -rf ext/fiddle/libffi*
 %patch67 -p1
 %patch68 -p1
 %patch69 -p1
-%patch70 -p1
 %patch72 -p1
 %patch73 -p1
 %patch74 -p1
 %patch75 -p1
 %patch76 -p1
 %patch77 -p1
+%patch78 -p1
+%patch79 -p1
+%patch80 -p1
+%patch81 -p1
 
 # Instead of adjusting patch's directory, use the following form where
 # we first enter the correct directory, this allows more general application
@@ -1600,21 +1612,25 @@ make runruby TESTRUN_SCRIPT=" \
 %changelog
+* Mon Apr 27 2026 Jarek Prokop - 3.0.7-166
+- Fix arbitrary code execution via deserialization bypass in ERB. (CVE-2026-41316)
+ Resolves: RHEL-171254
+
 * Fri Apr 11 2025 Jarek Prokop - 3.0.7-165
 - Fix Denial of Service in CGI::Cookie.parse. (CVE-2025-27219)
- Resolves: RHEL-87183
+ Resolves: RHEL-86104
 - Fix ReDoS in CGI::Util#escapeElement. (CVE-2025-27220)
- Resolves: RHEL-87184
+ Resolves: RHEL-86130
 
 * Thu Mar 06 2025 Jarek Prokop - 3.0.7-164
 - Undefine GC compaction methods on ppc64le.
- Resolves: RHEL-83135
+ Resolves: RHEL-83136
 - Fix printing warnings when using IRB from a script.
- Resolves: RHEL-83137
+ Resolves: RHEL-83044
 
 * Tue Nov 26 2024 Jarek Prokop - 3.0.7-163
 - Fix REXML ReDoS vulnerability. (CVE-2024-49761)
- Resolves: RHEL-68521
+ Resolves: RHEL-68525
 
 * Tue Apr 30 2024 Jun Aruga - 3.0.7-162
 - Upgrade to Ruby 3.0.7.
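Review bot: The added `%{?with_systemtap:BuildRequires: systemtap-sdt-devel}` changes the build environment, yet nothing else in this import records it: the new 3.0.7-166 changelog entry in the `@@ -1600,21 +1612,25 @@` hunk (which runs past the end of what is shown here) lists only the ERB CVE fix, and it also says nothing about Patch78–Patch80. A changelog line such as `- Add systemtap-sdt-devel BuildRequires for the systemtap-enabled build.` plus one for the openssl/net-http test patches would keep the package history auditable against the actual diff. If the BuildRequires was inherited from the UBI source rather than authored here, saying so in the changelog is still preferable to a silent dependency change in a security release.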