import UBI ruby-3.3.10-6.module+el9.7.0+24248+66578cbb

2026-05-19 08:11:15 +00:00 · 2026-05-19 08:11:15 +00:00 · 9872ebc4dc
commit 9872ebc4dc
parent d1a84de6c1
2 changed files with 103 additions and 2 deletions
--- a/SOURCES/rubygem-erb-4.0.3.1-Fix-arbitrary-code-execution-via-deserialization-bypass-CVE-2026-41316.patch
+++ b/SOURCES/rubygem-erb-4.0.3.1-Fix-arbitrary-code-execution-via-deserialization-bypass-CVE-2026-41316.patch
@ -0,0 +1,90 @@
+From a53f3d57d1c70f35534c457de2c471d84a55956a Mon Sep 17 00:00:00 2001
+From: Takashi Kokubun <takashikkbn@gmail.com>
+Date: Tue, 21 Apr 2026 16:27:44 +0900
+Subject: [PATCH 1/2] [ruby/erb] Prohibit def_method on marshal-loaded ERB
+ instances
+
+Extends the @_init guard to def_method so that an ERB object created
+via Marshal.load (which bypasses initialize) raises ArgumentError
+instead of evaluating arbitrary source. def_module and def_class both
+delegate to def_method and are covered by the same check.
+
+Co-authored-by: Tristan Madani <TristanInSec@gmail.com>
+---
+ lib/erb.rb           |  3 +++
+ test/erb/test_erb.rb | 27 +++++++++++++++++++++++++++
+ 2 files changed, 30 insertions(+)
+
+diff --git a/lib/erb.rb b/lib/erb.rb
+index bc1615d7da..a7317c0856 100644
+--- a/lib/erb.rb
+++ b/lib/erb.rb
+@@ -463,6 +463,9 @@ def new_toplevel(vars = nil)
+   #   erb.def_method(MyClass, 'render(arg1, arg2)', filename)
+   #   print MyClass.new.render('foo', 123)
+   def def_method(mod, methodname, fname='(ERB)')
+    unless @_init.equal?(self.class.singleton_class)
+      raise ArgumentError, "not initialized"
+    end
+     src = self.src.sub(/^(?!#|$)/) {"def #{methodname}\n"} << "\nend\n"
+     mod.module_eval do
+       eval(src, binding, fname, -1)
+diff --git a/test/erb/test_erb.rb b/test/erb/test_erb.rb
+index 555345a140..1266b64e41 100644
+--- a/test/erb/test_erb.rb
+++ b/test/erb/test_erb.rb
+@@ -714,6 +714,33 @@ def test_prohibited_marshal_load
+     assert_raise(ArgumentError) {erb.result}
+   end
+ 
+  def test_prohibited_marshal_load_def_method
+    erb = ERB.allocate
+    erb.instance_variable_set(:@src, "")
+    erb.instance_variable_set(:@lineno, 1)
+    erb.instance_variable_set(:@_init, true)
+    erb = Marshal.load(Marshal.dump(erb))
+    assert_raise(ArgumentError) {erb.def_method(Class.new, 'render')}
+  end
+
+  def test_prohibited_marshal_load_def_module
+    erb = ERB.allocate
+    erb.instance_variable_set(:@src, "")
+    erb.instance_variable_set(:@lineno, 1)
+    erb.instance_variable_set(:@_init, true)
+    erb = Marshal.load(Marshal.dump(erb))
+    assert_raise(ArgumentError) {erb.def_module}
+  end
+
+  def test_prohibited_marshal_load_def_class
+    erb = ERB.allocate
+    erb.instance_variable_set(:@src, "")
+    erb.instance_variable_set(:@lineno, 1)
+    erb.instance_variable_set(:@_init, true)
+    erb = Marshal.load(Marshal.dump(erb))
+    assert_raise(ArgumentError) {erb.def_class}
+  end
+
+   def test_multi_line_comment_lineno
+     erb = ERB.new(<<~EOS)
+       <%= __LINE__ %>
+
+From 2f223e90edf40f5d537760cb26c77b608bddff36 Mon Sep 17 00:00:00 2001
+From: Takashi Kokubun <takashikkbn@gmail.com>
+Date: Tue, 21 Apr 2026 17:14:06 +0900
+Subject: [PATCH 2/2] [ruby/erb] Version 4.0.3.1
+
+---
+ lib/erb/version.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/erb/version.rb b/lib/erb/version.rb
+index 295fc5fa6f..85e2a79def 100644
+--- a/lib/erb/version.rb
+++ b/lib/erb/version.rb
+@@ -1,5 +1,5 @@
+ # frozen_string_literal: true
+ class ERB
+-  VERSION = '4.0.3'
+  VERSION = '4.0.3.1'
+   private_constant :VERSION
+ end
--- a/SPECS/ruby.spec
+++ b/SPECS/ruby.spec
@ -60,7 +60,7 @@
 %global digest_version 3.1.1
 %global drb_version 2.2.0
 %global english_version 0.8.0
-%global erb_version 4.0.3
+%global erb_version 4.0.3.1
 %global error_highlight_version 0.6.0
 %global etc_version 1.4.3
 %global fcntl_version 1.1.0
@ -169,7 +169,7 @@
 Summary: An interpreter of object-oriented scripting language
 Name: ruby
 Version: %{ruby_version}%{?development_release}
-Release: 5%{?dist}
+Release: 6%{?dist}
 # Licenses, which are likely not included in binary RPMs:
 # Apache-2.0:
 #   benchmark/gc/redblack.rb
@ -281,6 +281,12 @@ Patch12: ruby-3.4.0-Extract-hardening-CFLAGS-to-a-special-hardenflags-variable.p
 # Fix the tests using SHA-1 Probabilistic Signature Scheme (PSS) parameters.
 # https://github.com/ruby/openssl/pull/879
 Patch13: ruby-3.4.2-openssl-Fix-SHA-1-PSS-tests.patch
+# Fix arbitrary code execution via deserialization bypass in ERB. (CVE-2026-41316)
+# Include the version bump here as that's the only change from 4.0.3 to 4.0.3.1
+# and is expected to be included in next Ruby 3.3.
+# https://github.com/ruby/ruby/commit/a53f3d57d1c70f35534c457de2c471d84a55956a
+# https://github.com/ruby/ruby/commit/2f223e90edf40f5d537760cb26c77b608bddff36
+Patch14: rubygem-erb-4.0.3.1-Fix-arbitrary-code-execution-via-deserialization-bypass-CVE-2026-41316.patch

 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %{?with_rubypick:Suggests: rubypick}
@ -757,6 +763,7 @@ analysis result in RBS format, a standard type description format for Ruby
 %patch -P 9 -p1
 %patch -P 12 -p1
 %patch -P 13 -p1
+%patch -P 14 -p1

 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
@ -1755,6 +1762,10 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \


 %changelog
+* Tue Apr 28 2026 Jarek Prokop <jprokop@redhat.com> - 3.3.10-6
+- Fix arbitrary code execution via deserialization bypass in ERB. (CVE-2026-41316)
+  Resolves: RHEL-171255
+
 * Wed Nov 05 2025 Jun Aruga <jaruga@redhat.com> - 3.3.10-5
 - Upgrade to Ruby 3.3.10.
  Resolves: RHEL-127912