import Oracle_OSS ruby-3.3.10-12.el10_1

ruby.spec

@@ -60,7 +60,7 @@
 %global digest_version 3.1.1
 %global drb_version 2.2.0
 %global english_version 0.8.0
-%global erb_version 4.0.3
+%global erb_version 4.0.3.1
 %global error_highlight_version 0.6.0
 %global etc_version 1.4.3
 %global fcntl_version 1.1.0
@@ -173,7 +173,7 @@
 Summary: An interpreter of object-oriented scripting language
 Name: ruby
 Version: %{ruby_version}%{?development_release}
-Release: 11%{?dist}
+Release: 12%{?dist}
 # Licenses, which are likely not included in binary RPMs:
 # Apache-2.0:
 #   benchmark/gc/redblack.rb
@@ -293,6 +293,12 @@ Patch15: ruby-3.4.0-openssl-fix-test-provider-in-fips.patch
 # Fix the tests using SHA-1 Probabilistic Signature Scheme (PSS) parameters.
 # https://github.com/ruby/openssl/pull/879
 Patch16: ruby-3.4.2-openssl-Fix-SHA-1-PSS-tests.patch
+# Fix arbitrary code execution via deserialization bypass in ERB. (CVE-2026-41316)
+# Include the version bump here as that's the only change from 4.0.3 to 4.0.3.1
+# and is expected to be included in next Ruby 3.3.
+# https://github.com/ruby/ruby/commit/a53f3d57d1c70f35534c457de2c471d84a55956a
+# https://github.com/ruby/ruby/commit/2f223e90edf40f5d537760cb26c77b608bddff36
+Patch17: rubygem-erb-4.0.3.1-Fix-arbitrary-code-execution-via-deserialization-bypass-CVE-2026-41316.patch
 
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %{?with_rubypick:Suggests: rubypick}
@@ -776,6 +782,7 @@ analysis result in RBS format, a standard type description format for Ruby
 %patch 13 -p1
 %patch 15 -p1
 %patch 16 -p1
+%patch 17 -p1
 
 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
@@ -1781,6 +1788,10 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \
 
 
 %changelog
+* Tue Apr 28 2026 Jarek Prokop <jprokop@redhat.com> - 3.3.10-12
+- Fix arbitrary code execution via deserialization bypass in ERB. (CVE-2026-41316)
+  Resolves: RHEL-171244
+
 * Thu Nov 13 2025 Jun Aruga <jaruga@redhat.com> - 3.3.10-11
 - Upgrade to Ruby 3.3.10.
   Resolves: RHEL-130160

rubygem-erb-4.0.3.1-Fix-arbitrary-code-execution-via-deserialization-bypass-CVE-2026-41316.patch

@@ -0,0 +1,90 @@
+From a53f3d57d1c70f35534c457de2c471d84a55956a Mon Sep 17 00:00:00 2001
+From: Takashi Kokubun <takashikkbn@gmail.com>
+Date: Tue, 21 Apr 2026 16:27:44 +0900
+Subject: [PATCH 1/2] [ruby/erb] Prohibit def_method on marshal-loaded ERB
+ instances
+
+Extends the @_init guard to def_method so that an ERB object created
+via Marshal.load (which bypasses initialize) raises ArgumentError
+instead of evaluating arbitrary source. def_module and def_class both
+delegate to def_method and are covered by the same check.
+
+Co-authored-by: Tristan Madani <TristanInSec@gmail.com>
+---
+ lib/erb.rb           |  3 +++
+ test/erb/test_erb.rb | 27 +++++++++++++++++++++++++++
+ 2 files changed, 30 insertions(+)
+
+diff --git a/lib/erb.rb b/lib/erb.rb
+index bc1615d7da..a7317c0856 100644
+--- a/lib/erb.rb
++++ b/lib/erb.rb
+@@ -463,6 +463,9 @@ def new_toplevel(vars = nil)
+   #   erb.def_method(MyClass, 'render(arg1, arg2)', filename)
+   #   print MyClass.new.render('foo', 123)
+   def def_method(mod, methodname, fname='(ERB)')
++    unless @_init.equal?(self.class.singleton_class)
++      raise ArgumentError, "not initialized"
++    end
+     src = self.src.sub(/^(?!#|$)/) {"def #{methodname}\n"} << "\nend\n"
+     mod.module_eval do
+       eval(src, binding, fname, -1)
+diff --git a/test/erb/test_erb.rb b/test/erb/test_erb.rb
+index 555345a140..1266b64e41 100644
+--- a/test/erb/test_erb.rb
++++ b/test/erb/test_erb.rb
+@@ -714,6 +714,33 @@ def test_prohibited_marshal_load
+     assert_raise(ArgumentError) {erb.result}
+   end
+ 
++  def test_prohibited_marshal_load_def_method
++    erb = ERB.allocate
++    erb.instance_variable_set(:@src, "")
++    erb.instance_variable_set(:@lineno, 1)
++    erb.instance_variable_set(:@_init, true)
++    erb = Marshal.load(Marshal.dump(erb))
++    assert_raise(ArgumentError) {erb.def_method(Class.new, 'render')}
++  end
++
++  def test_prohibited_marshal_load_def_module
++    erb = ERB.allocate
++    erb.instance_variable_set(:@src, "")
++    erb.instance_variable_set(:@lineno, 1)
++    erb.instance_variable_set(:@_init, true)
++    erb = Marshal.load(Marshal.dump(erb))
++    assert_raise(ArgumentError) {erb.def_module}
++  end
++
++  def test_prohibited_marshal_load_def_class
++    erb = ERB.allocate
++    erb.instance_variable_set(:@src, "")
++    erb.instance_variable_set(:@lineno, 1)
++    erb.instance_variable_set(:@_init, true)
++    erb = Marshal.load(Marshal.dump(erb))
++    assert_raise(ArgumentError) {erb.def_class}
++  end
++
+   def test_multi_line_comment_lineno
+     erb = ERB.new(<<~EOS)
+       <%= __LINE__ %>
+
+From 2f223e90edf40f5d537760cb26c77b608bddff36 Mon Sep 17 00:00:00 2001
+From: Takashi Kokubun <takashikkbn@gmail.com>
+Date: Tue, 21 Apr 2026 17:14:06 +0900
+Subject: [PATCH 2/2] [ruby/erb] Version 4.0.3.1
+
+---
+ lib/erb/version.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/erb/version.rb b/lib/erb/version.rb
+index 295fc5fa6f..85e2a79def 100644
+--- a/lib/erb/version.rb
++++ b/lib/erb/version.rb
+@@ -1,5 +1,5 @@
+ # frozen_string_literal: true
+ class ERB
+-  VERSION = '4.0.3'
++  VERSION = '4.0.3.1'
+   private_constant :VERSION
+ end