diff --git a/operating_system.rb b/operating_system.rb
old mode 100644
new mode 100755
diff --git a/rpm_test_helper.rb b/rpm_test_helper.rb
old mode 100644
new mode 100755
diff --git a/ruby.spec b/ruby.spec
index f1c22ad..7788c5c 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -60,7 +60,7 @@
 %global digest_version 3.1.1
 %global drb_version 2.2.0
 %global english_version 0.8.0
-%global erb_version 4.0.3
+%global erb_version 4.0.3.1
 %global error_highlight_version 0.6.0
 %global etc_version 1.4.3
 %global fcntl_version 1.1.0
@@ -173,7 +173,7 @@
 Summary: An interpreter of object-oriented scripting language
 Name: ruby
 Version: %{ruby_version}%{?development_release}
-Release: 11%{?dist}
+Release: 12%{?dist}
 # Licenses, which are likely not included in binary RPMs:
 # Apache-2.0:
 # benchmark/gc/redblack.rb
@@ -293,6 +293,12 @@
 Patch15: ruby-3.4.0-openssl-fix-test-provider-in-fips.patch
 # Fix the tests using SHA-1 Probabilistic Signature Scheme (PSS) parameters.
 # https://github.com/ruby/openssl/pull/879
 Patch16: ruby-3.4.2-openssl-Fix-SHA-1-PSS-tests.patch
+# Fix arbitrary code execution via deserialization bypass in ERB. (CVE-2026-41316)
+# Include the version bump here as that's the only change from 4.0.3 to 4.0.3.1
+# and is expected to be included in next Ruby 3.3.
+# https://github.com/ruby/ruby/commit/a53f3d57d1c70f35534c457de2c471d84a55956a
+# https://github.com/ruby/ruby/commit/2f223e90edf40f5d537760cb26c77b608bddff36
+Patch17: rubygem-erb-4.0.3.1-Fix-arbitrary-code-execution-via-deserialization-bypass-CVE-2026-41316.patch
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %{?with_rubypick:Suggests: rubypick}
@@ -776,6 +782,7 @@ analysis result in RBS format, a standard type description format for Ruby
 %patch 13 -p1
 %patch 15 -p1
 %patch 16 -p1
+%patch 17 -p1
 
 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
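Review bot: Patch17 carries the three new `test_prohibited_marshal_load_def_*` tests alongside the `lib/erb.rb` fix, but nothing in the spec change shows whether the erb test file is selected by the `TESTRUN_SCRIPT` filter whose start is visible in the `%changelog` hunk header; worth confirming in `%check` so the backport is actually regression-tested rather than only applied. The Patch17 comment block is good about citing the two upstream commits; I would add one more line pointing at the upstream advisory for CVE-2026-41316 (URL from the advisory, not invented here) so the next maintainer can verify the backport is complete without re-deriving it from the commits. Because `%global erb_version` and the `lib/erb/version.rb` hunk inside Patch17 must move together, a short `# keep in sync with Patch17` next to the `%global erb_version 4.0.3.1` line would protect the pairing through a future rebase that drops the patch.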
@@ -1781,6 +1788,10 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \
 %changelog
+* Tue Apr 28 2026 Jarek Prokop - 3.3.10-12
+- Fix arbitrary code execution via deserialization bypass in ERB. (CVE-2026-41316) Resolves: RHEL-171244
+
 * Thu Nov 13 2025 Jun Aruga - 3.3.10-11
 - Upgrade to Ruby 3.3.10.
 Resolves: RHEL-130160
diff --git a/rubygem-erb-4.0.3.1-Fix-arbitrary-code-execution-via-deserialization-bypass-CVE-2026-41316.patch b/rubygem-erb-4.0.3.1-Fix-arbitrary-code-execution-via-deserialization-bypass-CVE-2026-41316.patch
new file mode 100644
index 0000000..0e0fcd9
--- /dev/null
+++ b/rubygem-erb-4.0.3.1-Fix-arbitrary-code-execution-via-deserialization-bypass-CVE-2026-41316.patch
@@ -0,0 +1,90 @@
+From a53f3d57d1c70f35534c457de2c471d84a55956a Mon Sep 17 00:00:00 2001
+From: Takashi Kokubun
+Date: Tue, 21 Apr 2026 16:27:44 +0900
+Subject: [PATCH 1/2] [ruby/erb] Prohibit def_method on marshal-loaded ERB
+ instances
+
+Extends the @_init guard to def_method so that an ERB object created
+via Marshal.load (which bypasses initialize) raises ArgumentError
+instead of evaluating arbitrary source. def_module and def_class both
+delegate to def_method and are covered by the same check.
+
+Co-authored-by: Tristan Madani
+---
+ lib/erb.rb | 3 +++
+ test/erb/test_erb.rb | 27 +++++++++++++++++++++++++++
+ 2 files changed, 30 insertions(+)
+
+diff --git a/lib/erb.rb b/lib/erb.rb
+index bc1615d7da..a7317c0856 100644
+--- a/lib/erb.rb
++++ b/lib/erb.rb
+@@ -463,6 +463,9 @@ def new_toplevel(vars = nil)
+ # erb.def_method(MyClass, 'render(arg1, arg2)', filename)
+ # print MyClass.new.render('foo', 123)
+ def def_method(mod, methodname, fname='(ERB)')
++ unless @_init.equal?(self.class.singleton_class)
++ raise ArgumentError, "not initialized"
++ end
+ src = self.src.sub(/^(?!#|$)/) {"def #{methodname}\n"} << "\nend\n"
+ mod.module_eval do
+ eval(src, binding, fname, -1)
+diff --git a/test/erb/test_erb.rb b/test/erb/test_erb.rb
+index 555345a140..1266b64e41 100644
+--- a/test/erb/test_erb.rb
++++ b/test/erb/test_erb.rb
+@@ -714,6 +714,33 @@ def test_prohibited_marshal_load
+ assert_raise(ArgumentError) {erb.result}
+ end
+
++ def test_prohibited_marshal_load_def_method
++ erb = ERB.allocate
++ erb.instance_variable_set(:@src, "")
++ erb.instance_variable_set(:@lineno, 1)
++ erb.instance_variable_set(:@_init, true)
++ erb = Marshal.load(Marshal.dump(erb))
++ assert_raise(ArgumentError) {erb.def_method(Class.new, 'render')}
++ end
++
++ def test_prohibited_marshal_load_def_module
++ erb = ERB.allocate
++ erb.instance_variable_set(:@src, "")
++ erb.instance_variable_set(:@lineno, 1)
++ erb.instance_variable_set(:@_init, true)
++ erb =
Marshal.load(Marshal.dump(erb))
++ assert_raise(ArgumentError) {erb.def_module}
++ end
++
++ def test_prohibited_marshal_load_def_class
++ erb = ERB.allocate
++ erb.instance_variable_set(:@src, "")
++ erb.instance_variable_set(:@lineno, 1)
++ erb.instance_variable_set(:@_init, true)
++ erb = Marshal.load(Marshal.dump(erb))
++ assert_raise(ArgumentError) {erb.def_class}
++ end
++
+ def test_multi_line_comment_lineno
+ erb = ERB.new(<<~EOS)
+ <%= __LINE__ %>
+
+From 2f223e90edf40f5d537760cb26c77b608bddff36 Mon Sep 17 00:00:00 2001
+From: Takashi Kokubun
+Date: Tue, 21 Apr 2026 17:14:06 +0900
+Subject: [PATCH 2/2] [ruby/erb] Version 4.0.3.1
+
+---
+ lib/erb/version.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/erb/version.rb b/lib/erb/version.rb
+index 295fc5fa6f..85e2a79def 100644
+--- a/lib/erb/version.rb
++++ b/lib/erb/version.rb
+@@ -1,5 +1,5 @@
+ # frozen_string_literal: true
+ class ERB
+- VERSION = '4.0.3'
++ VERSION = '4.0.3.1'
+ private_constant :VERSION
+ end
diff --git a/rubygems.con b/rubygems.con
old mode 100644
new mode 100755
diff --git a/rubygems.prov b/rubygems.prov
old mode 100644
new mode 100755
diff --git a/rubygems.req b/rubygems.req
old mode 100644
new mode 100755
diff --git a/test_openssl_fips.rb b/test_openssl_fips.rb
old mode 100644
new mode 100755
diff --git a/test_rubygems_con.rb b/test_rubygems_con.rb
old mode 100644
new mode 100755
diff --git a/test_rubygems_prov.rb b/test_rubygems_prov.rb
old mode 100644
new mode 100755
diff --git a/test_rubygems_req.rb b/test_rubygems_req.rb
old mode 100644
new mode 100755
diff --git a/test_systemtap.rb b/test_systemtap.rb
old mode 100644
new mode 100755
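Review bot: The new guard in `def_method` (`++ unless @_init.equal?(self.class.singleton_class)`) rests on an invariant the patch never states — only `initialize` is expected to store the singleton class in `@_init`, so an instance that skipped `initialize` (the commit message names `Marshal.load`) can never pass the check and is rejected before the `mod.module_eval` / `eval(src, ...)` lines run. Since the file is a verbatim upstream backport I would not touch the patch body; instead extend the Patch17 comment in ruby.spec with one line such as `# The guard rejects ERB instances whose @_init was not set by #initialize before any template source is eval'd.` so a future rebase can tell whether a newer erb still carries the fix. The three added tests set `@_init` to `true` before the Marshal round trip, which exercises exactly the "initialized-looking but not via initialize" case, and the `def_module` / `def_class` coverage relies on their delegation to `def_method`, which the commit message states but this hunk does not show. The nested `def_method` body continues past the last visible line of its hunk (`eval(src, binding, fname, -1)`).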