rpms/ruby
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI ruby-3.3.8-10.el10_0

Browse Source
This commit is contained in:
eabdullin 2025-05-26 11:25:37 +00:00
parent b664fc6a8d
commit e14f967fb8
6 changed files with 284 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
ruby-3.3.7.tar.xz
ruby-3.3.8.tar.xz

61
ruby-3.4.0-openssl-fix-test-provider-in-fips.patch Normal file
View File

@ -0,0 +1,61 @@
From 570582fb78bc4adaafba44f47465507f649fa9dc Mon Sep 17 00:00:00 2001
From: Jun Aruga <jaruga@redhat.com>
Date: Thu, 5 Sep 2024 20:06:37 +0200
Subject: [PATCH] [ruby/openssl] Fix test_provider.rb in FIPS.
https://github.com/ruby/openssl/commit/7bdbc52100
---
test/openssl/test_provider.rb | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/test/openssl/test_provider.rb b/test/openssl/test_provider.rb
index 4e050b4bc2..e27968602a 100644
--- a/test/openssl/test_provider.rb
+++ b/test/openssl/test_provider.rb
@@ -1,6 +1,6 @@
# frozen_string_literal: true
require_relative 'utils'
-if defined?(OpenSSL) && defined?(OpenSSL::Provider) && !OpenSSL.fips_mode
+if defined?(OpenSSL) && defined?(OpenSSL::Provider)
class OpenSSL::TestProvider < OpenSSL::TestCase
def test_openssl_provider_name_inspect
@@ -13,14 +13,22 @@ def test_openssl_provider_name_inspect
def test_openssl_provider_names
omit 'not working on freebsd RubyCI' if ENV['RUBYCI_NICKNAME'] =~ /freebsd/
+ # We expect the following providers are loaded in the cases:
+ # * Non-FIPS: default
+ # * FIPS: fips, base
+ # Use the null provider to test the added provider.
+ # See provider(7) - OPENSSL PROVIDERS to see the list of providers, and
+ # OSSL_PROVIDER-null(7) to check the details of the null provider.
with_openssl <<-'end;'
- base_provider = OpenSSL::Provider.load("base")
- assert_equal(2, OpenSSL::Provider.provider_names.size)
- assert_includes(OpenSSL::Provider.provider_names, "base")
+ num = OpenSSL::Provider.provider_names.size
- assert_equal(true, base_provider.unload)
- assert_equal(1, OpenSSL::Provider.provider_names.size)
- assert_not_includes(OpenSSL::Provider.provider_names, "base")
+ added_provider = OpenSSL::Provider.load("null")
+ assert_equal(num + 1, OpenSSL::Provider.provider_names.size)
+ assert_includes(OpenSSL::Provider.provider_names, "null")
+
+ assert_equal(true, added_provider.unload)
+ assert_equal(num, OpenSSL::Provider.provider_names.size)
+ assert_not_includes(OpenSSL::Provider.provider_names, "null")
end;
end
@@ -35,6 +43,9 @@ def test_unloaded_openssl_provider
def test_openssl_legacy_provider
omit 'not working on freebsd RubyCI' if ENV['RUBYCI_NICKNAME'] =~ /freebsd/
+ # The legacy provider is not supported on FIPS.
+ omit_on_fips
+
with_openssl(<<-'end;')
begin
OpenSSL::Provider.load("legacy")

58
ruby-3.4.0-openssl-make-a-legacy-provider-test-optional.patch Normal file
View File

@ -0,0 +1,58 @@
From 02c40367d918d3bc42098e1fcfe0c822319f4d37 Mon Sep 17 00:00:00 2001
From: Jun Aruga <jaruga@redhat.com>
Date: Thu, 8 Feb 2024 18:53:32 +0100
Subject: [PATCH] [ruby/openssl] test_provider.rb: Make a legacy provider test
optional.
In some cases such as OpenSSL package in FreeBSD[1], the legacy provider is not
installed intentionally. So, we omit a test depending the legacy provider if the
legacy provider is not loadable.
For the test_openssl_provider_names test, we use base provider[2] instead of
legacy provider, because we would expect the base provider is always loadable
in OpenSSL 3 for now.
* [1] https://www.freshports.org/security/openssl/
* [2] https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers
https://github.com/ruby/openssl/commit/7223da7730
---
test/openssl/test_provider.rb | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/test/openssl/test_provider.rb b/test/openssl/test_provider.rb
index 7361a0e250..4e050b4bc2 100644
--- a/test/openssl/test_provider.rb
+++ b/test/openssl/test_provider.rb
@@ -14,13 +14,13 @@ def test_openssl_provider_name_inspect
def test_openssl_provider_names
omit 'not working on freebsd RubyCI' if ENV['RUBYCI_NICKNAME'] =~ /freebsd/
with_openssl <<-'end;'
- legacy_provider = OpenSSL::Provider.load("legacy")
+ base_provider = OpenSSL::Provider.load("base")
assert_equal(2, OpenSSL::Provider.provider_names.size)
- assert_includes(OpenSSL::Provider.provider_names, "legacy")
+ assert_includes(OpenSSL::Provider.provider_names, "base")
- assert_equal(true, legacy_provider.unload)
+ assert_equal(true, base_provider.unload)
assert_equal(1, OpenSSL::Provider.provider_names.size)
- assert_not_includes(OpenSSL::Provider.provider_names, "legacy")
+ assert_not_includes(OpenSSL::Provider.provider_names, "base")
end;
end
@@ -36,7 +36,12 @@ def test_unloaded_openssl_provider
def test_openssl_legacy_provider
omit 'not working on freebsd RubyCI' if ENV['RUBYCI_NICKNAME'] =~ /freebsd/
with_openssl(<<-'end;')
- OpenSSL::Provider.load("legacy")
+ begin
+ OpenSSL::Provider.load("legacy")
+ rescue OpenSSL::Provider::ProviderError
+ omit "Only for OpenSSL with legacy provider"
+ end
+
algo = "RC4"
data = "a" * 1000
key = OpenSSL::Random.random_bytes(16)

126
ruby-3.4.2-openssl-Fix-SHA-1-PSS-tests.patch Normal file
View File

@ -0,0 +1,126 @@
From 113727fa85749a9625838e378dcd4a749d40b0c5 Mon Sep 17 00:00:00 2001
From: Jun Aruga <jaruga@redhat.com>
Date: Tue, 8 Apr 2025 15:03:06 +0200
Subject: [PATCH] Fix the tests using SHA-1 Probabilistic Signature Scheme
(PSS) parameters.
Fedora OpenSSL 3.5 on rawhide stopped accepting SHA-1 PSS[1] parameters.
This is different from the SHA-1 signatures which Fedora OpenSSL stopped
accepting since Fedora 41.[2]
This commit fixes the following test failures related to the SHA-1 PSS
parameters with Fedora OpenSSL 3.5.
Note these failures are the downstream Fedora OpenSSL RPM specific. The tests
pass without this commit with the upstream OpenSSL 3.5.
```
$ rpm -q openssl-libs openssl-devel
openssl-libs-3.5.0-2.fc43.x86_64
openssl-devel-3.5.0-2.fc43.x86_64
$ bundle exec rake test
...
E
===============================================================================================
Error: test_sign_verify_options(OpenSSL::TestPKeyRSA): OpenSSL::PKey::PKeyError: EVP_PKEY_CTX_ctrl_str(ctx, "rsa_mgf1_md", "SHA1"): digest not allowed (digest=SHA1)
/mnt/git/ruby/openssl/test/openssl/test_pkey_rsa.rb:113:in 'Hash#each'
/mnt/git/ruby/openssl/test/openssl/test_pkey_rsa.rb:113:in 'OpenSSL::PKey::PKey#sign'
/mnt/git/ruby/openssl/test/openssl/test_pkey_rsa.rb:113:in 'OpenSSL::TestPKeyRSA#test_sign_verify_options'
110: "rsa_pss_saltlen" => 20,
111: "rsa_mgf1_md" => "SHA1"
112: }
=> 113: sig_pss = key.sign("SHA256", data, pssopts)
114: assert_equal 256, sig_pss.bytesize
115: assert_equal true, key.verify("SHA256", sig_pss, data, pssopts)
116: assert_equal true, key.verify_pss("SHA256", sig_pss, data,
===============================================================================================
E
===============================================================================================
Error: test_sign_verify_pss(OpenSSL::TestPKeyRSA): OpenSSL::PKey::RSAError: digest not allowed (digest=SHA1)
/mnt/git/ruby/openssl/test/openssl/test_pkey_rsa.rb:191:in 'OpenSSL::PKey::RSA#sign_pss'
/mnt/git/ruby/openssl/test/openssl/test_pkey_rsa.rb:191:in 'OpenSSL::TestPKeyRSA#test_sign_verify_pss'
188: data = "Sign me!"
189: invalid_data = "Sign me?"
190:
=> 191: signature = key.sign_pss("SHA256", data, salt_length: 20, mgf1_hash: "SHA1")
192: assert_equal 256, signature.bytesize
193: assert_equal true,
194: key.verify_pss("SHA256", signature, data, salt_length: 20, mgf1_hash: "SHA1")
===============================================================================================
...
577 tests, 4186 assertions, 0 failures, 2 errors, 0 pendings, 3 omissions, 0 notifications
```
[1] https://en.wikipedia.org/wiki/Probabilistic_signature_scheme
[2] https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
---
test/openssl/test_pkey_rsa.rb | 28 ++++++++++++++--------------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb
index 61c55c60b2..9661cef419 100644
--- a/test/openssl/test_pkey_rsa.rb
+++ b/test/openssl/test_pkey_rsa.rb
@@ -99,13 +99,13 @@ def test_sign_verify_options
pssopts = {
"rsa_padding_mode" => "pss",
"rsa_pss_saltlen" => 20,
- "rsa_mgf1_md" => "SHA1"
+ "rsa_mgf1_md" => "SHA256"
}
sig_pss = key.sign("SHA256", data, pssopts)
assert_equal 128, sig_pss.bytesize
assert_equal true, key.verify("SHA256", sig_pss, data, pssopts)
assert_equal true, key.verify_pss("SHA256", sig_pss, data,
- salt_length: 20, mgf1_hash: "SHA1")
+ salt_length: 20, mgf1_hash: "SHA256")
# Defaults to PKCS #1 v1.5 padding => verification failure
assert_equal false, key.verify("SHA256", sig_pss, data)
@@ -179,31 +179,31 @@ def test_sign_verify_pss
data = "Sign me!"
invalid_data = "Sign me?"
- signature = key.sign_pss("SHA256", data, salt_length: 20, mgf1_hash: "SHA1")
+ signature = key.sign_pss("SHA256", data, salt_length: 20, mgf1_hash: "SHA256")
assert_equal 128, signature.bytesize
assert_equal true,
- key.verify_pss("SHA256", signature, data, salt_length: 20, mgf1_hash: "SHA1")
+ key.verify_pss("SHA256", signature, data, salt_length: 20, mgf1_hash: "SHA256")
assert_equal true,
- key.verify_pss("SHA256", signature, data, salt_length: :auto, mgf1_hash: "SHA1")
+ key.verify_pss("SHA256", signature, data, salt_length: :auto, mgf1_hash: "SHA256")
assert_equal false,
- key.verify_pss("SHA256", signature, invalid_data, salt_length: 20, mgf1_hash: "SHA1")
+ key.verify_pss("SHA256", signature, invalid_data, salt_length: 20, mgf1_hash: "SHA256")
- signature = key.sign_pss("SHA256", data, salt_length: :digest, mgf1_hash: "SHA1")
+ signature = key.sign_pss("SHA256", data, salt_length: :digest, mgf1_hash: "SHA256")
assert_equal true,
- key.verify_pss("SHA256", signature, data, salt_length: 32, mgf1_hash: "SHA1")
+ key.verify_pss("SHA256", signature, data, salt_length: 32, mgf1_hash: "SHA256")
assert_equal true,
- key.verify_pss("SHA256", signature, data, salt_length: :auto, mgf1_hash: "SHA1")
+ key.verify_pss("SHA256", signature, data, salt_length: :auto, mgf1_hash: "SHA256")
assert_equal false,
- key.verify_pss("SHA256", signature, data, salt_length: 20, mgf1_hash: "SHA1")
+ key.verify_pss("SHA256", signature, data, salt_length: 20, mgf1_hash: "SHA256")
- signature = key.sign_pss("SHA256", data, salt_length: :max, mgf1_hash: "SHA1")
+ signature = key.sign_pss("SHA256", data, salt_length: :max, mgf1_hash: "SHA256")
assert_equal true,
- key.verify_pss("SHA256", signature, data, salt_length: 94, mgf1_hash: "SHA1")
+ key.verify_pss("SHA256", signature, data, salt_length: 94, mgf1_hash: "SHA256")
assert_equal true,
- key.verify_pss("SHA256", signature, data, salt_length: :auto, mgf1_hash: "SHA1")
+ key.verify_pss("SHA256", signature, data, salt_length: :auto, mgf1_hash: "SHA256")
assert_raise(OpenSSL::PKey::RSAError) {
- key.sign_pss("SHA256", data, salt_length: 95, mgf1_hash: "SHA1")
+ key.sign_pss("SHA256", data, salt_length: 95, mgf1_hash: "SHA256")
}
end
--
2.48.1

44
ruby.spec
View File

@ -1,6 +1,6 @@
%global major_version 3
%global minor_version 3
%global teeny_version 7
%global teeny_version 8
%global major_minor_version %{major_version}.%{minor_version}
%global ruby_version %{major_minor_version}.%{teeny_version}
@ -52,7 +52,7 @@
%global abbrev_version 0.1.2
%global base64_version 0.2.0
%global benchmark_version 0.3.0
%global cgi_version 0.4.1
%global cgi_version 0.4.2
%global csv_version 3.2.8
%global date_version 3.3.4
%global delegate_version 0.3.1
@ -107,7 +107,7 @@
%global tmpdir_version 0.2.0
%global tsort_version 0.2.0
%global un_version 0.3.0
%global uri_version 0.13.1
%global uri_version 0.13.2
%global weakref_version 0.1.3
%global win32ole_version 1.8.10
%global yaml_version 0.3.0
@ -125,9 +125,9 @@
# Bundled gems.
%global debug_version 1.9.2
%global net_ftp_version 0.3.4
%global net_imap_version 0.4.9.1
%global net_imap_version 0.4.19
%global net_pop_version 0.1.2
%global net_smtp_version 0.4.0.1
%global net_smtp_version 0.5.1
%global matrix_version 0.4.2
%global minitest_version 5.20.0
%global power_assert_version 2.0.3
@ -173,7 +173,7 @@
Summary: An interpreter of object-oriented scripting language
Name: ruby
Version: %{ruby_version}%{?development_release}
Release: 9%{?dist}
Release: 10%{?dist}
# Licenses, which are likely not included in binary RPMs:
# Apache-2.0:
# benchmark/gc/redblack.rb
@ -190,7 +190,7 @@ Release: 9%{?dist}
# https://github.com/flori/json/pull/567
#
# Licenses under review:
# .bundle/gems/net-imap-0.4.9/LICENSE.txt
# .bundle/gems/net-imap-0.4.19/LICENSE.txt
# https://gitlab.com/fedora/legal/fedora-license-data/-/issues/506
#
# BSD-3-Clause: missing/{crypt,mt19937,setproctitle}.c, addr2line.c:2652
@ -285,6 +285,17 @@ Patch12: ruby-3.4.0-Extract-hardening-CFLAGS-to-a-special-hardenflags-variable.p
# https://github.com/ruby/openssl/pull/710
# https://github.com/ruby/ruby/commit/6213ab1a51387fd9cdcb5e87908722f3bbdf78cb
Patch13: ruby-3.4.0-openssl-respect-crypto-policies-tls-min.patch
# test_provider.rb: Make a legacy provider test optional.
# https://github.com/ruby/openssl/pull/721
# https://github.com/ruby/ruby/commit/eb4082284aace391a16a389a70eeaf1e7db5c542
Patch14: ruby-3.4.0-openssl-make-a-legacy-provider-test-optional.patch
# Fix test_provider.rb in FIPS.
# https://github.com/ruby/openssl/pull/794
# https://github.com/ruby/ruby/commit/ad742de79bcce53290005429868f63c51cbeb0f2
Patch15: ruby-3.4.0-openssl-fix-test-provider-in-fips.patch
# Fix the tests using SHA-1 Probabilistic Signature Scheme (PSS) parameters.
# https://github.com/ruby/openssl/pull/879
Patch16: ruby-3.4.2-openssl-Fix-SHA-1-PSS-tests.patch
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%{?with_rubypick:Suggests: rubypick}
@ -303,6 +314,11 @@ BuildRequires: zlib-devel
%{?with_gmp:BuildRequires: gmp-devel}
%{?with_systemtap:BuildRequires: %{_bindir}/dtrace}
%{?with_systemtap:BuildRequires: systemtap-sdt-devel}
# Despite pulling what we'd expect to need, there is a missing dependency
# in systemtap, where pulling in %%{_bindir}/dtrace does not pull in also
# the python3-pyparsing package that is required for full functionality.
# Workaround: RHEL-86248
%{?with_systemtap:BuildRequires: python3-pyparsing}
%{?with_yjit:BuildRequires: %{_bindir}/rustc}
# Install section
@ -766,6 +782,9 @@ analysis result in RBS format, a standard type description format for Ruby
%patch 9 -p1
%patch 12 -p1
%patch 13 -p1
%patch 14 -p1
%patch 15 -p1
%patch 16 -p1
# Provide an example of usage of the tapset:
cp -a %{SOURCE3} .
@ -1613,12 +1632,15 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \
# net-imap
%dir %{gem_instdir net-imap}
%{gem_instdir net-imap}/Gemfile
%license %{gem_instdir net-imap}/BSDL
%license %{gem_instdir net-imap}/COPYING
%license %{gem_instdir net-imap}/LICENSE.txt
%doc %{gem_instdir net-imap}/README.md
%{gem_instdir net-imap}/Rakefile
%{gem_instdir net-imap}/docs
%{gem_libdir net-imap}
%{gem_instdir net-imap}/rakelib
%{gem_instdir net-imap}/sample
%{gem_spec net-imap}
# net-pop
@ -1768,6 +1790,14 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \
%changelog
* Mon Apr 14 2025 Jarek Prokop <jprokop@redhat.com> - 3.3.8-10
- Upgrade to Ruby 3.3.8.
Resolves: RHEL-87342
- Fix Net::IMAP vulnerable to possible DoS by memory exhaustion. (CVE-2025-25186)
- Fix Denial of Service in CGI::Cookie.parse. (CVE-2025-27219)
Resolves: RHEL-86116
- Fix userinfo leakage in URI#join, URI#merge and URI#+. (CVE-2025-27221)
* Thu Jan 30 2025 Jun Aruga <jaruga@redhat.com> - 3.3.7-9
- Upgrade to Ruby 3.3.7
Resolves: RHEL-77994

2
sources
View File

@ -1 +1 @@
SHA512 (ruby-3.3.7.tar.xz) = 4082a7684c1b0d53a0ce493f79568e851d37a864f59c58b2e0c273b2659e0ca75318ddff939fdf5e9d0a3eeba1b6d8f03bf88afb49a5ffd77714f1c8a7dfdd55
SHA512 (ruby-3.3.8.tar.xz) = 71c2f3ac9955e088fa885fd2ff695e67362a770a5d33e5160081eda3dd298ca2c692e299b03d757caecfbc94043fedc4ad093de84c505585d480cb36bbf978b9