This commit fixes the following failures in OpenSSL FIPS using the
`OPENSSL_FORCE_FIPS_MODE=1` in CentOS stream 9 non-FIPS OS environment.
```
$ cat /etc/redhat-release
CentOS Stream release 9
$ rpm -q openssl
openssl-3.0.7-24.el9.x86_64
$ pwd
/builddir/build/BUILD/ruby-3.1.2
$ make runruby 'TESTRUN_SCRIPT= \
-I/builddir/build/BUILD/ruby-3.1.2/tool/lib --enable-gems \
/builddir/build/SOURCES/test_openssl_fips.rb /builddir/build/BUILD/ruby-3.1.2 --verbose'
...
1) Failure:
OpenSSL::TestFIPS#test_fips_mode_get_with_fips_mode_set [/builddir/build/BUILD/ruby-3.1.2/test/openssl/test_fips.rb:38]:
assert_separately failed with error message
pid 2043890 exit 1
| /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError)
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:34:in `<class:SSLContext>'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:20:in `<module:SSL>'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:19:in `<module:OpenSSL>'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:18:in `<top (required)>'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `require_relative'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `<top (required)>'
| from -:in `require'
2) Failure:
OpenSSL::TestFIPS#test_fips_mode_get_is_true_on_fips_mode_enabled [/builddir/build/BUILD/ruby-3.1.2/test/openssl/test_fips.rb:12]:
assert_separately failed with error message
pid 2043891 exit 1
| /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError)
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:34:in `<class:SSLContext>'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:20:in `<module:SSL>'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:19:in `<module:OpenSSL>'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:18:in `<top (required)>'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `require_relative'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `<top (required)>'
| from -:in `require'
Finished tests in 0.154373s, 77.7337 tests/s, 369.2351 assertions/s.
12 tests, 57 assertions, 2 failures, 0 errors, 1 skips
ruby -v: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux]
make: *** [uncommon.mk:1249: runruby] Error 2
```
Note that we obverved the issue in RHEL 9.4 Beta non-FIPS OS environment too.
The error happened by applying the patch
ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch
rewriting the `ossl_pkey_read_generic` properly.
The error didn't happen without the patch.
```
$ cat /etc/redhat-release
Red Hat Enterprise Linux release 9.4 Beta (Plow)
$ OPENSSL_FORCE_FIPS_MODE=1 bundle exec ruby -I./lib -e "require 'openssl'"
/builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError)
from /builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `new'
from /builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `new'
from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:34:in `<class:SSLContext>'
from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:20:in `<module:SSL>'
from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:19:in `<module:OpenSSL>'
from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:18:in `<top (required)>'
from /builddir/work/ruby/openssl/lib/openssl.rb:21:in `require_relative'
from /builddir/work/ruby/openssl/lib/openssl.rb:21:in `<top (required)>'
from -e:1:in `require'
from -e:1:in `<main>'
```
Related: RHEL-5590
This commit was cherry-picked from Fedora rawhide
<f8ef5964d0?branch=rawhide>.
This fixes the test failures related to the Singapore time zone like below.
```
2) Failure:
TestTimeTZ#test_asia_singapore [/builddir/build/BUILD/ruby-3.0.4/test/ruby/test_time_tz.rb:143]:
TZ=Asia/Singapore Time.local(1981, 12, 31, 23, 59, 59).
<"1981-12-31 23:59:59 +0730"> expected but was
<"1982-01-01 00:29:59 +0800">.
```
Related: RHEL-5590
This commit was cherry-picked from Fedora rawhide
<ad7f78b5c8?branch=rawhide>.
This fixes the test failures related to the Amsterdam time zone like below.
```
1)
Time.local timezone changes correctly adjusts the timezone change to 'CEST' on 'Europe/Amsterdam' FAILED
Expected [0, 0, 0, 16, 5, 1940, 4, 137, true, "WEST"] == [0, 40, 1, 16, 5, 1940, 4, 137, true, "CEST"]
to be truthy but was false
/builddir/build/BUILD/ruby-3.0.4/spec/ruby/core/time/shared/local.rb:13:in `block (5 levels) in <top (required)>'
/builddir/build/BUILD/ruby-3.0.4/spec/ruby/core/time/shared/local.rb:12:in `block (4 levels) in <top (required)>'
/builddir/build/BUILD/ruby-3.0.4/spec/ruby/core/time/local_spec.rb:5:in `<top (required)>'
```
Related: RHEL-5590
This commit was cherry-picked from Fedora rawhide
<79d75fdcdd?branch=rawhide>.
This fixes the following test failure.
```
1) Failure:
TestGemSourceGit#test_checkout_submodules [/builddir/build/BUILD/ruby-3.0.4/test/rubygems/test_gem_source_git.rb:72]:
fatal: transport 'file' not allowed
fatal: clone of '/builddir/build/BUILD/ruby-3.0.4/tmp/test_rubygems_20230627-4031323-yppcjj/git/b' into submodule path '/builddir/build/BUILD/ruby-3.0.4/tmp/test_rubygems_20230627-4031323-yppcjj/git/a/b' failed
```
Related: RHEL-5590
The commit is a cherry-pick from Fedora rawhide 6b2ff68f33447f7769ad8265b0dd966f007eab9c .
The same comment on the changelog 3.0.1-138 was wrong.
The purpose is to synchronize with Fedora rawhide 63065e7db7a3b02085280efbc783435ae40b9f1a .
Related: rhbz#1938942
- Fix command injection vulnerability in RDoc. (CVE-2021-31799)
- Fix FTP PASV command response can cause Net::FTP to connect to arbitrary host.
(CVE-2021-31810)
- Fix StartTLS stripping vulnerability in Net::IMAP (CVE-2021-32066)
- Fix dependencies of gems with explicit source installed from a
different source. (CVE-2020-36327)
Related: rhbz#1938942
Rebased from Fedora rawhide, commit: 6b2ff68.
* Except "Fix FTBFS due to an incompatible load" as that is included as
a separate commit to highlight the change.
* Add missing `rubygem-` prefix for bundled provide of 'connection_pool'.
* Pass ldflags to gem install via CONFIGURE_ARGS
* Remove IRB dependency from rubygem-rdoc.
* Fix flaky excon test suite.
* Properly support DWARF5 debug information.
Related: rhbz#1920533
* Bundle OpenSSL into StdLib.
* Fix SEGFAULT in rubygem-shoulda-matchers test suite.
* Provide `gem.build_complete` file for binary gems.
* Re-enable test suite.
* ruby-default-gems have to depend on rubygem(io-console) due to
reline.
* Fix SEGFAULT preventing rubygem-unicode to build on armv7hl.
* Add support for reworked RubyGems plugins.
* Use proper path for plugin wrappers.
* Extract RSS and REXML into separate subpackages, because they were
moved from default gems to bundled gems.
* Drop Net::Telnet and XMLRPC packages, because they were dropped from
Ruby.
Resolves: rhbz#1938942
Because setting the option makes some tests stable that are currently randomly
failing with error on especially s390x and aarch64.
We observed the failing tests are calling `assert_in_out_err` method
calling `invoke_ruby` calling method.
Then when the `th_stdout.join(timeout)` or `th_stderr.join(timeout)` returns
`nil` as thread timeout in `invoke_ruby` method, it causes the error. [1][2]
The `test_timeout_scale` macro is to set the environment variable
`RUBY_TEST_TIMEOUT_SCALE` to increase the timeout in `apply_timeout_scale`
method as <new timeout> = <timeout> * <timeout scale>.
As an example, `TestBugReporter#test_bug_reporter_add` test's
maximum thread timeout was 56+ seconds for the default timeout 10 seconds. [3]
In this case setting `RUBY_TEST_TIMEOUT_SCALE=6` (6 * 10 = 60) is good enough
for 56+ seconds.
[1] https://github.com/ruby/ruby/blob/v2_7_1/tool/lib/envutil.rb#L149
[2] https://bugs.ruby-lang.org/issues/16492#note-8
[3] https://bugs.ruby-lang.org/issues/16492#note-4
Related: rhbz#1947938
This is needed to compile zlib support. I think it is by accident available in the original buildroot, but not in mine.
I think it is better to explicitly name it.
Related: rhbz#1688758
Jun Aruga
Vít Ondruch
Jarek Prokop
Pavel Valena
Arjen Heidinga
Troy Dawson
Florian Weimer
Igor Gnatenko