Commit Graph

636 Commits

Author SHA1 Message Date
Jun Aruga
ae8660b889 Upgrade to Ruby 3.1.5.
* Upgrade to Ruby 3.1.5.
  Resolves: RHEL-33978
* Fix buffer overread vulnerability in StringIO.
  Resolves: RHEL-34129
* Fix RCE vulnerability with .rdoc_options in RDoc.
  Resolves: RHEL-34121
* Fix arbitrary memory address read vulnerability with Regex search.
  Resolves: RHEL-33871
2024-04-30 14:41:23 +02:00
Jarek Prokop
0244600d1a Upgrade to Ruby 3.1.4.
Fix HTTP response splitting in CGI.
Fix ReDos vulnerability in URI.
Fix ReDos vulnerability in Time.
Make RDoc soft dependency in IRB.

Rebased from latest Ruby 3.1 present in Fedora 37, commit:
4048f893da1d56ed65667e7f15405224653c83e2

Resolves: RHEL-5586
Resolves: RHEL-5591
Resolves: RHEL-28919
Resolves: RHEL-5612
Resolves: RHEL-28920
Resolves: RHEL-5613
2024-03-20 11:28:47 +01:00
Jun Aruga
03fd963481 Disable Fiddle test cases making use of FFI closure.
This commit was cherry-picked from Fedora rawhide
<c2026da175>.
In our observation, the libffi issue may happen randomly.

Fiddle::Closure object is making use of FFI closure
from libffi. When such object is created (instantiated) in Ruby,
and then the process forks on an SELinux-enabled system, the memory
will become corrupted. That is usually not a problem until the
The garbage collector sweeps the object and tries to free it, in which case the
Ruby process will fail with signal SIGABRT.

Tests in test/fiddle/test_closure.rb, test/fiddle/test_func.rb,
and test/fiddle/test_function.rb use the `Fiddle::Closure` class
directly and fiddle/test_import.rb use the class indirectly through
`bind_function` method, therefore they are disabled to prevent
introducing the problematic object into the Ruby GC during test suite
execution instead of relying on that fork and subsequent
garbage collection will not happen.

If an FFI closure object is allocated in Ruby
and the `fork` function is used afterward, the memory
pointing to the closure gets corrupted, and if Ruby GC
tries to collect the object in that state, a SIGABRT
error occurs.

The minimal Ruby reproducer for the issue is the following:
~~~
$ cat fiddle_fork.rb
require 'fiddle/closure'
require 'fiddle/struct'

Fiddle::Closure.new(Fiddle::TYPE_VOID, [])

fork { }

GC.start
~~~

We allocate an unused Closure object,
so it is free for the GC to pick up. Before we call `GC.start`
we fork the process as that corrupts the memory.

Running this with ruby-3.1.2-167.fc37.x86_64 on SELinux enabled system:
~~~
$ ruby fiddle_fork.rb
Aborted (core dumped)
~~~

Such issues may appear at random (depending on the use of forking and GC)
in larger applications that use Fiddle::Closure but can be spotted by the
following functions appearing in the coredump backtrace:
~~~
0x00007f6284d3e5b3 in dlfree (mem=<optimized out>) at ../src/dlmalloc.c:4350
0x00007f6284d6d0b1 in dealloc () from /usr/lib64/ruby/fiddle.so
0x00007f6295e432ec in finalize_list () from /lib64/libruby.so.3.1
0x00007f6295e43420 in finalize_deferred.lto_priv () from /lib64/libruby.so.3.1
0x00007f6295e4ff1c in gc_start_internal.lto_priv () from /lib64/libruby.so.3.1
~~~

Possible solutions to prevent Ruby from crashing:
* Do not use Fiddle::Closure.
* Use the Fiddle::Closure object only in isolated subprocess that
  will not fork further.
* Enable static trampolines in libffi as noted in bugzilla comment:
  <https://bugzilla.redhat.com/show_bug.cgi?id=2040380#c9>

See related discussion on
<https://bugzilla.redhat.com/show_bug.cgi?id=2040380>

Ruby upstream ticket:
<https://bugs.ruby-lang.org/issues/18914>

Ruby Fiddle ticket:
<https://github.com/ruby/fiddle/issues/102>

Related: RHEL-5590
2023-12-07 18:28:14 +09:00
Jun Aruga
59242d8ce8 ssl: use ffdhe2048 from RFC 7919 as the default DH group parameter
This commit fixes the following failures in OpenSSL FIPS using the
`OPENSSL_FORCE_FIPS_MODE=1` in CentOS stream 9 non-FIPS OS environment.

```
$ cat /etc/redhat-release
CentOS Stream release 9

$ rpm -q openssl
openssl-3.0.7-24.el9.x86_64

$ pwd
/builddir/build/BUILD/ruby-3.1.2

$ make runruby 'TESTRUN_SCRIPT= \
   -I/builddir/build/BUILD/ruby-3.1.2/tool/lib --enable-gems \
   /builddir/build/SOURCES/test_openssl_fips.rb /builddir/build/BUILD/ruby-3.1.2 --verbose'
...
  1) Failure:
OpenSSL::TestFIPS#test_fips_mode_get_with_fips_mode_set [/builddir/build/BUILD/ruby-3.1.2/test/openssl/test_fips.rb:38]:
assert_separately failed with error message
pid 2043890 exit 1
| /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError)
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:34:in `<class:SSLContext>'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:20:in `<module:SSL>'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:19:in `<module:OpenSSL>'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:18:in `<top (required)>'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `require_relative'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `<top (required)>'
| 	from -:in `require'
  2) Failure:
OpenSSL::TestFIPS#test_fips_mode_get_is_true_on_fips_mode_enabled [/builddir/build/BUILD/ruby-3.1.2/test/openssl/test_fips.rb:12]:
assert_separately failed with error message
pid 2043891 exit 1
| /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError)
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:34:in `<class:SSLContext>'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:20:in `<module:SSL>'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:19:in `<module:OpenSSL>'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:18:in `<top (required)>'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `require_relative'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `<top (required)>'
| 	from -:in `require'

Finished tests in 0.154373s, 77.7337 tests/s, 369.2351 assertions/s.
12 tests, 57 assertions, 2 failures, 0 errors, 1 skips

ruby -v: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux]
make: *** [uncommon.mk:1249: runruby] Error 2
```

Note that we obverved the issue in RHEL 9.4 Beta non-FIPS OS environment too.
The error happened by applying the patch
ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch
rewriting the `ossl_pkey_read_generic` properly.
The error didn't happen without the patch.

```
$ cat /etc/redhat-release
Red Hat Enterprise Linux release 9.4 Beta (Plow)

$ OPENSSL_FORCE_FIPS_MODE=1 bundle exec ruby -I./lib -e "require 'openssl'"
/builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError)
  from /builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `new'
  from /builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `new'
  from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:34:in `<class:SSLContext>'
  from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:20:in `<module:SSL>'
  from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:19:in `<module:OpenSSL>'
  from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:18:in `<top (required)>'
  from /builddir/work/ruby/openssl/lib/openssl.rb:21:in `require_relative'
  from /builddir/work/ruby/openssl/lib/openssl.rb:21:in `<top (required)>'
  from -e:1:in `require'
  from -e:1:in `<main>'
```

Related: RHEL-5590
2023-10-11 19:20:25 +02:00
Jun Aruga
e696601395 Fix OpenSSL.fips_mode and OpenSSL::PKey.read in OpenSSL 3 FIPS.
This commit was cherry-picked from Fedora rawhide
<1f35109c5e>.

Resolves: RHEL-5590
2023-10-11 19:17:26 +02:00
Vít Ondruch
77a322093b Fix for tzdata-2022g.
This commit was cherry-picked from Fedora rawhide
<f8ef5964d0>.
This fixes the test failures related to the Singapore time zone like below.

```
  2) Failure:
TestTimeTZ#test_asia_singapore [/builddir/build/BUILD/ruby-3.0.4/test/ruby/test_time_tz.rb:143]:
TZ=Asia/Singapore Time.local(1981, 12, 31, 23, 59, 59).
<"1981-12-31 23:59:59 +0730"> expected but was
<"1982-01-01 00:29:59 +0800">.
```

Related: RHEL-5590
2023-10-11 19:16:22 +02:00
Jun Aruga
ab9090475c Fix tests with Europe/Amsterdam pre-1970 time on tzdata version 2022b.
This commit was cherry-picked from Fedora rawhide
<ad7f78b5c8>.
This fixes the test failures related to the Amsterdam time zone like below.

```
1)
Time.local timezone changes correctly adjusts the timezone change to 'CEST' on 'Europe/Amsterdam' FAILED
Expected [0, 0, 0, 16, 5, 1940, 4, 137, true, "WEST"] == [0, 40, 1, 16, 5, 1940, 4, 137, true, "CEST"]
to be truthy but was false
/builddir/build/BUILD/ruby-3.0.4/spec/ruby/core/time/shared/local.rb:13:in `block (5 levels) in <top (required)>'
/builddir/build/BUILD/ruby-3.0.4/spec/ruby/core/time/shared/local.rb:12:in `block (4 levels) in <top (required)>'
/builddir/build/BUILD/ruby-3.0.4/spec/ruby/core/time/local_spec.rb:5:in `<top (required)>'
```

Related: RHEL-5590
2023-10-11 19:16:17 +02:00
Jun Aruga
f35ee62ca8 Bypass git submodule test failure on Git >= 2.38.1.
This commit was cherry-picked from Fedora rawhide
<79d75fdcdd>.
This fixes the following test failure.

```
  1) Failure:
TestGemSourceGit#test_checkout_submodules [/builddir/build/BUILD/ruby-3.0.4/test/rubygems/test_gem_source_git.rb:72]:
fatal: transport 'file' not allowed
fatal: clone of '/builddir/build/BUILD/ruby-3.0.4/tmp/test_rubygems_20230627-4031323-yppcjj/git/b' into submodule path '/builddir/build/BUILD/ruby-3.0.4/tmp/test_rubygems_20230627-4031323-yppcjj/git/a/b' failed
```

Related: RHEL-5590
2023-10-11 19:15:58 +02:00
Jarek Prokop
20188a8a3f Upgrade to Ruby 3.1.2 by merging Fedora Rawhide branch (commit: b7b5473).
Resolves: rhbz#2063773
2022-06-22 20:36:32 +02:00
Jarek Prokop
2e5dbe5e29 Fix rubygem-irb upgrade not working due to directory -> symlink conversion.
Upgrading from 2.5 or 2.7 results in an error due to directory symlink
conversion.

Resolves: rhbz#2010949
2021-10-11 12:36:10 +02:00
Jarek Prokop
56f548c2c8 Pass ldflags to gem install
The commit is a cherry-pick from Fedora rawhide 6b2ff68f33 .
The same comment on the changelog 3.0.1-138 was wrong.
The purpose is to synchronize with Fedora rawhide 63065e7db7 .

Related: rhbz#1938942
2021-07-22 14:18:05 +02:00
Jarek Prokop
e036ecc271 Upgrade to Ruby 3.0.2.
- Fix command injection vulnerability in RDoc. (CVE-2021-31799)
- Fix FTP PASV command response can cause Net::FTP to connect to arbitrary host.
  (CVE-2021-31810)
- Fix StartTLS stripping vulnerability in Net::IMAP (CVE-2021-32066)
- Fix dependencies of gems with explicit source installed from a
  different source. (CVE-2020-36327)

Related: rhbz#1938942
2021-07-21 18:10:53 +02:00
Jarek Prokop
fc890b7d73 Revert "Skip the ssl tests on Brew s390x build environment."
This reverts commit 9599325b90.
This issue was fixed on RHELBLD-6305.

Bump release for rebuild.

Related: rhbz#1938942
2021-06-28 16:27:28 +02:00
Jarek Prokop
9599325b90 Skip the ssl tests on Brew s390x build environment.
Fix FTBFS due to SSL tests on s390x. The s390x builders in Brew have
unexpected configuration of DNS, which make the tests fail.

Related: rhbz#1938942
2021-06-24 21:03:27 +02:00
Jarek Prokop
d92f6f9d59 Fix FTBFS due to an incompatible load directive.
The FTBFS has started to happen with rpm-4.16.90-0.git15395.2.fc35.

The `%{?load:...}` is undocumented, and it was removed.

https://github.com/rpm-software-management/rpm/issues/1669

Related: rhbz#1938942
2021-06-24 21:03:27 +02:00
Jarek Prokop
8475ee2d69 Upgrade to Ruby 3.0.1.
Rebased from Fedora rawhide, commit: 6b2ff68.

* Except "Fix FTBFS due to an incompatible load" as that is included as
  a separate commit to highlight the change.
* Add missing `rubygem-` prefix for bundled provide of 'connection_pool'.
* Pass ldflags to gem install via CONFIGURE_ARGS
* Remove IRB dependency from rubygem-rdoc.
* Fix flaky excon test suite.
* Properly support DWARF5 debug information.
  Related: rhbz#1920533
* Bundle OpenSSL into StdLib.
* Fix SEGFAULT in rubygem-shoulda-matchers test suite.
* Provide `gem.build_complete` file for binary gems.
* Re-enable test suite.
* ruby-default-gems have to depend on rubygem(io-console) due to
  reline.
* Fix SEGFAULT preventing rubygem-unicode to build on armv7hl.
* Add support for reworked RubyGems plugins.
* Use proper path for plugin wrappers.
* Extract RSS and REXML into separate subpackages, because they were
   moved from default gems to bundled gems.
* Drop Net::Telnet and XMLRPC packages, because they were dropped from
  Ruby.

Resolves: rhbz#1938942
2021-06-24 21:02:48 +02:00
Vít Ondruch
6261d5976c Resolv::DNS: timeouts
Resolv::DNS: timeouts if multiple IPv6 name servers are given and address
contains leading zero

Resolves: rhbz#1944227
2021-04-21 10:55:36 +02:00
Pavel Valena
0ac9ccaebf Upgrade to Ruby 2.7.3.
Resolves: rhbz#1947938
2021-04-21 10:55:36 +02:00
Vít Ondruch
d064a7f405 Enable arm64 optimizations.
The same already exists for power/x86.

Resolves: rhbz#1884728
Related: rhbz#1947938
2021-04-21 10:55:36 +02:00
Vít Ondruch
f80c0b1d07 Upgrade to Ruby 2.7.2.
Related: rhbz#1947938
2021-04-21 10:55:36 +02:00
Jun Aruga
1aa8223a04 Give an option to increase the timeout in tests.
Because setting the option makes some tests stable that are currently randomly
failing with error on especially s390x and aarch64.

We observed the failing tests are calling `assert_in_out_err` method
calling `invoke_ruby` calling method.

Then when the `th_stdout.join(timeout)` or `th_stderr.join(timeout)` returns
`nil` as thread timeout in `invoke_ruby` method, it causes the error. [1][2]

The `test_timeout_scale` macro is to set the environment variable
`RUBY_TEST_TIMEOUT_SCALE` to increase the timeout in `apply_timeout_scale`
method as <new timeout> = <timeout> * <timeout scale>.

As an example, `TestBugReporter#test_bug_reporter_add` test's
maximum thread timeout was 56+ seconds for the default timeout 10 seconds. [3]
In this case setting `RUBY_TEST_TIMEOUT_SCALE=6` (6 * 10 = 60) is good enough
for 56+ seconds.

[1] https://github.com/ruby/ruby/blob/v2_7_1/tool/lib/envutil.rb#L149
[2] https://bugs.ruby-lang.org/issues/16492#note-8
[3] https://bugs.ruby-lang.org/issues/16492#note-4

Related: rhbz#1947938
2021-04-21 10:55:24 +02:00
Vít Ondruch
8a858ea256 Avoid possible timeout errors in TestBugReporter#test_bug_reporter_add.
Related: rhbz#1947938
2021-04-21 10:55:15 +02:00
Jun Aruga
3ca326ee95 Add ruby-default-gems dependency on irb.
Related: rhbz#1842989
2020-06-26 17:33:32 +02:00
Vít Ondruch
e7b80e8e7c Fix require behavior allowing to load libraries multiple times.
Resolves: rhbz#1842989
2020-06-26 17:33:15 +02:00
Jun Aruga
9b65bf6795 Ship racc binary.
Resolves: rhbz#1851388
2020-06-26 14:30:49 +02:00
Jun Aruga
d8e2548d44 Skip some tests.
* Skip unstable tests on s390x.
* Skip JIT tests in RHEL 8.

Related: rhbz#1817135
2020-05-30 06:50:14 +02:00
Jun Aruga
7916a42d9d Update to Ruby 2.7.1 by merging Fedora master branch (commit: 2981648)
Resolves: rhbz#1817135
2020-05-30 06:49:49 +02:00
Vít Ondruch
6299077765 Properly support %prerelease in %gemspec_ macros.
Related: rhbz#1672575
2019-07-11 11:51:42 +02:00
Jun Aruga
c29a112f31 Use ffi_closure_alloc to avoid segmentation fault by libffi on aarch64.
Resolves: rhbz#1727832
2019-07-10 20:08:20 +02:00
Pavel Valena
e3b4b9752e IO.select on all platforms to wait for input
with recvfrom_nonblock and accept_nonblock

Resolves: rhbz#1719743
2019-07-04 12:52:51 +02:00
Jun Aruga
86bf30d871 Update to Ruby 2.6.3 by merging Fedora master branch (commit: 1cc2a49)
Resolves: rhbz#1672575
2019-06-13 16:56:02 +02:00
Arjen Heidinga
b5b3a8bc0d Add zlib-devel as BuildRequire
This is needed to compile zlib support. I think it is by accident available in the original buildroot, but not in mine.
I think it is better to explicitly name it.

Related: rhbz#1688758
2019-05-09 18:41:24 +02:00
Vít Ondruch
0eb5d3b889 Fix CovScan issues.
Resolves: rhbz#1628592
2019-04-23 13:23:44 +02:00
Vít Ondruch
214a591366 Don't ship .stp files when SystemTap support is disabled.
Related: rhbz#1657915
2019-04-18 07:43:40 +02:00
Vít Ondruch
2cf4920fa3 Update to Ruby 2.5.5.
* Remove Patch25: ruby-2.6.0-Update-for-tzdata-2018f.patch; subsumed
* Remove Patch11: ruby-2.6.0-Try-to-update-cert.patch; subsumed
* Remove Patch19: ruby-2.6.0-net-http-net-ftp-fix-session-resumption-with
    -TLS-1.3.patch; subsumed

Resolves: rhbz#1688758
2019-04-18 07:39:17 +02:00
Jun Aruga
21af9f04d5 Refresh expired certificates to fix FTBFS.
Related: rhbz#1659807
2019-01-11 11:27:04 +01:00
Vít Ondruch
1637652b12 Fix Tokyo TZ tests.
Resolves: rhbz#1659807
2018-12-17 12:30:05 +01:00
Jun Aruga
d488a44d58 Update to Ruby 2.5.3.
Resolves: rhbz#1643092
2018-11-08 16:07:37 +01:00
Vít Ondruch
1ead6ac8f8 Properly harden package using -fstack-protector-strong.
Resolves: rhbz#1624168
2018-09-03 14:20:10 +02:00
Vít Ondruch
cd4ba485c1 Additional OpenSSL 1.1.1 fixes.
Related: rhbz#1616213
2018-08-31 12:21:55 +02:00
Vít Ondruch
ec37cfcfae Cleanly apply patches.
Related: rhbz#1616213
2018-08-31 12:17:34 +02:00
Jun Aruga
a56754b350 Fix generated rdoc template issues.
Resolves: rhbz#1612026
2018-08-31 12:17:12 +02:00
Vít Ondruch
2e08562f7c Disable strong crypto policies to make test suite pass.
Related: rhbz#1616213
2018-08-16 13:07:26 +02:00
Vít Ondruch
4017f27397 Fix TLS 1.3 issues.
Related: rhbz#1616213
2018-08-16 13:06:00 +02:00
Troy Dawson
b894aec1aa Related: bug#1614611 2018-08-11 23:44:57 +02:00
Troy Dawson
83d5f1fd45 Related: bug#1614611 2018-08-11 23:09:35 +02:00
Troy Dawson
0cd2e241e5 Related: bug#1614611 2018-08-11 22:15:13 +02:00
Jun Aruga
72eb3f0a4e Merge remote-tracking branch 'fedora/master' into stream-ruby-2.5 2018-07-31 16:13:52 +02:00
Florian Weimer
ab0834da77 Rebuild with fixed binutils 2018-07-31 11:16:50 +02:00
Igor Gnatenko
9fef07981c
Rebuild for new binutils
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-07-27 14:55:22 +02:00