rpms/ruby - ruby - AlmaLinux OS Foundation Git Server

rpms/ruby

Author SHA1 Message Date

Author	SHA1	Message	Date
Jun Aruga	d143dbbbc6	Upgrade to Ruby 3.3.1. * Upgrade to Ruby 3.3.1. Resolves: RHEL-33975 * Fix buffer overread vulnerability in StringIO. Resolves: RHEL-34124 * Fix RCE vulnerability with .rdoc_options in RDoc. Resolves: RHEL-34116 * Fix arbitrary memory address read vulnerability with Regex search. Resolves: RHEL-33866 * Ruby bundled NKF, add appropriate `bundled` provide and test * License review and clarification This commit was merged and adjusted from Fedora rawhie latest commit <`ff5301a5f3`>. ``` $ git remote add fedora https://src.fedoraproject.org/rpms/ruby.git $ git fetch fedora $ git merge --squash fedora/rawhide ```	2024-05-10 12:04:59 +02:00
Jarek Prokop	308b2c0ab2	Fix compiling coroutines with aarch64's branch protection. Armv8.3+ capable CPUs might segfault with incorrect compilation options. See related upstream report: https://bugs.ruby-lang.org/issues/20085 We have hit this on COPR which uses [0] c7g.xlarge AWS flavor for aarch64 architecture builds. This machine flavor seems to fall into the ARMv8.3+ range. Fedora CFLAGS come with `-mbranch-protection=standard` which means that both BTI and the PAC protections are used. The option is equivalent to `-mbranch-protection=pac-ret+bti`. However, since the upstream configure.ac automatically appends `-mbranch-protection=pac-ret`, the BTI protection is not used as the last used option seems to overwrite [1] the Fedora default for this. To resolve both of these issues, of BTI being skipped and the potential segfaults a patch is applied. To fix segfaults an upstream patch was applied [2]. To fix the issue of overridden option I have patched the configure.ac file to check for the `=standard` first when searching for a usable `-mbranch-protection` option. The overriding of our options was reported upstream: <https://bugs.ruby-lang.org/issues/20154> In the same issue I provided the extension of compilation option as an attachment, to showcase a workaround that fixes the situation in Fedora. [0] <https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/Y4GPCGQAZT2LJ5CE7MTIEFKGAPP6O2DW/> [1] <https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/QWLEBS4YQH73HJNNLKCCGIIOU3SSXAYK/> [2] <`02973b78f4`>	2024-01-15 16:38:51 +01:00

Jun Aruga

d143dbbbc6

Upgrade to Ruby 3.3.1.

* Upgrade to Ruby 3.3.1.
  Resolves: RHEL-33975
* Fix buffer overread vulnerability in StringIO.
  Resolves: RHEL-34124
* Fix RCE vulnerability with .rdoc_options in RDoc.
  Resolves: RHEL-34116
* Fix arbitrary memory address read vulnerability with Regex search.
  Resolves: RHEL-33866

* Ruby bundled NKF, add appropriate `bundled` provide and test
* License review and clarification

This commit was merged and adjusted from Fedora rawhie latest commit
<ff5301a5f3>.

```
$ git remote add fedora https://src.fedoraproject.org/rpms/ruby.git
$ git fetch fedora
$ git merge --squash fedora/rawhide
```

2024-05-10 12:04:59 +02:00

Jarek Prokop

308b2c0ab2

Fix compiling coroutines with aarch64's branch protection.

Armv8.3+ capable CPUs might segfault with incorrect compilation options.
See related upstream report: https://bugs.ruby-lang.org/issues/20085

We have hit this on COPR which uses [0] c7g.xlarge AWS flavor for aarch64
architecture builds. This machine flavor seems to fall into the ARMv8.3+
range.

Fedora CFLAGS come with `-mbranch-protection=standard` which means that
both BTI and the PAC protections are used. The option is equivalent
to `-mbranch-protection=pac-ret+bti`.

However, since the upstream configure.ac automatically appends
`-mbranch-protection=pac-ret`, the BTI protection is not used
as the last used option seems to overwrite [1] the Fedora
default for this.

To resolve both of these issues, of BTI being skipped and the potential
segfaults a patch is applied.

To fix segfaults an upstream patch was applied [2].

To fix the issue of overridden option I have patched the
configure.ac file to check for the `=standard` first when searching for a usable
`-mbranch-protection` option.

The overriding of our options was reported upstream:
<https://bugs.ruby-lang.org/issues/20154>
In the same issue I provided the extension of compilation option as an
attachment, to showcase a workaround that fixes the situation in Fedora.

[0] <https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/Y4GPCGQAZT2LJ5CE7MTIEFKGAPP6O2DW/>
[1] <https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/QWLEBS4YQH73HJNNLKCCGIIOU3SSXAYK/>
[2] <02973b78f4>

2024-01-15 16:38:51 +01:00

2 Commits