This commit was cherry-picked from Fedora rawhide
<c2026da175>.
In our observation, the libffi issue may happen randomly.
Fiddle::Closure object is making use of FFI closure
from libffi. When such object is created (instantiated) in Ruby,
and then the process forks on an SELinux-enabled system, the memory
will become corrupted. That is usually not a problem until the
The garbage collector sweeps the object and tries to free it, in which case the
Ruby process will fail with signal SIGABRT.
Tests in test/fiddle/test_closure.rb, test/fiddle/test_func.rb,
and test/fiddle/test_function.rb use the `Fiddle::Closure` class
directly and fiddle/test_import.rb use the class indirectly through
`bind_function` method, therefore they are disabled to prevent
introducing the problematic object into the Ruby GC during test suite
execution instead of relying on that fork and subsequent
garbage collection will not happen.
If an FFI closure object is allocated in Ruby
and the `fork` function is used afterward, the memory
pointing to the closure gets corrupted, and if Ruby GC
tries to collect the object in that state, a SIGABRT
error occurs.
The minimal Ruby reproducer for the issue is the following:
~~~
$ cat fiddle_fork.rb
require 'fiddle/closure'
require 'fiddle/struct'
Fiddle::Closure.new(Fiddle::TYPE_VOID, [])
fork { }
GC.start
~~~
We allocate an unused Closure object,
so it is free for the GC to pick up. Before we call `GC.start`
we fork the process as that corrupts the memory.
Running this with ruby-3.1.2-167.fc37.x86_64 on SELinux enabled system:
~~~
$ ruby fiddle_fork.rb
Aborted (core dumped)
~~~
Such issues may appear at random (depending on the use of forking and GC)
in larger applications that use Fiddle::Closure but can be spotted by the
following functions appearing in the coredump backtrace:
~~~
0x00007f6284d3e5b3 in dlfree (mem=<optimized out>) at ../src/dlmalloc.c:4350
0x00007f6284d6d0b1 in dealloc () from /usr/lib64/ruby/fiddle.so
0x00007f6295e432ec in finalize_list () from /lib64/libruby.so.3.1
0x00007f6295e43420 in finalize_deferred.lto_priv () from /lib64/libruby.so.3.1
0x00007f6295e4ff1c in gc_start_internal.lto_priv () from /lib64/libruby.so.3.1
~~~
Possible solutions to prevent Ruby from crashing:
* Do not use Fiddle::Closure.
* Use the Fiddle::Closure object only in isolated subprocess that
will not fork further.
* Enable static trampolines in libffi as noted in bugzilla comment:
<https://bugzilla.redhat.com/show_bug.cgi?id=2040380#c9>
See related discussion on
<https://bugzilla.redhat.com/show_bug.cgi?id=2040380>
Ruby upstream ticket:
<https://bugs.ruby-lang.org/issues/18914>
Ruby Fiddle ticket:
<https://github.com/ruby/fiddle/issues/102>
Related: RHEL-5590
This commit fixes the following failures in OpenSSL FIPS using the
`OPENSSL_FORCE_FIPS_MODE=1` in CentOS stream 9 non-FIPS OS environment.
```
$ cat /etc/redhat-release
CentOS Stream release 9
$ rpm -q openssl
openssl-3.0.7-24.el9.x86_64
$ pwd
/builddir/build/BUILD/ruby-3.1.2
$ make runruby 'TESTRUN_SCRIPT= \
-I/builddir/build/BUILD/ruby-3.1.2/tool/lib --enable-gems \
/builddir/build/SOURCES/test_openssl_fips.rb /builddir/build/BUILD/ruby-3.1.2 --verbose'
...
1) Failure:
OpenSSL::TestFIPS#test_fips_mode_get_with_fips_mode_set [/builddir/build/BUILD/ruby-3.1.2/test/openssl/test_fips.rb:38]:
assert_separately failed with error message
pid 2043890 exit 1
| /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError)
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:34:in `<class:SSLContext>'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:20:in `<module:SSL>'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:19:in `<module:OpenSSL>'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:18:in `<top (required)>'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `require_relative'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `<top (required)>'
| from -:in `require'
2) Failure:
OpenSSL::TestFIPS#test_fips_mode_get_is_true_on_fips_mode_enabled [/builddir/build/BUILD/ruby-3.1.2/test/openssl/test_fips.rb:12]:
assert_separately failed with error message
pid 2043891 exit 1
| /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError)
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:34:in `<class:SSLContext>'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:20:in `<module:SSL>'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:19:in `<module:OpenSSL>'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:18:in `<top (required)>'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `require_relative'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `<top (required)>'
| from -:in `require'
Finished tests in 0.154373s, 77.7337 tests/s, 369.2351 assertions/s.
12 tests, 57 assertions, 2 failures, 0 errors, 1 skips
ruby -v: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux]
make: *** [uncommon.mk:1249: runruby] Error 2
```
Note that we obverved the issue in RHEL 9.4 Beta non-FIPS OS environment too.
The error happened by applying the patch
ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch
rewriting the `ossl_pkey_read_generic` properly.
The error didn't happen without the patch.
```
$ cat /etc/redhat-release
Red Hat Enterprise Linux release 9.4 Beta (Plow)
$ OPENSSL_FORCE_FIPS_MODE=1 bundle exec ruby -I./lib -e "require 'openssl'"
/builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError)
from /builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `new'
from /builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `new'
from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:34:in `<class:SSLContext>'
from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:20:in `<module:SSL>'
from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:19:in `<module:OpenSSL>'
from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:18:in `<top (required)>'
from /builddir/work/ruby/openssl/lib/openssl.rb:21:in `require_relative'
from /builddir/work/ruby/openssl/lib/openssl.rb:21:in `<top (required)>'
from -e:1:in `require'
from -e:1:in `<main>'
```
Related: RHEL-5590
This commit was cherry-picked from Fedora rawhide
<f8ef5964d0>.
This fixes the test failures related to the Singapore time zone like below.
```
2) Failure:
TestTimeTZ#test_asia_singapore [/builddir/build/BUILD/ruby-3.0.4/test/ruby/test_time_tz.rb:143]:
TZ=Asia/Singapore Time.local(1981, 12, 31, 23, 59, 59).
<"1981-12-31 23:59:59 +0730"> expected but was
<"1982-01-01 00:29:59 +0800">.
```
Related: RHEL-5590
This commit was cherry-picked from Fedora rawhide
<ad7f78b5c8>.
This fixes the test failures related to the Amsterdam time zone like below.
```
1)
Time.local timezone changes correctly adjusts the timezone change to 'CEST' on 'Europe/Amsterdam' FAILED
Expected [0, 0, 0, 16, 5, 1940, 4, 137, true, "WEST"] == [0, 40, 1, 16, 5, 1940, 4, 137, true, "CEST"]
to be truthy but was false
/builddir/build/BUILD/ruby-3.0.4/spec/ruby/core/time/shared/local.rb:13:in `block (5 levels) in <top (required)>'
/builddir/build/BUILD/ruby-3.0.4/spec/ruby/core/time/shared/local.rb:12:in `block (4 levels) in <top (required)>'
/builddir/build/BUILD/ruby-3.0.4/spec/ruby/core/time/local_spec.rb:5:in `<top (required)>'
```
Related: RHEL-5590
This commit was cherry-picked from Fedora rawhide
<79d75fdcdd>.
This fixes the following test failure.
```
1) Failure:
TestGemSourceGit#test_checkout_submodules [/builddir/build/BUILD/ruby-3.0.4/test/rubygems/test_gem_source_git.rb:72]:
fatal: transport 'file' not allowed
fatal: clone of '/builddir/build/BUILD/ruby-3.0.4/tmp/test_rubygems_20230627-4031323-yppcjj/git/b' into submodule path '/builddir/build/BUILD/ruby-3.0.4/tmp/test_rubygems_20230627-4031323-yppcjj/git/a/b' failed
```
Related: RHEL-5590
The commit is a cherry-pick from Fedora rawhide 6b2ff68f33 .
The same comment on the changelog 3.0.1-138 was wrong.
The purpose is to synchronize with Fedora rawhide 63065e7db7 .
Related: rhbz#1938942
- Fix command injection vulnerability in RDoc. (CVE-2021-31799)
- Fix FTP PASV command response can cause Net::FTP to connect to arbitrary host.
(CVE-2021-31810)
- Fix StartTLS stripping vulnerability in Net::IMAP (CVE-2021-32066)
- Fix dependencies of gems with explicit source installed from a
different source. (CVE-2020-36327)
Related: rhbz#1938942
Rebased from Fedora rawhide, commit: 6b2ff68.
* Except "Fix FTBFS due to an incompatible load" as that is included as
a separate commit to highlight the change.
* Add missing `rubygem-` prefix for bundled provide of 'connection_pool'.
* Pass ldflags to gem install via CONFIGURE_ARGS
* Remove IRB dependency from rubygem-rdoc.
* Fix flaky excon test suite.
* Properly support DWARF5 debug information.
Related: rhbz#1920533
* Bundle OpenSSL into StdLib.
* Fix SEGFAULT in rubygem-shoulda-matchers test suite.
* Provide `gem.build_complete` file for binary gems.
* Re-enable test suite.
* ruby-default-gems have to depend on rubygem(io-console) due to
reline.
* Fix SEGFAULT preventing rubygem-unicode to build on armv7hl.
* Add support for reworked RubyGems plugins.
* Use proper path for plugin wrappers.
* Extract RSS and REXML into separate subpackages, because they were
moved from default gems to bundled gems.
* Drop Net::Telnet and XMLRPC packages, because they were dropped from
Ruby.
Resolves: rhbz#1938942
Because setting the option makes some tests stable that are currently randomly
failing with error on especially s390x and aarch64.
We observed the failing tests are calling `assert_in_out_err` method
calling `invoke_ruby` calling method.
Then when the `th_stdout.join(timeout)` or `th_stderr.join(timeout)` returns
`nil` as thread timeout in `invoke_ruby` method, it causes the error. [1][2]
The `test_timeout_scale` macro is to set the environment variable
`RUBY_TEST_TIMEOUT_SCALE` to increase the timeout in `apply_timeout_scale`
method as <new timeout> = <timeout> * <timeout scale>.
As an example, `TestBugReporter#test_bug_reporter_add` test's
maximum thread timeout was 56+ seconds for the default timeout 10 seconds. [3]
In this case setting `RUBY_TEST_TIMEOUT_SCALE=6` (6 * 10 = 60) is good enough
for 56+ seconds.
[1] https://github.com/ruby/ruby/blob/v2_7_1/tool/lib/envutil.rb#L149
[2] https://bugs.ruby-lang.org/issues/16492#note-8
[3] https://bugs.ruby-lang.org/issues/16492#note-4
Related: rhbz#1947938
This is needed to compile zlib support. I think it is by accident available in the original buildroot, but not in mine.
I think it is better to explicitly name it.
Related: rhbz#1688758
