From d4586a2e5e25fd98a4ed2001e62fb82c059d0fa3 Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Wed, 3 Jun 2026 08:15:42 -0400
Subject: [PATCH] import UBI ruby4.0-4.0.3-34.el10_2

---
 .fmf/version | 1 -
 .gitignore | 9 +--
 gating.yaml | 6 --
 plans/public.fmf | 26 --------
 rpminspect.yaml | 21 -------
 ...ormat-string-injection-vulnerability.patch | 14 ++---
 ruby.rpmlintrc | 61 -------------------
 ruby4.0.spec | 12 ++--
 8 files changed, 16 insertions(+), 134 deletions(-)
 delete mode 100644 .fmf/version
 delete mode 100644 gating.yaml
 delete mode 100644 plans/public.fmf
 delete mode 100644 rpminspect.yaml
 delete mode 100644 ruby.rpmlintrc

diff --git a/.fmf/version b/.fmf/version
deleted file mode 100644
index d00491f..0000000
--- a/.fmf/version
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/.gitignore b/.gitignore
index 96d2cad..84f0924 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,3 @@
-/*/
-/ruby-*.tar.xz
-/*.rpm
-/mysql2-*.gem
-/pg-*.gem
-!/plans/
+mysql2-0.5.7.gem
+pg-1.6.3.gem
+ruby-4.0.3.tar.xz
diff --git a/gating.yaml b/gating.yaml
deleted file mode 100644
index 4ca9235..0000000
--- a/gating.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-10
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
diff --git a/plans/public.fmf b/plans/public.fmf
deleted file mode 100644
index 44b7df2..0000000
--- a/plans/public.fmf
+++ /dev/null
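Review bot: The new `.gitignore` entries replace the `/ruby-*.tar.xz`, `/mysql2-*.gem`, `/pg-*.gem` and `/*.rpm` globs with exact, unanchored names (`mysql2-0.5.7.gem`, `pg-1.6.3.gem`, `ruby-4.0.3.tar.xz`), so the file has to be touched on every source rebase and locally built RPMs will now show up as untracked. Without the leading `/` the names also match at any directory depth rather than only at the repository root. If the import convention is to list the exact source artifacts, consider at least keeping `/*.rpm` alongside them.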
@@ -1,26 +0,0 @@
-summary: Public (CentOS) beakerlib tests
-
-adjust+:
-  - when: distro == centos-stream
-    because: Update all packages and reboot
-    discover+<:
-      - name: update-and-reboot
-        how: shell
-        tests:
-          - name: update
-            test: dnf update --refresh -y
-          - name: reboot
-            test: "[[ $TMT_REBOOT_COUNT == 0 ]] && tmt-reboot || echo Already rebooted"
-
-environment+:
-  RUBY: "ruby4.0"
-  GEM: "gem4.0"
-  BUNDLE: "bundle4.0"
-
-discover:
-  - name: centos
-    how: fmf
-    url: https://gitlab.com/redhat/centos-stream/tests/ruby
-    filter: 'component:ruby4.0'
-execute:
-  how: tmt
diff --git a/rpminspect.yaml b/rpminspect.yaml
deleted file mode 100644
index 3d0b4ca..0000000
--- a/rpminspect.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-badfuncs:
-  # Ruby implements the functionality for compatibility.
-  # Modern counterparts are also available and preferred.
-  allowed:
-    '/usr/lib*/ruby*/socket.so':
-      - gethostbyaddr
-      - gethostbyname
-
-patches:
-  # These patches are applied manually with the `patch` binary.
-  # The contents are unpacked with Ruby itself in %build.
-  # %build does not have %patch macros available for use.
-  ignore_list:
-    - rubygem-pg-1.3.0-remove-rpath.patch
-    - rubygem-mysql2-0.5.7-Disable-RPATH-completely-in-extconf.rb.patch
-
-rpmdeps:
-  ignore:
-    # The package will be pulled in transitively. Ruby takes care for the
-    # ABI compatibility in specific major.minor solib version.
-    requires: ^libruby.*\.so.*\(\)\(64bit\)$
diff --git a/ruby-4.0.3-Fix-a-format-string-injection-vulnerability.patch b/ruby-4.0.3-Fix-a-format-string-injection-vulnerability.patch
index a654e9e..35b0a87 100644
--- a/ruby-4.0.3-Fix-a-format-string-injection-vulnerability.patch
+++ b/ruby-4.0.3-Fix-a-format-string-injection-vulnerability.patch
@@ -14,9 +14,9 @@ index 8f9729ef28..a05c5e9657 100644
 --- a/ext/json/parser/parser.c
 +++ b/ext/json/parser/parser.c
 @@ -400,14 +400,9 @@ static void emit_parse_warning(const char *message, JSON_ParserState *state)
- 
+
  #define PARSE_ERROR_FRAGMENT_LEN 32
- 
+
 -#ifdef RBIMPL_ATTR_NORETURN
 -RBIMPL_ATTR_NORETURN()
 -#endif
@@ -26,7 +26,7 @@ index 8f9729ef28..a05c5e9657 100644
      unsigned char buffer[PARSE_ERROR_FRAGMENT_LEN + 3];
 -    long line, column;
 -    cursor_position(state, &line, &column);
- 
+
      const char *ptr = "EOF";
      if (state->cursor && state->cursor < state->end) {
 @@ -442,11 +437,23 @@ static void raise_parse_error(const char *format, JSON_ParserState *state)
@@ -35,7 +35,7 @@ index 8f9729ef28..a05c5e9657 100644
      RB_GC_GUARD(msg);
 +    return message;
 +}
- 
+
 +static VALUE parse_error_new(VALUE message, long line, long column)
 +{
      VALUE exc = rb_exc_new_str(rb_path2class("JSON::ParserError"), message);
@@ -52,12 +52,12 @@ index 8f9729ef28..a05c5e9657 100644
 +    VALUE message = build_parse_error_message(format, state, line, column);
 +    rb_exc_raise(parse_error_new(message, line, column));
  }
- 
+
  #ifdef RBIMPL_ATTR_NORETURN
 @@ -896,6 +903,11 @@ static void raise_duplicate_key_error(JSON_ParserState *state, VALUE duplicate_k
      rb_inspect(duplicate_key)
      );
- 
+
 +    long line, column;
 +    cursor_position(state, &line, &column);
 +    rb_str_concat(message, build_parse_error_message("", state, line, column)) ;
@@ -73,7 +73,7 @@ index ec9391909d..61ea35d1f9 100644
 @@ -411,6 +411,13 @@ def test_parse_duplicate_key
       end
     end
- 
+
 +  def test_parse_duplicate_key_escape
 +    error = assert_raise(ParserError) do
 +      JSON.parse('{"%s%s%s%s":1,"%s%s%s%s":2}', allow_duplicate_key: false)
diff --git a/ruby.rpmlintrc b/ruby.rpmlintrc
deleted file mode 100644
index 90e14d6..0000000
--- a/ruby.rpmlintrc
+++ /dev/null
@@ -1,61 +0,0 @@
-# Keep matching patterns enough not to hide unintended errors and warnings.
-
-# There is no way to implement this with `%{SOURCE0}` without `%{_sourcedir}`.
-# The order in the .spec file could be possibly different.
-addFilter(r'ruby\.(spec|src):20: E: use-of-RPM_SOURCE_DIR$')
-
-# The used version is not obvious.
-addFilter(r'ruby\.(spec|src):\d+: W: unversioned-explicit-provides bundled\(ccan-build_assert\)$')
-addFilter(r'ruby\.(spec|src):\d+: W: unversioned-explicit-provides bundled\(ccan-check_type\)$')
-addFilter(r'ruby\.(spec|src):\d+: W: unversioned-explicit-provides bundled\(ccan-container_of\)$')
-addFilter(r'ruby\.(spec|src):\d+: W: unversioned-explicit-provides bundled\(ccan-list\)$')
-
-# The template files do not have to have executable bits.
-addFilter(r'^rubygem-bundler\.noarch: E: non-executable-script /usr/share/gems/gems/bundler-[\d\.]+/lib/bundler/templates/[\w/\.]+ 644 /usr/bin/env ')
-
-# The bundled gem files permissions are overridden as 644 by `make install`.
-# https://bugs.ruby-lang.org/issues/17840
-# https://github.com/rubygems/rubygems/issues/5255
-# https://github.com/ruby/debug/pull/481
-# https://github.com/ruby/net-ftp/pull/12
-# https://github.com/ruby/net-imap/pull/53
-# https://github.com/ruby/net-pop/pull/7
-# https://github.com/ruby/prime/pull/16
-addFilter(r'^.*: E: non-executable-script /usr/share/gems/gems/(debug|net-(ftp|imap|pop)|prime)-[\d\.]+/bin/\w+ 644 ')
-
-# Ruby provides API to set the cipher list.
-addFilter(r'^ruby-libs\.\w+: W: crypto-policy-non-compliance-openssl /usr/lib(64)?/ruby/openssl.so SSL_CTX_set_cipher_list$')
-
-# `gethostbyname` is part of deprecated Ruby API. There is also request to drop the API altogether:
-# https://bugs.ruby-lang.org/issues/13097
-# https://bugs.ruby-lang.org/issues/17944
-addFilter(r'^ruby-libs\.\w+: W: binary-or-shlib-calls-gethostbyname /usr/lib(64)?/ruby/socket.so$')
-
-# Rake ships some examples.
-addFilter(r'^rubygem-rake.noarch: W: devel-file-in-non-devel-package /usr/share/gems/gems/rake-[\d\.]+/doc/example/\w+.c$')
-
-# Some executables don't have their manual pages. Is it worth of use help2man?
-addFilter(r'^.+: W: no-manual-page-for-binary (bundler|gem|racc|rbs|rdbg|rdoc|ruby-mri|syntax_suggest|typeprof)$')
-
-# Default gems does not come with any documentation.
-addFilter(r'^rubygem-(bigdecimal|io-console|json|psych)\.\w+: W: no-documentation$')
-
-# rubygems-devel ships only RPM macros and generators. Their placement is given
-# by RPM and can't be modified.
-addFilter(r'rubygems-devel.noarch: W: only-non-binary-in-usr-lib$')
-
-# Ignore some spelling false positives.
-# Ignore spelling of technical terms
-addFilter(r'^ruby-default-gems.noarch: E: spelling-error \(\'gemspec\'')
-addFilter(r'^ruby-libs.x86_64: E: spelling-error \(\'libruby\'')
-addFilter(r'^rubygem-test-unit.noarch: E: spelling-error \(\'xUnit\'')
-addFilter(r'^rubygem-psych.x86_64: E: spelling-error \(\'libyaml\'')
-addFilter(r'^rubygem-io-console.x86_64: E: spelling-error \(\'readline\'')
-# `pyaml` is part of URL
-addFilter(r'^rubygem-psych.x86_64: E: spelling-error \(\'pyyaml\'')
-# `de-` is actually prefix
-addFilter(r'^rubygem-psych.x86_64: E: spelling-error \(\'de\'')
-
-# It does not seemt to be worth of changing rubygems to archful package due to
-# single directory, unless it causes some real troubles.
-addFilter(r'^rubygems.noarch: E: noarch-with-lib64$')
diff --git a/ruby4.0.spec b/ruby4.0.spec
index 887734f..966948f 100644
--- a/ruby4.0.spec
+++ b/ruby4.0.spec
@@ -335,8 +335,8 @@ Patch10: ruby-4.0.1-test_box-avoid-failure-with-program-suffix.patch
 # option in Ruby's main build.
 # https://github.com/brianmario/mysql2/issues/1201
 Patch11: rubygem-mysql2-0.5.7-Disable-RPATH-completely-in-extconf.rb.patch
-# CVE-2026-33210 
-# Fix for Denial of Service or Information Disclosure 
+# CVE-2026-33210
+# Fix for Denial of Service or Information Disclosure
 # via format string injection
 # in Ruby JSON
 # https://github.com/ruby/json/commit/393b41c3e5f87491e1e34fa59fa78ff6fa179a74
@@ -1648,13 +1648,13 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \
 %changelog
 * Wed Apr 29 2026 Tomas Juhasz - 4.0.3-34
 - Upgrade to Ruby 4.0.3.
-  Resolves: RHEL-170933
-- Fix ERB: Arbitrary code execution via deserialization bypass
+  Resolves: RHEL-171239
+- Fix ERB: Arbitrary code execution via bypass
   (CVE-2026-41316)
-  Resolves: RHEL-170911
+  Resolves: RHEL-170910
 - Fix JSON: Denial of Service or Information Disclosure via format string
   injection (CVE-2026-33210)
-  Resolves: RHEL-169964
+  Resolves: RHEL-173457
 
 * Thu Feb 05 2026 Jarek Prokop - 4.0.1-33
 - Initial package.