.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1,3 +1,6 @@
-mysql2-0.5.7.gem
-pg-1.6.3.gem
-ruby-4.0.3.tar.xz
+/*/
+/ruby-*.tar.xz
+/*.rpm
+/mysql2-*.gem
+/pg-*.gem
+!/plans/

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-10
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

plans/public.fmf

@@ -0,0 +1,26 @@
+summary: Public (CentOS) beakerlib tests
+
+adjust+:
+  - when: distro == centos-stream
+    because: Update all packages and reboot
+    discover+<:
+      - name: update-and-reboot
+        how: shell
+        tests:
+          - name: update
+            test: dnf update --refresh -y
+          - name: reboot
+            test: "[[ $TMT_REBOOT_COUNT == 0 ]] && tmt-reboot || echo Already rebooted"
+
+environment+:
+  RUBY: "ruby4.0"
+  GEM: "gem4.0"
+  BUNDLE: "bundle4.0"
+
+discover:
+  - name: centos
+    how: fmf
+    url: https://gitlab.com/redhat/centos-stream/tests/ruby
+    filter: 'component:ruby4.0'
+execute:
+    how: tmt

rpminspect.yaml

@@ -0,0 +1,21 @@
+badfuncs:
+  # Ruby implements the functionality for compatibility.
+  # Modern counterparts are also available and preferred.
+  allowed:
+    '/usr/lib*/ruby*/socket.so':
+      - gethostbyaddr
+      - gethostbyname
+
+patches:
+  # These patches are applied manually with the `patch` binary.
+  # The contents are unpacked with Ruby itself in %build.
+  # %build does not have %patch macros available for use.
+  ignore_list:
+    - rubygem-pg-1.3.0-remove-rpath.patch
+    - rubygem-mysql2-0.5.7-Disable-RPATH-completely-in-extconf.rb.patch
+
+rpmdeps:
+  ignore:
+    # The package will be pulled in transitively. Ruby takes care for the
+    # ABI compatibility in specific major.minor solib version.
+    requires: ^libruby.*\.so.*\(\)\(64bit\)$

ruby-4.0.3-Fix-a-format-string-injection-vulnerability.patch

@@ -14,9 +14,9 @@ index 8f9729ef28..a05c5e9657 100644
 --- a/ext/json/parser/parser.c
 +++ b/ext/json/parser/parser.c
 @@ -400,14 +400,9 @@ static void emit_parse_warning(const char *message, JSON_ParserState *state)
- 
+
  #define PARSE_ERROR_FRAGMENT_LEN 32
- 
+
 -#ifdef RBIMPL_ATTR_NORETURN
 -RBIMPL_ATTR_NORETURN()
 -#endif
@@ -26,7 +26,7 @@ index 8f9729ef28..a05c5e9657 100644
      unsigned char buffer[PARSE_ERROR_FRAGMENT_LEN + 3];
 -    long line, column;
 -    cursor_position(state, &line, &column);
- 
+
      const char *ptr = "EOF";
      if (state->cursor && state->cursor < state->end) {
 @@ -442,11 +437,23 @@ static void raise_parse_error(const char *format, JSON_ParserState *state)
@@ -35,7 +35,7 @@ index 8f9729ef28..a05c5e9657 100644
      RB_GC_GUARD(msg);
 +    return message;
 +}
- 
+
 +static VALUE parse_error_new(VALUE message, long line, long column)
 +{
      VALUE exc = rb_exc_new_str(rb_path2class("JSON::ParserError"), message);
@@ -52,12 +52,12 @@ index 8f9729ef28..a05c5e9657 100644
 +    VALUE message = build_parse_error_message(format, state, line, column);
 +    rb_exc_raise(parse_error_new(message, line, column));
  }
- 
+
  #ifdef RBIMPL_ATTR_NORETURN
 @@ -896,6 +903,11 @@ static void raise_duplicate_key_error(JSON_ParserState *state, VALUE duplicate_k
          rb_inspect(duplicate_key)
      );
- 
+
 +    long line, column;
 +    cursor_position(state, &line, &column);
 +    rb_str_concat(message, build_parse_error_message("", state, line, column)) ;
@@ -73,7 +73,7 @@ index ec9391909d..61ea35d1f9 100644
 @@ -411,6 +411,13 @@ def test_parse_duplicate_key
      end
    end
- 
+
 +  def test_parse_duplicate_key_escape
 +    error = assert_raise(ParserError) do
 +      JSON.parse('{"%s%s%s%s":1,"%s%s%s%s":2}', allow_duplicate_key: false)

ruby.rpmlintrc

@@ -0,0 +1,61 @@
+# Keep matching patterns enough not to hide unintended errors and warnings.
+
+# There is no way to implement this with `%{SOURCE0}` without `%{_sourcedir}`.
+# The order in the .spec file could be possibly different.
+addFilter(r'ruby\.(spec|src):20: E: use-of-RPM_SOURCE_DIR$')
+
+# The used version is not obvious.
+addFilter(r'ruby\.(spec|src):\d+: W: unversioned-explicit-provides bundled\(ccan-build_assert\)$')
+addFilter(r'ruby\.(spec|src):\d+: W: unversioned-explicit-provides bundled\(ccan-check_type\)$')
+addFilter(r'ruby\.(spec|src):\d+: W: unversioned-explicit-provides bundled\(ccan-container_of\)$')
+addFilter(r'ruby\.(spec|src):\d+: W: unversioned-explicit-provides bundled\(ccan-list\)$')
+
+# The template files do not have to have executable bits.
+addFilter(r'^rubygem-bundler\.noarch: E: non-executable-script /usr/share/gems/gems/bundler-[\d\.]+/lib/bundler/templates/[\w/\.]+ 644 /usr/bin/env ')
+
+# The bundled gem files permissions are overridden as 644 by `make install`.
+# https://bugs.ruby-lang.org/issues/17840
+# https://github.com/rubygems/rubygems/issues/5255
+# https://github.com/ruby/debug/pull/481
+# https://github.com/ruby/net-ftp/pull/12
+# https://github.com/ruby/net-imap/pull/53
+# https://github.com/ruby/net-pop/pull/7
+# https://github.com/ruby/prime/pull/16
+addFilter(r'^.*: E: non-executable-script /usr/share/gems/gems/(debug|net-(ftp|imap|pop)|prime)-[\d\.]+/bin/\w+ 644 ')
+
+# Ruby provides API to set the cipher list.
+addFilter(r'^ruby-libs\.\w+: W: crypto-policy-non-compliance-openssl /usr/lib(64)?/ruby/openssl.so SSL_CTX_set_cipher_list$')
+
+# `gethostbyname` is part of deprecated Ruby API. There is also request to drop the API altogether:
+# https://bugs.ruby-lang.org/issues/13097
+# https://bugs.ruby-lang.org/issues/17944
+addFilter(r'^ruby-libs\.\w+: W: binary-or-shlib-calls-gethostbyname /usr/lib(64)?/ruby/socket.so$')
+
+# Rake ships some examples.
+addFilter(r'^rubygem-rake.noarch: W: devel-file-in-non-devel-package /usr/share/gems/gems/rake-[\d\.]+/doc/example/\w+.c$')
+
+# Some executables don't have their manual pages. Is it worth of use help2man?
+addFilter(r'^.+: W: no-manual-page-for-binary (bundler|gem|racc|rbs|rdbg|rdoc|ruby-mri|syntax_suggest|typeprof)$')
+
+# Default gems does not come with any documentation.
+addFilter(r'^rubygem-(bigdecimal|io-console|json|psych)\.\w+: W: no-documentation$')
+
+# rubygems-devel ships only RPM macros and generators. Their placement is given
+# by RPM and can't be modified.
+addFilter(r'rubygems-devel.noarch: W: only-non-binary-in-usr-lib$')
+
+# Ignore some spelling false positives.
+# Ignore spelling of technical terms
+addFilter(r'^ruby-default-gems.noarch: E: spelling-error \(\'gemspec\'')
+addFilter(r'^ruby-libs.x86_64: E: spelling-error \(\'libruby\'')
+addFilter(r'^rubygem-test-unit.noarch: E: spelling-error \(\'xUnit\'')
+addFilter(r'^rubygem-psych.x86_64: E: spelling-error \(\'libyaml\'')
+addFilter(r'^rubygem-io-console.x86_64: E: spelling-error \(\'readline\'')
+# `pyaml` is part of URL
+addFilter(r'^rubygem-psych.x86_64: E: spelling-error \(\'pyyaml\'')
+# `de-` is actually prefix
+addFilter(r'^rubygem-psych.x86_64: E: spelling-error \(\'de\'')
+
+# It does not seemt to be worth of changing rubygems to archful package due to
+# single directory, unless it causes some real troubles.
+addFilter(r'^rubygems.noarch: E: noarch-with-lib64$')

ruby4.0.spec

@@ -335,8 +335,8 @@ Patch10: ruby-4.0.1-test_box-avoid-failure-with-program-suffix.patch
 # option in Ruby's main build.
 # https://github.com/brianmario/mysql2/issues/1201
 Patch11: rubygem-mysql2-0.5.7-Disable-RPATH-completely-in-extconf.rb.patch
-# CVE-2026-33210 
-# Fix for Denial of Service or Information Disclosure 
+# CVE-2026-33210
+# Fix for Denial of Service or Information Disclosure
 # via format string injection
 # in Ruby JSON
 # https://github.com/ruby/json/commit/393b41c3e5f87491e1e34fa59fa78ff6fa179a74
@@ -1648,13 +1648,13 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \
 %changelog
 * Wed Apr 29 2026 Tomas Juhasz <tjuhasz@redhat.com> - 4.0.3-34
 - Upgrade to Ruby 4.0.3.
-  Resolves: RHEL-171239
-- Fix ERB: Arbitrary code execution via bypass
+  Resolves: RHEL-170933
+- Fix ERB: Arbitrary code execution via deserialization bypass
  (CVE-2026-41316)
-  Resolves: RHEL-170910
+  Resolves: RHEL-170911
 - Fix JSON: Denial of Service or Information Disclosure via format string injection
  (CVE-2026-33210)
- Resolves: RHEL-173457
+ Resolves: RHEL-169964
 
 * Thu Feb 05 2026 Jarek Prokop <jprokop@redhat.com> - 4.0.1-33
 - Initial package.