diff --git a/backport-0001-CVE-2024-35221.patch b/backport-0001-CVE-2024-35221.patch
new file mode 100644
index 0000000000000000000000000000000000000000..82589f1e38fa5ab1567cba9fbf13fead3d3afeaf
--- /dev/null
+++ b/backport-0001-CVE-2024-35221.patch
@@ -0,0 +1,32 @@
+From c2812fb616a9a0f31bbc3906a8ec9bad9faec498 Mon Sep 17 00:00:00 2001
+From: Samuel Giddins
+Date: Wed, 7 Feb 2024 12:26:31 -0800
+Subject: [PATCH] [rubygems/rubygems] Control whether YAML aliases are enabled
+ in Gem::SafeYAML.safe_load via a constant
+
+https://github.com/rubygems/rubygems/commit/6bedb1cb79
+---
+ lib/rubygems/safe_yaml.rb | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
+index dba3cfb16d..4e1da3c14b 100644
+--- a/lib/rubygems/safe_yaml.rb
++++ b/lib/rubygems/safe_yaml.rb
+@@ -25,8 +25,11 @@ module SafeYAML
+ runtime
+ ].freeze
+
++ ALIASES = true # :nodoc:
++ private_constant :ALIASES
++
+ def self.safe_load(input)
+- ::Psych.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: true)
++ ::Psych.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: ALIASES)
+ end
+
+ def self.load(input)
+--
+2.33.0
+
+
diff --git a/backport-0002-CVE-2024-35221.patch b/backport-0002-CVE-2024-35221.patch
new file mode 100644
index 0000000000000000000000000000000000000000..21dd0a066330b7f9219c505e95fde964715fa008
--- /dev/null
+++ b/backport-0002-CVE-2024-35221.patch
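Review bot: After this hunk `Gem::SafeYAML.safe_load` still passes `aliases: true` unconditionally — the literal has only moved into the private constant `ALIASES`, and the 0002 and 0004 backports below turn it into a module-level switch whose default stays `true`. Nothing in this diff sets `Gem::SafeYAML.aliases_enabled = false`, so as backported every caller of `safe_load` keeps expanding aliases until some consumer opts out; whether the code path that loads gem metadata does so is not visible here and should be confirmed before the spec changelog calls this a fix. If the opt-out lives in a separate upstream commit it belongs in this patch set; if it is intentionally left to callers, the changelog entry should say the update only adds the switch. The enclosing `module SafeYAML` starts and ends outside the nested hunk.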
@@ -0,0 +1,36 @@
+From 5dcc7a03267216feaa587017ef5d6d075b62f75b Mon Sep 17 00:00:00 2001
+From: Samuel Giddins
+Date: Fri, 9 Feb 2024 10:15:40 -0800
+Subject: [PATCH] [rubygems/rubygems] Use a writer method on the module instead
+ of a constant
+
+https://github.com/rubygems/rubygems/commit/240d84eea3
+---
+ lib/rubygems/safe_yaml.rb | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
+index 4e1da3c14b..f668e652be 100644
+--- a/lib/rubygems/safe_yaml.rb
++++ b/lib/rubygems/safe_yaml.rb
+@@ -25,11 +25,13 @@ module SafeYAML
+ runtime
+ ].freeze
+
+- ALIASES = true # :nodoc:
+- private_constant :ALIASES
++ @aliases_enabled = true
++ def self.aliases_enabled=(value)
++ @aliases_enabled = !!value
++ end
+
+ def self.safe_load(input)
+- ::Psych.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: ALIASES)
++ ::Psych.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: @aliases_enabled)
+ end
+
+ def self.load(input)
+--
+2.33.0
+
+
diff --git a/backport-0003-CVE-2024-35221.patch b/backport-0003-CVE-2024-35221.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2edaac18130ebce2674a9388cda4e6e44506bc30
--- /dev/null
+++ b/backport-0003-CVE-2024-35221.patch
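Review bot: The module-level `@aliases_enabled` and the new `self.aliases_enabled=` writer carry no comment, yet they are process-wide state read by every subsequent `safe_load` call, so flipping the switch for one document changes loading for every other caller in the process. A one-line comment above the ivar would make that explicit, e.g. `# Process-wide switch; when false, safe_load rejects YAML aliases. Callers that flip it must restore the previous value.` The `!!value` coercion is what RuboCop's Style/DoubleNegation flags; `value ? true : false` reads more plainly and behaves identically. The enclosing `module SafeYAML` starts and ends outside the nested hunk.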
@@ -0,0 +1,44 @@
+From 466ed0e1ace6ebf069d444d666f0db3f9224a4b9 Mon Sep 17 00:00:00 2001
+From: Samuel Giddins
+Date: Sat, 10 Feb 2024 19:52:13 -0800
+Subject: [PATCH] [rubygems/rubygems] Add a test for safe yaml
+
+https://github.com/rubygems/rubygems/commit/148deade0a
+---
+ test/rubygems/test_gem_safe_yaml.rb | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+ create mode 100644 test/rubygems/test_gem_safe_yaml.rb
+
+diff --git a/test/rubygems/test_gem_safe_yaml.rb b/test/rubygems/test_gem_safe_yaml.rb
+new file mode 100644
+index 0000000000..4f7e400132
+--- /dev/null
++++ b/test/rubygems/test_gem_safe_yaml.rb
+@@ -0,0 +1,23 @@
++# frozen_string_literal: true
++
++require_relative "helper"
++
++Gem.load_yaml
++
++class TestGemSafeYAML < Gem::TestCase
++ def test_aliases_enabled_by_default
++ assert_predicate Gem::SafeYAML, :aliases_enabled?
++ assert_equal({ "a" => "a", "b" => "a" }, Gem::SafeYAML.safe_load("a: &a a\nb: *a\n"))
++ end
++
++ def test_aliases_disabled
++ aliases_enabled = Gem::SafeYAML.aliases_enabled?
++ Gem::SafeYAML.aliases_enabled = false
++ refute_predicate Gem::SafeYAML, :aliases_enabled?
++ assert_raise Psych::AliasesNotEnabled do
++ Gem::SafeYAML.safe_load("a: &a\nb: *a\n")
++ end
++ ensure
++ Gem::SafeYAML.aliases_enabled = aliases_enabled
++ end
++end
+--
+2.33.0
+
+
diff --git a/backport-0004-CVE-2024-35221.patch b/backport-0004-CVE-2024-35221.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3aab59c47ba583a1359065330e77babcd3ca997a
--- /dev/null
+++ b/backport-0004-CVE-2024-35221.patch
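Review bot: In `test_aliases_disabled` the `ensure` clause restores `aliases_enabled` unconditionally, so if the first statement `aliases_enabled = Gem::SafeYAML.aliases_enabled?` raises — and at this point in the series it does, because the `aliases_enabled?` reader is only added by the 0004 backport — the local is still `nil`, the writer coerces it to `false`, and alias loading stays disabled for every later test in the process. Guarding the restore avoids that: `Gem::SafeYAML.aliases_enabled = aliases_enabled unless aliases_enabled.nil?`. The two fixtures also differ (`a: &a a` versus `a: &a`); loading the same document in both tests would make them a direct positive/negative pair.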
@@ -0,0 +1,34 @@
+From 997470b7b697d267109571d81081453acc73a2f9 Mon Sep 17 00:00:00 2001
+From: Samuel Giddins
+Date: Wed, 14 Feb 2024 00:50:52 -0800
+Subject: [PATCH] [rubygems/rubygems] Commit missing new method
+
+https://github.com/rubygems/rubygems/commit/5265b4ce3d
+---
+ lib/rubygems/safe_yaml.rb | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
+index f668e652be..6a02a48230 100644
+--- a/lib/rubygems/safe_yaml.rb
++++ b/lib/rubygems/safe_yaml.rb
+@@ -26,10 +26,14 @@ module SafeYAML
+ ].freeze
+
+ @aliases_enabled = true
+- def self.aliases_enabled=(value)
++ def self.aliases_enabled=(value) # :nodoc:
+ @aliases_enabled = !!value
+ end
+
++ def self.aliases_enabled? # :nodoc:
++ @aliases_enabled
++ end
++
+ def self.safe_load(input)
+ ::Psych.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: @aliases_enabled)
+ end
+--
+2.33.0
+
+
diff --git a/backport-0005-CVE-2024-35221.patch b/backport-0005-CVE-2024-35221.patch
new file mode 100644
index 0000000000000000000000000000000000000000..aee19f12bacf729c89cc830dfe3582d86ace5354
--- /dev/null
+++ b/backport-0005-CVE-2024-35221.patch
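Review bot: `self.aliases_enabled?` is tagged `# :nodoc:` like the writer it pairs with, yet the test added by the 0003 backport calls both, so they are the de facto public way to turn alias expansion off; hiding them from RDoc without any comment leaves packagers and callers guessing whether the switch is supported. Keeping `:nodoc:` is fine, but a comment above the reader such as `# Whether safe_load currently expands YAML aliases; defaults to true and is changed only via aliases_enabled=.` would record the contract. The enclosing `module SafeYAML` starts and ends outside the nested hunk.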
@@ -0,0 +1,29 @@
+From 8bc51a393acfb5af4e446799e51f73e61b0cfc8e Mon Sep 17 00:00:00 2001
+From: Samuel Giddins
+Date: Tue, 20 Feb 2024 11:03:28 -0800
+Subject: [PATCH] [rubygems/rubygems] Check for correct exception on older
+ psych versions
+
+https://github.com/rubygems/rubygems/commit/52de6eccf5
+---
+ test/rubygems/test_gem_safe_yaml.rb | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/test/rubygems/test_gem_safe_yaml.rb b/test/rubygems/test_gem_safe_yaml.rb
+index 4f7e400132..02df9f97da 100644
+--- a/test/rubygems/test_gem_safe_yaml.rb
++++ b/test/rubygems/test_gem_safe_yaml.rb
+@@ -14,7 +14,8 @@ def test_aliases_disabled
+ aliases_enabled = Gem::SafeYAML.aliases_enabled?
+ Gem::SafeYAML.aliases_enabled = false
+ refute_predicate Gem::SafeYAML, :aliases_enabled?
+- assert_raise Psych::AliasesNotEnabled do
++ expected_error = defined?(Psych::AliasesNotEnabled) ? Psych::AliasesNotEnabled : Psych::BadAlias
++ assert_raise expected_error do
+ Gem::SafeYAML.safe_load("a: &a\nb: *a\n")
+ end
+ ensure
+--
+2.33.0
+
+
diff --git a/backport-rubygems-rubygems-Drop-to-support-Psych-3.0-bundled-.patch b/backport-rubygems-rubygems-Drop-to-support-Psych-3.0-bundled-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..82157da806751b74e89f497c8f7711a830a8ac06
--- /dev/null
+++ b/backport-rubygems-rubygems-Drop-to-support-Psych-3.0-bundled-.patch
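Review bot: The `defined?` ternary on the new `expected_error` line exists only because `assert_raise` matches the exact class; if `Psych::AliasesNotEnabled` is a subclass of `Psych::BadAlias` (it is in recent Psych releases — confirm for the Psych versions this package ships), `assert_raise_kind_of Psych::BadAlias do` covers old and new Psych in one line without the probe. Either form is acceptable, but whichever stays deserves a comment naming the Psych version that introduced `AliasesNotEnabled`, so the fallback can be dropped once that version is the floor. The enclosing `test_aliases_disabled` method starts and ends outside the nested hunk.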
@@ -0,0 +1,62 @@
+From 3926ad578c312ddd2ff5221b96ef077b9e24e612 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA
+Date: Thu, 9 Mar 2023 15:42:07 +0900
+Subject: [PATCH] [rubygems/rubygems] Drop to support Psych 3.0 bundled at Ruby
+ 2.5
+
+https://github.com/rubygems/rubygems/commit/a6650c2c96
+
+Reference:https://github.com/ruby/ruby/commit/3926ad578c312ddd2ff5221b96ef077b9e24e612
+Conflict:NA
+---
+ lib/rubygems/safe_yaml.rb | 32 +++++---------------------------
+ 1 file changed, 5 insertions(+), 27 deletions(-)
+
+diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
+index 5a98505..3a1ae3b 100644
+--- a/lib/rubygems/safe_yaml.rb
++++ b/lib/rubygems/safe_yaml.rb
+@@ -24,34 +24,12 @@ module Gem
+ runtime
+ ].freeze
+
+- if ::Psych.respond_to? :safe_load
+- def self.safe_load(input)
+- if Gem::Version.new(Psych::VERSION) >= Gem::Version.new("3.1.0.pre1")
+- ::Psych.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: true)
+- else
+- ::Psych.safe_load(input, PERMITTED_CLASSES, PERMITTED_SYMBOLS, true)
+- end
+- end
+-
+- def self.load(input)
+- if Gem::Version.new(Psych::VERSION) >= Gem::Version.new("3.1.0.pre1")
+- ::Psych.safe_load(input, permitted_classes: [::Symbol])
+- else
+- ::Psych.safe_load(input, [::Symbol])
+- end
+- end
+- else
+- unless Gem::Deprecate.skip
+- warn "Psych safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)."
+- end
+-
+- def self.safe_load(input, *args)
+- ::Psych.load input
+- end
++ def self.safe_load(input)
++ ::Psych.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: true)
++ end
+
+- def self.load(input)
+- ::Psych.load input
+- end
++ def self.load(input)
++ ::Psych.safe_load(input, permitted_classes: [::Symbol])
+ end
+ end
+ end
+--
+2.33.0
+
+
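Review bot: After this hunk `load` and `safe_load` differ silently in alias handling: `safe_load` passes `aliases: true`, while the new `load` calls `::Psych.safe_load(input, permitted_classes: [::Symbol])` and so inherits Psych's default for aliases (disabled, as far as I know — confirm against the Psych this package ships). A comment on `load`, e.g. `# Unlike safe_load, leaves aliases at Psych's default and permits only Symbol.`, would keep a later reader from "harmonising" the two. This backport is also the prerequisite for 0001, whose context lines are exactly this hunk's new `safe_load`, so the `Conflict:NA` trailer is consistent with the spec's patch order. The enclosing `module Gem` starts outside the nested hunk.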
diff --git a/ruby.spec b/ruby.spec index 6e44702fafc83f76d25774a76dffd751a35de565..ceb8527e5d5863d556547795138d60b4144b723f 100644 --- a/ruby.spec +++ b/ruby.spec @@ -33,7 +33,7 @@ Name: ruby Version: %{ruby_version} -Release: 140 +Release: 141 Summary: Object-oriented scripting language interpreter License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD URL: https://www.ruby-lang.org/en/ @@ -91,6 +91,12 @@ Patch6007: backport-CVE-2019-16163.patch Patch6015: backport-CVE-2023-36617.patch Patch6016: backport-CVE-2024-27281.patch Patch6017: backport-CVE-2024-27282.patch +Patch6018: backport-rubygems-rubygems-Drop-to-support-Psych-3.0-bundled-.patch +Patch6019: backport-0001-CVE-2024-35221.patch +Patch6020: backport-0002-CVE-2024-35221.patch +Patch6021: backport-0003-CVE-2024-35221.patch +Patch6022: backport-0004-CVE-2024-35221.patch +Patch6023: backport-0005-CVE-2024-35221.patch Provides: %{name}-libs = %{version}-%{release} Obsoletes: %{name}-libs < %{version}-%{release} @@ -876,6 +882,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13} %{gem_dir}/specifications/matrix-%{matrix_version}.gemspec %changelog +* Tue Jun 18 2024 shixuantong - 3.2.2-141 +- fix CVE-2024-35221 + * Mon May 6 2024 zhoupengcheng - 3.2.2-140 - fix CVE-2024-27282
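Review bot: The second hunk declares `Patch6018` through `Patch6023` but no matching `%patch` application lines appear in the diff, so whether the six patches are applied depends on the %prep section, which is outside this diff. If the spec applies patches with explicit `%patchNNNN -p1` lines rather than `%autosetup`/`%autopatch`, these would be declared but never applied and the `fix CVE-2024-35221` changelog entry would not hold; please confirm %prep, and if it is explicit add `%patch6018 -p1` through `%patch6023 -p1` in this same order. The order itself is right: 6018 (the Psych 3.0 drop) must precede 6019, whose context lines are that patch's output.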