4 files changed, 1 insertions, 423 deletions
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch b/meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch
deleted file mode 100644
index 83064e85ab..0000000000
--- a/meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From b1c73f239fe9af97de837331849f55d67c27561e Mon Sep 17 00:00:00 2001
-From: aycabta <aycabta@gmail.com>
-Date: Sun, 2 May 2021 20:52:23 +0900
-Subject: [PATCH] [ruby/rdoc] Use File.open to fix the OS Command Injection
- vulnerability in CVE-2021-31799
-https://github.com/ruby/rdoc/commit/a7f5d6ab88
-CVE: CVE-2021-31799
-Upstream-Status: Backport[https://github.com/ruby/ruby/commit/b1c73f239fe9af97de837331849f55d67c27561e]
-Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
---
- lib/rdoc/rdoc.rb            |  2 +-
- test/rdoc/test_rdoc_rdoc.rb | 12 ++++++++++++
- 2 files changed, 13 insertions(+), 1 deletion(-)
-diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb
-index 680a8612f7..904625f105 100644
--- a/lib/rdoc/rdoc.rb
-+++ b/lib/rdoc/rdoc.rb
-@@ -444,7 +444,7 @@ def remove_unparseable files
-     files.reject do |file, *|
-       file =~ /\.(?:class|eps|erb|scpt\.txt|svg|ttf|yml)$/i or
-         (file =~ /tags$/i and
-         open(file, 'rb') { |io|
-+         File.open(file, 'rb') { |io|
-            io.read(100) =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/
-          })
-     end
-diff --git a/test/rdoc/test_rdoc_rdoc.rb b/test/rdoc/test_rdoc_rdoc.rb
-index 3910dd4656..a83d5a1b88 100644
--- a/test/rdoc/test_rdoc_rdoc.rb
-+++ b/test/rdoc/test_rdoc_rdoc.rb
-@@ -456,6 +456,18 @@ def test_remove_unparseable_tags_vim
-     end
-   end
- 
-+  def test_remove_unparseable_CVE_2021_31799
-+    temp_dir do
-+      file_list = ['| touch evil.txt && echo tags']
-+      file_list.each do |f|
-+        FileUtils.touch f
-+      end
-+
-+      assert_equal file_list, @rdoc.remove_unparseable(file_list)
-+      assert_equal file_list, Dir.children('.')
-+    end
-+  end
-+
-   def test_setup_output_dir
-     Dir.mktmpdir {|d|
-       path = File.join d, 'testdir'
-- 
-2.17.1
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2021-31810.patch b/meta/recipes-devtools/ruby/ruby/CVE-2021-31810.patch
deleted file mode 100644
index 69d774e0b7..0000000000
--- a/meta/recipes-devtools/ruby/ruby/CVE-2021-31810.patch
+++ /dev/null
@@ -1,258 +0,0 @@
-From 8cebc092cd18f4cfb669f66018ea8ffc6f408584 Mon Sep 17 00:00:00 2001
-From: Yusuke Endoh <mame@ruby-lang.org>
-Date: Wed, 7 Jul 2021 11:57:15 +0900
-Subject: [PATCH] Ignore IP addresses in PASV responses by default, and add new
- option use_pasv_ip
-This fixes CVE-2021-31810.
-Reported by Alexandr Savca.
-Co-authored-by: Shugo Maeda <shugo@ruby-lang.org>
-CVE: CVE-2021-31810
-Upstream-Status: Backport
-[https://github.com/ruby/ruby/commit/bf4d05173c7cf04d8892e4b64508ecf7902717cd]
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- lib/net/ftp.rb           |  15 +++-
- test/net/ftp/test_ftp.rb | 159 ++++++++++++++++++++++++++++++++++++++-
- 2 files changed, 170 insertions(+), 4 deletions(-)
-diff --git a/lib/net/ftp.rb b/lib/net/ftp.rb
-index 88e8655..d6f5cc3 100644
--- a/lib/net/ftp.rb
-+++ b/lib/net/ftp.rb
-@@ -98,6 +98,10 @@ module Net
-     # When +true+, the connection is in passive mode.  Default: +true+.
-     attr_accessor :passive
- 
-+    # When +true+, use the IP address in PASV responses.  Otherwise, it uses
-+    # the same IP address for the control connection.  Default: +false+.
-+    attr_accessor :use_pasv_ip
-+
-     # When +true+, all traffic to and from the server is written
-     # to +$stdout+.  Default: +false+.
-     attr_accessor :debug_mode
-@@ -206,6 +210,9 @@ module Net
-     #                          handshake.
-     #                          See Net::FTP#ssl_handshake_timeout for
-     #                          details.  Default: +nil+.
-+    # use_pasv_ip::  When +true+, use the IP address in PASV responses.
-+    #                Otherwise, it uses the same IP address for the control
-+    #                connection.  Default: +false+.
-     # debug_mode::  When +true+, all traffic to and from the server is
-     #               written to +$stdout+.  Default: +false+.
-     #
-@@ -266,6 +273,7 @@ module Net
-       @open_timeout = options[:open_timeout]
-       @ssl_handshake_timeout = options[:ssl_handshake_timeout]
-       @read_timeout = options[:read_timeout] || 60
-+      @use_pasv_ip = options[:use_pasv_ip] || false
-       if host
-         connect(host, options[:port] || FTP_PORT)
-         if options[:username]
-@@ -1371,7 +1379,12 @@ module Net
-         raise FTPReplyError, resp
-       end
-       if m = /\((?<host>\d+(?:,\d+){3}),(?<port>\d+,\d+)\)/.match(resp)
-        return parse_pasv_ipv4_host(m["host"]), parse_pasv_port(m["port"])
-+        if @use_pasv_ip
-+          host = parse_pasv_ipv4_host(m["host"])
-+        else
-+          host = @bare_sock.remote_address.ip_address
-+        end
-+        return host, parse_pasv_port(m["port"])
-       else
-         raise FTPProtoError, resp
-       end
-diff --git a/test/net/ftp/test_ftp.rb b/test/net/ftp/test_ftp.rb
-index 023e794..243d4ad 100644
--- a/test/net/ftp/test_ftp.rb
-+++ b/test/net/ftp/test_ftp.rb
-@@ -61,7 +61,7 @@ class FTPTest < Test::Unit::TestCase
-   end
- 
-   def test_parse227
-    ftp = Net::FTP.new
-+    ftp = Net::FTP.new(nil, use_pasv_ip: true)
-     host, port = ftp.send(:parse227, "227 Entering Passive Mode (192,168,0,1,12,34)")
-     assert_equal("192.168.0.1", host)
-     assert_equal(3106, port)
-@@ -80,6 +80,14 @@ class FTPTest < Test::Unit::TestCase
-     assert_raise(Net::FTPProtoError) do
-       ftp.send(:parse227, "227 ) foo bar (")
-     end
-+
-+    ftp = Net::FTP.new
-+    sock = OpenStruct.new
-+    sock.remote_address = OpenStruct.new
-+    sock.remote_address.ip_address = "10.0.0.1"
-+    ftp.instance_variable_set(:@bare_sock, sock)
-+    host, port = ftp.send(:parse227, "227 Entering Passive Mode (192,168,0,1,12,34)")
-+    assert_equal("10.0.0.1", host)
-   end
- 
-   def test_parse228
-@@ -2474,10 +2482,155 @@ EOF
-     end
-   end
- 
-+  def test_ignore_pasv_ip
-+    commands = []
-+    binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3
-+    server = create_ftp_server(nil, "127.0.0.1") { |sock|
-+      sock.print("220 (test_ftp).\r\n")
-+      commands.push(sock.gets)
-+      sock.print("331 Please specify the password.\r\n")
-+      commands.push(sock.gets)
-+      sock.print("230 Login successful.\r\n")
-+      commands.push(sock.gets)
-+      sock.print("200 Switching to Binary mode.\r\n")
-+      line = sock.gets
-+      commands.push(line)
-+      data_server = TCPServer.new("127.0.0.1", 0)
-+      port = data_server.local_address.ip_port
-+      sock.printf("227 Entering Passive Mode (999,0,0,1,%s).\r\n",
-+                  port.divmod(256).join(","))
-+      commands.push(sock.gets)
-+      sock.print("150 Opening BINARY mode data connection for foo (#{binary_data.size} bytes)\r\n")
-+      conn = data_server.accept
-+      binary_data.scan(/.{1,1024}/nm) do |s|
-+        conn.print(s)
-+      end
-+      conn.shutdown(Socket::SHUT_WR)
-+      conn.read
-+      conn.close
-+      data_server.close
-+      sock.print("226 Transfer complete.\r\n")
-+    }
-+    begin
-+      begin
-+        ftp = Net::FTP.new
-+        ftp.passive = true
-+        ftp.read_timeout *= 5 if defined?(RubyVM::MJIT) && RubyVM::MJIT.enabled? # for --jit-wait
-+        ftp.connect("127.0.0.1", server.port)
-+        ftp.login
-+        assert_match(/\AUSER /, commands.shift)
-+        assert_match(/\APASS /, commands.shift)
-+        assert_equal("TYPE I\r\n", commands.shift)
-+        buf = ftp.getbinaryfile("foo", nil)
-+        assert_equal(binary_data, buf)
-+        assert_equal(Encoding::ASCII_8BIT, buf.encoding)
-+        assert_equal("PASV\r\n", commands.shift)
-+        assert_equal("RETR foo\r\n", commands.shift)
-+        assert_equal(nil, commands.shift)
-+      ensure
-+        ftp.close if ftp
-+      end
-+    ensure
-+      server.close
-+    end
-+  end
-+
-+  def test_use_pasv_ip
-+    commands = []
-+    binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3
-+    server = create_ftp_server(nil, "127.0.0.1") { |sock|
-+      sock.print("220 (test_ftp).\r\n")
-+      commands.push(sock.gets)
-+      sock.print("331 Please specify the password.\r\n")
-+      commands.push(sock.gets)
-+      sock.print("230 Login successful.\r\n")
-+      commands.push(sock.gets)
-+      sock.print("200 Switching to Binary mode.\r\n")
-+      line = sock.gets
-+      commands.push(line)
-+      data_server = TCPServer.new("127.0.0.1", 0)
-+      port = data_server.local_address.ip_port
-+      sock.printf("227 Entering Passive Mode (127,0,0,1,%s).\r\n",
-+                  port.divmod(256).join(","))
-+      commands.push(sock.gets)
-+      sock.print("150 Opening BINARY mode data connection for foo (#{binary_data.size} bytes)\r\n")
-+      conn = data_server.accept
-+      binary_data.scan(/.{1,1024}/nm) do |s|
-+        conn.print(s)
-+      end
-+      conn.shutdown(Socket::SHUT_WR)
-+      conn.read
-+      conn.close
-+      data_server.close
-+      sock.print("226 Transfer complete.\r\n")
-+    }
-+    begin
-+      begin
-+        ftp = Net::FTP.new
-+        ftp.passive = true
-+        ftp.use_pasv_ip = true
-+        ftp.read_timeout *= 5 if defined?(RubyVM::MJIT) && RubyVM::MJIT.enabled? # for --jit-wait
-+        ftp.connect("127.0.0.1", server.port)
-+        ftp.login
-+        assert_match(/\AUSER /, commands.shift)
-+        assert_match(/\APASS /, commands.shift)
-+        assert_equal("TYPE I\r\n", commands.shift)
-+        buf = ftp.getbinaryfile("foo", nil)
-+        assert_equal(binary_data, buf)
-+        assert_equal(Encoding::ASCII_8BIT, buf.encoding)
-+        assert_equal("PASV\r\n", commands.shift)
-+        assert_equal("RETR foo\r\n", commands.shift)
-+        assert_equal(nil, commands.shift)
-+      ensure
-+        ftp.close if ftp
-+      end
-+    ensure
-+      server.close
-+    end
-+  end
-+
-+  def test_use_pasv_invalid_ip
-+    commands = []
-+    binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3
-+    server = create_ftp_server(nil, "127.0.0.1") { |sock|
-+      sock.print("220 (test_ftp).\r\n")
-+      commands.push(sock.gets)
-+      sock.print("331 Please specify the password.\r\n")
-+      commands.push(sock.gets)
-+      sock.print("230 Login successful.\r\n")
-+      commands.push(sock.gets)
-+      sock.print("200 Switching to Binary mode.\r\n")
-+      line = sock.gets
-+      commands.push(line)
-+      sock.print("227 Entering Passive Mode (999,0,0,1,48,57).\r\n")
-+      commands.push(sock.gets)
-+    }
-+    begin
-+      begin
-+        ftp = Net::FTP.new
-+        ftp.passive = true
-+        ftp.use_pasv_ip = true
-+        ftp.read_timeout *= 5 if defined?(RubyVM::MJIT) && RubyVM::MJIT.enabled? # for --jit-wait
-+        ftp.connect("127.0.0.1", server.port)
-+        ftp.login
-+        assert_match(/\AUSER /, commands.shift)
-+        assert_match(/\APASS /, commands.shift)
-+        assert_equal("TYPE I\r\n", commands.shift)
-+        assert_raise(SocketError) do
-+          ftp.getbinaryfile("foo", nil)
-+        end
-+      ensure
-+        ftp.close if ftp
-+      end
-+    ensure
-+      server.close
-+    end
-+  end
-+
-   private
- 
-  def create_ftp_server(sleep_time = nil)
-    server = TCPServer.new(SERVER_ADDR, 0)
-+  def create_ftp_server(sleep_time = nil, addr = SERVER_ADDR)
-+    server = TCPServer.new(addr, 0)
-     @thread = Thread.start do
-       if sleep_time
-         sleep(sleep_time)
-- 
-2.17.1
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2021-32066.patch b/meta/recipes-devtools/ruby/ruby/CVE-2021-32066.patch
deleted file mode 100644
index b78a74a4b5..0000000000
--- a/meta/recipes-devtools/ruby/ruby/CVE-2021-32066.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From e2ac25d0eb66de99f098d6669cf4f06796aa6256 Mon Sep 17 00:00:00 2001
-From: Shugo Maeda <shugo@ruby-lang.org>
-Date: Tue, 11 May 2021 10:31:27 +0900
-Subject: [PATCH] Fix StartTLS stripping vulnerability
-This fixes CVE-2021-32066.
-Reported by Alexandr Savca in <https://hackerone.com/reports/1178562>.
-CVE: CVE-2021-32066
-Upstream-Status: Backport
-[https://github.com/ruby/ruby/commit/e2ac25d0eb66de99f098d6669cf4f06796aa6256]
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- lib/net/imap.rb            |  8 +++++++-
- test/net/imap/test_imap.rb | 31 +++++++++++++++++++++++++++++++
- 2 files changed, 38 insertions(+), 1 deletion(-)
-diff --git a/lib/net/imap.rb b/lib/net/imap.rb
-index 505b4c8950..d45304f289 100644
--- a/lib/net/imap.rb
-+++ b/lib/net/imap.rb
-@@ -1218,12 +1218,14 @@ def get_tagged_response(tag, cmd)
-       end
-       resp = @tagged_responses.delete(tag)
-       case resp.name
-+      when /\A(?:OK)\z/ni
-+        return resp
-       when /\A(?:NO)\z/ni
-         raise NoResponseError, resp
-       when /\A(?:BAD)\z/ni
-         raise BadResponseError, resp
-       else
-        return resp
-+        raise UnknownResponseError, resp
-       end
-     end
- 
-@@ -3719,6 +3721,10 @@ class BadResponseError < ResponseError
-     class ByeResponseError < ResponseError
-     end
- 
-+    # Error raised upon an unknown response from the server.
-+    class UnknownResponseError < ResponseError
-+    end
-+
-     RESPONSE_ERRORS = Hash.new(ResponseError)
-     RESPONSE_ERRORS["NO"] = NoResponseError
-     RESPONSE_ERRORS["BAD"] = BadResponseError
-diff --git a/test/net/imap/test_imap.rb b/test/net/imap/test_imap.rb
-index 8b924b524e..85fb71d440 100644
--- a/test/net/imap/test_imap.rb
-+++ b/test/net/imap/test_imap.rb
-@@ -127,6 +127,16 @@ def test_starttls
-         imap.disconnect
-       end
-     end
-+
-+    def test_starttls_stripping
-+      starttls_stripping_test do |port|
-+        imap = Net::IMAP.new("localhost", :port => port)
-+        assert_raise(Net::IMAP::UnknownResponseError) do
-+          imap.starttls(:ca_file => CA_FILE)
-+        end
-+        imap
-+      end
-+    end
-   end
- 
-   def start_server
-@@ -834,6 +844,27 @@ def starttls_test
-     end
-   end
- 
-+  def starttls_stripping_test
-+    server = create_tcp_server
-+    port = server.addr[1]
-+    start_server do
-+      sock = server.accept
-+      begin
-+        sock.print("* OK test server\r\n")
-+        sock.gets
-+        sock.print("RUBY0001 BUG unhandled command\r\n")
-+      ensure
-+        sock.close
-+        server.close
-+      end
-+    end
-+    begin
-+      imap = yield(port)
-+    ensure
-+      imap.disconnect if imap && !imap.disconnected?
-+    end
-+  end
-+
-   def create_tcp_server
-     return TCPServer.new(server_addr, 0)
-   end
-- 
-2.25.1
diff --git a/meta/recipes-devtools/ruby/ruby_3.0.1.bb b/meta/recipes-devtools/ruby/ruby_3.0.3.bb
index a348946972..a781f69534 100644
--- a/meta/recipes-devtools/ruby/ruby_3.0.1.bb
+++ b/meta/recipes-devtools/ruby/ruby_3.0.3.bb
@@ -6,16 +6,13 @@ SRC_URI += " \
           file://remove_has_include_macros.patch \
           file://run-ptest \
           file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \
-           file://CVE-2021-31810.patch \
-           file://CVE-2021-32066.patch \
-           file://CVE-2021-31799.patch \
           file://0003-rdoc-build-reproducible-documentation.patch \
           file://0004-lib-mkmf.rb-sort-list-of-object-files-in-generated-M.patch \
           file://0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch \
           file://0006-Make-gemspecs-reproducible.patch \
           "
-SRC_URI[sha256sum] = "369825db2199f6aeef16b408df6a04ebaddb664fb9af0ec8c686b0ce7ab77727"
+SRC_URI[sha256sum] = "3586861cb2df56970287f0fd83f274bd92058872d830d15570b36def7f1a92ac"
 PACKAGECONFIG ??= ""
 PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
@@ -81,8 +78,6 @@ do_install_ptest () {
        -i ${D}${PTEST_PATH}/test/erb/test_erb_command.rb
    cp -r ${S}/include ${D}/${libdir}/ruby/
-    test_case_rb=`grep rubygems/test_case.rb ${B}/.installed.list`
-    sed -i -e 's:../../../test/:../../../ptest/test/:g' ${D}/$test_case_rb
 }
 PACKAGES =+ "${PN}-ri-docs ${PN}-rdoc"

diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch b/meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch deleted file mode 100644 index 83064e85ab..0000000000 --- a/meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch +++ /dev/null
@@ -1,57 +0,0 @@
1	From b1c73f239fe9af97de837331849f55d67c27561e Mon Sep 17 00:00:00 2001
2	From: aycabta <aycabta@gmail.com>
3	Date: Sun, 2 May 2021 20:52:23 +0900
4	Subject: [PATCH] [ruby/rdoc] Use File.open to fix the OS Command Injection
5	vulnerability in CVE-2021-31799
6
7	https://github.com/ruby/rdoc/commit/a7f5d6ab88
8
9	CVE: CVE-2021-31799
10
11	Upstream-Status: Backport[https://github.com/ruby/ruby/commit/b1c73f239fe9af97de837331849f55d67c27561e]
12
13	Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
14	---
15	lib/rdoc/rdoc.rb \| 2 +-
16	test/rdoc/test_rdoc_rdoc.rb \| 12 ++++++++++++
17	2 files changed, 13 insertions(+), 1 deletion(-)
18
19	diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb
20	index 680a8612f7..904625f105 100644
21	--- a/lib/rdoc/rdoc.rb
22	+++ b/lib/rdoc/rdoc.rb
23	@@ -444,7 +444,7 @@ def remove_unparseable files
24	files.reject do \|file, *\|
25	file =~ /\.(?:class\|eps\|erb\|scpt\.txt\|svg\|ttf\|yml)$/i or
26	(file =~ /tags$/i and
27	- open(file, 'rb') { \|io\|
28	+ File.open(file, 'rb') { \|io\|
29	io.read(100) =~ /\A(\f\n[^,]+,\d+$\|!_TAG_)/
30	})
31	end
32	diff --git a/test/rdoc/test_rdoc_rdoc.rb b/test/rdoc/test_rdoc_rdoc.rb
33	index 3910dd4656..a83d5a1b88 100644
34	--- a/test/rdoc/test_rdoc_rdoc.rb
35	+++ b/test/rdoc/test_rdoc_rdoc.rb
36	@@ -456,6 +456,18 @@ def test_remove_unparseable_tags_vim
37	end
38	end
39
40	+ def test_remove_unparseable_CVE_2021_31799
41	+ temp_dir do
42	+ file_list = ['\| touch evil.txt && echo tags']
43	+ file_list.each do \|f\|
44	+ FileUtils.touch f
45	+ end
46	+
47	+ assert_equal file_list, @rdoc.remove_unparseable(file_list)
48	+ assert_equal file_list, Dir.children('.')
49	+ end
50	+ end
51	+
52	def test_setup_output_dir
53	Dir.mktmpdir {\|d\|
54	path = File.join d, 'testdir'
55	--
56	2.17.1
57


diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2021-31810.patch b/meta/recipes-devtools/ruby/ruby/CVE-2021-31810.patch deleted file mode 100644 index 69d774e0b7..0000000000 --- a/meta/recipes-devtools/ruby/ruby/CVE-2021-31810.patch +++ /dev/null
@@ -1,258 +0,0 @@
1	From 8cebc092cd18f4cfb669f66018ea8ffc6f408584 Mon Sep 17 00:00:00 2001
2	From: Yusuke Endoh <mame@ruby-lang.org>
3	Date: Wed, 7 Jul 2021 11:57:15 +0900
4	Subject: [PATCH] Ignore IP addresses in PASV responses by default, and add new
5	option use_pasv_ip
6
7	This fixes CVE-2021-31810.
8	Reported by Alexandr Savca.
9
10	Co-authored-by: Shugo Maeda <shugo@ruby-lang.org>
11
12	CVE: CVE-2021-31810
13
14	Upstream-Status: Backport
15	[https://github.com/ruby/ruby/commit/bf4d05173c7cf04d8892e4b64508ecf7902717cd]
16
17	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
18	---
19	lib/net/ftp.rb \| 15 +++-
20	test/net/ftp/test_ftp.rb \| 159 ++++++++++++++++++++++++++++++++++++++-
21	2 files changed, 170 insertions(+), 4 deletions(-)
22
23	diff --git a/lib/net/ftp.rb b/lib/net/ftp.rb
24	index 88e8655..d6f5cc3 100644
25	--- a/lib/net/ftp.rb
26	+++ b/lib/net/ftp.rb
27	@@ -98,6 +98,10 @@ module Net
28	# When +true+, the connection is in passive mode. Default: +true+.
29	attr_accessor :passive
30
31	+ # When +true+, use the IP address in PASV responses. Otherwise, it uses
32	+ # the same IP address for the control connection. Default: +false+.
33	+ attr_accessor :use_pasv_ip
34	+
35	# When +true+, all traffic to and from the server is written
36	# to +$stdout+. Default: +false+.
37	attr_accessor :debug_mode
38	@@ -206,6 +210,9 @@ module Net
39	# handshake.
40	# See Net::FTP#ssl_handshake_timeout for
41	# details. Default: +nil+.
42	+ # use_pasv_ip:: When +true+, use the IP address in PASV responses.
43	+ # Otherwise, it uses the same IP address for the control
44	+ # connection. Default: +false+.
45	# debug_mode:: When +true+, all traffic to and from the server is
46	# written to +$stdout+. Default: +false+.
47	#
48	@@ -266,6 +273,7 @@ module Net
49	@open_timeout = options[:open_timeout]
50	@ssl_handshake_timeout = options[:ssl_handshake_timeout]
51	@read_timeout = options[:read_timeout] \|\| 60
52	+ @use_pasv_ip = options[:use_pasv_ip] \|\| false
53	if host
54	connect(host, options[:port] \|\| FTP_PORT)
55	if options[:username]
56	@@ -1371,7 +1379,12 @@ module Net
57	raise FTPReplyError, resp
58	end
59	if m = /\((?<host>\d+(?:,\d+){3}),(?<port>\d+,\d+)\)/.match(resp)
60	- return parse_pasv_ipv4_host(m["host"]), parse_pasv_port(m["port"])
61	+ if @use_pasv_ip
62	+ host = parse_pasv_ipv4_host(m["host"])
63	+ else
64	+ host = @bare_sock.remote_address.ip_address
65	+ end
66	+ return host, parse_pasv_port(m["port"])
67	else
68	raise FTPProtoError, resp
69	end
70	diff --git a/test/net/ftp/test_ftp.rb b/test/net/ftp/test_ftp.rb
71	index 023e794..243d4ad 100644
72	--- a/test/net/ftp/test_ftp.rb
73	+++ b/test/net/ftp/test_ftp.rb
74	@@ -61,7 +61,7 @@ class FTPTest < Test::Unit::TestCase
75	end
76
77	def test_parse227
78	- ftp = Net::FTP.new
79	+ ftp = Net::FTP.new(nil, use_pasv_ip: true)
80	host, port = ftp.send(:parse227, "227 Entering Passive Mode (192,168,0,1,12,34)")
81	assert_equal("192.168.0.1", host)
82	assert_equal(3106, port)
83	@@ -80,6 +80,14 @@ class FTPTest < Test::Unit::TestCase
84	assert_raise(Net::FTPProtoError) do
85	ftp.send(:parse227, "227 ) foo bar (")
86	end
87	+
88	+ ftp = Net::FTP.new
89	+ sock = OpenStruct.new
90	+ sock.remote_address = OpenStruct.new
91	+ sock.remote_address.ip_address = "10.0.0.1"
92	+ ftp.instance_variable_set(:@bare_sock, sock)
93	+ host, port = ftp.send(:parse227, "227 Entering Passive Mode (192,168,0,1,12,34)")
94	+ assert_equal("10.0.0.1", host)
95	end
96
97	def test_parse228
98	@@ -2474,10 +2482,155 @@ EOF
99	end
100	end
101
102	+ def test_ignore_pasv_ip
103	+ commands = []
104	+ binary_data = (0..0xff).map {\|i\| i.chr}.join * 4 * 3
105	+ server = create_ftp_server(nil, "127.0.0.1") { \|sock\|
106	+ sock.print("220 (test_ftp).\r\n")
107	+ commands.push(sock.gets)
108	+ sock.print("331 Please specify the password.\r\n")
109	+ commands.push(sock.gets)
110	+ sock.print("230 Login successful.\r\n")
111	+ commands.push(sock.gets)
112	+ sock.print("200 Switching to Binary mode.\r\n")
113	+ line = sock.gets
114	+ commands.push(line)
115	+ data_server = TCPServer.new("127.0.0.1", 0)
116	+ port = data_server.local_address.ip_port
117	+ sock.printf("227 Entering Passive Mode (999,0,0,1,%s).\r\n",
118	+ port.divmod(256).join(","))
119	+ commands.push(sock.gets)
120	+ sock.print("150 Opening BINARY mode data connection for foo (#{binary_data.size} bytes)\r\n")
121	+ conn = data_server.accept
122	+ binary_data.scan(/.{1,1024}/nm) do \|s\|
123	+ conn.print(s)
124	+ end
125	+ conn.shutdown(Socket::SHUT_WR)
126	+ conn.read
127	+ conn.close
128	+ data_server.close
129	+ sock.print("226 Transfer complete.\r\n")
130	+ }
131	+ begin
132	+ begin
133	+ ftp = Net::FTP.new
134	+ ftp.passive = true
135	+ ftp.read_timeout *= 5 if defined?(RubyVM::MJIT) && RubyVM::MJIT.enabled? # for --jit-wait
136	+ ftp.connect("127.0.0.1", server.port)
137	+ ftp.login
138	+ assert_match(/\AUSER /, commands.shift)
139	+ assert_match(/\APASS /, commands.shift)
140	+ assert_equal("TYPE I\r\n", commands.shift)
141	+ buf = ftp.getbinaryfile("foo", nil)
142	+ assert_equal(binary_data, buf)
143	+ assert_equal(Encoding::ASCII_8BIT, buf.encoding)
144	+ assert_equal("PASV\r\n", commands.shift)
145	+ assert_equal("RETR foo\r\n", commands.shift)
146	+ assert_equal(nil, commands.shift)
147	+ ensure
148	+ ftp.close if ftp
149	+ end
150	+ ensure
151	+ server.close
152	+ end
153	+ end
154	+
155	+ def test_use_pasv_ip
156	+ commands = []
157	+ binary_data = (0..0xff).map {\|i\| i.chr}.join * 4 * 3
158	+ server = create_ftp_server(nil, "127.0.0.1") { \|sock\|
159	+ sock.print("220 (test_ftp).\r\n")
160	+ commands.push(sock.gets)
161	+ sock.print("331 Please specify the password.\r\n")
162	+ commands.push(sock.gets)
163	+ sock.print("230 Login successful.\r\n")
164	+ commands.push(sock.gets)
165	+ sock.print("200 Switching to Binary mode.\r\n")
166	+ line = sock.gets
167	+ commands.push(line)
168	+ data_server = TCPServer.new("127.0.0.1", 0)
169	+ port = data_server.local_address.ip_port
170	+ sock.printf("227 Entering Passive Mode (127,0,0,1,%s).\r\n",
171	+ port.divmod(256).join(","))
172	+ commands.push(sock.gets)
173	+ sock.print("150 Opening BINARY mode data connection for foo (#{binary_data.size} bytes)\r\n")
174	+ conn = data_server.accept
175	+ binary_data.scan(/.{1,1024}/nm) do \|s\|
176	+ conn.print(s)
177	+ end
178	+ conn.shutdown(Socket::SHUT_WR)
179	+ conn.read
180	+ conn.close
181	+ data_server.close
182	+ sock.print("226 Transfer complete.\r\n")
183	+ }
184	+ begin
185	+ begin
186	+ ftp = Net::FTP.new
187	+ ftp.passive = true
188	+ ftp.use_pasv_ip = true
189	+ ftp.read_timeout *= 5 if defined?(RubyVM::MJIT) && RubyVM::MJIT.enabled? # for --jit-wait
190	+ ftp.connect("127.0.0.1", server.port)
191	+ ftp.login
192	+ assert_match(/\AUSER /, commands.shift)
193	+ assert_match(/\APASS /, commands.shift)
194	+ assert_equal("TYPE I\r\n", commands.shift)
195	+ buf = ftp.getbinaryfile("foo", nil)
196	+ assert_equal(binary_data, buf)
197	+ assert_equal(Encoding::ASCII_8BIT, buf.encoding)
198	+ assert_equal("PASV\r\n", commands.shift)
199	+ assert_equal("RETR foo\r\n", commands.shift)
200	+ assert_equal(nil, commands.shift)
201	+ ensure
202	+ ftp.close if ftp
203	+ end
204	+ ensure
205	+ server.close
206	+ end
207	+ end
208	+
209	+ def test_use_pasv_invalid_ip
210	+ commands = []
211	+ binary_data = (0..0xff).map {\|i\| i.chr}.join * 4 * 3
212	+ server = create_ftp_server(nil, "127.0.0.1") { \|sock\|
213	+ sock.print("220 (test_ftp).\r\n")
214	+ commands.push(sock.gets)
215	+ sock.print("331 Please specify the password.\r\n")
216	+ commands.push(sock.gets)
217	+ sock.print("230 Login successful.\r\n")
218	+ commands.push(sock.gets)
219	+ sock.print("200 Switching to Binary mode.\r\n")
220	+ line = sock.gets
221	+ commands.push(line)
222	+ sock.print("227 Entering Passive Mode (999,0,0,1,48,57).\r\n")
223	+ commands.push(sock.gets)
224	+ }
225	+ begin
226	+ begin
227	+ ftp = Net::FTP.new
228	+ ftp.passive = true
229	+ ftp.use_pasv_ip = true
230	+ ftp.read_timeout *= 5 if defined?(RubyVM::MJIT) && RubyVM::MJIT.enabled? # for --jit-wait
231	+ ftp.connect("127.0.0.1", server.port)
232	+ ftp.login
233	+ assert_match(/\AUSER /, commands.shift)
234	+ assert_match(/\APASS /, commands.shift)
235	+ assert_equal("TYPE I\r\n", commands.shift)
236	+ assert_raise(SocketError) do
237	+ ftp.getbinaryfile("foo", nil)
238	+ end
239	+ ensure
240	+ ftp.close if ftp
241	+ end
242	+ ensure
243	+ server.close
244	+ end
245	+ end
246	+
247	private
248
249	- def create_ftp_server(sleep_time = nil)
250	- server = TCPServer.new(SERVER_ADDR, 0)
251	+ def create_ftp_server(sleep_time = nil, addr = SERVER_ADDR)
252	+ server = TCPServer.new(addr, 0)
253	@thread = Thread.start do
254	if sleep_time
255	sleep(sleep_time)
256	--
257	2.17.1
258


diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2021-32066.patch b/meta/recipes-devtools/ruby/ruby/CVE-2021-32066.patch deleted file mode 100644 index b78a74a4b5..0000000000 --- a/meta/recipes-devtools/ruby/ruby/CVE-2021-32066.patch +++ /dev/null
@@ -1,102 +0,0 @@
1	From e2ac25d0eb66de99f098d6669cf4f06796aa6256 Mon Sep 17 00:00:00 2001
2	From: Shugo Maeda <shugo@ruby-lang.org>
3	Date: Tue, 11 May 2021 10:31:27 +0900
4	Subject: [PATCH] Fix StartTLS stripping vulnerability
5
6	This fixes CVE-2021-32066.
7	Reported by Alexandr Savca in <https://hackerone.com/reports/1178562>.
8
9	CVE: CVE-2021-32066
10
11	Upstream-Status: Backport
12	[https://github.com/ruby/ruby/commit/e2ac25d0eb66de99f098d6669cf4f06796aa6256]
13
14	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
15	---
16	lib/net/imap.rb \| 8 +++++++-
17	test/net/imap/test_imap.rb \| 31 +++++++++++++++++++++++++++++++
18	2 files changed, 38 insertions(+), 1 deletion(-)
19
20	diff --git a/lib/net/imap.rb b/lib/net/imap.rb
21	index 505b4c8950..d45304f289 100644
22	--- a/lib/net/imap.rb
23	+++ b/lib/net/imap.rb
24	@@ -1218,12 +1218,14 @@ def get_tagged_response(tag, cmd)
25	end
26	resp = @tagged_responses.delete(tag)
27	case resp.name
28	+ when /\A(?:OK)\z/ni
29	+ return resp
30	when /\A(?:NO)\z/ni
31	raise NoResponseError, resp
32	when /\A(?:BAD)\z/ni
33	raise BadResponseError, resp
34	else
35	- return resp
36	+ raise UnknownResponseError, resp
37	end
38	end
39
40	@@ -3719,6 +3721,10 @@ class BadResponseError < ResponseError
41	class ByeResponseError < ResponseError
42	end
43
44	+ # Error raised upon an unknown response from the server.
45	+ class UnknownResponseError < ResponseError
46	+ end
47	+
48	RESPONSE_ERRORS = Hash.new(ResponseError)
49	RESPONSE_ERRORS["NO"] = NoResponseError
50	RESPONSE_ERRORS["BAD"] = BadResponseError
51	diff --git a/test/net/imap/test_imap.rb b/test/net/imap/test_imap.rb
52	index 8b924b524e..85fb71d440 100644
53	--- a/test/net/imap/test_imap.rb
54	+++ b/test/net/imap/test_imap.rb
55	@@ -127,6 +127,16 @@ def test_starttls
56	imap.disconnect
57	end
58	end
59	+
60	+ def test_starttls_stripping
61	+ starttls_stripping_test do \|port\|
62	+ imap = Net::IMAP.new("localhost", :port => port)
63	+ assert_raise(Net::IMAP::UnknownResponseError) do
64	+ imap.starttls(:ca_file => CA_FILE)
65	+ end
66	+ imap
67	+ end
68	+ end
69	end
70
71	def start_server
72	@@ -834,6 +844,27 @@ def starttls_test
73	end
74	end
75
76	+ def starttls_stripping_test
77	+ server = create_tcp_server
78	+ port = server.addr[1]
79	+ start_server do
80	+ sock = server.accept
81	+ begin
82	+ sock.print("* OK test server\r\n")
83	+ sock.gets
84	+ sock.print("RUBY0001 BUG unhandled command\r\n")
85	+ ensure
86	+ sock.close
87	+ server.close
88	+ end
89	+ end
90	+ begin
91	+ imap = yield(port)
92	+ ensure
93	+ imap.disconnect if imap && !imap.disconnected?
94	+ end
95	+ end
96	+
97	def create_tcp_server
98	return TCPServer.new(server_addr, 0)
99	end
100	--
101	2.25.1
102


diff --git a/meta/recipes-devtools/ruby/ruby_3.0.1.bb b/meta/recipes-devtools/ruby/ruby_3.0.3.bb index a348946972..a781f69534 100644 --- a/meta/recipes-devtools/ruby/ruby_3.0.1.bb +++ b/meta/recipes-devtools/ruby/ruby_3.0.3.bb
@@ -6,16 +6,13 @@ SRC_URI += " \
6	file://remove_has_include_macros.patch \	6	file://remove_has_include_macros.patch \
7	file://run-ptest \	7	file://run-ptest \
8	file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \	8	file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \
9	file://CVE-2021-31810.patch \
10	file://CVE-2021-32066.patch \
11	file://CVE-2021-31799.patch \
12	file://0003-rdoc-build-reproducible-documentation.patch \	9	file://0003-rdoc-build-reproducible-documentation.patch \
13	file://0004-lib-mkmf.rb-sort-list-of-object-files-in-generated-M.patch \	10	file://0004-lib-mkmf.rb-sort-list-of-object-files-in-generated-M.patch \
14	file://0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch \	11	file://0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch \
15	file://0006-Make-gemspecs-reproducible.patch \	12	file://0006-Make-gemspecs-reproducible.patch \
16	"	13	"
17		14
18	SRC_URI[sha256sum] = "369825db2199f6aeef16b408df6a04ebaddb664fb9af0ec8c686b0ce7ab77727"	15	SRC_URI[sha256sum] = "3586861cb2df56970287f0fd83f274bd92058872d830d15570b36def7f1a92ac"
19		16
20	PACKAGECONFIG ??= ""	17	PACKAGECONFIG ??= ""
21	PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"	18	PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
@@ -81,8 +78,6 @@ do_install_ptest () {
81	-i ${D}${PTEST_PATH}/test/erb/test_erb_command.rb	78	-i ${D}${PTEST_PATH}/test/erb/test_erb_command.rb
82		79
83	cp -r ${S}/include ${D}/${libdir}/ruby/	80	cp -r ${S}/include ${D}/${libdir}/ruby/
84	test_case_rb=`grep rubygems/test_case.rb ${B}/.installed.list`
85	sed -i -e 's:../../../test/:../../../ptest/test/:g' ${D}/$test_case_rb
86	}	81	}
87		82
88	PACKAGES =+ "${PN}-ri-docs ${PN}-rdoc"	83	PACKAGES =+ "${PN}-ri-docs ${PN}-rdoc"