| author | Mingli Yu <mingli.yu@windriver.com> | 2025-12-18 15:27:36 +0800 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-12-31 07:49:31 -0800 |
| commit | 4faff2acb8ae732aaa80c2165d4e91cd33a3a066 (patch) | |
| tree | dcc697de6ad594a420154d2b4640b57085e75d2d /meta/recipes-devtools/ruby | |
| parent | fee180d783a2b1cff6c79e109ef9ebe06dd6def7 (diff) | |
| download | poky-4faff2acb8ae732aaa80c2165d4e91cd33a3a066.tar.gz | |
ruby: Upgrade 3.3.5 -> 3.3.10
Per the ruby maintenance policy [1], the 3.3.x branch should still be in normal
maintenance, so upgrade to the latest release, 3.3.10, which fixes many security
issues and bugs.
Remove the backported fixes for CVE-2025-27219, CVE-2025-27220 and CVE-2025-27221,
as they are included in the new version.
[1] https://www.ruby-lang.org/en/downloads/branches/
(From OE-Core rev: bad372ad8ec33334c6a74c077bf975851c1e59d2)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-devtools/ruby')
| -rw-r--r-- | meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch | 31 | ||||
| -rw-r--r-- | meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch | 78 | ||||
| -rw-r--r-- | meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch | 57 | ||||
| -rw-r--r-- | meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch | 73 | ||||
| -rw-r--r-- | meta/recipes-devtools/ruby/ruby_3.3.10.bb (renamed from meta/recipes-devtools/ruby/ruby_3.3.5.bb) | 6 |
5 files changed, 1 insertions, 244 deletions
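--- a/meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 9907b76dad0777ee300de236dad4b559e07596ab Mon Sep 17 00:00:00 2001
-From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
-Date: Fri, 21 Feb 2025 16:01:17 +0900
-Subject: [PATCH] Use String#concat instead of String#+ for reducing cpu usage
-
-Co-authored-by: "Yusuke Endoh" <mame@ruby-lang.org>
-
-Upstream-Status: Backport [https://github.com/ruby/cgi/commit/9907b76dad0777ee300de236dad4b559e07596ab]
-CVE: CVE-2025-27219
-Signed-off-by: Ashish Sharma <asharma@mvista.com>
-
-lib/cgi/cookie.rb | 5 +++--
-1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/lib/cgi/cookie.rb b/lib/cgi/cookie.rb
-index 9498e2f..1c4ef6a 100644
---- a/lib/cgi/cookie.rb
-+++ b/lib/cgi/cookie.rb
-@@ -190,9 +190,10 @@ def self.parse(raw_cookie)
-values ||= ""
-values = values.split('&').collect{|v| CGI.unescape(v,@@accept_charset) }
-if cookies.has_key?(name)
-- values = cookies[name].value + values
-+ cookies[name].concat(values)
-+ else
-+ cookies[name] = Cookie.new(name, *values)
-end
-- cookies[name] = Cookie.new(name, *values)
-end
-
-cookies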
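--- a/meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From cd1eb08076c8b8e310d4d553d427763f2577a1b6 Mon Sep 17 00:00:00 2001
-From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
-Date: Fri, 21 Feb 2025 15:53:31 +0900
-Subject: [PATCH] Escape/unescape unclosed tags as well
-
-Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
-
-CVE: CVE-2025-27220
-
-Upstream-Status: Backport [https://github.com/ruby/cgi/commit/cd1eb08076c8b8e310d4d553d427763f2577a1b6]
-
-Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
----
-lib/cgi/util.rb | 4 ++--
-test/cgi/test_cgi_util.rb | 18 ++++++++++++++++++
-2 files changed, 20 insertions(+), 2 deletions(-)
-
-diff --git a/lib/cgi/util.rb b/lib/cgi/util.rb
-index 4986e54..5f12eae 100644
---- a/lib/cgi/util.rb
-+++ b/lib/cgi/util.rb
-@@ -184,7 +184,7 @@ module CGI::Util
-def escapeElement(string, *elements)
-elements = elements[0] if elements[0].kind_of?(Array)
-unless elements.empty?
-- string.gsub(/<\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?>/i) do
-+ string.gsub(/<\/?(?:#{elements.join("|")})\b[^<>]*+>?/im) do
-CGI.escapeHTML($&)
-end
-else
-@@ -204,7 +204,7 @@ module CGI::Util
-def unescapeElement(string, *elements)
-elements = elements[0] if elements[0].kind_of?(Array)
-unless elements.empty?
-- string.gsub(/<\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?>/i) do
-+ string.gsub(/<\/?(?:#{elements.join("|")})\b(?>[^&]+|&(?![gl]t;)\w+;)*(?:>)?/im) do
-unescapeHTML($&)
-end
-else
-diff --git a/test/cgi/test_cgi_util.rb b/test/cgi/test_cgi_util.rb
-index b0612fc..bff77f7 100644
---- a/test/cgi/test_cgi_util.rb
-+++ b/test/cgi/test_cgi_util.rb
-@@ -269,6 +269,14 @@ class CGIUtilTest < Test::Unit::TestCase
-assert_equal("<BR><A HREF="url"></A>", escapeElement('<BR><A HREF="url"></A>', ["A", "IMG"]))
-assert_equal("<BR><A HREF="url"></A>", escape_element('<BR><A HREF="url"></A>', "A", "IMG"))
-assert_equal("<BR><A HREF="url"></A>", escape_element('<BR><A HREF="url"></A>', ["A", "IMG"]))
-+
-+ assert_equal("<A <A HREF="url"></A>", escapeElement('<A <A HREF="url"></A>', "A", "IMG"))
-+ assert_equal("<A <A HREF="url"></A>", escapeElement('<A <A HREF="url"></A>', ["A", "IMG"]))
-+ assert_equal("<A <A HREF="url"></A>", escape_element('<A <A HREF="url"></A>', "A", "IMG"))
-+ assert_equal("<A <A HREF="url"></A>", escape_element('<A <A HREF="url"></A>', ["A", "IMG"]))
-+
-+ assert_equal("<A <A ", escapeElement('<A <A ', "A", "IMG"))
-+ assert_equal("<A <A ", escapeElement('<A <A ', ["A", "IMG"]))
-end
-
-
-@@ -277,6 +285,16 @@ class CGIUtilTest < Test::Unit::TestCase
-assert_equal('<BR><A HREF="url"></A>', unescapeElement(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))
-assert_equal('<BR><A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), "A", "IMG"))
-assert_equal('<BR><A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))
-+
-+ assert_equal('<A <A HREF="url"></A>', unescapeElement(escapeHTML('<A <A HREF="url"></A>'), "A", "IMG"))
-+ assert_equal('<A <A HREF="url"></A>', unescapeElement(escapeHTML('<A <A HREF="url"></A>'), ["A", "IMG"]))
-+ assert_equal('<A <A HREF="url"></A>', unescape_element(escapeHTML('<A <A HREF="url"></A>'), "A", "IMG"))
-+ assert_equal('<A <A HREF="url"></A>', unescape_element(escapeHTML('<A <A HREF="url"></A>'), ["A", "IMG"]))
-+
-+ assert_equal('<A <A ', unescapeElement(escapeHTML('<A <A '), "A", "IMG"))
-+ assert_equal('<A <A ', unescapeElement(escapeHTML('<A <A '), ["A", "IMG"]))
-+ assert_equal('<A <A ', unescape_element(escapeHTML('<A <A '), "A", "IMG"))
-+ assert_equal('<A <A ', unescape_element(escapeHTML('<A <A '), ["A", "IMG"]))
-end
-end
-
---
-2.40.0
-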
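--- a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 3675494839112b64d5f082a9068237b277ed1495 Mon Sep 17 00:00:00 2001
-From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
-Date: Fri, 21 Feb 2025 16:29:36 +0900
-Subject: [PATCH] Truncate userinfo with URI#join, URI#merge and URI#+
-
-CVE: CVE-2025-27221
-
-Upstream-Status: Backport [https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495]
-
-Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
----
-lib/uri/generic.rb | 6 +++++-
-test/uri/test_generic.rb | 11 +++++++++++
-2 files changed, 16 insertions(+), 1 deletion(-)
-
-diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
-index f3540a2..ecc78c5 100644
---- a/lib/uri/generic.rb
-+++ b/lib/uri/generic.rb
-@@ -1141,7 +1141,11 @@ module URI
-end
-
-# RFC2396, Section 5.2, 7)
-- base.set_userinfo(rel.userinfo) if rel.userinfo
-+ if rel.userinfo
-+ base.set_userinfo(rel.userinfo)
-+ else
-+ base.set_userinfo(nil)
-+ end
-base.set_host(rel.host) if rel.host
-base.set_port(rel.port) if rel.port
-base.query = rel.query if rel.query
-diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
-index e661937..17ba2b6 100644
---- a/test/uri/test_generic.rb
-+++ b/test/uri/test_generic.rb
-@@ -164,6 +164,17 @@ class URI::TestGeneric < Test::Unit::TestCase
-# must be empty string to identify as path-abempty, not path-absolute
-assert_equal('', url.host)
-assert_equal('http:////example.com', url.to_s)
-+
-+ # sec-2957667
-+ url = URI.parse('http://user:pass@example.com').merge('//example.net')
-+ assert_equal('http://example.net', url.to_s)
-+ assert_nil(url.userinfo)
-+ url = URI.join('http://user:pass@example.com', '//example.net')
-+ assert_equal('http://example.net', url.to_s)
-+ assert_nil(url.userinfo)
-+ url = URI.parse('http://user:pass@example.com') + '//example.net'
-+ assert_equal('http://example.net', url.to_s)
-+ assert_nil(url.userinfo)
-end
-
-def test_parse_scheme_with_symbols
---
-2.40.0
-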
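--- a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 2789182478f42ccbb62197f952eb730e4f02bfc5 Mon Sep 17 00:00:00 2001
-From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
-Date: Fri, 21 Feb 2025 18:16:28 +0900
-Subject: [PATCH] Fix merger of URI with authority component
-
-https://hackerone.com/reports/2957667
-
-Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
-
-CVE: CVE-2025-27221
-
-Upstream-Status: Backport [https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5]
-
-Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
----
-lib/uri/generic.rb | 19 +++++++------------
-test/uri/test_generic.rb | 7 +++++++
-2 files changed, 14 insertions(+), 12 deletions(-)
-
-diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
-index ecc78c5..2c0a88d 100644
---- a/lib/uri/generic.rb
-+++ b/lib/uri/generic.rb
-@@ -1133,21 +1133,16 @@ module URI
-base.fragment=(nil)
-
-# RFC2396, Section 5.2, 4)
-- if !authority
-- base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path
-- else
-- # RFC2396, Section 5.2, 4)
-- base.set_path(rel.path) if rel.path
-+ if authority
-+ base.set_userinfo(rel.userinfo)
-+ base.set_host(rel.host)
-+ base.set_port(rel.port || base.default_port)
-+ base.set_path(rel.path)
-+ elsif base.path && rel.path
-+ base.set_path(merge_path(base.path, rel.path))
-end
-
-# RFC2396, Section 5.2, 7)
-- if rel.userinfo
-- base.set_userinfo(rel.userinfo)
-- else
-- base.set_userinfo(nil)
-- end
-- base.set_host(rel.host) if rel.host
-- base.set_port(rel.port) if rel.port
-base.query = rel.query if rel.query
-base.fragment=(rel.fragment) if rel.fragment
-
-diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
-index 17ba2b6..1a70dd4 100644
---- a/test/uri/test_generic.rb
-+++ b/test/uri/test_generic.rb
-@@ -267,6 +267,13 @@ class URI::TestGeneric < Test::Unit::TestCase
-assert_equal(u0, u1)
-end
-
-+ def test_merge_authority
-+ u = URI.parse('http://user:pass@example.com:8080')
-+ u0 = URI.parse('http://new.example.org/path')
-+ u1 = u.merge('//new.example.org/path')
-+ assert_equal(u0, u1)
-+ end
-+
-def test_route
-url = URI.parse('http://hoge/a.html').route_to('http://hoge/b.html')
-assert_equal('b.html', url.to_s)
---
-2.40.0
-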
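--- a/meta/recipes-devtools/ruby/ruby_3.3.5.bb
+++ b/meta/recipes-devtools/ruby/ruby_3.3.10.bb
@@ -26,10 +26,6 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
 file://0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch \
 file://0006-Make-gemspecs-reproducible.patch \
 file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \
-file://CVE-2025-27219.patch \
-file://CVE-2025-27220.patch \
-file://CVE-2025-27221-0001.patch \
-file://CVE-2025-27221-0002.patch \
 file://0007-Skip-test_rm_r_no_permissions-test-under-root.patch \
 "
 UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"
@@ -51,7 +47,7 @@ do_configure:prepend() {
 
 DEPENDS:append:libc-musl = " libucontext"
 
-SRC_URI[sha256sum] = "3781a3504222c2f26cb4b9eb9c1a12dbf4944d366ce24a9ff8cf99ecbce75196"
+SRC_URI[sha256sum] = "b555baa467a306cfc8e6c6ed24d0d27b27e9a1bed1d91d95509859eac6b0e928"
 
 PACKAGECONFIG ??= ""
 PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"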
