GNU bug report logs - #77304
[PATCH] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, CVE-2025-27220, CVE-2025-27221}]


Package: guix-patches;

Reported by: Remco van 't Veer <remco <at> remworks.net>

Date: Thu, 27 Mar 2025 10:02:04 UTC

Severity: normal

Tags: patch


Report forwarded to guix <at> cbaines.net, guix-patches <at> gnu.org:
bug#77304; Package guix-patches. (Thu, 27 Mar 2025 10:02:05 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Remco van 't Veer <remco <at> remworks.net>
To: guix-patches <at> gnu.org
Cc: Remco van 't Veer <remco <at> remworks.net>
Subject: [PATCH] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280,
 27281, 27282}, CVE-2025-{27219, CVE-2025-27220, CVE-2025-27221}]
Date: Thu, 27 Mar 2025 11:00:24 +0100

Fixes: CVE-2024-27280 (Buffer overread vulnerability in StringIO),
CVE-2024-27281 (RCE vulnerability with .rdoc_options in RDoc),
CVE-2024-27282 (Arbitrary memory address read vulnerability with Regex
search), CVE-2025-27219 (Denial of Service in CGI::Cookie.parse),
CVE-2025-27220 (ReDoS in CGI::Util#escapeElement), and
CVE-2025-27221 (userinfo leakage in URI#join, URI#merge and URI#+).

* gnu/packages/ruby.scm (ruby-3.1)[replacement]: New field pointing to ruby-3.1.7.
* gnu/packages/ruby.scm (ruby-3.1.7): Add package.

Change-Id: I9c4758f4622d5844cc9a23c2865a3d0210a4ebae
---
 gnu/packages/ruby.scm | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 24407fbd58..875a1b9a10 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -29,7 +29,7 @@
 ;;; Copyright © 2020 Tomás Ortín Fernández <tomasortin <at> mailbox.org>
 ;;; Copyright © 2021 Giovanni Biscuolo <g <at> xelera.eu>
 ;;; Copyright © 2022 Philip McGrath <philip <at> philipmcgrath.com>
-;;; Copyright © 2022-2024 Remco van 't Veer <remco <at> remworks.net>
+;;; Copyright © 2022-2025 Remco van 't Veer <remco <at> remworks.net>
 ;;; Copyright © 2022 Taiju HIGASHI <higashi <at> taiju.info>
 ;;; Copyright © 2023 Yovan Naumovski <yovan <at> gorski.stream>
 ;;; Copyright © 2023, 2024 gemmaro <gemmaro.dev <at> gmail.com>
@@ -250,6 +250,7 @@ (define-public ruby-3.1
   (package
     (inherit ruby-3.0)
     (version "3.1.4")
+    (replacement ruby-3.1.7)
     (source
      (origin
        (method url-fetch)
@@ -260,6 +261,22 @@ (define-public ruby-3.1
         (base32
          "0kzr792rk9n9yrqlyrkc1a0cmbk5y194f7v7p4vwjdk0ww860v8v"))))))
 
++;;; TODO: This newer version resolves serveral CVEs.  Remove
++;;; after ungrafting ruby.
+(define ruby-3.1.7
+  (package
+    (inherit ruby-3.1)
+    (version "3.1.7")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "http://cache.ruby-lang.org/pub/ruby/"
+                           (version-major+minor version)
+                           "/ruby-" version ".tar.xz"))
+       (sha256
+        (base32
+         "0ddhh3nzfnwwb0ks3rsmf3w1m71ban30wf61djn8gnkbbd2wr2k5"))))))
+
 (define-public ruby-3.2
   (package
     (inherit ruby-3.1)

base-commit: 90d525e0cffeb7498e7b98bedbc9ae67814c06a2
-- 
2.49.0





Information forwarded to guix <at> cbaines.net, guix-patches <at> gnu.org:
bug#77304; Package guix-patches. (Thu, 27 Mar 2025 10:26:02 GMT)

Message #8 received at 77304 <at> debbugs.gnu.org:

From: Remco van 't Veer <remco <at> remworks.net>
To: 77304 <at> debbugs.gnu.org
Cc: Remco van 't Veer <remco <at> remworks.net>
Subject: [PATCH v2] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280,
 27281, 27282}, CVE-2025-{27219, 27220, 27221}]
Date: Thu, 27 Mar 2025 11:25:00 +0100

Fixes: CVE-2024-27280 (Buffer overread vulnerability in StringIO),
CVE-2024-27281 (RCE vulnerability with .rdoc_options in RDoc),
CVE-2024-27282 (Arbitrary memory address read vulnerability with Regex
search), CVE-2025-27219 (Denial of Service in CGI::Cookie.parse),
CVE-2025-27220 (ReDoS in CGI::Util#escapeElement), and
CVE-2025-27221 (userinfo leakage in URI#join, URI#merge and URI#+).

* gnu/packages/ruby.scm (ruby-3.1)[replacement]: New field pointing to ruby-3.1.7.
* gnu/packages/ruby.scm (ruby-3.1.7): Add package.

Change-Id: I9c4758f4622d5844cc9a23c2865a3d0210a4ebae
---

Changes in this v2:

* improve commit subject.

 gnu/packages/ruby.scm | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 24407fbd58..875a1b9a10 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -29,7 +29,7 @@
 ;;; Copyright © 2020 Tomás Ortín Fernández <tomasortin <at> mailbox.org>
 ;;; Copyright © 2021 Giovanni Biscuolo <g <at> xelera.eu>
 ;;; Copyright © 2022 Philip McGrath <philip <at> philipmcgrath.com>
-;;; Copyright © 2022-2024 Remco van 't Veer <remco <at> remworks.net>
+;;; Copyright © 2022-2025 Remco van 't Veer <remco <at> remworks.net>
 ;;; Copyright © 2022 Taiju HIGASHI <higashi <at> taiju.info>
 ;;; Copyright © 2023 Yovan Naumovski <yovan <at> gorski.stream>
 ;;; Copyright © 2023, 2024 gemmaro <gemmaro.dev <at> gmail.com>
@@ -250,6 +250,7 @@ (define-public ruby-3.1
   (package
     (inherit ruby-3.0)
     (version "3.1.4")
+    (replacement ruby-3.1.7)
     (source
      (origin
        (method url-fetch)
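Review bot: the `replacement` graft on `ruby-3.1` is the right tool on master, where rebuilding every dependent of ruby-3.1 for a security fix is too costly, but as the reply in this thread notes it is unnecessary on the ruby-team branch, where dependents are rebuilt anyway; if the patch moves there, drop this line and instead bump `version` to "3.1.7" and the hash of `ruby-3.1` itself. Either way, a graft only rewrites store references, so the replacement must keep the same outputs and an ABI-compatible layout, which a patch release within the same 3.1 series satisfies.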
@@ -260,6 +261,22 @@ (define-public ruby-3.1
         (base32
          "0kzr792rk9n9yrqlyrkc1a0cmbk5y194f7v7p4vwjdk0ww860v8v"))))))
 
++;;; TODO: This newer version resolves serveral CVEs.  Remove
++;;; after ungrafting ruby.
+(define ruby-3.1.7
+  (package
+    (inherit ruby-3.1)
+    (version "3.1.7")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "http://cache.ruby-lang.org/pub/ruby/"
+                           (version-major+minor version)
+                           "/ruby-" version ".tar.xz"))
+       (sha256
+        (base32
+         "0ddhh3nzfnwwb0ks3rsmf3w1m71ban30wf61djn8gnkbbd2wr2k5"))))))
+
 (define-public ruby-3.2
   (package
     (inherit ruby-3.1)
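Review bot: the first two lines of this hunk read `++;;; TODO` and `++;;; after` rather than `+;;; ...`; if the second `+` is really in the file, the line `+;;; TODO: ...` is read as a stray top-level `+` followed by a comment, which evaluates harmlessly but is clearly unintended and should be fixed before this is applied. The same comment has a typo, "serveral". The download URI uses `http://cache.ruby-lang.org/...`; the `sha256` in `source` guarantees the tarball's integrity, so this is not a correctness issue, but `https://` is preferable so that a tampered download fails at transport rather than only at hash verification, unless the scheme is deliberately kept identical to the existing `ruby-3.1` origin. Using `define` rather than `define-public` is appropriate here, since a graft-only package should not be exposed as an installable target of its own.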

base-commit: 90d525e0cffeb7498e7b98bedbc9ae67814c06a2
-- 
2.49.0
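As an added example, not part of the patch or of Guix itself: after a graft, what matters is the behaviour of the `uri` library actually loaded, not the version string a package definition carries, so a practitioner would want a runtime check in addition to a version gate. The script below does both. The version table holds only the fixed releases named in this thread: 3.1.7 from this patch, and 3.2.8, the 3.2 target mentioned later, which is assumed here to carry the same six fixes; other series are left out rather than guessed. The behavioural probe targets CVE-2025-27221 using its known trigger, merging a base URI that carries userinfo with a scheme-relative reference naming a different host; a vulnerable `URI#merge` keeps the credentials while swapping the host. Host names and credentials are constructed for the example.

```ruby
require "rubygems"   # Gem::Version
require "uri"

# Ruby releases that carry all six fixes listed in the commit message,
# per series.  3.1.7 is from this patch; 3.2.8 is the 3.2 target the
# thread mentions and is ASSUMED here to carry the same fixes.  Other
# series are deliberately absent rather than guessed.
FIXED_RUBY = {
  "3.1" => Gem::Version.new("3.1.7"),
  "3.2" => Gem::Version.new("3.2.8"),
}.freeze

# "3.1.4" -> "3.1"
def ruby_series(version)
  version.to_s.split(".").first(2).join(".")
end

# true  -> version is at or above the fixed release for its series
# false -> version is below it
# nil   -> series not covered by the table; nothing can be said
def patched_version?(version)
  fixed = FIXED_RUBY[ruby_series(version)]
  return nil if fixed.nil?
  Gem::Version.new(version) >= fixed
end

# Behavioural probe for CVE-2025-27221.  A vulnerable URI#merge keeps the
# receiver's userinfo while taking the host from a scheme-relative
# reference, so credentials meant for example.com end up in a URL that
# points at a different host.  Returns the userinfo that survived the
# merge, or nil when the library dropped it (fixed behaviour).
def userinfo_after_cross_host_merge
  base = URI.parse("http://alice:s3cret@example.com/app/index") # constructed
  joined = base.merge("//other.example/collect")                # constructed
  joined.userinfo
end

def userinfo_leaks_on_merge?
  !userinfo_after_cross_host_merge.nil?
end

# Combined verdict for the interpreter running this script (or for any
# version string passed in, for the version gate).
def runtime_report(version = RUBY_VERSION)
  {
    ruby_version: version,
    version_patched: patched_version?(version),
    cve_2025_27221_leaks: userinfo_leaks_on_merge?,
  }
end

if $PROGRAM_NAME == __FILE__
  r = runtime_report
  puts "ruby #{r[:ruby_version]}: version gate=#{r[:version_patched].inspect}, " \
       "URI#merge leaks userinfo across hosts=#{r[:cve_2025_27221_leaks]}"
end
```

Run it with the Ruby under test (for a grafted Guix profile, the `ruby` in that profile). A `nil` version verdict together with `leaks=false` is the expected picture for a series the table does not know about but whose `uri` library is already fixed; `leaks=true` on any interpreter means the graft or rebuild did not take effect for the library actually being loaded.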





Information forwarded to guix-patches <at> gnu.org:
bug#77304; Package guix-patches. (Thu, 27 Mar 2025 13:05:03 GMT)

Message #11 received at 77304 <at> debbugs.gnu.org:

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: Remco van 't Veer <remco <at> remworks.net>, 77304 <at> debbugs.gnu.org
Cc: Christopher Baines <guix <at> cbaines.net>,
 Remco van 't Veer <remco <at> remworks.net>
Subject: Re: [bug#77304] [PATCH v2] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes
 CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, 27220, 27221}]
Date: Thu, 27 Mar 2025 14:04:48 +0100

This should be applied on the ruby-team branch.

-- 
Best regards,
Nicolas Graves




Information forwarded to guix-patches <at> gnu.org:
bug#77304; Package guix-patches. (Thu, 27 Mar 2025 13:09:01 GMT)

Message #14 received at 77304 <at> debbugs.gnu.org:

From: Remco van 't Veer <remco <at> remworks.net>
To: Nicolas Graves <ngraves <at> ngraves.fr>
Cc: Christopher Baines <guix <at> cbaines.net>, 77304 <at> debbugs.gnu.org
Subject: Re: [bug#77304] [PATCH v2] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes
 CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, 27220, 27221}]
Date: Thu, 27 Mar 2025 14:08:03 +0100

2025/03/27, Nicolas Graves:

> This should be applied on the ruby-team branch.

Does that also mean a graft is not needed?




Information forwarded to guix-patches <at> gnu.org:
bug#77304; Package guix-patches. (Thu, 27 Mar 2025 15:08:05 GMT)

Message #17 received at 77304 <at> debbugs.gnu.org:

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: Remco van 't Veer <remco <at> remworks.net>
Cc: Christopher Baines <guix <at> cbaines.net>, 77304 <at> debbugs.gnu.org
Subject: Re: [bug#77304] [PATCH v2] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes
 CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, 27220, 27221}]
Date: Thu, 27 Mar 2025 16:06:52 +0100

On 2025-03-27 14:08, Remco van t. Veer wrote:

> 2025/03/27, Nicolas Graves:
>
>> This should be applied on the ruby-team branch.
>
> Does that also mean a graft is not needed?

On ruby-team, no, they will be rebuilt.

-- 
Best regards,
Nicolas Graves




Information forwarded to guix-patches <at> gnu.org:
bug#77304; Package guix-patches. (Thu, 27 Mar 2025 15:43:02 GMT)

Message #20 received at 77304 <at> debbugs.gnu.org:

From: Remco van 't Veer <remco <at> remworks.net>
To: Nicolas Graves <ngraves <at> ngraves.fr>
Cc: Christopher Baines <guix <at> cbaines.net>, 77304 <at> debbugs.gnu.org
Subject: Re: [bug#77304] [PATCH v2] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes
 CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, 27220, 27221}]
Date: Thu, 27 Mar 2025 16:42:24 +0100

2025/03/27, Nicolas Graves:

> On 2025-03-27 14:08, Remco van t. Veer wrote:
>
>> 2025/03/27, Nicolas Graves:
>>
>>> This should be applied on the ruby-team branch.
>>
>> Does that also mean a graft is not needed?
>
> On ruby-team, no, they will be rebuilt.

To be honest, I was not aware of the ruby-team branch.  Looking at it, I
assume this patch and the other two (bug#77308 and bug#77309) will not
apply on this branch.  Should I close this and the other two bugs and
create new ones for 3.1.7 and 3.2.8 for the ruby-team branch?



