GNU bug report logs -
#77304
[PATCH] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, CVE-2025-27220, CVE-2025-27221}]
Previous Next
To reply to this bug, email your comments to 77304 AT debbugs.gnu.org.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix <at> cbaines.net, guix-patches <at> gnu.org
:
bug#77304
; Package
guix-patches
.
(Thu, 27 Mar 2025 10:02:05 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Remco van 't Veer <remco <at> remworks.net>
:
New bug report received and forwarded. Copy sent to
guix <at> cbaines.net, guix-patches <at> gnu.org
.
(Thu, 27 Mar 2025 10:02:05 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Fixes: CVE-2024-27280 (Buffer overread vulnerability in StringIO),
CVE-2024-27281 (RCE vulnerability with .rdoc_options in RDoc),
CVE-2024-27282 (Arbitrary memory address read vulnerability with Regex
search), CVE-2025-27219 (Denial of Service in CGI::Cookie.parse)
CVE-2025-27220 (ReDoS in CGI::Util#escapeElement), and
CVE-2025-27221 (userinfo leakage in URI#join, URI#merge and URI#+).
* gnu/packages/ruby.scm (ruby-3.1)[replacement]: New field pointing to ruby-3.1.7.
* gnu/packages/ruby.scm (ruby-3.1.7): Add package.
Change-Id: I9c4758f4622d5844cc9a23c2865a3d0210a4ebae
---
gnu/packages/ruby.scm | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 24407fbd58..875a1b9a10 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -29,7 +29,7 @@
;;; Copyright © 2020 Tomás Ortín Fernández <tomasortin <at> mailbox.org>
;;; Copyright © 2021 Giovanni Biscuolo <g <at> xelera.eu>
;;; Copyright © 2022 Philip McGrath <philip <at> philipmcgrath.com>
-;;; Copyright © 2022-2024 Remco van 't Veer <remco <at> remworks.net>
+;;; Copyright © 2022-2025 Remco van 't Veer <remco <at> remworks.net>
;;; Copyright © 2022 Taiju HIGASHI <higashi <at> taiju.info>
;;; Copyright © 2023 Yovan Naumovski <yovan <at> gorski.stream>
;;; Copyright © 2023, 2024 gemmaro <gemmaro.dev <at> gmail.com>
@@ -250,6 +250,7 @@ (define-public ruby-3.1
(package
(inherit ruby-3.0)
(version "3.1.4")
+ (replacement ruby-3.1.7)
(source
(origin
(method url-fetch)
@@ -260,6 +261,22 @@ (define-public ruby-3.1
(base32
"0kzr792rk9n9yrqlyrkc1a0cmbk5y194f7v7p4vwjdk0ww860v8v"))))))
++;;; TODO: This newer version resolves serveral CVEs. Remove
++;;; after ungrafting ruby.
+(define ruby-3.1.7
+ (package
+ (inherit ruby-3.1)
+ (version "3.1.7")
+ (source
+ (origin
+ (method url-fetch)
+ (uri (string-append "http://cache.ruby-lang.org/pub/ruby/"
+ (version-major+minor version)
+ "/ruby-" version ".tar.xz"))
+ (sha256
+ (base32
+ "0ddhh3nzfnwwb0ks3rsmf3w1m71ban30wf61djn8gnkbbd2wr2k5"))))))
+
(define-public ruby-3.2
(package
(inherit ruby-3.1)
base-commit: 90d525e0cffeb7498e7b98bedbc9ae67814c06a2
--
2.49.0
Information forwarded
to
guix <at> cbaines.net, guix-patches <at> gnu.org
:
bug#77304
; Package
guix-patches
.
(Thu, 27 Mar 2025 10:26:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 77304 <at> debbugs.gnu.org (full text, mbox):
Fixes: CVE-2024-27280 (Buffer overread vulnerability in StringIO),
CVE-2024-27281 (RCE vulnerability with .rdoc_options in RDoc),
CVE-2024-27282 (Arbitrary memory address read vulnerability with Regex
search), CVE-2025-27219 (Denial of Service in CGI::Cookie.parse)
CVE-2025-27220 (ReDoS in CGI::Util#escapeElement), and
CVE-2025-27221 (userinfo leakage in URI#join, URI#merge and URI#+).
* gnu/packages/ruby.scm (ruby-3.1)[replacement]: New field pointing to ruby-3.1.7.
* gnu/packages/ruby.scm (ruby-3.1.7): Add package.
Change-Id: I9c4758f4622d5844cc9a23c2865a3d0210a4ebae
---
Changes in this v2:
* improve commit subject.
gnu/packages/ruby.scm | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 24407fbd58..875a1b9a10 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -29,7 +29,7 @@
;;; Copyright © 2020 Tomás Ortín Fernández <tomasortin <at> mailbox.org>
;;; Copyright © 2021 Giovanni Biscuolo <g <at> xelera.eu>
;;; Copyright © 2022 Philip McGrath <philip <at> philipmcgrath.com>
-;;; Copyright © 2022-2024 Remco van 't Veer <remco <at> remworks.net>
+;;; Copyright © 2022-2025 Remco van 't Veer <remco <at> remworks.net>
;;; Copyright © 2022 Taiju HIGASHI <higashi <at> taiju.info>
;;; Copyright © 2023 Yovan Naumovski <yovan <at> gorski.stream>
;;; Copyright © 2023, 2024 gemmaro <gemmaro.dev <at> gmail.com>
@@ -250,6 +250,7 @@ (define-public ruby-3.1
(package
(inherit ruby-3.0)
(version "3.1.4")
+ (replacement ruby-3.1.7)
(source
(origin
(method url-fetch)
@@ -260,6 +261,22 @@ (define-public ruby-3.1
(base32
"0kzr792rk9n9yrqlyrkc1a0cmbk5y194f7v7p4vwjdk0ww860v8v"))))))
++;;; TODO: This newer version resolves serveral CVEs. Remove
++;;; after ungrafting ruby.
+(define ruby-3.1.7
+ (package
+ (inherit ruby-3.1)
+ (version "3.1.7")
+ (source
+ (origin
+ (method url-fetch)
+ (uri (string-append "http://cache.ruby-lang.org/pub/ruby/"
+ (version-major+minor version)
+ "/ruby-" version ".tar.xz"))
+ (sha256
+ (base32
+ "0ddhh3nzfnwwb0ks3rsmf3w1m71ban30wf61djn8gnkbbd2wr2k5"))))))
+
(define-public ruby-3.2
(package
(inherit ruby-3.1)
base-commit: 90d525e0cffeb7498e7b98bedbc9ae67814c06a2
--
2.49.0
Information forwarded
to
guix-patches <at> gnu.org
:
bug#77304
; Package
guix-patches
.
(Thu, 27 Mar 2025 13:05:03 GMT)
Full text and
rfc822 format available.
Message #11 received at 77304 <at> debbugs.gnu.org (full text, mbox):
This should be applied on the ruby-team branch.
--
Best regards,
Nicolas Graves
Information forwarded
to
guix-patches <at> gnu.org
:
bug#77304
; Package
guix-patches
.
(Thu, 27 Mar 2025 13:09:01 GMT)
Full text and
rfc822 format available.
Message #14 received at 77304 <at> debbugs.gnu.org (full text, mbox):
2025/03/27, Nicolas Graves:
> This should be applied on the ruby-team branch.
Does that also mean a graft is not needed?
Information forwarded
to
guix-patches <at> gnu.org
:
bug#77304
; Package
guix-patches
.
(Thu, 27 Mar 2025 15:08:05 GMT)
Full text and
rfc822 format available.
Message #17 received at 77304 <at> debbugs.gnu.org (full text, mbox):
On 2025-03-27 14:08, Remco van t. Veer wrote:
> 2025/03/27, Nicolas Graves:
>
>> This should be applied on the ruby-team branch.
>
> Does that also mean a graft is not needed?
On ruby-team, no, they will be rebuilt.
--
Best regards,
Nicolas Graves
Information forwarded
to
guix-patches <at> gnu.org
:
bug#77304
; Package
guix-patches
.
(Thu, 27 Mar 2025 15:43:02 GMT)
Full text and
rfc822 format available.
Message #20 received at 77304 <at> debbugs.gnu.org (full text, mbox):
2025/03/27, Nicolas Graves:
> On 2025-03-27 14:08, Remco van t. Veer wrote:
>
>> 2025/03/27, Nicolas Graves:
>>
>>> This should be applied on the ruby-team branch.
>>
>> Does that also mean a graft is not needed?
>
> On ruby-team, no, they will be rebuilt.
To be honest, I was not aware of the ruby-team branch. Looking at it, I
assume this patch and the other two (bug#77308 and bug#77309) will not
apply on this branch. Should I close this and the other two bugs and
create new ones for 3.1.7 and 3.2.8 for the ruby-team branch?
This bug report was last modified 12 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.