From 4faff2acb8ae732aaa80c2165d4e91cd33a3a066 Mon Sep 17 00:00:00 2001
From: Mingli Yu
Date: Thu, 18 Dec 2025 15:27:36 +0800
Subject: [PATCH] ruby: Upgrade 3.3.5 -> 3.3.10
Per ruby maintenance policy [1], the 3.3.x branch should be still in normal maintenance, so upgrade to the latest version 3.3.10 to fix many security issues and bugs. Remove the fix for CVE-2025-27219, CVE-2025-27220 and CVE-2025-27221 as these fixes have been included in the new version.
[1] https://www.ruby-lang.org/en/downloads/branches/
(From OE-Core rev: bad372ad8ec33334c6a74c077bf975851c1e59d2)
Signed-off-by: Mingli Yu
Signed-off-by: Steve Sakoman
---
 .../ruby/ruby/CVE-2025-27219.patch | 31 --------
 .../ruby/ruby/CVE-2025-27220.patch | 78 ------------------
 .../ruby/ruby/CVE-2025-27221-0001.patch | 57 --------------
 .../ruby/ruby/CVE-2025-27221-0002.patch | 73 -----------------
 .../ruby/{ruby_3.3.5.bb => ruby_3.3.10.bb} | 6 +-
 5 files changed, 1 insertion(+), 244 deletions(-)
 delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch
 delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch
 delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch
 delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch
 rename meta/recipes-devtools/ruby/{ruby_3.3.5.bb => ruby_3.3.10.bb} (95%)
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch
deleted file mode 100644
index 7813a6143c..0000000000
--- a/meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 9907b76dad0777ee300de236dad4b559e07596ab Mon Sep 17 00:00:00 2001
-From: Hiroshi SHIBATA
-Date: Fri, 21 Feb 2025 16:01:17 +0900
-Subject: [PATCH] Use String#concat instead of String#+ for reducing cpu usage
-
-Co-authored-by: "Yusuke Endoh"
-
-Upstream-Status: Backport [https://github.com/ruby/cgi/commit/9907b76dad0777ee300de236dad4b559e07596ab]
-CVE: CVE-2025-27219
-Signed-off-by: Ashish Sharma
-
- lib/cgi/cookie.rb | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/lib/cgi/cookie.rb b/lib/cgi/cookie.rb
-index 9498e2f..1c4ef6a 100644
---- a/lib/cgi/cookie.rb
-+++ b/lib/cgi/cookie.rb
-@@ -190,9 +190,10 @@ def self.parse(raw_cookie)
- values ||= ""
- values = values.split('&').collect{|v| CGI.unescape(v,@@accept_charset) }
- if cookies.has_key?(name)
-- values = cookies[name].value + values
-+ cookies[name].concat(values)
-+ else
-+ cookies[name] = Cookie.new(name, *values)
- end
-- cookies[name] = Cookie.new(name, *values)
- end
-
- cookies
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch
deleted file mode 100644
index f2f8bc7f76..0000000000
--- a/meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From cd1eb08076c8b8e310d4d553d427763f2577a1b6 Mon Sep 17 00:00:00 2001
-From: Hiroshi SHIBATA
-Date: Fri, 21 Feb 2025 15:53:31 +0900
-Subject: [PATCH] Escape/unescape unclosed tags as well
-
-Co-authored-by: Nobuyoshi Nakada
-
-CVE: CVE-2025-27220
-
-Upstream-Status: Backport [https://github.com/ruby/cgi/commit/cd1eb08076c8b8e310d4d553d427763f2577a1b6]
-
-Signed-off-by: Divya Chellam
----
- lib/cgi/util.rb | 4 ++--
- test/cgi/test_cgi_util.rb | 18 ++++++++++++++++++
- 2 files changed, 20 insertions(+), 2 deletions(-)
-
-diff --git a/lib/cgi/util.rb b/lib/cgi/util.rb
-index 4986e54..5f12eae 100644
---- a/lib/cgi/util.rb
-+++ b/lib/cgi/util.rb
-@@ -184,7 +184,7 @@ module CGI::Util
- def escapeElement(string, *elements)
- elements = elements[0] if elements[0].kind_of?(Array)
- unless elements.empty?
-- string.gsub(/<\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?>/i) do
-+ string.gsub(/<\/?(?:#{elements.join("|")})\b[^<>]*+>?/im) do
- CGI.escapeHTML($&)
- end
- else
-@@ -204,7 +204,7 @@ module CGI::Util
- def unescapeElement(string, *elements)
- elements = elements[0] if elements[0].kind_of?(Array)
- unless elements.empty?
-- string.gsub(/<\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?>/i) do
-+ string.gsub(/<\/?(?:#{elements.join("|")})\b(?>[^&]+|&(?![gl]t;)\w+;)*(?:>)?/im) do
- unescapeHTML($&)
- end
- else
-diff --git a/test/cgi/test_cgi_util.rb b/test/cgi/test_cgi_util.rb
-index b0612fc..bff77f7 100644
---- a/test/cgi/test_cgi_util.rb
-+++ b/test/cgi/test_cgi_util.rb
-@@ -269,6 +269,14 @@ class CGIUtilTest < Test::Unit::TestCase
- assert_equal("
<A HREF="url"></A>", escapeElement('
', ["A", "IMG"])) - assert_equal("
<A HREF="url"></A>", escape_element('
', "A", "IMG")) - assert_equal("
<A HREF="url"></A>", escape_element('
', ["A", "IMG"])) -+ -+ assert_equal("<A <A HREF="url"></A>", escapeElement('', "A", "IMG")) -+ assert_equal("<A <A HREF="url"></A>", escapeElement('', ["A", "IMG"])) -+ assert_equal("<A <A HREF="url"></A>", escape_element('', "A", "IMG")) -+ assert_equal("<A <A HREF="url"></A>", escape_element('', ["A", "IMG"])) -+ -+ assert_equal("<A <A ", escapeElement('', unescapeElement(escapeHTML('
'), ["A", "IMG"])) - assert_equal('<BR>', unescape_element(escapeHTML('
'), "A", "IMG")) - assert_equal('<BR>', unescape_element(escapeHTML('
'), ["A", "IMG"])) -+ -+ assert_equal('', unescapeElement(escapeHTML(''), "A", "IMG")) -+ assert_equal('', unescapeElement(escapeHTML(''), ["A", "IMG"])) -+ assert_equal('', unescape_element(escapeHTML(''), "A", "IMG")) -+ assert_equal('', unescape_element(escapeHTML(''), ["A", "IMG"])) -+ -+ assert_equal(' -Date: Fri, 21 Feb 2025 16:29:36 +0900 -Subject: [PATCH] Truncate userinfo with URI#join, URI#merge and URI#+ - -CVE: CVE-2025-27221 - -Upstream-Status: Backport [https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495] - -Signed-off-by: Divya Chellam ---- - lib/uri/generic.rb | 6 +++++- - test/uri/test_generic.rb | 11 +++++++++++ - 2 files changed, 16 insertions(+), 1 deletion(-) - -diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb -index f3540a2..ecc78c5 100644 ---- a/lib/uri/generic.rb -+++ b/lib/uri/generic.rb -@@ -1141,7 +1141,11 @@ module URI - end - - # RFC2396, Section 5.2, 7) -- base.set_userinfo(rel.userinfo) if rel.userinfo -+ if rel.userinfo -+ base.set_userinfo(rel.userinfo) -+ else -+ base.set_userinfo(nil) -+ end - base.set_host(rel.host) if rel.host - base.set_port(rel.port) if rel.port - base.query = rel.query if rel.query -diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb -index e661937..17ba2b6 100644 ---- a/test/uri/test_generic.rb -+++ b/test/uri/test_generic.rb -@@ -164,6 +164,17 @@ class URI::TestGeneric < Test::Unit::TestCase - # must be empty string to identify as path-abempty, not path-absolute - assert_equal('', url.host) - assert_equal('http:////example.com', url.to_s) -+ -+ # sec-2957667 -+ url = URI.parse('http://user:pass@example.com').merge('//example.net') -+ assert_equal('http://example.net', url.to_s) -+ assert_nil(url.userinfo) -+ url = URI.join('http://user:pass@example.com', '//example.net') -+ assert_equal('http://example.net', url.to_s) -+ assert_nil(url.userinfo) -+ url = URI.parse('http://user:pass@example.com') + '//example.net' -+ assert_equal('http://example.net', url.to_s) -+ 
assert_nil(url.userinfo)
- end
-
- def test_parse_scheme_with_symbols
---
-2.40.0
-
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch
deleted file mode 100644
index 4435b87c34..0000000000
--- a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 2789182478f42ccbb62197f952eb730e4f02bfc5 Mon Sep 17 00:00:00 2001
-From: Hiroshi SHIBATA
-Date: Fri, 21 Feb 2025 18:16:28 +0900
-Subject: [PATCH] Fix merger of URI with authority component
-
-https://hackerone.com/reports/2957667
-
-Co-authored-by: Nobuyoshi Nakada
-
-CVE: CVE-2025-27221
-
-Upstream-Status: Backport [https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5]
-
-Signed-off-by: Divya Chellam
----
- lib/uri/generic.rb | 19 +++++++------------
- test/uri/test_generic.rb | 7 +++++++
- 2 files changed, 14 insertions(+), 12 deletions(-)
-
-diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
-index ecc78c5..2c0a88d 100644
---- a/lib/uri/generic.rb
-+++ b/lib/uri/generic.rb
-@@ -1133,21 +1133,16 @@ module URI
- base.fragment=(nil)
-
- # RFC2396, Section 5.2, 4)
-- if !authority
-- base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path
-- else
-- # RFC2396, Section 5.2, 4)
-- base.set_path(rel.path) if rel.path
-+ if authority
-+ base.set_userinfo(rel.userinfo)
-+ base.set_host(rel.host)
-+ base.set_port(rel.port || base.default_port)
-+ base.set_path(rel.path)
-+ elsif base.path && rel.path
-+ base.set_path(merge_path(base.path, rel.path))
- end
-
- # RFC2396, Section 5.2, 7)
-- if rel.userinfo
-- base.set_userinfo(rel.userinfo)
-- else
-- base.set_userinfo(nil)
-- end
-- base.set_host(rel.host) if rel.host
-- base.set_port(rel.port) if rel.port
- base.query = rel.query if rel.query
- base.fragment=(rel.fragment) if rel.fragment
-
-diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
-index 17ba2b6..1a70dd4 100644
---- a/test/uri/test_generic.rb
-+++ b/test/uri/test_generic.rb
-@@ -267,6 +267,13 @@ class URI::TestGeneric < Test::Unit::TestCase
- assert_equal(u0, u1)
- end
-
-+ def test_merge_authority
-+ u = URI.parse('http://user:pass@example.com:8080')
-+ u0 = URI.parse('http://new.example.org/path')
-+ u1 = u.merge('//new.example.org/path')
-+ assert_equal(u0, u1)
-+ end
-+
- def 
test_route
- url = URI.parse('http://hoge/a.html').route_to('http://hoge/b.html')
- assert_equal('b.html', url.to_s)
---
-2.40.0
-
diff --git a/meta/recipes-devtools/ruby/ruby_3.3.5.bb b/meta/recipes-devtools/ruby/ruby_3.3.10.bb
similarity index 95%
rename from meta/recipes-devtools/ruby/ruby_3.3.5.bb
rename to meta/recipes-devtools/ruby/ruby_3.3.10.bb
index 8b45946f6b..936bc73e32 100644
--- a/meta/recipes-devtools/ruby/ruby_3.3.5.bb
+++ b/meta/recipes-devtools/ruby/ruby_3.3.10.bb
@@ -26,10 +26,6 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
 file://0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch \
 file://0006-Make-gemspecs-reproducible.patch \
 file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \
- file://CVE-2025-27219.patch \
- file://CVE-2025-27220.patch \
- file://CVE-2025-27221-0001.patch \
- file://CVE-2025-27221-0002.patch \
 file://0007-Skip-test_rm_r_no_permissions-test-under-root.patch \
 "
 UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"
@@ -51,7 +47,7 @@ do_configure:prepend() {
 
 DEPENDS:append:libc-musl = " libucontext"
 
-SRC_URI[sha256sum] = "3781a3504222c2f26cb4b9eb9c1a12dbf4944d366ce24a9ff8cf99ecbce75196"
+SRC_URI[sha256sum] = "b555baa467a306cfc8e6c6ed24d0d27b27e9a1bed1d91d95509859eac6b0e928"
 
 PACKAGECONFIG ??= ""
 PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"