Upgrade to Ruby 3.1.4.

Fix ReDoS vulnerability in URI (CVE-2023-28755) Fix ReDoS vulnerability in Time (CVE-2023-28756) Skip a test that uses compaction when the compaction is unimplemented. <https://bugs.ruby-lang.org/issues/19529#note-7>
2023-03-31 17:33:54 +02:00 · 2023-03-31 17:33:54 +02:00 · 2837b345ca
commit 2837b345ca
parent a4040936ae
13 changed files with 80 additions and 212 deletions
--- a/ruby.spec
+++ b/ruby.spec
@ -1,6 +1,6 @@
 %global major_version 3
 %global minor_version 1
-%global teeny_version 3
+%global teeny_version 4
 %global major_minor_version %{major_version}.%{minor_version}

 %global ruby_version %{major_minor_version}.%{teeny_version}
@ -22,7 +22,7 @@
 %endif


-%global release 174
+%global release 175
 %{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}

 # The RubyGems library has to stay out of Ruby directory tree, since the
@ -45,7 +45,7 @@
 %global bundler_tmpdir_version 0.1.0
 # TODO: Check the version if/when available in library.
 %global bundler_tsort_version 0.1.1
-%global bundler_uri_version 0.10.1
+%global bundler_uri_version 0.10.2

 %global bigdecimal_version 3.1.1
 %global did_you_mean_version 1.6.1
@ -169,15 +169,15 @@ Patch19: ruby-2.7.1-Timeout-the-test_bug_reporter_add-witout-raising-err.patch
 # https://github.com/ruby/ruby/pull/5934
 Patch22: ruby-3.2.0-define-unsupported-gc-compaction-methods-as-rb_f_notimplement.patch
 # To regenerate the patch you need to have ruby, autoconf, xz, tar and make installed:
-# tar -Jxvf ./ruby-3.1.3.tar.xz
+# tar -Jxvf ./ruby-3.1.4.tar.xz
 # git clone https://github.com/ruby/ruby.git
-# cd ruby && git checkout v3_1_3
+# cd ruby && git checkout v3_1_4
 # patch -p1 < ../ruby-3.2.0-define-unsupported-gc-compaction-methods-as-rb_f_notimplement.patch
 # ./autogen.sh && ./configure
 # make gc.rbinc miniprelude.c
 # cd ..
-# diff -u {ruby-3.1.3,ruby}/gc.rbinc > ruby-3.2.0-define-unsupported-gc-compaction-methods_generated-files.patch
-# diff -u {ruby-3.1.3,ruby}/miniprelude.c >> ruby-3.2.0-define-unsupported-gc-compaction-methods_generated-files.patch
+# diff -u {ruby-3.1.4,ruby}/gc.rbinc > ruby-3.2.0-define-unsupported-gc-compaction-methods_generated-files.patch
+# diff -u {ruby-3.1.4,ruby}/miniprelude.c >> ruby-3.2.0-define-unsupported-gc-compaction-methods_generated-files.patch
 Patch23: ruby-3.2.0-define-unsupported-gc-compaction-methods_generated-files.patch
 # Define the GC compaction support macro at run time.
 # https://bugs.ruby-lang.org/issues/18829
@ -190,17 +190,11 @@ Patch27: ruby-irb-1.4.1-drop-rdoc-hard-dep.patch
 # Set soft dependency on RDoc in input-method.rb in IRB.
 # https://github.com/ruby/irb/pull/395
 Patch28: ruby-irb-1.4.1-set-rdoc-soft-dep.patch
-# CGI is now too restrictive about leading '.' in domain, leading to failures
-# in Rack, rack-test or ActionPack.
-# https://github.com/ruby/ruby/commit/656f25987cf2885104d5b13c8d3f5b7d32f1b333
-Patch29: ruby-3.2.0-ruby-cgi-Fix-test_cgi_cookie_new_with_domain-to-pass.patch
-# https://github.com/ruby/cgi/pull/29
-# https://github.com/ruby/ruby/commit/745dcf5326ea2c8e2047a3bddeb0fbb7e7d07649
-Patch30: ruby-3.2.0-ruby-cgi-Loosen-the-domain-regex-to-accept.patch
-# Fix Time Zone Database 2022g.
-# https://bugs.ruby-lang.org/issues/19187
-# https://github.com/ruby/ruby/commit/a1124dc162810f86cb0bff58cde24064cfc561bc
-Patch31: ruby-3.1.3-Fix-for-tzdata-2022g.patch
+# A Weakmap test uses compaction without safeguarding if the method is defined.
+# This test should be skipped if compaction is not supported on the platform.
+# https://github.com/ruby/ruby/commit/bffadcd6d46ccfccade79ce0efb60ced8eac4483
+# https://bugs.ruby-lang.org/issues/19529#note-7
+Patch29: ruby-3.1.4-Skip-test_compaction_bug_19529-if-compaction-unsupported.patch

 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Suggests: rubypick
@ -673,8 +667,6 @@ rm -rf ext/fiddle/libffi*
 %patch27 -p1
 %patch28 -p1
 %patch29 -p1
-%patch30 -p1
-%patch31 -p1

 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
@ -1249,7 +1241,7 @@ DISABLE_TESTS="$DISABLE_TESTS -n !/Fiddle::TestFunction#test_argument_count/"
 %{gem_dir}/specifications/default/abbrev-0.1.0.gemspec
 %{gem_dir}/specifications/default/base64-0.1.1.gemspec
 %{gem_dir}/specifications/default/benchmark-0.2.0.gemspec
-%{gem_dir}/specifications/default/cgi-0.3.5.gemspec
+%{gem_dir}/specifications/default/cgi-0.3.6.gemspec
 %{gem_dir}/specifications/default/csv-3.2.5.gemspec
 %{gem_dir}/specifications/default/date-3.2.2.gemspec
 %{gem_dir}/specifications/default/delegate-0.2.0.gemspec
@ -1300,12 +1292,12 @@ DISABLE_TESTS="$DISABLE_TESTS -n !/Fiddle::TestFunction#test_argument_count/"
 %{gem_dir}/specifications/default/strscan-3.0.1.gemspec
 %{gem_dir}/specifications/default/syslog-0.1.0.gemspec
 %{gem_dir}/specifications/default/tempfile-0.1.2.gemspec
-%{gem_dir}/specifications/default/time-0.2.0.gemspec
+%{gem_dir}/specifications/default/time-0.2.2.gemspec
 %{gem_dir}/specifications/default/timeout-0.2.0.gemspec
 %{gem_dir}/specifications/default/tmpdir-0.1.2.gemspec
 %{gem_dir}/specifications/default/tsort-0.1.0.gemspec
 %{gem_dir}/specifications/default/un-0.2.0.gemspec
-%{gem_dir}/specifications/default/uri-0.11.0.gemspec
+%{gem_dir}/specifications/default/uri-0.12.1.gemspec
 %{gem_dir}/specifications/default/weakref-0.1.1.gemspec
 #%%{gem_dir}/specifications/default/win32ole-1.8.8.gemspec
 %{gem_dir}/specifications/default/yaml-0.2.0.gemspec
@ -1545,6 +1537,11 @@ DISABLE_TESTS="$DISABLE_TESTS -n !/Fiddle::TestFunction#test_argument_count/"


 %changelog
+* Fri Mar 31 2023 Jarek Prokop jprokop@redhat.com - 3.1.4-175
+- Upgrade to Ruby 3.1.4.
+- Fix ReDoS vulnerability in URI (CVE-2023-28755)
+- Fix ReDoS vulnerability in Time (CVE-2023-28756)
+
 * Fri Jan 20 2023 Jun Aruga <jaruga@redhat.com> - 3.1.3-174
 - Fix for tzdata-2022g.