GNU bug report logs - #77304
[PATCH] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, CVE-2025-27220, CVE-2025-27221}]

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Christopher Baines <mail <at> cbaines.net>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#77304: closed ([PATCH] gnu: ruby-3.1.7: Upgrade to 3.1.7
 [fixes CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, CVE-2025-27220,
 CVE-2025-27221}])
Date: Mon, 26 May 2025 15:24:02 +0000

[Message part 1 (text/plain, inline)]

Your message dated Mon, 26 May 2025 16:22:31 +0100
with message-id <878qmjjt1k.fsf <at> cbaines.net>
and subject line Re: [bug#77304] [PATCH v2] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, 27220, 27221}]
has caused the debbugs.gnu.org bug report #77304,
regarding [PATCH] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, CVE-2025-27220, CVE-2025-27221}]
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
77304: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=77304
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Remco van 't Veer <remco <at> remworks.net>
To: guix-patches <at> gnu.org
Cc: Remco van 't Veer <remco <at> remworks.net>
Subject: [PATCH] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280,
 27281, 27282}, CVE-2025-{27219, CVE-2025-27220, CVE-2025-27221}]
Date: Thu, 27 Mar 2025 11:00:24 +0100

Fixes: CVE-2024-27280 (Buffer overread vulnerability in StringIO),
CVE-2024-27281 (RCE vulnerability with .rdoc_options in RDoc),
CVE-2024-27282 (Arbitrary memory address read vulnerability with Regex
search), CVE-2025-27219 (Denial of Service in CGI::Cookie.parse)
CVE-2025-27220 (ReDoS in CGI::Util#escapeElement), and
CVE-2025-27221 (userinfo leakage in URI#join, URI#merge and URI#+).

* gnu/packages/ruby.scm (ruby-3.1)[replacement]: New field pointing to ruby-3.1.7.
* gnu/packages/ruby.scm (ruby-3.1.7): Add package.

Change-Id: I9c4758f4622d5844cc9a23c2865a3d0210a4ebae
---
 gnu/packages/ruby.scm | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 24407fbd58..875a1b9a10 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -29,7 +29,7 @@
 ;;; Copyright © 2020 Tomás Ortín Fernández <tomasortin <at> mailbox.org>
 ;;; Copyright © 2021 Giovanni Biscuolo <g <at> xelera.eu>
 ;;; Copyright © 2022 Philip McGrath <philip <at> philipmcgrath.com>
-;;; Copyright © 2022-2024 Remco van 't Veer <remco <at> remworks.net>
+;;; Copyright © 2022-2025 Remco van 't Veer <remco <at> remworks.net>
 ;;; Copyright © 2022 Taiju HIGASHI <higashi <at> taiju.info>
 ;;; Copyright © 2023 Yovan Naumovski <yovan <at> gorski.stream>
 ;;; Copyright © 2023, 2024 gemmaro <gemmaro.dev <at> gmail.com>
@@ -250,6 +250,7 @@ (define-public ruby-3.1
   (package
     (inherit ruby-3.0)
     (version "3.1.4")
+    (replacement ruby-3.1.7)
     (source
      (origin
        (method url-fetch)
@@ -260,6 +261,22 @@ (define-public ruby-3.1
         (base32
          "0kzr792rk9n9yrqlyrkc1a0cmbk5y194f7v7p4vwjdk0ww860v8v"))))))
 
++;;; TODO: This newer version resolves serveral CVEs.  Remove
++;;; after ungrafting ruby.
+(define ruby-3.1.7
+  (package
+    (inherit ruby-3.1)
+    (version "3.1.7")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "http://cache.ruby-lang.org/pub/ruby/"
+                           (version-major+minor version)
+                           "/ruby-" version ".tar.xz"))
+       (sha256
+        (base32
+         "0ddhh3nzfnwwb0ks3rsmf3w1m71ban30wf61djn8gnkbbd2wr2k5"))))))
+
 (define-public ruby-3.2
   (package
     (inherit ruby-3.1)

base-commit: 90d525e0cffeb7498e7b98bedbc9ae67814c06a2
-- 
2.49.0

[Message part 3 (message/rfc822, inline)]

From: Christopher Baines <mail <at> cbaines.net>
To: Remco van 't Veer <remco <at> remworks.net>
Cc: Christopher Baines <guix <at> cbaines.net>, 77304-done <at> debbugs.gnu.org
Subject: Re: [bug#77304] [PATCH v2] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes
 CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, 27220, 27221}]
Date: Mon, 26 May 2025 16:22:31 +0100

[Message part 4 (text/plain, inline)]

Remco van 't Veer <remco <at> remworks.net> writes:

> Fixes: CVE-2024-27280 (Buffer overread vulnerability in StringIO),
> CVE-2024-27281 (RCE vulnerability with .rdoc_options in RDoc),
> CVE-2024-27282 (Arbitrary memory address read vulnerability with Regex
> search), CVE-2025-27219 (Denial of Service in CGI::Cookie.parse)
> CVE-2025-27220 (ReDoS in CGI::Util#escapeElement), and
> CVE-2025-27221 (userinfo leakage in URI#join, URI#merge and URI#+).
>
> * gnu/packages/ruby.scm (ruby-3.1)[replacement]: New field pointing to ruby-3.1.7.
> * gnu/packages/ruby.scm (ruby-3.1.7): Add package.
>
> Change-Id: I9c4758f4622d5844cc9a23c2865a3d0210a4ebae
> ---
>
> Changes in this v2:
>
> * improve commit subject.
>
>  gnu/packages/ruby.scm | 19 ++++++++++++++++++-
>  1 file changed, 18 insertions(+), 1 deletion(-)

Thanks for the patch, I've pushed this to master as
72ac4a8fc6affa789df63382fc1b57c199d0c720.

Chris

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.