#77304 - [PATCH] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, CVE-2025-27220, CVE-2025-27221}]

GNU bug report logs - #77304
[PATCH] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, CVE-2025-27220, CVE-2025-27221}]

Reported by: Remco van 't Veer <remco <at> remworks.net>

Date: Thu, 27 Mar 2025 10:02:04 UTC

Severity: normal

Tags: patch

Done: Christopher Baines <mail <at> cbaines.net>

View this message in rfc822 format

From: Remco van 't Veer <remco <at> remworks.net> To: 77304 <at> debbugs.gnu.org Cc: Remco van 't Veer <remco <at> remworks.net>, Christopher Baines <guix <at> cbaines.net> Subject: [bug#77304] [PATCH v2] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, 27220, 27221}] Date: Thu, 27 Mar 2025 11:25:00 +0100

Fixes: CVE-2024-27280 (Buffer overread vulnerability in StringIO), CVE-2024-27281 (RCE vulnerability with .rdoc_options in RDoc), CVE-2024-27282 (Arbitrary memory address read vulnerability with Regex search), CVE-2025-27219 (Denial of Service in CGI::Cookie.parse) CVE-2025-27220 (ReDoS in CGI::Util#escapeElement), and CVE-2025-27221 (userinfo leakage in URI#join, URI#merge and URI#+). * gnu/packages/ruby.scm (ruby-3.1)[replacement]: New field pointing to ruby-3.1.7. * gnu/packages/ruby.scm (ruby-3.1.7): Add package. Change-Id: I9c4758f4622d5844cc9a23c2865a3d0210a4ebae --- Changes in this v2: * improve commit subject. gnu/packages/ruby.scm | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm index 24407fbd58..875a1b9a10 100644 --- a/gnu/packages/ruby.scm +++ b/gnu/packages/ruby.scm @@ -29,7 +29,7 @@ ;;; Copyright © 2020 Tomás Ortín Fernández <tomasortin <at> mailbox.org> ;;; Copyright © 2021 Giovanni Biscuolo <g <at> xelera.eu> ;;; Copyright © 2022 Philip McGrath <philip <at> philipmcgrath.com> -;;; Copyright © 2022-2024 Remco van 't Veer <remco <at> remworks.net> +;;; Copyright © 2022-2025 Remco van 't Veer <remco <at> remworks.net> ;;; Copyright © 2022 Taiju HIGASHI <higashi <at> taiju.info> ;;; Copyright © 2023 Yovan Naumovski <yovan <at> gorski.stream> ;;; Copyright © 2023, 2024 gemmaro <gemmaro.dev <at> gmail.com> @@ -250,6 +250,7 @@ (define-public ruby-3.1 (package (inherit ruby-3.0) (version "3.1.4") + (replacement ruby-3.1.7) (source (origin (method url-fetch) @@ -260,6 +261,22 @@ (define-public ruby-3.1 (base32 "0kzr792rk9n9yrqlyrkc1a0cmbk5y194f7v7p4vwjdk0ww860v8v")))))) ++;;; TODO: This newer version resolves serveral CVEs. Remove ++;;; after ungrafting ruby. +(define ruby-3.1.7 + (package + (inherit ruby-3.1) + (version "3.1.7") + (source + (origin + (method url-fetch) + (uri (string-append "http://cache.ruby-lang.org/pub/ruby/" + (version-major+minor version) + "/ruby-" version ".tar.xz")) + (sha256 + (base32 + "0ddhh3nzfnwwb0ks3rsmf3w1m71ban30wf61djn8gnkbbd2wr2k5")))))) + (define-public ruby-3.2 (package (inherit ruby-3.1) base-commit: 90d525e0cffeb7498e7b98bedbc9ae67814c06a2 -- 2.49.0

This bug report was last modified 20 days ago.

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #77304 [PATCH] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, CVE-2025-27220, CVE-2025-27221}]

GNU bug report logs - #77304
[PATCH] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, CVE-2025-27220, CVE-2025-27221}]