Package: ruby3.1
Version: 3.1.2-8.4
Severity: normal
Tags: patch  pending

Dear maintainer,

I've prepared an NMU for ruby3.1 (versioned as 3.1.2-8.5) and
uploaded it to DELAYED/3. Please feel free to tell me if I
should delay it longer.

Regards.
Sebastian
diff -Nru ruby3.1-3.1.2/debian/changelog ruby3.1-3.1.2/debian/changelog
--- ruby3.1-3.1.2/debian/changelog	2024-08-26 15:00:57.000000000 +0200
+++ ruby3.1-3.1.2/debian/changelog	2025-01-10 15:56:56.000000000 +0100
@@ -1,3 +1,12 @@
+ruby3.1 (3.1.2-8.5) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix test failures with OpenSSL 3.4 (Closes: #1087960).
+  * CVE-2024-27282 ("Arbitrary memory address read vulnerability with Regex
+    search") (Closes: #1069969).
+
+ -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc>  Fri, 10 Jan 2025 15:56:56 +0100
+
 ruby3.1 (3.1.2-8.4) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru ruby3.1-3.1.2/debian/patches/Fix-Use-After-Free-issue-for-Regexp.patch ruby3.1-3.1.2/debian/patches/Fix-Use-After-Free-issue-for-Regexp.patch
--- ruby3.1-3.1.2/debian/patches/Fix-Use-After-Free-issue-for-Regexp.patch	1970-01-01 01:00:00.000000000 +0100
+++ ruby3.1-3.1.2/debian/patches/Fix-Use-After-Free-issue-for-Regexp.patch	2025-01-10 15:55:21.000000000 +0100
@@ -0,0 +1,21 @@
+From: Hiroshi SHIBATA <h...@ruby-lang.org>
+Date: Fri, 12 Apr 2024 15:01:47 +1000
+Subject: [PATCH 5/5] Fix Use-After-Free issue for Regexp
+
+Co-authored-by: Isaac Peka <7493006+isaac-p...@users.noreply.github.com>
+---
+ regexec.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/regexec.c
++++ b/regexec.c
+@@ -2528,8 +2528,8 @@ match_at(regex_t* reg, const UChar* str,
+     CASE(OP_MEMORY_END_PUSH_REC)  MOP_IN(OP_MEMORY_END_PUSH_REC);
+       GET_MEMNUM_INC(mem, p);
+       STACK_GET_MEM_START(mem, stkp); /* should be before push mem-end. */
+-      STACK_PUSH_MEM_END(mem, s);
+       mem_start_stk[mem] = GET_STACK_INDEX(stkp);
++      STACK_PUSH_MEM_END(mem, s);
+       MOP_OUT;
+       JUMP;
+ 
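Review bot: The new patch file carries no DEP-3 header, so the reason for moving `mem_start_stk[mem] = GET_STACK_INDEX(stkp);` ahead of `STACK_PUSH_MEM_END(mem, s);` is recoverable only from the one-line subject. The push presumably can grow and reallocate the match stack, after which `stkp` (fetched by `STACK_GET_MEM_START` two lines above) would point into freed memory and the index computed from it would be wrong — confirm against the STACK_ENSURE/stack_double path in regexec.c, which is outside this hunk. I would add `Origin: backport, <upstream commit URL>`, `Bug-Debian: https://bugs.debian.org/1069969` and a `Description:` line naming CVE-2024-27282 and this reallocation hazard, so the next uploader can judge whether the backport is complete without re-deriving it. The subject's "[PATCH 5/5]" also implies four sibling upstream patches; a header line stating whether they are already in the series or not needed for 3.1.2 would close that question. The match_at function continues outside the inner hunk.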
diff -Nru ruby3.1-3.1.2/debian/patches/ruby3.1-ruby-openssl-Only-CSR-version-1-encoded-as-0-is-allo.patch ruby3.1-3.1.2/debian/patches/ruby3.1-ruby-openssl-Only-CSR-version-1-encoded-as-0-is-allo.patch
--- ruby3.1-3.1.2/debian/patches/ruby3.1-ruby-openssl-Only-CSR-version-1-encoded-as-0-is-allo.patch	1970-01-01 01:00:00.000000000 +0100
+++ ruby3.1-3.1.2/debian/patches/ruby3.1-ruby-openssl-Only-CSR-version-1-encoded-as-0-is-allo.patch	2025-01-10 15:39:50.000000000 +0100
@@ -0,0 +1,65 @@
+From 4418ceb66e8c6564ddfea0fc76c3abde285d7531 Mon Sep 17 00:00:00 2001
+From: Job Snijders <j...@sobornost.net>
+Date: Tue, 19 Nov 2024 20:49:31 +0000
+Subject: [PATCH] [ruby/openssl] Only CSR version 1 (encoded as 0) is allowed
+ by PKIX standards
+
+RFC 2986, section 4.1 only defines version 1 for CSRs. This version
+is encoded as a 0. Starting with OpenSSL 3.3, setting the CSR version
+to anything but 1 fails.
+
+Do not attempt to generate a CSR with invalid version (which now fails)
+and invalidate the CSR in test_sign_and_verify_rsa_sha1 by changing its
+subject rather than using an invalid version.
+
+This commit fixes the following error.
+
+```
+ 2) Error: test_version(OpenSSL::TestX509Request): OpenSSL::X509::RequestError:
+X509_REQ_set_version: passed invalid argument
+/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `version='
+/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `issue_csr'
+/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:43:in
+`test_version'
+     40:     req = OpenSSL::X509::Request.new(req.to_der)
+     41:     assert_equal(0, req.version)
+     42:
+  => 43:     req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
+     44:     assert_equal(1, req.version)
+     45:     req = OpenSSL::X509::Request.new(req.to_der)
+     46:     assert_equal(1, req.version)
+```
+
+https://github.com/ruby/openssl/commit/c06fdeb091
+---
+ test/openssl/test_x509req.rb | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb
+index ff17c4116306..b98754b8c8e4 100644
+--- a/test/openssl/test_x509req.rb
++++ b/test/openssl/test_x509req.rb
+@@ -39,11 +39,6 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
+     assert_equal(0, req.version)
+     req = OpenSSL::X509::Request.new(req.to_der)
+     assert_equal(0, req.version)
+-
+-    req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
+-    assert_equal(1, req.version)
+-    req = OpenSSL::X509::Request.new(req.to_der)
+-    assert_equal(1, req.version)
+   end
+ 
+   def test_subject
+@@ -106,7 +101,7 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
+     assert_equal(false, req.verify(@rsa2048))
+     assert_equal(false, request_error_returns_false { req.verify(@dsa256) })
+     assert_equal(false, request_error_returns_false { req.verify(@dsa512) })
+-    req.version = 1
++    req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBarFooBar")
+     assert_equal(false, req.verify(@rsa1024))
+   end
+ 
+-- 
+2.45.2
+
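Review bot: The patch header keeps the upstream reference only as a free-text line (`https://github.com/ruby/openssl/commit/c06fdeb091`) and has no DEP-3 fields, so the provenance is not machine-readable. Adding `Origin: upstream, https://github.com/ruby/openssl/commit/c06fdeb091` and `Bug-Debian: https://bugs.debian.org/1087960` at the top of the header would fix that. The changelog entry cites OpenSSL 3.4 while the upstream message says the failure starts with OpenSSL 3.3; a `Description:` line reconciling the two would spare the next reader a check of which OpenSSL the 3.1.2 build sees. Removing the `issue_csr(1, ...)` block from test_version also leaves `version=` exercised only for 0, which matches upstream but is worth stating since older OpenSSL still accepts other values. The enclosing class OpenSSL::TestX509Request continues outside both inner hunks.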
diff -Nru ruby3.1-3.1.2/debian/patches/series ruby3.1-3.1.2/debian/patches/series
--- ruby3.1-3.1.2/debian/patches/series	2024-08-26 15:00:57.000000000 +0200
+++ ruby3.1-3.1.2/debian/patches/series	2025-01-10 15:55:46.000000000 +0100
@@ -19,3 +19,5 @@
 Update-test-certificates.patch
 openssl-3.3.patch
 deduplicate-getaddrinfo.patch
+ruby3.1-ruby-openssl-Only-CSR-version-1-encoded-as-0-is-allo.patch
+Fix-Use-After-Free-issue-for-Regexp.patch
