Your message dated Mon, 13 Jan 2025 17:22:14 +0000
with message-id <e1txo8k-00ftc0...@fasolo.debian.org>
and subject line Bug#1087960: fixed in ruby3.1 3.1.2-8.5
has caused the Debian Bug report #1087960,
regarding ruby3.1: Fix FTBFS against openssl 3.4
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1087960: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087960
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ruby3.1
Version: 3.1.2-8.4
Severity: important
Tags: sid patch
control: affects -1 src:openssl
User: pkg-openssl-de...@lists.alioth.debian.org
Usertags: openssl-3.4
ruby3.1's testsuite fails against openssl 3.4. The problem is that the
testsuite tries a CSR version which was never defined and openssl 3.4
started to verify the argument. Patch has been backported from upstream.
Sebastian
From 4418ceb66e8c6564ddfea0fc76c3abde285d7531 Mon Sep 17 00:00:00 2001
From: Job Snijders <j...@sobornost.net>
Date: Tue, 19 Nov 2024 20:49:31 +0000
Subject: [PATCH] [ruby/openssl] Only CSR version 1 (encoded as 0) is allowed
by PKIX standards
RFC 2986, section 4.1 only defines version 1 for CSRs. This version
is encoded as a 0. Starting with OpenSSL 3.3, setting the CSR version
to anything but 1 fails.
Do not attempt to generate a CSR with invalid version (which now fails)
and invalidate the CSR in test_sign_and_verify_rsa_sha1 by changing its
subject rather than using an invalid version.
This commit fixes the following error.
```
2) Error: test_version(OpenSSL::TestX509Request): OpenSSL::X509::RequestError:
X509_REQ_set_version: passed invalid argument
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `version='
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `issue_csr'
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:43:in `test_version'
40: req = OpenSSL::X509::Request.new(req.to_der)
41: assert_equal(0, req.version)
42:
=> 43: req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
44: assert_equal(1, req.version)
45: req = OpenSSL::X509::Request.new(req.to_der)
46: assert_equal(1, req.version)
```
https://github.com/ruby/openssl/commit/c06fdeb091
---
test/openssl/test_x509req.rb | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb
index ff17c4116306..b98754b8c8e4 100644
--- a/test/openssl/test_x509req.rb
+++ b/test/openssl/test_x509req.rb
@@ -39,11 +39,6 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
assert_equal(0, req.version)
req = OpenSSL::X509::Request.new(req.to_der)
assert_equal(0, req.version)
-
- req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
- assert_equal(1, req.version)
- req = OpenSSL::X509::Request.new(req.to_der)
- assert_equal(1, req.version)
end
def test_subject
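Review bot: after the `issue_csr(1, ...)` block is dropped, test_version only asserts the version 0 round trip, so nothing in the suite pins down how `version=` treats any other value. Consider a negative check, gated on the OpenSSL version, asserting that `req.version = 1` raises OpenSSL::X509::RequestError as in the trace quoted in the commit message, so a change in either direction shows up in the test run.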
@@ -106,7 +101,7 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
assert_equal(false, req.verify(@rsa2048))
assert_equal(false, request_error_returns_false { req.verify(@dsa256) })
assert_equal(false, request_error_returns_false { req.verify(@dsa512) })
- req.version = 1
+ req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBarFooBar")
assert_equal(false, req.verify(@rsa1024))
end
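Review bot: the replacement line `req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBarFooBar")` only invalidates the signature if that name differs from the subject the request was issued with, and that subject is not visible in this hunk. A one-line comment stating that the subject is changed to break the signature, or deriving the new name from `@dn` with an extra component, would keep the final `assert_equal(false, req.verify(@rsa1024))` from depending on the fixture's value.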
--
2.45.2
--- End Message ---
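An added example, not part of the original report or the upstream patch: it shows that the only CSR version RFC 2986 defines is encoded as INTEGER 0 in the DER, and that changing the subject after signing makes verification fail, which is how the patched test invalidates the request. The helper names, key and subjects are constructed for illustration.

```ruby
require "openssl"

# Build and sign a PKCS#10 request using the only version RFC 2986
# defines (v1, encoded as 0). Subject and key are constructed samples.
def build_csr(key, subject)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.parse(subject)
  req.public_key = key
  req.sign(key, OpenSSL::Digest.new("SHA256"))
  req
end

# Read the version field straight from the DER encoding:
#   CertificationRequest     ::= SEQUENCE { certificationRequestInfo, ... }
#   CertificationRequestInfo ::= SEQUENCE { version INTEGER, subject, ... }
def encoded_version(req)
  outer = OpenSSL::ASN1.decode(req.to_der)
  info = outer.value[0]
  info.value[0].value.to_i
end

# Sign a request, check it, then change the subject the way the patched
# test does and check again. The signature covers certificationRequestInfo,
# so any change to the subject must make verify return false.
def demo
  key = OpenSSL::PKey::RSA.new(2048)
  req = build_csr(key, "/C=JP/CN=FooBar")
  result = {
    version: req.version,
    encoded_version: encoded_version(req),
    verifies: req.verify(key),
  }
  req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBarFooBar")
  result[:tampered_verifies] = req.verify(key)
  result
end

p demo if $PROGRAM_NAME == __FILE__
```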
--- Begin Message ---
Source: ruby3.1
Source-Version: 3.1.2-8.5
Done: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
We believe that the bug you reported is fixed in the latest version of
ruby3.1, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1087...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebast...@breakpoint.cc> (supplier of updated
ruby3.1 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 10 Jan 2025 15:56:56 +0100
Source: ruby3.1
Architecture: source
Version: 3.1.2-8.5
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Closes: 1069969 1087960
Changes:
ruby3.1 (3.1.2-8.5) unstable; urgency=medium
.
* Non-maintainer upload.
* Fix test failures with OpenSSL 3.4 (Closes: #1087960).
* CVE-2024-27282 ("Arbitrary memory address read vulnerability with Regex
search") (Closes: #1069969).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---