ruby: update to 3.3.5 to resolve CVE-2024-39908 and CVE-2024-49761 (#…

…10988)

Signed-off-by: Saul Paredes <[email protected]>
Co-authored-by: Mykhailo Bykhovtsev <[email protected]>
Co-authored-by: jslobodzian <[email protected]>

SPECS/ruby/Avoid-another-race-condition-of-open-mode.patch

@@ -0,0 +1,45 @@
+From 2daad257bee7a500e18ebe553e79487b267fb140 Mon Sep 17 00:00:00 2001
+From: Nobuyoshi Nakada <[email protected]>
+Date: Mon, 12 Aug 2024 20:18:34 +0900
+Subject: [PATCH] Avoid another race condition of open mode
+
+Instead, just open in CREATE and APPEND mode.
+Also, move the workaround for old Solaris as fallback to retry.
+---
+ lib/rubygems.rb | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/lib/rubygems.rb b/lib/rubygems.rb
+index 2b52cde0a749..c51ba69203cb 100644
+--- a/lib/rubygems.rb
++++ b/lib/rubygems.rb
+@@ -798,24 +798,20 @@ def self.open_file(path, flags, &block)
+     File.open(path, flags, &block)
+   end
+
++  MODE_TO_FLOCK = IO::RDONLY | IO::APPEND | IO::CREAT # :nodoc:
++
+   ##
+   # Open a file with given flags, and protect access with flock
+
+   def self.open_file_with_flock(path, &block)
+-    flags = File.exist?(path) ? "r+" : "a+"
+-
+-    File.open(path, flags) do |io|
++    File.open(path, MODE_TO_FLOCK) do |io|
+       begin
+         io.flock(File::LOCK_EX)
+       rescue Errno::ENOSYS, Errno::ENOTSUP
++      rescue Errno::ENOLCK # NFS
++        raise unless Thread.main == Thread.current
+       end
+       yield io
+-    rescue Errno::ENOLCK # NFS
+-      if Thread.main != Thread.current
+-        raise
+-      else
+-        open_file(path, flags, &block)
+-      end
+     end
+   end
+

SPECS/ruby/CVE-2024-49761.patch

@@ -0,0 +1,46 @@
+From 51474a44f41e1e26cac2168922034f675851855d Mon Sep 17 00:00:00 2001
+From: Saul Paredes <[email protected]>
+Date: Tue, 12 Nov 2024 12:30:10 -0800
+Subject: [PATCH] ruby: patch CVE-2024-49761 Patch adapted from
+ https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
+ which fixes CVE-2024-49761 per
+ https://nvd.nist.gov/vuln/detail/CVE-2024-49761
+
+Needed for rubygem-rexml versions < 3.3.9
+
+Signed-off-by: Saul Paredes <[email protected]>
+---
+ .../gems/rexml-3.3.6/lib/rexml/parsers/baseparser.rb   | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/.bundle/gems/rexml-3.3.6/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.3.6/lib/rexml/parsers/baseparser.rb
+index d11c276..e9ab0ee 100644
+--- a/.bundle/gems/rexml-3.3.6/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.3.6/lib/rexml/parsers/baseparser.rb
+@@ -150,7 +150,7 @@ module REXML
+         PEDECL_PATTERN = "\\s+(%)\\s+#{NAME}\\s+#{PEDEF}\\s*>"
+         ENTITYDECL_PATTERN = /(?:#{GEDECL_PATTERN})|(?:#{PEDECL_PATTERN})/um
+         CARRIAGE_RETURN_NEWLINE_PATTERN = /\r\n?/
+-        CHARACTER_REFERENCES = /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/
++        CHARACTER_REFERENCES = /&#((?:\d+)|(?:x[a-fA-F0-9]+));/
+         DEFAULT_ENTITIES_PATTERNS = {}
+         default_entities = ['gt', 'lt', 'quot', 'apos', 'amp']
+         default_entities.each do |term|
+@@ -564,8 +564,12 @@ module REXML
+         return rv if matches.size == 0
+         rv.gsub!( Private::CHARACTER_REFERENCES ) {
+           m=$1
+-          m = "0#{m}" if m[0] == ?x
+-          [Integer(m)].pack('U*')
++          if m.start_with?("x")
++            code_point = Integer(m[1..-1], 16)
++          else
++            code_point = Integer(m, 10)
++          end
++          [code_point].pack('U*')
+         }
+         matches.collect!{|x|x[0]}.compact!
+         if filter
+-- 
+2.25.1
+

SPECS/ruby/Remove-the-lock-file-for-binstubs.patch

@@ -0,0 +1,99 @@
+From ace303c2d7bc0d98407e5e8b1ca77de07aa0eb75 Mon Sep 17 00:00:00 2001
+From: Nobuyoshi Nakada <[email protected]>
+Date: Tue, 13 Aug 2024 17:19:41 +0900
+Subject: [PATCH] Remove the lock file for binstubs
+
+https://github.com/rubygems/rubygems/pull/7806#issuecomment-2241662488
+
+This patch is needed so other rubygems don't install unnecessary lock files per 
+https://src.fedoraproject.org/rpms/ruby/c/b7e197fb887200e4faaf8fae663a9df00bdc09d3?branch=rawhide
+
+---
+ lib/rubygems.rb                     |  2 +-
+ lib/rubygems/installer.rb           |  3 ++-
+ test/rubygems/test_gem_installer.rb | 10 ++++++++++
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/lib/rubygems.rb b/lib/rubygems.rb
+index bd9f240e2091..7626ccfdf0d6 100644
+--- a/lib/rubygems.rb
++++ b/lib/rubygems.rb
+@@ -794,7 +794,7 @@ def self.open_file(path, flags, &block)
+     File.open(path, flags, &block)
+   end
+
+-  MODE_TO_FLOCK = IO::RDONLY | IO::APPEND | IO::CREAT # :nodoc:
++  MODE_TO_FLOCK = IO::RDONLY | IO::APPEND | IO::CREAT | IO::SHARE_DELETE | IO::BINARY # :nodoc:
+
+   ##
+   # Open a file with given flags, and protect access with flock
+diff --git a/lib/rubygems/installer.rb b/lib/rubygems/installer.rb
+index d558c0be2bfa..8f95bab733f8 100644
+--- a/lib/rubygems/installer.rb
++++ b/lib/rubygems/installer.rb
+@@ -538,7 +538,7 @@ def generate_plugins # :nodoc:
+   def generate_bin_script(filename, bindir)
+     bin_script_path = File.join bindir, formatted_program_filename(filename)
+
+-    Gem.open_file_with_flock("#{bin_script_path}.lock") do
++    Gem.open_file_with_flock("#{bin_script_path}.lock") do |lock|
+       require "fileutils"
+       FileUtils.rm_f bin_script_path # prior install may have been --no-wrappers
+
+@@ -546,6 +546,7 @@ def generate_bin_script(filename, bindir)
+         file.write app_script_text(filename)
+         file.chmod(options[:prog_mode] || 0o755)
+       end
++      File.unlink(lock.path)
+     end
+
+     verbose bin_script_path
+diff --git a/test/rubygems/test_gem_installer.rb b/test/rubygems/test_gem_installer.rb
+index a61d1b6fff28..2f4ff7349db4 100644
+--- a/test/rubygems/test_gem_installer.rb
++++ b/test/rubygems/test_gem_installer.rb
+@@ -1083,6 +1083,8 @@ def test_install_creates_working_binstub
+     end
+
+     assert_match(/ran executable/, e.message)
++
++    assert_path_not_exist(File.join(installer.bin_dir, "executable.lock"))
+   end
+
+   def test_conflicting_binstubs
+@@ -1131,6 +1133,8 @@ def test_conflicting_binstubs
+     # We expect the bin stub to activate the version that actually contains
+     # the binstub.
+     assert_match("I have an executable", e.message)
++
++    assert_path_not_exist(File.join(installer.bin_dir, "executable.lock"))
+   end
+
+   def test_install_creates_binstub_that_understand_version
+@@ -1160,6 +1164,8 @@ def test_install_creates_binstub_that_understand_version
+     end
+
+     assert_includes(e.message, "can't find gem a (= 3.0)")
++
++    assert_path_not_exist(File.join(installer.bin_dir, "executable.lock"))
+   end
+
+   def test_install_creates_binstub_that_prefers_user_installed_gem_to_default
+@@ -1192,6 +1198,8 @@ def test_install_creates_binstub_that_prefers_user_installed_gem_to_default
+     end
+
+     assert_equal(e.message, "ran executable")
++
++    assert_path_not_exist(File.join(installer.bin_dir, "executable.lock"))
+   end
+
+   def test_install_creates_binstub_that_dont_trust_encoding
+@@ -1222,6 +1230,8 @@ def test_install_creates_binstub_that_dont_trust_encoding
+     end
+
+     assert_match(/ran executable/, e.message)
++
++    assert_path_not_exist(File.join(installer.bin_dir, "executable.lock"))
+   end
+
+   def test_install_with_no_prior_files

SPECS/ruby/ruby.signatures.json

@@ -7,6 +7,6 @@
     "rubygems.con": "eb804c6b50eeafdb2172285265bc487a80acaa9846233cd5f1d20a25f1dac2ea",
     "rubygems.prov": "b79c1f5873dd20d251e100b276a5e584c1fb677f3e1b92534fc09130fabe8ee5",
     "rubygems.req": "e85681d8fa45d214055f3b26a8c1829b3a4bd67b26a5ef3c1f6426e7eff83ad0",
-    "ruby-3.3.3.tar.gz": "83c05b2177ee9c335b631b29b8c077b4770166d02fa527f3a9f6a40d13f3cce2"
+    "ruby-3.3.5.tar.gz": "3781a3504222c2f26cb4b9eb9c1a12dbf4944d366ce24a9ff8cf99ecbce75196"
   }
 }