unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed
* [bug#56302] [PATCH] gnu: ruby: Update to 2.7.6 [security fixes].
@ 2022-06-29 15:55 Remco van 't Veer
       [not found] ` <handler.56302.B.165651815228055.ack@debbugs.gnu.org>
                   ` (2 more replies)
  0 siblings, 3 replies; 11+ messages in thread
From: Remco van 't Veer @ 2022-06-29 15:55 UTC (permalink / raw)
  To: 56302; +Cc: Remco van 't Veer

Includes fixes for: CVE-2022-28739, CVE-2021-41816, and CVE-2021-41817.

* gnu/packages/ruby.scm (ruby-2.7): Update to 2.7.6.
---
 gnu/packages/ruby.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 5b65196c6c..9e1aff410f 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -28,6 +28,7 @@
 ;;; Copyright © 2021 EuAndreh <eu@euandre.org>
 ;;; Copyright © 2020 Tomás Ortín Fernández <tomasortin@mailbox.org>
 ;;; Copyright © 2021 Giovanni Biscuolo <g@xelera.eu>
+;;; Copyright © 2022 Remco van 't Veer <remco@remworks.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -151,7 +152,7 @@ (define-public ruby-2.6
 (define-public ruby-2.7
   (package
     (inherit ruby-2.6)
-    (version "2.7.4")
+    (version "2.7.6")
     (source
      (origin
        (inherit (package-source ruby-2.6))
@@ -160,7 +161,7 @@ (define-public ruby-2.7
                            "/ruby-" version ".tar.gz"))
        (sha256
         (base32
-         "0nxwkxh7snmjqf787qsp4i33mxd1rbf9yzyfiky5k230i680jhrh"))))
+         "042xrdk7hsv4072bayz3f8ffqh61i8zlhvck10nfshllq063n877"))))
     (arguments
      `(#:test-target "test"
        #:configure-flags '("--enable-shared") ; dynamic linking

base-commit: 4bc6888f5e475e06019790c76fd20caf4cc137f4
-- 
2.36.1





^ permalink raw reply related	[flat|nested] 11+ messages in thread

* [bug#56302] Acknowledgement ([PATCH] gnu: ruby: Update to 2.7.6 [security fixes].)
       [not found] ` <handler.56302.B.165651815228055.ack@debbugs.gnu.org>
@ 2022-06-29 15:58   ` Remco van 't Veer
  2022-06-29 16:04     ` Tobias Geerinckx-Rice via Guix-patches via
  2022-06-29 16:04     ` Maxime Devos
  0 siblings, 2 replies; 11+ messages in thread
From: Remco van 't Veer @ 2022-06-29 15:58 UTC (permalink / raw)
  To: 56302

Please note:

  $ guix refresh --list-dependent ruby@2.7
  Building the following 2346 packages would ensure 6612 dependent packages are rebuilt: ...

So this goes into core-updates.




^ permalink raw reply	[flat|nested] 11+ messages in thread

* [bug#56302] Acknowledgement ([PATCH] gnu: ruby: Update to 2.7.6 [security fixes].)
  2022-06-29 15:58   ` [bug#56302] Acknowledgement ([PATCH] gnu: ruby: Update to 2.7.6 [security fixes].) Remco van 't Veer
@ 2022-06-29 16:04     ` Tobias Geerinckx-Rice via Guix-patches via
  2022-06-29 16:04     ` Maxime Devos
  1 sibling, 0 replies; 11+ messages in thread
From: Tobias Geerinckx-Rice via Guix-patches via @ 2022-06-29 16:04 UTC (permalink / raw)
  To: 56302, remco

Right, but '[security fixes]' means we (also) need to graft on master.

Would you want to give that a try?

Thanks for the patch!

T G-R

Sent on the go.  Excuse or enjoy my brevity.




^ permalink raw reply	[flat|nested] 11+ messages in thread

* [bug#56302] Acknowledgement ([PATCH] gnu: ruby: Update to 2.7.6 [security fixes].)
  2022-06-29 15:58   ` [bug#56302] Acknowledgement ([PATCH] gnu: ruby: Update to 2.7.6 [security fixes].) Remco van 't Veer
  2022-06-29 16:04     ` Tobias Geerinckx-Rice via Guix-patches via
@ 2022-06-29 16:04     ` Maxime Devos
  2022-06-29 16:13       ` Remco van 't Veer
  1 sibling, 1 reply; 11+ messages in thread
From: Maxime Devos @ 2022-06-29 16:04 UTC (permalink / raw)
  To: Remco van 't Veer, 56302

[-- Attachment #1: Type: text/plain, Size: 887 bytes --]

Remco van 't Veer schreef op wo 29-06-2022 om 17:58 [+0200]:
> Please note:
> 
>   $ guix refresh --list-dependent ruby@2.7
>   Building the following 2346 packages would ensure 6612 dependent packages are rebuilt: ...
> 
> So this goes into core-updates.

core-updates probably won't be merged for a long time, so a graft might
be needed in the meantime.

Basically, what you need to do is:

  * keep the old ruby@2.7.4 package definition
  * add a ruby@2.7.6 package (as (define-public ruby-2.7-fixed [...]))
  * in ruby@2.7.4, add a field
    (replacement ruby-2.7-fixed) ; security fixes

and verify that some Ruby-using dependents still seem to work.

That way, we can use a fixed ruby@2.7.6 on master.

(This assumes that ruby is graftable -- this assumes that ruby is
ABI-compatible, otherwise the grafted dependents won't work.)

Greetings,
Maxime

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 260 bytes --]

^ permalink raw reply	[flat|nested] 11+ messages in thread

* [bug#56302] Acknowledgement ([PATCH] gnu: ruby: Update to 2.7.6 [security fixes].)
  2022-06-29 16:04     ` Maxime Devos
@ 2022-06-29 16:13       ` Remco van 't Veer
  2022-06-29 18:18         ` Maxime Devos
  0 siblings, 1 reply; 11+ messages in thread
From: Remco van 't Veer @ 2022-06-29 16:13 UTC (permalink / raw)
  To: Maxime Devos; +Cc: 56302

2022/06/29 18:04, Maxime Devos:

> core-updates probably won't be merged for a long time, so a graft might
> be needed in the meantime.

So, keep this bug and make a new patch / bug for the graft?

> Basically, what you need to do is:
>
>   * keep the old ruby@2.7.4 package definition
>   * add a ruby@2.7.6 package (as (define-public ruby-2.7-fixed [...]))
>   * in ruby@2.7.4, add a field
>     (replacement ruby-2.7-fixed) ; security fixes
>
> and verify that some Ruby-using dependents still seem to work.
>
> That way, we can use a fixed ruby@2.7.6 on master.
>
> (This assumes that ruby is graftable -- this assumes that ruby is
> ABI-compatible, otherwise the grafted dependents won't work.)

Thanks for the explanation! I'll give it a try.

Cheers,
Remco




^ permalink raw reply	[flat|nested] 11+ messages in thread

* [bug#56302] [PATCH v2] gnu: ruby: Update to 2.7.6 [security fixes].
  2022-06-29 15:55 [bug#56302] [PATCH] gnu: ruby: Update to 2.7.6 [security fixes] Remco van 't Veer
       [not found] ` <handler.56302.B.165651815228055.ack@debbugs.gnu.org>
@ 2022-06-29 18:00 ` Remco van 't Veer
  2022-08-29 14:48   ` bug#56302: " Marius Bakke
  2022-06-29 18:29 ` [bug#56302] [PATCH] " Maxime Devos
  2 siblings, 1 reply; 11+ messages in thread
From: Remco van 't Veer @ 2022-06-29 18:00 UTC (permalink / raw)
  To: 56302; +Cc: Tobias Geerinckx-Rice, Maxime Devos, Remco van 't Veer

Includes fixes for: CVE-2022-28739, CVE-2021-41816, and CVE-2021-41817.

* gnu/packages/ruby.scm (ruby-2.7-fixed): New variable.
(ruby-2.7)[replacement]: Graft.
---
 gnu/packages/ruby.scm | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 68e5d8dfd6..0b6626bdf7 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -28,6 +28,7 @@
 ;;; Copyright © 2021 EuAndreh <eu@euandre.org>
 ;;; Copyright © 2020 Tomás Ortín Fernández <tomasortin@mailbox.org>
 ;;; Copyright © 2021 Giovanni Biscuolo <g@xelera.eu>
+;;; Copyright © 2022 Remco van 't Veer <remco@remworks.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -152,6 +153,7 @@ (define-public ruby-2.7
   (package
     (inherit ruby-2.6)
     (version "2.7.4")
+    (replacement ruby-2.7-fixed) ; security fixes
     (source
      (origin
        (inherit (package-source ruby-2.6))
@@ -186,6 +188,20 @@ (define-public ruby-2.7
     (native-inputs
      (list autoconf))))
 
+(define ruby-2.7-fixed
+  (package
+    (inherit ruby-2.7)
+    (version "2.7.6")
+    (source
+     (origin
+       (inherit (package-source ruby-2.7))
+       (uri (string-append "https://cache.ruby-lang.org/pub/ruby/"
+                           (version-major+minor version)
+                           "/ruby-" version ".tar.gz"))
+       (sha256
+        (base32
+         "042xrdk7hsv4072bayz3f8ffqh61i8zlhvck10nfshllq063n877"))))))
+
 (define-public ruby-3.0
   (package
     (inherit ruby-2.7)
-- 
2.36.1





^ permalink raw reply related	[flat|nested] 11+ messages in thread

* [bug#56302] Acknowledgement ([PATCH] gnu: ruby: Update to 2.7.6 [security fixes].)
  2022-06-29 16:13       ` Remco van 't Veer
@ 2022-06-29 18:18         ` Maxime Devos
  0 siblings, 0 replies; 11+ messages in thread
From: Maxime Devos @ 2022-06-29 18:18 UTC (permalink / raw)
  To: Remco van 't Veer; +Cc: 56302

[-- Attachment #1: Type: text/plain, Size: 734 bytes --]

Remco van 't Veer schreef op wo 29-06-2022 om 18:13 [+0200]:
> 2022/06/29 18:04, Maxime Devos:
> 
> > core-updates probably won't be merged for a long time, so a graft might
> > be needed in the meantime.
> 
> So, keep this bug and make a new patch / bug for the graft?

I'd keep the 56302 to keep things orderly.  FWIW, while they can be
reviewed and applied independently, the various Ruby update patches are
all about the same thing (updating Ruby), so they could have been done
together I think (separate patches, but a single series and single
debbugs number).

TBC: to keep things orderly, let's not make a new issue with a patch
series, it's more a thing I would recommend for the future.

Greetings,
Maxime

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 260 bytes --]

^ permalink raw reply	[flat|nested] 11+ messages in thread

* [bug#56302] [PATCH] gnu: ruby: Update to 2.7.6 [security fixes].
  2022-06-29 15:55 [bug#56302] [PATCH] gnu: ruby: Update to 2.7.6 [security fixes] Remco van 't Veer
       [not found] ` <handler.56302.B.165651815228055.ack@debbugs.gnu.org>
  2022-06-29 18:00 ` [bug#56302] [PATCH v2] gnu: ruby: Update to 2.7.6 [security fixes] Remco van 't Veer
@ 2022-06-29 18:29 ` Maxime Devos
  2022-06-29 18:57   ` Maxime Devos
  2 siblings, 1 reply; 11+ messages in thread
From: Maxime Devos @ 2022-06-29 18:29 UTC (permalink / raw)
  To: Remco van 't Veer, 56302

[-- Attachment #1: Type: text/plain, Size: 553 bytes --]

Remco van 't Veer schreef op wo 29-06-2022 om 17:55 [+0200]:
> +         "042xrdk7hsv4072bayz3f8ffqh61i8zlhvck10nfshllq063n877"))))

This matches with a local

$ guix download https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.6.tar.gz’

and with all the hashes from <https://www.ruby-lang.org/en/news/2022/04/12/ruby-2-7-6-released/>.

I'll try diffing (*) it with the old tarball for ‘suspiciousness’
(e.g.: obvious malware, new bundling, ???).

Greetings,
Maxime

(*) diffoscope can be useful, albeit a bit slow at time.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 260 bytes --]

^ permalink raw reply	[flat|nested] 11+ messages in thread

* [bug#56302] [PATCH] gnu: ruby: Update to 2.7.6 [security fixes].
  2022-06-29 18:29 ` [bug#56302] [PATCH] " Maxime Devos
@ 2022-06-29 18:57   ` Maxime Devos
  2022-08-29 14:51     ` Marius Bakke
  0 siblings, 1 reply; 11+ messages in thread
From: Maxime Devos @ 2022-06-29 18:57 UTC (permalink / raw)
  To: Remco van 't Veer, 56302

[-- Attachment #1: Type: text/plain, Size: 1893 bytes --]

Maxime Devos schreef op wo 29-06-2022 om 20:29 [+0200]:
> Remco van 't Veer schreef op wo 29-06-2022 om 17:55 [+0200]:
> > +        
> "042xrdk7hsv4072bayz3f8ffqh61i8zlhvck10nfshllq063n877"))))
> 
> This matches with a local
> 
> $ guix download
> https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.6.tar.gz’
> 
> and with all the hashes from
> <https://www.ruby-lang.org/en/news/2022/04/12/ruby-2-7-6-released/>.
> 
> I'll try diffing (*) it with the old tarball for ‘suspiciousness’
> (e.g.: obvious malware, new bundling, ???).

When scrolling through the diff, nothing looked ‘suspect’ at first
glance.  However, I did notice something else: some parts are not 
under the Ruby License, but under 2-clause BSD:

│ ├── +++ ruby-2.7.4/gems/xmlrpc-0.3.0/LICENSE.txt
│ │┄ Files 26% similar despite different names
│ │ @@ -1,13 +1,10 @@
│ │ -test-unit is copyrighted free software by Kouhei Sutou
│ │ -<kou@cozmixng.org>, Ryan Davis <ryand-ruby@zenspider.com>
│ │ -and Nathaniel Talbott <nathaniel@talbott.ws>.
│ │ -
│ │ -You can redistribute it and/or modify it under either the terms of
the GPL
│ │ -version 2 (see the file GPL), or the conditions below:
│ │ +Ruby is copyrighted free software by Yukihiro Matsumoto
<matz@netlab.jp>.
│ │ +You can redistribute it and/or modify it under either the terms of
the
│ │ +2-clause BSDL (see the file BSDL), or the conditions below:

so it maybe be good to add ‘2-clause BSDL’ to the license field as well
(though given that it's an old issue, bringing the new version of ruby
in Guix has priority).

Also, looks like it bundles some autoconf scripts (config.guess), which
is not in line with
<https://lists.gnu.org/archive/html/guix-devel/2022-04/msg00065.html>,
but also not priority given the security fix.

Greetings,
Maxime

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 260 bytes --]

^ permalink raw reply	[flat|nested] 11+ messages in thread

* bug#56302: [PATCH v2] gnu: ruby: Update to 2.7.6 [security fixes].
  2022-06-29 18:00 ` [bug#56302] [PATCH v2] gnu: ruby: Update to 2.7.6 [security fixes] Remco van 't Veer
@ 2022-08-29 14:48   ` Marius Bakke
  0 siblings, 0 replies; 11+ messages in thread
From: Marius Bakke @ 2022-08-29 14:48 UTC (permalink / raw)
  To: Remco van 't Veer, 56302-done
  Cc: Tobias Geerinckx-Rice, Maxime Devos, Remco van 't Veer

[-- Attachment #1: Type: text/plain, Size: 235 bytes --]

Remco van 't Veer <remco@remworks.net> skriver:

> Includes fixes for: CVE-2022-28739, CVE-2021-41816, and CVE-2021-41817.
>
> * gnu/packages/ruby.scm (ruby-2.7-fixed): New variable.
> (ruby-2.7)[replacement]: Graft.

Applied, thanks!

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 247 bytes --]

^ permalink raw reply	[flat|nested] 11+ messages in thread

* [bug#56302] [PATCH] gnu: ruby: Update to 2.7.6 [security fixes].
  2022-06-29 18:57   ` Maxime Devos
@ 2022-08-29 14:51     ` Marius Bakke
  0 siblings, 0 replies; 11+ messages in thread
From: Marius Bakke @ 2022-08-29 14:51 UTC (permalink / raw)
  To: Maxime Devos, Remco van 't Veer, 56302

[-- Attachment #1: Type: text/plain, Size: 1957 bytes --]

Maxime Devos <maximedevos@telenet.be> skriver:

> Maxime Devos schreef op wo 29-06-2022 om 20:29 [+0200]:
>> Remco van 't Veer schreef op wo 29-06-2022 om 17:55 [+0200]:
>> > +        
>> "042xrdk7hsv4072bayz3f8ffqh61i8zlhvck10nfshllq063n877"))))
>> 
>> This matches with a local
>> 
>> $ guix download
>> https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.6.tar.gz’
>> 
>> and with all the hashes from
>> <https://www.ruby-lang.org/en/news/2022/04/12/ruby-2-7-6-released/>.
>> 
>> I'll try diffing (*) it with the old tarball for ‘suspiciousness’
>> (e.g.: obvious malware, new bundling, ???).
>
> When scrolling through the diff, nothing looked ‘suspect’ at first
> glance.  However, I did notice something else: some parts are not 
> under the Ruby License, but under 2-clause BSD:
>
> │ ├── +++ ruby-2.7.4/gems/xmlrpc-0.3.0/LICENSE.txt
> │ │┄ Files 26% similar despite different names
> │ │ @@ -1,13 +1,10 @@
> │ │ -test-unit is copyrighted free software by Kouhei Sutou
> │ │ -<kou@cozmixng.org>, Ryan Davis <ryand-ruby@zenspider.com>
> │ │ -and Nathaniel Talbott <nathaniel@talbott.ws>.
> │ │ -
> │ │ -You can redistribute it and/or modify it under either the terms of
> the GPL
> │ │ -version 2 (see the file GPL), or the conditions below:
> │ │ +Ruby is copyrighted free software by Yukihiro Matsumoto
> <matz@netlab.jp>.
> │ │ +You can redistribute it and/or modify it under either the terms of
> the
> │ │ +2-clause BSDL (see the file BSDL), or the conditions below:
>
> so it maybe be good to add ‘2-clause BSDL’ to the license field as well
> (though given that it's an old issue, bringing the new version of ruby
> in Guix has priority).

It would be good to do a proper license audit of the bundled gems in
Ruby.  I see the previous version was not the Ruby license either, but
GPL, and it's not listed among the licenses.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 247 bytes --]

^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2022-08-29 14:53 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-06-29 15:55 [bug#56302] [PATCH] gnu: ruby: Update to 2.7.6 [security fixes] Remco van 't Veer
     [not found] ` <handler.56302.B.165651815228055.ack@debbugs.gnu.org>
2022-06-29 15:58   ` [bug#56302] Acknowledgement ([PATCH] gnu: ruby: Update to 2.7.6 [security fixes].) Remco van 't Veer
2022-06-29 16:04     ` Tobias Geerinckx-Rice via Guix-patches via
2022-06-29 16:04     ` Maxime Devos
2022-06-29 16:13       ` Remco van 't Veer
2022-06-29 18:18         ` Maxime Devos
2022-06-29 18:00 ` [bug#56302] [PATCH v2] gnu: ruby: Update to 2.7.6 [security fixes] Remco van 't Veer
2022-08-29 14:48   ` bug#56302: " Marius Bakke
2022-06-29 18:29 ` [bug#56302] [PATCH] " Maxime Devos
2022-06-29 18:57   ` Maxime Devos
2022-08-29 14:51     ` Marius Bakke

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).