#17887 closed enhancement (fixed)
ruby-3.2.2
| Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | elevated | Milestone: | 12.0 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description ¶
New point version.
Change History (8)
comment:1 by , 2 years ago
| Owner: | changed from to |
|---|---|
| Priority: | normal → elevated |
| Status: | new → assigned |
comment:2 by , 2 years ago
comment:3 by , 2 years ago
It wouldn't be a package update recently if something didn't require additional effort. :)
When I started working on this, I was able to do a build with the CAPI docs and a build without tests perfectly fine for stats.
Once I ran the tests for Ruby, I almost immediately ran into a problem. The Number#step test triggered a segmentation fault. That originally implied that there was a regression with the fix for https://bugs.ruby-lang.org/issues/19445 (Ruby Bug Report #19445), which was supposed to be fixed in this version of Ruby. I came up with a sed (sed -i '278,365d' test/ruby/test_numeric.py) to remove the faulty test, but that was before I realized that this was a serious problem because this was supposed to get fixed in this version.
Some additional investigation showed that we were getting a version of Ruby that reported itself as 3.2.1. You'll notice the behavior here:
renodr [ /sources/ruby-3.2.2 ]$ ./ruby -v ruby 3.2.1 (2023-02-08 revision 31819e82c8) [x86_64-linux]
In the tests, you'll see:
/sources/ruby-3.2.2/ruby-3.2.2/basictest/test.rb:path .......................OK 23 /sources/ruby-3.2.2/ruby-3.2.2/basictest/test.rb:gc ....OK 4 test succeeded Run options: --seed=53717 "--ruby=./miniruby -I./lib -I. -I.ext/common ./tool/runruby.rb --extout=.ext -- --disable-gems" # Running tests: Finished tests in 8.259602s, 37.6531 tests/s, 218.0493 assertions/s. 311 tests, 1801 assertions, 0 failures, 0 errors, 12 skips ruby -v: ruby 3.2.1 (2023-02-08 revision 31819e82c8) [x86_64-linux]
... now why are we using 'ruby 3.2.1' in 'ruby 3.2.2'?
This was even when adding the '--without-baseruby' option to configure.
Ruby pulls it's version information from /usr/lib/libruby.so, and as a result it will report 3.2.1 unless you pass LD_PRELOAD=./libruby.so (which points to libruby.so.3.2.2). This threw me for a loop originally, but after accidentally running a build without --enable-shared I was able to figure out what was happening there. However, because of this, we were running the tests with a strange hybrid of ruby-3.2.2's programs with ruby-3.2.1's standard library. Note that I determined this after a few hours of going down the wrong path, where 'miniruby' was originally thought to be the system installed version of ruby. This is determined by the BOOTSTRAP_RUBY variable in Makefile, and I misinterpreted it at first when doing initial troubleshooting. I learned a lot more about Ruby's build system than I originally planned. :)
An example of this behavior:
renodr [ /sources/ruby-3.2.2 ]$ ./ruby -v ruby 3.2.1 (2023-02-08 revision 31819e82c8) [x86_64-linux] renodr [ /sources/ruby-3.2.2 ]$ LD_PRELOAD=$PWD/libruby.so ./ruby -v ruby 3.2.2 (2023-03-30 revision e51014f9c0) [x86_64-linux]
Once working past the initial test failure/segmentation fault, I encountered another problem that was introduced by a check for not reporting changed environment variables for BUNDLER_PREFIX during the tests. It has been fixed properly upstream, but I just removed the check with a one-line sed for now: 'sed -i 238d tool/lib/leakchecker.rb', since it hasn't been backported to the 3.2 branch yet. That fix can be found at: https://git.ruby-lang.org/ruby.git/commit/?id=bccdc041665032b819fab1c04ed4dbdfeeeb366b
To make sure that we get clean builds that are free of contaminents from prior versions of Ruby, we need to change to:
./configure --prefix=/usr \
--enable-shared \
--without-valgrind \
--without-baseruby \
--docdir=/usr/share/doc/ruby-3.2.2 &&
make &&
sed -i '238d' tool/lib/leakchecker.rb &&
LD_PRELOAD=$PWD/libruby.so make -j1 -k check &&
make install
I'll also need to change --without-baseruby into a parameter from an optional in the short descriptions.
comment:4 by , 2 years ago
What happens if you just delay the tests until after the install? It's not optimal, but we do that for epiphany and perhaps one or two other packages.
comment:5 by , 2 years ago
I've been thinking about it a bit and still need to do experimentation, but I'll get to that after class today. I still want to start on GNOME today too (though I've got other tickets and a Nouveau bug to look at so it'll likely be tomorrow for gnome stuff).
I'm probably going to add without-baseruby to the default instructions though just to prevent further issues. Building without it could be problematic between minor versions
comment:6 by , 2 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Release Notes
Security Fixes CVE-2023-28755: ReDoS vulnerability in URI CVE-2023-28756: ReDoS vulnerability in Time What's Changed Backport [Bug #19158] for Ruby 3.2 by hsbt · Pull Request #7356 Bug #19415: Incorrect circularity warning for concurrent requires Bug #19400: YJIT fails to boot on ARM64 systems with 64 KiB pages Bug #19419: [BUG] try to mark T_NONE object in ibf_dump_mark Bug #19444: YJIT String#+@ miscompilations Bug #19445: Segmentation fault with Numeric#step Bug #19439: Marshal.load doesn't load Regexp instance variables Bug #19459: Is length of IO::Buffer#read required or optional? Bug #19464: YJIT miscompiles BasicObject#__send__ to alias methods of send Bug #19468: Ruby 3.2: net/http sets UTF-8 encoding for binary responses Bug #19469: Crash when resizing generic iv list Bug #19161: Cannot compile 3.0.5 or 3.1.3 on Red Hat Enterprise Linux 7 Bug #19467: Some linear_time regexp does not match in linear time Bug #19476: Regexp unexpected partial match Bug #19536: Frozen status loss when moving objects Bug #19485: Unexpected behavior in squiggly heredocs Bug #19471: Regexp::compile does not handle :timeout argument Use URI-0.12.1 for Ruby 3.2 by hsbt · Pull Request #7603 Merge RubyGems-3.4.10 and Bundler-2.4.10 by hsbt · Pull Request #7479 Merge Time-0.2.2 by hsbt · Pull Request #7623CVE-2023-28755
CVE-2023-28755: ReDoS vulnerability in URI We have released the uri gem version 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1 that has a security fix for a ReDoS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2023-28755. Details A ReDoS issue was discovered in the URI component. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The uri gem version 0.12.0, 0.11.0, 0.10.1, 0.10.0 and all versions prior 0.10.0 are vulnerable for this vulnerability. Recommended action We recommend to update the uri gem to 0.12.1. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead: For Ruby 2.7: Update to uri 0.10.0.1 For Ruby 3.0: Update to uri 0.10.2 For Ruby 3.1: Update to uri 0.11.1 For Ruby 3.2: Update to uri 0.12.1 You can use gem update uri to update it. If you are using bundler, please add gem "uri", ">= 0.12.1" (or other version mentioned above) to your Gemfile. Affected versions uri gem 0.12.0 uri gem 0.11.0 uri gem 0.10.1 uri gem 0.10.0 or beforeCVE-2023-28756
CVE-2023-28756: ReDoS vulnerability in Time We have released the time gem version 0.1.1 and 0.2.2 that has a security fix for a ReDoS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2023-28756. Details The Time parser mishandles invalid strings that have specific characters. It causes an increase in execution time for parsing strings to Time objects. A ReDoS issue was discovered in the Time gem 0.1.0 and 0.2.1 and Time library of Ruby 2.7.7. Recommended action We recommend to update the time gem to version 0.2.2 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead: For Ruby 3.0 users: Update to time 0.1.1 For Ruby 3.1/3.2 users: Update to time 0.2.2 You can use gem update time to update it. If you are using bundler, please add gem "time", ">= 0.2.2" to your Gemfile. Unfortunately, time gem only works with Ruby 3.0 or later. If you are using Ruby 2.7, please use the latest version of Ruby. Affected versions Ruby 2.7.7 or lower time gem 0.1.0 time gem 0.2.1