- Fix command injection vulnerability in RDoc.
Resolves: CVE-2021-31799
- Fix FTP PASV command response can cause Net::FTP to connect to arbitrary host.
Resolves: CVE-2021-31810
- Fix StartTLS stripping vulnerability in Net::IMAP.
Resolves: CVE-2021-32066
- Fix dependencies of gems with explicit source installed from a different
source.
Resolves: CVE-2020-36327
A result of ruby.spec file depends on how the spec file is called by rpmlint.
```
$ rpmlint ruby.spec
ruby.spec:20: E: use-of-RPM_SOURCE_DIR
..
0 packages and 1 specfiles checked; 3 errors, 4 warnings.
$ rpmlint ./ruby.spec
./ruby.spec:20: E: use-of-RPM_SOURCE_DIR
..
0 packages and 1 specfiles checked; 3 errors, 4 warnings.
```
Nothing referred and no dependency information should be no problem.
Ignore the following error.
```
ruby-libs.x86_64: E: shared-lib-without-dependency-information /usr/lib64/ruby/enc/gb2312.so
```
The `chroot` in the `dir.c` is just used as a Ruby binding `Dir.chroot`
for the function.
Ignore the following error.
```
ruby-libs.x86_64: E: missing-call-to-chdir-with-chroot /usr/lib64/libruby.so.3.0.1
```
The FTBFS has started to happen with rpm-4.16.90-0.git15395.2.fc35.
root.log
```
DEBUG util.py:444: error: line 116: Unknown tag: /chroot_tmpdir/srpm_unpacked/SOURCES/macros.ruby
```
As the `%{?load:...}` is undocumented, it is gone.
https://github.com/rpm-software-management/rpm/issues/1669
Ignore the false positive errors and warnings by the
`rpmlint --file ruby.rpmlintrc`, that is executed by Zuul CI.
You can run the command on your local like this.
```
$ rpmlint --file ruby.rpmlintrc ruby.spec /var/lib/mock/fedora-rawhide-x86_64/result/*.rpm
```
The `rpmlint` without `--file` option shows the original result.
Symlinks to StdLib provided to preserve `--disable-gems` functionality
together with `require_relative` cause double loading issues [1], e.g.:
~~~
$ ruby --disable-gems -e 'require "openssl"; require "openssl/digest"'
/usr/share/ruby/openssl/digest.rb:45: warning: already initialized constant OpenSSL::Digest::MD4
/usr/share/gems/gems/openssl-2.2.0/lib/openssl/digest.rb:45: warning: previous definition of MD4 was here
/usr/share/ruby/openssl/digest.rb:45: warning: already initialized constant OpenSSL::Digest::MD5
/usr/share/gems/gems/openssl-2.2.0/lib/openssl/digest.rb:45: warning: previous definition of MD5 was here
/usr/share/ruby/openssl/digest.rb:45: warning: already initialized constant OpenSSL::Digest::RIPEMD160
/usr/share/gems/gems/openssl-2.2.0/lib/openssl/digest.rb:45: warning: previous definition of RIPEMD160 was here
/usr/share/ruby/openssl/digest.rb:45: warning: already initialized constant OpenSSL::Digest::SHA1
/usr/share/gems/gems/openssl-2.2.0/lib/openssl/digest.rb:45: warning: previous definition of SHA1 was here
/usr/share/ruby/openssl/digest.rb:45: warning: already initialized constant OpenSSL::Digest::SHA224
/usr/share/gems/gems/openssl-2.2.0/lib/openssl/digest.rb:45: warning: previous definition of SHA224 was here
/usr/share/ruby/openssl/digest.rb:45: warning: already initialized constant OpenSSL::Digest::SHA256
/usr/share/gems/gems/openssl-2.2.0/lib/openssl/digest.rb:45: warning: previous definition of SHA256 was here
/usr/share/ruby/openssl/digest.rb:45: warning: already initialized constant OpenSSL::Digest::SHA384
/usr/share/gems/gems/openssl-2.2.0/lib/openssl/digest.rb:45: warning: previous definition of SHA384 was here
/usr/share/ruby/openssl/digest.rb:45: warning: already initialized constant OpenSSL::Digest::SHA512
/usr/share/gems/gems/openssl-2.2.0/lib/openssl/digest.rb:45: warning: previous definition of SHA512 was here
/usr/share/ruby/openssl/digest.rb:52:in `<class:Digest>': superclass mismatch for class Digest (TypeError)
from /usr/share/ruby/openssl/digest.rb:16:in `<module:OpenSSL>'
from /usr/share/ruby/openssl/digest.rb:15:in `<top (required)>'
from -e:1:in `require'
from -e:1:in `<main>'
~~~
We could maintain a downstream patch reverting the `require_relative`,
but given that how much troubles the extracted gems cause, it'll be
better to keep them bundled. This will provide similar experience to
upstream and prevent similar issues.
[1]: https://bugs.ruby-lang.org/issues/16978#note-11
When the `gem.build_complete` file is not present, Bundler treats the
package as uninstalled, therefore leaves it out from the dependency
resolution with error such as:
~~~
Could not find gem 'openssl', which is required by gem 'net-ssh', in any of the sources.
~~~
[1] 1969e8adfc/bundler/lib/bundler/source/rubygems.rb (L353-L384)
This fixes IRB failures:
~~~
$ irb
/usr/share/rubygems/rubygems/specification.rb:1398:in `rescue in block in activate_dependencies': Could not find 'io-console' (~> 0.5) among 76 total gem(s) (Gem::MissingSpecError)
Checked in 'GEM_PATH=/builddir/.local/share/gem/ruby:/usr/share/gems:/usr/local/share/gems' at: /usr/share/gems/specifications/reline-0.2.0.gemspec, execute `gem env` for more information
from /usr/share/rubygems/rubygems/specification.rb:1395:in `block in activate_dependencies'
from /usr/share/rubygems/rubygems/specification.rb:1384:in `each'
from /usr/share/rubygems/rubygems/specification.rb:1384:in `activate_dependencies'
from /usr/share/rubygems/rubygems/specification.rb:1366:in `activate'
from /usr/share/rubygems/rubygems/specification.rb:1402:in `block in activate_dependencies'
from /usr/share/rubygems/rubygems/specification.rb:1384:in `each'
from /usr/share/rubygems/rubygems/specification.rb:1384:in `activate_dependencies'
from /usr/share/rubygems/rubygems/specification.rb:1366:in `activate'
from /usr/share/rubygems/rubygems.rb:302:in `block in activate_bin_path'
from /usr/share/rubygems/rubygems.rb:301:in `synchronize'
from /usr/share/rubygems/rubygems.rb:301:in `activate_bin_path'
from /usr/bin/irb:23:in `<main>'
/usr/share/rubygems/rubygems/dependency.rb:307:in `to_specs': Could not find 'io-console' (~> 0.5) among 76 total gem(s) (Gem::MissingSpecError)
Checked in 'GEM_PATH=/builddir/.local/share/gem/ruby:/usr/share/gems:/usr/local/share/gems' , execute `gem env` for more information
from /usr/share/rubygems/rubygems/specification.rb:1396:in `block in activate_dependencies'
from /usr/share/rubygems/rubygems/specification.rb:1384:in `each'
from /usr/share/rubygems/rubygems/specification.rb:1384:in `activate_dependencies'
from /usr/share/rubygems/rubygems/specification.rb:1366:in `activate'
from /usr/share/rubygems/rubygems/specification.rb:1402:in `block in activate_dependencies'
from /usr/share/rubygems/rubygems/specification.rb:1384:in `each'
from /usr/share/rubygems/rubygems/specification.rb:1384:in `activate_dependencies'
from /usr/share/rubygems/rubygems/specification.rb:1366:in `activate'
from /usr/share/rubygems/rubygems.rb:302:in `block in activate_bin_path'
from /usr/share/rubygems/rubygems.rb:301:in `synchronize'
from /usr/share/rubygems/rubygems.rb:301:in `activate_bin_path'
from /usr/bin/irb:23:in `<main>'
~~~
RubyGems 3.2.0 rewored their plugins system for improvement performance
[[1]]. Each RubyGems plugins has now generated loader stub during
installation. This directory needs to have proper ownership.
[1]: https://github.com/rubygems/rubygems/pull/3108
* Extract RSS and REXML into separate subpackages, because they were moved from
default gems to bundled gems.
* Obsolete Net::Telnet and XMLRPC packages, because they were dropped from Ruby.
The detailed changelog leading to this release is preserved in
private-ruby-3.0 branch.
as it's needed for building (gem install ...) gems with binary extensions.
This is a workaround to have /usr/lib/rpm/redhat/redhat-hardened-cc1
on the system, as same CFLAGS are reused from when Ruby was built.
Resolves: rhbz#1905222
Because setting the option makes some tests stable that are currently randomly
failing with error on especially s390x and aarch64.
We observed the failing tests are calling `assert_in_out_err` method
calling `invoke_ruby` calling method.
Then when the `th_stdout.join(timeout)` or `th_stderr.join(timeout)` returns
`nil` as thread timeout in `invoke_ruby` method, it causes the error. [1][2]
The `test_timeout_scale` macro is to set the environment variable
`RUBY_TEST_TIMEOUT_SCALE` to increase the timeout in `apply_timeout_scale`
method as <new timeout> = <timeout> * <timeout scale>.
As an example, `TestBugReporter#test_bug_reporter_add` test's
maximum thread timeout was 56+ seconds for the default timeout 10 seconds. [3]
In this case setting `RUBY_TEST_TIMEOUT_SCALE=6` (6 * 10 = 60) is good enough
for 56+ seconds.
[1] https://github.com/ruby/ruby/blob/v2_7_1/tool/lib/envutil.rb#L149
[2] https://bugs.ruby-lang.org/issues/16492#note-8
[3] https://bugs.ruby-lang.org/issues/16492#note-4