On Mon, May 29, 2023 at 4:54 PM Jarek Prokop <jprokop(a)redhat.com> wrote:
Hi all,
JFYI, latest Fedora 37 Ruby rebase broke a few Ruby package builds due to change in the
URI gem.
recently I did a rebase for Ruby 3.1.4 to address 2 CVEs among other things.
For one of those CVEs (ReDoS vulnerability in URI [0]), upstream merged URI gem
v0.12.0[1] and later to v0.12.1 [2] (full 3.1.3 -> 3.1.4 diff: [3]).
The 0.12.0 brought a change, where URI.parse now returns empty string instead of `nil`
for empty host, this resulted in a few newly FTBFS packages.
I have hit this recently with vagrant-libvirt and found out it is more than that package,
though not by much.
Looking at koschei [4] FTBFS for rubygems on Fedora 37, there aren't that many and
some have been failing on F37 for longer time than Ruby 3.1.4 is in Fedora 37.
The current package set that is FTBFS in koschei on Fedora 37 for one reason or another:
rubygem-clockwork rubygem-eventmachine rubygem-excon
rubygem-hiredis rubygem-loofah rubygem-memfs
rubygem-multi_json rubygem-mysql2 rubygem-net-ssh
rubygem-nifti rubygem-rails-html-sanitizer rubygem-rake-contrib
rubygem-rdoc rubygem-redis rubygem-rest-client
rubygem-ronn-ng rubygem-rubyzip rubygem-selenium-webdriver
rubygem-slim rubygem-sprockets rubygem-websocket-extensions
Regards,
Jarek
[0]
https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/
[1]
https://github.com/ruby/ruby/commit/da27583cf364c0d69c085db4abf358c334a8eca1
[2]
https://github.com/ruby/ruby/commit/8ce4ab146498879b65e22f1be951b25eebb79300
[3]
https://github.com/ruby/ruby/compare/v3_1_3...v3_1_4
[4]
https://koschei.fedoraproject.org/search?q=rubygem-%2A&order_by=state...
Hi Jarek,
Thank you for the useful and detailed report! When we fix it, we may
find the upstream patch to pass the test with Ruby 3.1.4 on the
package upstream projects.
--
Jun | He - Him | Timezone: UTC+1 or 2, Czech Republic
See <
https://www.worldtimebuddy.com/czech-republic-prague-to-utc> for
the timezone.