Bug#1091505: ruby3.3: diff for NMU version 3.3.6-1.1

Sebastian Andrzej Siewior Fri, 10 Jan 2025 14:15:42 -0800

Dear maintainer,

I've prepared an updated NMU for ruby3.3 (versioned as 3.3.6-1.1) and
uploaded it to DELAYED/3. Please feel free to tell me if I
should delay it longer.


Regards.
Sebastian

diff -Nru ruby3.3-3.3.6/debian/changelog ruby3.3-3.3.6/debian/changelog
--- ruby3.3-3.3.6/debian/changelog	2024-12-27 21:16:27.000000000 +0100
+++ ruby3.3-3.3.6/debian/changelog	2025-01-10 21:56:50.000000000 +0100
@@ -1,3 +1,11 @@
+ruby3.3 (3.3.6-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix test failures with OpenSSL 3.4 (Closes: #1087954).
+  * Skip test_bundled_ca, it access internet (Closes: #1091505).
+
+ -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc>  Fri, 10 Jan 2025 21:56:50 +0100
+
 ruby3.3 (3.3.6-1) unstable; urgency=medium
 
   [ Sylvain Beucler ]
diff -Nru ruby3.3-3.3.6/debian/patches/ruby3.3-ruby-openssl-Only-CSR-version-1-encoded-as-0-is-allo.patch ruby3.3-3.3.6/debian/patches/ruby3.3-ruby-openssl-Only-CSR-version-1-encoded-as-0-is-allo.patch
--- ruby3.3-3.3.6/debian/patches/ruby3.3-ruby-openssl-Only-CSR-version-1-encoded-as-0-is-allo.patch	1970-01-01 01:00:00.000000000 +0100
+++ ruby3.3-3.3.6/debian/patches/ruby3.3-ruby-openssl-Only-CSR-version-1-encoded-as-0-is-allo.patch	2025-01-10 16:52:30.000000000 +0100
@@ -0,0 +1,65 @@
+From 4418ceb66e8c6564ddfea0fc76c3abde285d7531 Mon Sep 17 00:00:00 2001
+From: Job Snijders <j...@sobornost.net>
+Date: Tue, 19 Nov 2024 20:49:31 +0000
+Subject: [PATCH] [ruby/openssl] Only CSR version 1 (encoded as 0) is allowed
+ by PKIX standards
+
+RFC 2986, section 4.1 only defines version 1 for CSRs. This version
+is encoded as a 0. Starting with OpenSSL 3.3, setting the CSR version
+to anything but 1 fails.
+
+Do not attempt to generate a CSR with invalid version (which now fails)
+and invalidate the CSR in test_sign_and_verify_rsa_sha1 by changing its
+subject rather than using an invalid version.
+
+This commit fixes the following error.
+
+```
+ 2) Error: test_version(OpenSSL::TestX509Request): OpenSSL::X509::RequestError:
+X509_REQ_set_version: passed invalid argument
+/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `version='
+/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `issue_csr'
+/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:43:in
+`test_version'
+     40:     req = OpenSSL::X509::Request.new(req.to_der)
+     41:     assert_equal(0, req.version)
+     42:
+  => 43:     req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
+     44:     assert_equal(1, req.version)
+     45:     req = OpenSSL::X509::Request.new(req.to_der)
+     46:     assert_equal(1, req.version)
+```
+
+https://github.com/ruby/openssl/commit/c06fdeb091
+---
+ test/openssl/test_x509req.rb | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb
+index ff17c4116306..b98754b8c8e4 100644
+--- a/test/openssl/test_x509req.rb
++++ b/test/openssl/test_x509req.rb
+@@ -39,11 +39,6 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
+     assert_equal(0, req.version)
+     req = OpenSSL::X509::Request.new(req.to_der)
+     assert_equal(0, req.version)
+-
+-    req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
+-    assert_equal(1, req.version)
+-    req = OpenSSL::X509::Request.new(req.to_der)
+-    assert_equal(1, req.version)
+   end
+ 
+   def test_subject
+@@ -106,7 +101,7 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
+     assert_equal(false, req.verify(@rsa2048))
+     assert_equal(false, request_error_returns_false { req.verify(@dsa256) })
+     assert_equal(false, request_error_returns_false { req.verify(@dsa512) })
+-    req.version = 1
++    req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBarFooBar")
+     assert_equal(false, req.verify(@rsa1024))
+   rescue OpenSSL::X509::RequestError # RHEL 9 disables SHA1
+   end
+-- 
+2.45.2
+
diff -Nru ruby3.3-3.3.6/debian/patches/series ruby3.3-3.3.6/debian/patches/series
--- ruby3.3-3.3.6/debian/patches/series	2024-12-27 21:11:28.000000000 +0100
+++ ruby3.3-3.3.6/debian/patches/series	2025-01-10 21:16:38.000000000 +0100
@@ -11,3 +11,5 @@
 Do-not-pass-m32-to-arm-32-bits.patch
 Fix-require-calls-falling-in-autopkgtest.patch
 Deduplicate-results-from-getaddrinfo.patch
+ruby3.3-ruby-openssl-Only-CSR-version-1-encoded-as-0-is-allo.patch
+test-test_bundled_ca-Skip-test-because-it-requires-i.patch
diff -Nru ruby3.3-3.3.6/debian/patches/test-test_bundled_ca-Skip-test-because-it-requires-i.patch ruby3.3-3.3.6/debian/patches/test-test_bundled_ca-Skip-test-because-it-requires-i.patch
--- ruby3.3-3.3.6/debian/patches/test-test_bundled_ca-Skip-test-because-it-requires-i.patch	1970-01-01 01:00:00.000000000 +0100
+++ ruby3.3-3.3.6/debian/patches/test-test_bundled_ca-Skip-test-because-it-requires-i.patch	2025-01-10 21:54:51.000000000 +0100
@@ -0,0 +1,25 @@
+From: Sebastian Andrzej Siewior <bige...@linutronix.de>
+Date: Fri, 10 Jan 2025 21:15:18 +0100
+Subject: [PATCH] test: test_bundled_ca: Skip test because it requires internet
+ access.
+
+Signed-off-by: Sebastian Andrzej Siewior <bige...@linutronix.de>
+---
+ test/rubygems/test_bundled_ca.rb | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/test/rubygems/test_bundled_ca.rb b/test/rubygems/test_bundled_ca.rb
+index a737185681ee2..7baf8fd2c2ed0 100644
+--- a/test/rubygems/test_bundled_ca.rb
++++ b/test/rubygems/test_bundled_ca.rb
+@@ -27,6 +27,7 @@ class TestGemBundledCA < Gem::TestCase
+   end
+ 
+   def assert_https(host)
++    pend "skipping test which requires internet, I can't tell whether ssl would work."
+     assert true
+     http = Gem::Net::HTTP.new(host, 443)
+     http.use_ssl = true
+-- 
+2.47.1
+

Bug#1091505: ruby3.3: diff for NMU version 3.3.6-1.1

Reply via email to