Your message dated Fri, 25 Apr 2025 06:48:29 +0000
with message-id <[email protected]>
and subject line Bug#1095937: Removed package(s) from unstable
has caused the Debian Bug report #1092669,
regarding ruby3.1: diff for NMU version 3.1.2-8.5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1092669: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1092669
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ruby3.1
Version: 3.1.2-8.4
Severity: normal
Tags: patch  pending

Dear maintainer,

I've prepared an NMU for ruby3.1 (versioned as 3.1.2-8.5) and
uploaded it to DELAYED/3. Please feel free to tell me if I
should delay it longer.

Regards.
Sebastian
diff -Nru ruby3.1-3.1.2/debian/changelog ruby3.1-3.1.2/debian/changelog
--- ruby3.1-3.1.2/debian/changelog	2024-08-26 15:00:57.000000000 +0200
+++ ruby3.1-3.1.2/debian/changelog	2025-01-10 15:56:56.000000000 +0100
@@ -1,3 +1,12 @@
+ruby3.1 (3.1.2-8.5) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix test failures with OpenSSL 3.4 (Closes: #1087960).
+  * CVE-2024-27282 ("Arbitrary memory address read vulnerability with Regex
+    search") (Closes: #1069969).
+
+ -- Sebastian Andrzej Siewior <[email protected]>  Fri, 10 Jan 2025 15:56:56 +0100
+
 ruby3.1 (3.1.2-8.4) unstable; urgency=medium
 
   * Non-maintainer upload.
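Review bot: the CVE-2024-27282 entry describes the issue as an "Arbitrary memory address read" while the patch it ships is titled "Fix Use-After-Free issue for Regexp", so a reader cannot tell from the changelog which file carries the fix; name the patch file (or the upstream commit it was taken from) in the entry, e.g. `* CVE-2024-27282: arbitrary memory address read with Regex search; Fix-Use-After-Free-issue-for-Regexp.patch (Closes: #1069969).` The OpenSSL 3.4 entry has the same gap and could name ruby3.1-ruby-openssl-Only-CSR-version-1-encoded-as-0-is-allo.patch.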
diff -Nru ruby3.1-3.1.2/debian/patches/Fix-Use-After-Free-issue-for-Regexp.patch ruby3.1-3.1.2/debian/patches/Fix-Use-After-Free-issue-for-Regexp.patch
--- ruby3.1-3.1.2/debian/patches/Fix-Use-After-Free-issue-for-Regexp.patch	1970-01-01 01:00:00.000000000 +0100
+++ ruby3.1-3.1.2/debian/patches/Fix-Use-After-Free-issue-for-Regexp.patch	2025-01-10 15:55:21.000000000 +0100
@@ -0,0 +1,21 @@
+From: Hiroshi SHIBATA <[email protected]>
+Date: Fri, 12 Apr 2024 15:01:47 +1000
+Subject: [PATCH 5/5] Fix Use-After-Free issue for Regexp
+
+Co-authored-by: Isaac Peka <[email protected]>
+---
+ regexec.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/regexec.c
++++ b/regexec.c
+@@ -2528,8 +2528,8 @@ match_at(regex_t* reg, const UChar* str,
+     CASE(OP_MEMORY_END_PUSH_REC)  MOP_IN(OP_MEMORY_END_PUSH_REC);
+       GET_MEMNUM_INC(mem, p);
+       STACK_GET_MEM_START(mem, stkp); /* should be before push mem-end. */
+-      STACK_PUSH_MEM_END(mem, s);
+       mem_start_stk[mem] = GET_STACK_INDEX(stkp);
++      STACK_PUSH_MEM_END(mem, s);
+       MOP_OUT;
+       JUMP;
+ 
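Review bot: the reorder only makes sense if STACK_PUSH_MEM_END can move the match stack (and so invalidate stkp and the index derived from it), but nothing in the hunk says so; the existing comment `/* should be before push mem-end. */` on the STACK_GET_MEM_START line now applies to the moved `mem_start_stk[mem] = GET_STACK_INDEX(stkp);` line as well, so extend it to state that the index must be taken before the push because the push may grow the stack. The file also has no DEP-3 header (Origin:, Bug:, Bug-Debian: #1069969) and its subject reads "[PATCH 5/5]", so record which upstream commit this is and whether patches 1/5 to 4/5 of that series are also needed for 3.1.2.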
diff -Nru ruby3.1-3.1.2/debian/patches/ruby3.1-ruby-openssl-Only-CSR-version-1-encoded-as-0-is-allo.patch ruby3.1-3.1.2/debian/patches/ruby3.1-ruby-openssl-Only-CSR-version-1-encoded-as-0-is-allo.patch
--- ruby3.1-3.1.2/debian/patches/ruby3.1-ruby-openssl-Only-CSR-version-1-encoded-as-0-is-allo.patch	1970-01-01 01:00:00.000000000 +0100
+++ ruby3.1-3.1.2/debian/patches/ruby3.1-ruby-openssl-Only-CSR-version-1-encoded-as-0-is-allo.patch	2025-01-10 15:39:50.000000000 +0100
@@ -0,0 +1,65 @@
+From 4418ceb66e8c6564ddfea0fc76c3abde285d7531 Mon Sep 17 00:00:00 2001
+From: Job Snijders <[email protected]>
+Date: Tue, 19 Nov 2024 20:49:31 +0000
+Subject: [PATCH] [ruby/openssl] Only CSR version 1 (encoded as 0) is allowed
+ by PKIX standards
+
+RFC 2986, section 4.1 only defines version 1 for CSRs. This version
+is encoded as a 0. Starting with OpenSSL 3.3, setting the CSR version
+to anything but 1 fails.
+
+Do not attempt to generate a CSR with invalid version (which now fails)
+and invalidate the CSR in test_sign_and_verify_rsa_sha1 by changing its
+subject rather than using an invalid version.
+
+This commit fixes the following error.
+
+```
+ 2) Error: test_version(OpenSSL::TestX509Request): OpenSSL::X509::RequestError:
+X509_REQ_set_version: passed invalid argument
+/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `version='
+/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `issue_csr'
+/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:43:in
+`test_version'
+     40:     req = OpenSSL::X509::Request.new(req.to_der)
+     41:     assert_equal(0, req.version)
+     42:
+  => 43:     req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
+     44:     assert_equal(1, req.version)
+     45:     req = OpenSSL::X509::Request.new(req.to_der)
+     46:     assert_equal(1, req.version)
+```
+
+https://github.com/ruby/openssl/commit/c06fdeb091
+---
+ test/openssl/test_x509req.rb | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb
+index ff17c4116306..b98754b8c8e4 100644
+--- a/test/openssl/test_x509req.rb
++++ b/test/openssl/test_x509req.rb
+@@ -39,11 +39,6 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
+     assert_equal(0, req.version)
+     req = OpenSSL::X509::Request.new(req.to_der)
+     assert_equal(0, req.version)
+-
+-    req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
+-    assert_equal(1, req.version)
+-    req = OpenSSL::X509::Request.new(req.to_der)
+-    assert_equal(1, req.version)
+   end
+ 
+   def test_subject
+@@ -106,7 +101,7 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
+     assert_equal(false, req.verify(@rsa2048))
+     assert_equal(false, request_error_returns_false { req.verify(@dsa256) })
+     assert_equal(false, request_error_returns_false { req.verify(@dsa512) })
+-    req.version = 1
++    req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBarFooBar")
+     assert_equal(false, req.verify(@rsa1024))
+   end
+ 
+-- 
+2.45.2
+
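Review bot: the replacement of `req.version = 1` by `req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBarFooBar")` in the second nested hunk changes what the negative check proves: it now shows that a subject modified after signing fails verification, not that an unsupported version does, and the bare `assert_equal(false, req.verify(@rsa1024))` gives no hint of that intent; add a one-line comment that the subject change is deliberate tampering of the signed CertificationRequestInfo. The first nested hunk also drops the only SHA1-signed CSR in test_version, which is fine since the version value is what the test checks, but the patch file lacks a DEP-3 `Origin:` line even though the body cites https://github.com/ruby/openssl/commit/c06fdeb091; adding `Origin: upstream, https://github.com/ruby/openssl/commit/c06fdeb091` lets the patch be tracked.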
diff -Nru ruby3.1-3.1.2/debian/patches/series ruby3.1-3.1.2/debian/patches/series
--- ruby3.1-3.1.2/debian/patches/series	2024-08-26 15:00:57.000000000 +0200
+++ ruby3.1-3.1.2/debian/patches/series	2025-01-10 15:55:46.000000000 +0100
@@ -19,3 +19,5 @@
 Update-test-certificates.patch
 openssl-3.3.patch
 deduplicate-getaddrinfo.patch
+ruby3.1-ruby-openssl-Only-CSR-version-1-encoded-as-0-is-allo.patch
+Fix-Use-After-Free-issue-for-Regexp.patch
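Review bot: the two new entries use different naming schemes, one with a `ruby3.1-ruby-openssl-` prefix and one without, while the existing entries above them (openssl-3.3.patch, deduplicate-getaddrinfo.patch) carry no package prefix; rename ruby3.1-ruby-openssl-Only-CSR-version-1-encoded-as-0-is-allo.patch to match, e.g. `openssl-3.3-csr-version.patch`, so the series stays consistent.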

--- End Message ---
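The commit message above explains that RFC 2986 defines only CSR version 1, encoded as INTEGER 0, and that OpenSSL 3.3 and later reject any other value, which is why the test now invalidates a signed CSR by changing its subject rather than its version. The following is an added example, not code from the ruby/openssl test suite or from the Debian package, that shows those behaviours with the Ruby openssl extension: the DN, the 2048-bit key and the helper names (issue_csr, csr_version_1_rejected?, csr_demo) are constructed for this example.

```ruby
require "openssl"

# Constructed key for the example; the ruby/openssl tests use a fixed
# 1024-bit key (@rsa1024), a fresh 2048-bit key is generated here instead.
EXAMPLE_KEY = OpenSSL::PKey::RSA.new(2048)

# Build and sign a PKCS#10 CSR. RFC 2986 defines only version 1, which is
# encoded as INTEGER 0, so 0 is the only value OpenSSL >= 3.3 accepts.
def issue_csr(key, dn, digest = "SHA256")
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.parse(dn)
  req.public_key = key
  req.sign(key, OpenSSL::Digest.new(digest))
  req
end

# Report whether the linked libcrypto rejects a non-v1 CSR version.
# OpenSSL >= 3.3: X509_REQ_set_version fails and ruby raises
# OpenSSL::X509::RequestError (the error quoted in the commit message).
# Older libraries accept the value, so this returns false there.
def csr_version_1_rejected?
  probe = OpenSSL::X509::Request.new
  probe.version = 1
  false
rescue OpenSSL::X509::RequestError
  true
end

# Exercise a CSR the way the patched test_x509req.rb does: the version is 0
# before and after a DER round trip, the signature verifies with the signing
# key, and a subject changed after signing makes verify return false, because
# the signature covers the CertificationRequestInfo that the subject is part of.
def csr_demo(key = EXAMPLE_KEY)
  req = issue_csr(key, "/C=JP/CN=example.invalid")
  reparsed = OpenSSL::X509::Request.new(req.to_der)

  tampered = OpenSSL::X509::Request.new(req.to_der)
  tampered.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBarFooBar")

  {
    version: req.version,                       # 0
    reparsed_version: reparsed.version,         # 0
    verify_ok: req.verify(key),                 # true
    reparsed_verify_ok: reparsed.verify(key),   # true
    tampered_verify_ok: tampered.verify(key),   # false
    version_1_rejected: csr_version_1_rejected?,
    openssl: OpenSSL::OPENSSL_LIBRARY_VERSION,
  }
end

if $PROGRAM_NAME == __FILE__
  csr_demo.each { |k, v| puts "#{k}: #{v}" }
end
```

Running it against OpenSSL 3.3 or newer prints `version_1_rejected: true`; against an older libcrypto the probe succeeds and the line reads `false`, which is exactly the library difference that made the unpatched test fail only after the OpenSSL upgrade. The tampered CSR fails with a plain `false` rather than an exception because X509_REQ_verify reports a signature mismatch as a normal negative result.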
--- Begin Message ---
Version: 3.1.2-8.5+rm

Dear submitter,

as the package ruby3.1 has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1095937

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
[email protected].

Debian distribution maintenance software
pp.
Thorsten Alteholz (the ftpmaster behind the curtain)

--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
