Hi all,
JFYI, the latest Fedora 37 Ruby rebase broke a few Ruby package builds due to a change in the URI gem.

Recently I did a rebase to Ruby 3.1.4 to address 2 CVEs, among other things. For one of those CVEs (ReDoS vulnerability in URI [0]), upstream merged URI gem v0.12.0 [1] and later updated to v0.12.1 [2] (full 3.1.3 -> 3.1.4 diff: [3]).

URI 0.12.0 brought a change where URI.parse now returns an empty string instead of `nil` for an empty host; this resulted in a few newly FTBFS packages. I hit this recently with vagrant-libvirt and found out it affects more than that package, though not by much.

Looking at koschei [4] FTBFS for rubygems on Fedora 37, there aren't that many, and some have been failing on F37 for a longer time than Ruby 3.1.4 has been in Fedora 37. The current package set that is FTBFS in koschei on Fedora 37 for one reason or another:

  rubygem-clockwork
  rubygem-eventmachine
  rubygem-excon
  rubygem-hiredis
  rubygem-loofah
  rubygem-memfs
  rubygem-multi_json
  rubygem-mysql2
  rubygem-net-ssh
  rubygem-nifti
  rubygem-rails-html-sanitizer
  rubygem-rake-contrib
  rubygem-rdoc
  rubygem-redis
  rubygem-rest-client
  rubygem-ronn-ng
  rubygem-rubyzip
  rubygem-selenium-webdriver
  rubygem-slim
  rubygem-sprockets
  rubygem-websocket-extensions
Regards, Jarek
[0] https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/
[1] https://github.com/ruby/ruby/commit/da27583cf364c0d69c085db4abf358c334a8eca1
[2] https://github.com/ruby/ruby/commit/8ce4ab146498879b65e22f1be951b25eebb79300
[3] https://github.com/ruby/ruby/compare/v3_1_3...v3_1_4
[4] https://koschei.fedoraproject.org/search?q=rubygem-%2A&order_by=state-f3...
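The host change Jarek describes, shown in runnable form. This is an added example, not code from the thread, from vagrant-libvirt or from any of the listed packages; the sample URIs are made up for illustration, and the helper names (`raw_host`, `host_present_old?`, `host_present?`, `effective_host`) are my own. The block prints what the installed URI gem returns for a hostless authority (`nil` before 0.12.0, `""` from 0.12.0 on) and contrasts a `nil?` check, which flips meaning across that boundary, with a check that treats both values the same.

```ruby
# Added example (not from the mailing-list thread): why the URI 0.12.0 host
# change breaks code that tests `uri.host.nil?`, and a version-independent fix.
require "uri"

# Return the host exactly as the installed URI gem reports it, so the
# difference between gem versions can be observed directly.
# "file:///tmp/box.img" -> nil on uri < 0.12.0, "" on uri >= 0.12.0.
def raw_host(str)
  URI.parse(str).host
end

# Pattern found in older code: "no host" is detected with nil?.
# With uri < 0.12.0 a hostless authority gives nil      -> false.
# With uri >= 0.12.0 the same input gives ""            -> true,
# so a "no host configured" branch is silently skipped.
def host_present_old?(str)
  !URI.parse(str).host.nil?
end

# Portable check: nil.to_s is "", so nil and "" are handled identically.
def host_present?(str)
  !URI.parse(str).host.to_s.empty?
end

# Normalise the host so callers see nil for "no host" on every URI gem version
# and a non-empty string otherwise.
def effective_host(str)
  host = URI.parse(str).host
  host.nil? || host.empty? ? nil : host
end

# URI::VERSION is the version string of the bundled/installed uri gem.
def uri_gem_version
  URI::VERSION
end

if __FILE__ == $PROGRAM_NAME
  puts "URI gem #{uri_gem_version}"
  # Constructed sample inputs: two hostless authorities, one real host.
  ["file:///tmp/box.img", "qemu:///system", "http://example.com/x"].each do |s|
    printf("%-22s raw=%-6s old_check=%-5s fixed_check=%-5s effective=%s\n",
           s, raw_host(s).inspect, host_present_old?(s), host_present?(s),
           effective_host(s).inspect)
  end
end
```

Run it under Ruby 3.1.3 and 3.1.4 (or any pre- and post-0.12.0 uri gem) to see `raw` change from `nil` to `""` while `fixed_check` and `effective` stay the same; a package that only reads `host.nil?` is the kind that newly FTBFS after the rebase.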
On Mon, May 29, 2023 at 4:54 PM Jarek Prokop jprokop@redhat.com wrote:
Hi Jarek,

Thank you for the useful and detailed report! When we fix it, we may find the upstream patch to pass the tests with Ruby 3.1.4 in the packages' upstream projects.
ruby-sig@lists.fedoraproject.org