3 files changed, 362 insertions, 0 deletions
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2021-31810.patch b/meta/recipes-devtools/ruby/ruby/CVE-2021-31810.patch
new file mode 100644
index 0000000000..69d774e0b7
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2021-31810.patch
@@ -0,0 +1,258 @@
+From 8cebc092cd18f4cfb669f66018ea8ffc6f408584 Mon Sep 17 00:00:00 2001
+From: Yusuke Endoh <mame@ruby-lang.org>
+Date: Wed, 7 Jul 2021 11:57:15 +0900
+Subject: [PATCH] Ignore IP addresses in PASV responses by default, and add new
+ option use_pasv_ip
+This fixes CVE-2021-31810.
+Reported by Alexandr Savca.
+Co-authored-by: Shugo Maeda <shugo@ruby-lang.org>
+CVE: CVE-2021-31810
+Upstream-Status: Backport
+[https://github.com/ruby/ruby/commit/bf4d05173c7cf04d8892e4b64508ecf7902717cd]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ lib/net/ftp.rb           |  15 +++-
+ test/net/ftp/test_ftp.rb | 159 ++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 170 insertions(+), 4 deletions(-)
+diff --git a/lib/net/ftp.rb b/lib/net/ftp.rb
+index 88e8655..d6f5cc3 100644
+--- a/lib/net/ftp.rb
+++ b/lib/net/ftp.rb
+@@ -98,6 +98,10 @@ module Net
+     # When +true+, the connection is in passive mode.  Default: +true+.
+     attr_accessor :passive
+ 
+    # When +true+, use the IP address in PASV responses.  Otherwise, it uses
+    # the same IP address for the control connection.  Default: +false+.
+    attr_accessor :use_pasv_ip
+
+     # When +true+, all traffic to and from the server is written
+     # to +$stdout+.  Default: +false+.
+     attr_accessor :debug_mode
+@@ -206,6 +210,9 @@ module Net
+     #                          handshake.
+     #                          See Net::FTP#ssl_handshake_timeout for
+     #                          details.  Default: +nil+.
+    # use_pasv_ip::  When +true+, use the IP address in PASV responses.
+    #                Otherwise, it uses the same IP address for the control
+    #                connection.  Default: +false+.
+     # debug_mode::  When +true+, all traffic to and from the server is
+     #               written to +$stdout+.  Default: +false+.
+     #
+@@ -266,6 +273,7 @@ module Net
+       @open_timeout = options[:open_timeout]
+       @ssl_handshake_timeout = options[:ssl_handshake_timeout]
+       @read_timeout = options[:read_timeout] || 60
+      @use_pasv_ip = options[:use_pasv_ip] || false
+       if host
+         connect(host, options[:port] || FTP_PORT)
+         if options[:username]
+@@ -1371,7 +1379,12 @@ module Net
+         raise FTPReplyError, resp
+       end
+       if m = /\((?<host>\d+(?:,\d+){3}),(?<port>\d+,\d+)\)/.match(resp)
+-        return parse_pasv_ipv4_host(m["host"]), parse_pasv_port(m["port"])
+        if @use_pasv_ip
+          host = parse_pasv_ipv4_host(m["host"])
+        else
+          host = @bare_sock.remote_address.ip_address
+        end
+        return host, parse_pasv_port(m["port"])
+       else
+         raise FTPProtoError, resp
+       end
+diff --git a/test/net/ftp/test_ftp.rb b/test/net/ftp/test_ftp.rb
+index 023e794..243d4ad 100644
+--- a/test/net/ftp/test_ftp.rb
+++ b/test/net/ftp/test_ftp.rb
+@@ -61,7 +61,7 @@ class FTPTest < Test::Unit::TestCase
+   end
+ 
+   def test_parse227
+-    ftp = Net::FTP.new
+    ftp = Net::FTP.new(nil, use_pasv_ip: true)
+     host, port = ftp.send(:parse227, "227 Entering Passive Mode (192,168,0,1,12,34)")
+     assert_equal("192.168.0.1", host)
+     assert_equal(3106, port)
+@@ -80,6 +80,14 @@ class FTPTest < Test::Unit::TestCase
+     assert_raise(Net::FTPProtoError) do
+       ftp.send(:parse227, "227 ) foo bar (")
+     end
+
+    ftp = Net::FTP.new
+    sock = OpenStruct.new
+    sock.remote_address = OpenStruct.new
+    sock.remote_address.ip_address = "10.0.0.1"
+    ftp.instance_variable_set(:@bare_sock, sock)
+    host, port = ftp.send(:parse227, "227 Entering Passive Mode (192,168,0,1,12,34)")
+    assert_equal("10.0.0.1", host)
+   end
+ 
+   def test_parse228
+@@ -2474,10 +2482,155 @@ EOF
+     end
+   end
+ 
+  def test_ignore_pasv_ip
+    commands = []
+    binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3
+    server = create_ftp_server(nil, "127.0.0.1") { |sock|
+      sock.print("220 (test_ftp).\r\n")
+      commands.push(sock.gets)
+      sock.print("331 Please specify the password.\r\n")
+      commands.push(sock.gets)
+      sock.print("230 Login successful.\r\n")
+      commands.push(sock.gets)
+      sock.print("200 Switching to Binary mode.\r\n")
+      line = sock.gets
+      commands.push(line)
+      data_server = TCPServer.new("127.0.0.1", 0)
+      port = data_server.local_address.ip_port
+      sock.printf("227 Entering Passive Mode (999,0,0,1,%s).\r\n",
+                  port.divmod(256).join(","))
+      commands.push(sock.gets)
+      sock.print("150 Opening BINARY mode data connection for foo (#{binary_data.size} bytes)\r\n")
+      conn = data_server.accept
+      binary_data.scan(/.{1,1024}/nm) do |s|
+        conn.print(s)
+      end
+      conn.shutdown(Socket::SHUT_WR)
+      conn.read
+      conn.close
+      data_server.close
+      sock.print("226 Transfer complete.\r\n")
+    }
+    begin
+      begin
+        ftp = Net::FTP.new
+        ftp.passive = true
+        ftp.read_timeout *= 5 if defined?(RubyVM::MJIT) && RubyVM::MJIT.enabled? # for --jit-wait
+        ftp.connect("127.0.0.1", server.port)
+        ftp.login
+        assert_match(/\AUSER /, commands.shift)
+        assert_match(/\APASS /, commands.shift)
+        assert_equal("TYPE I\r\n", commands.shift)
+        buf = ftp.getbinaryfile("foo", nil)
+        assert_equal(binary_data, buf)
+        assert_equal(Encoding::ASCII_8BIT, buf.encoding)
+        assert_equal("PASV\r\n", commands.shift)
+        assert_equal("RETR foo\r\n", commands.shift)
+        assert_equal(nil, commands.shift)
+      ensure
+        ftp.close if ftp
+      end
+    ensure
+      server.close
+    end
+  end
+
+  def test_use_pasv_ip
+    commands = []
+    binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3
+    server = create_ftp_server(nil, "127.0.0.1") { |sock|
+      sock.print("220 (test_ftp).\r\n")
+      commands.push(sock.gets)
+      sock.print("331 Please specify the password.\r\n")
+      commands.push(sock.gets)
+      sock.print("230 Login successful.\r\n")
+      commands.push(sock.gets)
+      sock.print("200 Switching to Binary mode.\r\n")
+      line = sock.gets
+      commands.push(line)
+      data_server = TCPServer.new("127.0.0.1", 0)
+      port = data_server.local_address.ip_port
+      sock.printf("227 Entering Passive Mode (127,0,0,1,%s).\r\n",
+                  port.divmod(256).join(","))
+      commands.push(sock.gets)
+      sock.print("150 Opening BINARY mode data connection for foo (#{binary_data.size} bytes)\r\n")
+      conn = data_server.accept
+      binary_data.scan(/.{1,1024}/nm) do |s|
+        conn.print(s)
+      end
+      conn.shutdown(Socket::SHUT_WR)
+      conn.read
+      conn.close
+      data_server.close
+      sock.print("226 Transfer complete.\r\n")
+    }
+    begin
+      begin
+        ftp = Net::FTP.new
+        ftp.passive = true
+        ftp.use_pasv_ip = true
+        ftp.read_timeout *= 5 if defined?(RubyVM::MJIT) && RubyVM::MJIT.enabled? # for --jit-wait
+        ftp.connect("127.0.0.1", server.port)
+        ftp.login
+        assert_match(/\AUSER /, commands.shift)
+        assert_match(/\APASS /, commands.shift)
+        assert_equal("TYPE I\r\n", commands.shift)
+        buf = ftp.getbinaryfile("foo", nil)
+        assert_equal(binary_data, buf)
+        assert_equal(Encoding::ASCII_8BIT, buf.encoding)
+        assert_equal("PASV\r\n", commands.shift)
+        assert_equal("RETR foo\r\n", commands.shift)
+        assert_equal(nil, commands.shift)
+      ensure
+        ftp.close if ftp
+      end
+    ensure
+      server.close
+    end
+  end
+
+  def test_use_pasv_invalid_ip
+    commands = []
+    binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3
+    server = create_ftp_server(nil, "127.0.0.1") { |sock|
+      sock.print("220 (test_ftp).\r\n")
+      commands.push(sock.gets)
+      sock.print("331 Please specify the password.\r\n")
+      commands.push(sock.gets)
+      sock.print("230 Login successful.\r\n")
+      commands.push(sock.gets)
+      sock.print("200 Switching to Binary mode.\r\n")
+      line = sock.gets
+      commands.push(line)
+      sock.print("227 Entering Passive Mode (999,0,0,1,48,57).\r\n")
+      commands.push(sock.gets)
+    }
+    begin
+      begin
+        ftp = Net::FTP.new
+        ftp.passive = true
+        ftp.use_pasv_ip = true
+        ftp.read_timeout *= 5 if defined?(RubyVM::MJIT) && RubyVM::MJIT.enabled? # for --jit-wait
+        ftp.connect("127.0.0.1", server.port)
+        ftp.login
+        assert_match(/\AUSER /, commands.shift)
+        assert_match(/\APASS /, commands.shift)
+        assert_equal("TYPE I\r\n", commands.shift)
+        assert_raise(SocketError) do
+          ftp.getbinaryfile("foo", nil)
+        end
+      ensure
+        ftp.close if ftp
+      end
+    ensure
+      server.close
+    end
+  end
+
+   private
+ 
+-  def create_ftp_server(sleep_time = nil)
+-    server = TCPServer.new(SERVER_ADDR, 0)
+  def create_ftp_server(sleep_time = nil, addr = SERVER_ADDR)
+    server = TCPServer.new(addr, 0)
+     @thread = Thread.start do
+       if sleep_time
+         sleep(sleep_time)
+-- 
+2.17.1
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2021-32066.patch b/meta/recipes-devtools/ruby/ruby/CVE-2021-32066.patch
new file mode 100644
index 0000000000..b78a74a4b5
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2021-32066.patch
@@ -0,0 +1,102 @@
+From e2ac25d0eb66de99f098d6669cf4f06796aa6256 Mon Sep 17 00:00:00 2001
+From: Shugo Maeda <shugo@ruby-lang.org>
+Date: Tue, 11 May 2021 10:31:27 +0900
+Subject: [PATCH] Fix StartTLS stripping vulnerability
+This fixes CVE-2021-32066.
+Reported by Alexandr Savca in <https://hackerone.com/reports/1178562>.
+CVE: CVE-2021-32066
+Upstream-Status: Backport
+[https://github.com/ruby/ruby/commit/e2ac25d0eb66de99f098d6669cf4f06796aa6256]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ lib/net/imap.rb            |  8 +++++++-
+ test/net/imap/test_imap.rb | 31 +++++++++++++++++++++++++++++++
+ 2 files changed, 38 insertions(+), 1 deletion(-)
+diff --git a/lib/net/imap.rb b/lib/net/imap.rb
+index 505b4c8950..d45304f289 100644
+--- a/lib/net/imap.rb
+++ b/lib/net/imap.rb
+@@ -1218,12 +1218,14 @@ def get_tagged_response(tag, cmd)
+       end
+       resp = @tagged_responses.delete(tag)
+       case resp.name
+      when /\A(?:OK)\z/ni
+        return resp
+       when /\A(?:NO)\z/ni
+         raise NoResponseError, resp
+       when /\A(?:BAD)\z/ni
+         raise BadResponseError, resp
+       else
+-        return resp
+        raise UnknownResponseError, resp
+       end
+     end
+ 
+@@ -3719,6 +3721,10 @@ class BadResponseError < ResponseError
+     class ByeResponseError < ResponseError
+     end
+ 
+    # Error raised upon an unknown response from the server.
+    class UnknownResponseError < ResponseError
+    end
+
+     RESPONSE_ERRORS = Hash.new(ResponseError)
+     RESPONSE_ERRORS["NO"] = NoResponseError
+     RESPONSE_ERRORS["BAD"] = BadResponseError
+diff --git a/test/net/imap/test_imap.rb b/test/net/imap/test_imap.rb
+index 8b924b524e..85fb71d440 100644
+--- a/test/net/imap/test_imap.rb
+++ b/test/net/imap/test_imap.rb
+@@ -127,6 +127,16 @@ def test_starttls
+         imap.disconnect
+       end
+     end
+
+    def test_starttls_stripping
+      starttls_stripping_test do |port|
+        imap = Net::IMAP.new("localhost", :port => port)
+        assert_raise(Net::IMAP::UnknownResponseError) do
+          imap.starttls(:ca_file => CA_FILE)
+        end
+        imap
+      end
+    end
+   end
+ 
+   def start_server
+@@ -834,6 +844,27 @@ def starttls_test
+     end
+   end
+ 
+  def starttls_stripping_test
+    server = create_tcp_server
+    port = server.addr[1]
+    start_server do
+      sock = server.accept
+      begin
+        sock.print("* OK test server\r\n")
+        sock.gets
+        sock.print("RUBY0001 BUG unhandled command\r\n")
+      ensure
+        sock.close
+        server.close
+      end
+    end
+    begin
+      imap = yield(port)
+    ensure
+      imap.disconnect if imap && !imap.disconnected?
+    end
+  end
+
+   def create_tcp_server
+     return TCPServer.new(server_addr, 0)
+   end
+-- 
+2.25.1
diff --git a/meta/recipes-devtools/ruby/ruby_3.0.1.bb b/meta/recipes-devtools/ruby/ruby_3.0.1.bb
index 944cb81c1d..ae953a0a89 100644
--- a/meta/recipes-devtools/ruby/ruby_3.0.1.bb
+++ b/meta/recipes-devtools/ruby/ruby_3.0.1.bb
@@ -6,6 +6,8 @@ SRC_URI += " \
           file://remove_has_include_macros.patch \
           file://run-ptest \
           file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \
+           file://CVE-2021-31810.patch \
+           file://CVE-2021-32066.patch \
           "
 SRC_URI[sha256sum] = "369825db2199f6aeef16b408df6a04ebaddb664fb9af0ec8c686b0ce7ab77727"

diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2021-31810.patch b/meta/recipes-devtools/ruby/ruby/CVE-2021-31810.patch new file mode 100644 index 0000000000..69d774e0b7 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2021-31810.patch
@@ -0,0 +1,258 @@
		1	From 8cebc092cd18f4cfb669f66018ea8ffc6f408584 Mon Sep 17 00:00:00 2001
		2	From: Yusuke Endoh <mame@ruby-lang.org>
		3	Date: Wed, 7 Jul 2021 11:57:15 +0900
		4	Subject: [PATCH] Ignore IP addresses in PASV responses by default, and add new
		5	option use_pasv_ip
		6
		7	This fixes CVE-2021-31810.
		8	Reported by Alexandr Savca.
		9
		10	Co-authored-by: Shugo Maeda <shugo@ruby-lang.org>
		11
		12	CVE: CVE-2021-31810
		13
		14	Upstream-Status: Backport
		15	[https://github.com/ruby/ruby/commit/bf4d05173c7cf04d8892e4b64508ecf7902717cd]
		16
		17	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		18	---
		19	lib/net/ftp.rb \| 15 +++-
		20	test/net/ftp/test_ftp.rb \| 159 ++++++++++++++++++++++++++++++++++++++-
		21	2 files changed, 170 insertions(+), 4 deletions(-)
		22
		23	diff --git a/lib/net/ftp.rb b/lib/net/ftp.rb
		24	index 88e8655..d6f5cc3 100644
		25	--- a/lib/net/ftp.rb
		26	+++ b/lib/net/ftp.rb
		27	@@ -98,6 +98,10 @@ module Net
		28	# When +true+, the connection is in passive mode. Default: +true+.
		29	attr_accessor :passive
		30
		31	+ # When +true+, use the IP address in PASV responses. Otherwise, it uses
		32	+ # the same IP address for the control connection. Default: +false+.
		33	+ attr_accessor :use_pasv_ip
		34	+
		35	# When +true+, all traffic to and from the server is written
		36	# to +$stdout+. Default: +false+.
		37	attr_accessor :debug_mode
		38	@@ -206,6 +210,9 @@ module Net
		39	# handshake.
		40	# See Net::FTP#ssl_handshake_timeout for
		41	# details. Default: +nil+.
		42	+ # use_pasv_ip:: When +true+, use the IP address in PASV responses.
		43	+ # Otherwise, it uses the same IP address for the control
		44	+ # connection. Default: +false+.
		45	# debug_mode:: When +true+, all traffic to and from the server is
		46	# written to +$stdout+. Default: +false+.
		47	#
		48	@@ -266,6 +273,7 @@ module Net
		49	@open_timeout = options[:open_timeout]
		50	@ssl_handshake_timeout = options[:ssl_handshake_timeout]
		51	@read_timeout = options[:read_timeout] \|\| 60
		52	+ @use_pasv_ip = options[:use_pasv_ip] \|\| false
		53	if host
		54	connect(host, options[:port] \|\| FTP_PORT)
		55	if options[:username]
		56	@@ -1371,7 +1379,12 @@ module Net
		57	raise FTPReplyError, resp
		58	end
		59	if m = /\((?<host>\d+(?:,\d+){3}),(?<port>\d+,\d+)\)/.match(resp)
		60	- return parse_pasv_ipv4_host(m["host"]), parse_pasv_port(m["port"])
		61	+ if @use_pasv_ip
		62	+ host = parse_pasv_ipv4_host(m["host"])
		63	+ else
		64	+ host = @bare_sock.remote_address.ip_address
		65	+ end
		66	+ return host, parse_pasv_port(m["port"])
		67	else
		68	raise FTPProtoError, resp
		69	end
		70	diff --git a/test/net/ftp/test_ftp.rb b/test/net/ftp/test_ftp.rb
		71	index 023e794..243d4ad 100644
		72	--- a/test/net/ftp/test_ftp.rb
		73	+++ b/test/net/ftp/test_ftp.rb
		74	@@ -61,7 +61,7 @@ class FTPTest < Test::Unit::TestCase
		75	end
		76
		77	def test_parse227
		78	- ftp = Net::FTP.new
		79	+ ftp = Net::FTP.new(nil, use_pasv_ip: true)
		80	host, port = ftp.send(:parse227, "227 Entering Passive Mode (192,168,0,1,12,34)")
		81	assert_equal("192.168.0.1", host)
		82	assert_equal(3106, port)
		83	@@ -80,6 +80,14 @@ class FTPTest < Test::Unit::TestCase
		84	assert_raise(Net::FTPProtoError) do
		85	ftp.send(:parse227, "227 ) foo bar (")
		86	end
		87	+
		88	+ ftp = Net::FTP.new
		89	+ sock = OpenStruct.new
		90	+ sock.remote_address = OpenStruct.new
		91	+ sock.remote_address.ip_address = "10.0.0.1"
		92	+ ftp.instance_variable_set(:@bare_sock, sock)
		93	+ host, port = ftp.send(:parse227, "227 Entering Passive Mode (192,168,0,1,12,34)")
		94	+ assert_equal("10.0.0.1", host)
		95	end
		96
		97	def test_parse228
		98	@@ -2474,10 +2482,155 @@ EOF
		99	end
		100	end
		101
		102	+ def test_ignore_pasv_ip
		103	+ commands = []
		104	+ binary_data = (0..0xff).map {\|i\| i.chr}.join * 4 * 3
		105	+ server = create_ftp_server(nil, "127.0.0.1") { \|sock\|
		106	+ sock.print("220 (test_ftp).\r\n")
		107	+ commands.push(sock.gets)
		108	+ sock.print("331 Please specify the password.\r\n")
		109	+ commands.push(sock.gets)
		110	+ sock.print("230 Login successful.\r\n")
		111	+ commands.push(sock.gets)
		112	+ sock.print("200 Switching to Binary mode.\r\n")
		113	+ line = sock.gets
		114	+ commands.push(line)
		115	+ data_server = TCPServer.new("127.0.0.1", 0)
		116	+ port = data_server.local_address.ip_port
		117	+ sock.printf("227 Entering Passive Mode (999,0,0,1,%s).\r\n",
		118	+ port.divmod(256).join(","))
		119	+ commands.push(sock.gets)
		120	+ sock.print("150 Opening BINARY mode data connection for foo (#{binary_data.size} bytes)\r\n")
		121	+ conn = data_server.accept
		122	+ binary_data.scan(/.{1,1024}/nm) do \|s\|
		123	+ conn.print(s)
		124	+ end
		125	+ conn.shutdown(Socket::SHUT_WR)
		126	+ conn.read
		127	+ conn.close
		128	+ data_server.close
		129	+ sock.print("226 Transfer complete.\r\n")
		130	+ }
		131	+ begin
		132	+ begin
		133	+ ftp = Net::FTP.new
		134	+ ftp.passive = true
		135	+ ftp.read_timeout *= 5 if defined?(RubyVM::MJIT) && RubyVM::MJIT.enabled? # for --jit-wait
		136	+ ftp.connect("127.0.0.1", server.port)
		137	+ ftp.login
		138	+ assert_match(/\AUSER /, commands.shift)
		139	+ assert_match(/\APASS /, commands.shift)
		140	+ assert_equal("TYPE I\r\n", commands.shift)
		141	+ buf = ftp.getbinaryfile("foo", nil)
		142	+ assert_equal(binary_data, buf)
		143	+ assert_equal(Encoding::ASCII_8BIT, buf.encoding)
		144	+ assert_equal("PASV\r\n", commands.shift)
		145	+ assert_equal("RETR foo\r\n", commands.shift)
		146	+ assert_equal(nil, commands.shift)
		147	+ ensure
		148	+ ftp.close if ftp
		149	+ end
		150	+ ensure
		151	+ server.close
		152	+ end
		153	+ end
		154	+
		155	+ def test_use_pasv_ip
		156	+ commands = []
		157	+ binary_data = (0..0xff).map {\|i\| i.chr}.join * 4 * 3
		158	+ server = create_ftp_server(nil, "127.0.0.1") { \|sock\|
		159	+ sock.print("220 (test_ftp).\r\n")
		160	+ commands.push(sock.gets)
		161	+ sock.print("331 Please specify the password.\r\n")
		162	+ commands.push(sock.gets)
		163	+ sock.print("230 Login successful.\r\n")
		164	+ commands.push(sock.gets)
		165	+ sock.print("200 Switching to Binary mode.\r\n")
		166	+ line = sock.gets
		167	+ commands.push(line)
		168	+ data_server = TCPServer.new("127.0.0.1", 0)
		169	+ port = data_server.local_address.ip_port
		170	+ sock.printf("227 Entering Passive Mode (127,0,0,1,%s).\r\n",
		171	+ port.divmod(256).join(","))
		172	+ commands.push(sock.gets)
		173	+ sock.print("150 Opening BINARY mode data connection for foo (#{binary_data.size} bytes)\r\n")
		174	+ conn = data_server.accept
		175	+ binary_data.scan(/.{1,1024}/nm) do \|s\|
		176	+ conn.print(s)
		177	+ end
		178	+ conn.shutdown(Socket::SHUT_WR)
		179	+ conn.read
		180	+ conn.close
		181	+ data_server.close
		182	+ sock.print("226 Transfer complete.\r\n")
		183	+ }
		184	+ begin
		185	+ begin
		186	+ ftp = Net::FTP.new
		187	+ ftp.passive = true
		188	+ ftp.use_pasv_ip = true
		189	+ ftp.read_timeout *= 5 if defined?(RubyVM::MJIT) && RubyVM::MJIT.enabled? # for --jit-wait
		190	+ ftp.connect("127.0.0.1", server.port)
		191	+ ftp.login
		192	+ assert_match(/\AUSER /, commands.shift)
		193	+ assert_match(/\APASS /, commands.shift)
		194	+ assert_equal("TYPE I\r\n", commands.shift)
		195	+ buf = ftp.getbinaryfile("foo", nil)
		196	+ assert_equal(binary_data, buf)
		197	+ assert_equal(Encoding::ASCII_8BIT, buf.encoding)
		198	+ assert_equal("PASV\r\n", commands.shift)
		199	+ assert_equal("RETR foo\r\n", commands.shift)
		200	+ assert_equal(nil, commands.shift)
		201	+ ensure
		202	+ ftp.close if ftp
		203	+ end
		204	+ ensure
		205	+ server.close
		206	+ end
		207	+ end
		208	+
		209	+ def test_use_pasv_invalid_ip
		210	+ commands = []
		211	+ binary_data = (0..0xff).map {\|i\| i.chr}.join * 4 * 3
		212	+ server = create_ftp_server(nil, "127.0.0.1") { \|sock\|
		213	+ sock.print("220 (test_ftp).\r\n")
		214	+ commands.push(sock.gets)
		215	+ sock.print("331 Please specify the password.\r\n")
		216	+ commands.push(sock.gets)
		217	+ sock.print("230 Login successful.\r\n")
		218	+ commands.push(sock.gets)
		219	+ sock.print("200 Switching to Binary mode.\r\n")
		220	+ line = sock.gets
		221	+ commands.push(line)
		222	+ sock.print("227 Entering Passive Mode (999,0,0,1,48,57).\r\n")
		223	+ commands.push(sock.gets)
		224	+ }
		225	+ begin
		226	+ begin
		227	+ ftp = Net::FTP.new
		228	+ ftp.passive = true
		229	+ ftp.use_pasv_ip = true
		230	+ ftp.read_timeout *= 5 if defined?(RubyVM::MJIT) && RubyVM::MJIT.enabled? # for --jit-wait
		231	+ ftp.connect("127.0.0.1", server.port)
		232	+ ftp.login
		233	+ assert_match(/\AUSER /, commands.shift)
		234	+ assert_match(/\APASS /, commands.shift)
		235	+ assert_equal("TYPE I\r\n", commands.shift)
		236	+ assert_raise(SocketError) do
		237	+ ftp.getbinaryfile("foo", nil)
		238	+ end
		239	+ ensure
		240	+ ftp.close if ftp
		241	+ end
		242	+ ensure
		243	+ server.close
		244	+ end
		245	+ end
		246	+
		247	private
		248
		249	- def create_ftp_server(sleep_time = nil)
		250	- server = TCPServer.new(SERVER_ADDR, 0)
		251	+ def create_ftp_server(sleep_time = nil, addr = SERVER_ADDR)
		252	+ server = TCPServer.new(addr, 0)
		253	@thread = Thread.start do
		254	if sleep_time
		255	sleep(sleep_time)
		256	--
		257	2.17.1
		258


diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2021-32066.patch b/meta/recipes-devtools/ruby/ruby/CVE-2021-32066.patch new file mode 100644 index 0000000000..b78a74a4b5 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2021-32066.patch
@@ -0,0 +1,102 @@
		1	From e2ac25d0eb66de99f098d6669cf4f06796aa6256 Mon Sep 17 00:00:00 2001
		2	From: Shugo Maeda <shugo@ruby-lang.org>
		3	Date: Tue, 11 May 2021 10:31:27 +0900
		4	Subject: [PATCH] Fix StartTLS stripping vulnerability
		5
		6	This fixes CVE-2021-32066.
		7	Reported by Alexandr Savca in <https://hackerone.com/reports/1178562>.
		8
		9	CVE: CVE-2021-32066
		10
		11	Upstream-Status: Backport
		12	[https://github.com/ruby/ruby/commit/e2ac25d0eb66de99f098d6669cf4f06796aa6256]
		13
		14	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		15	---
		16	lib/net/imap.rb \| 8 +++++++-
		17	test/net/imap/test_imap.rb \| 31 +++++++++++++++++++++++++++++++
		18	2 files changed, 38 insertions(+), 1 deletion(-)
		19
		20	diff --git a/lib/net/imap.rb b/lib/net/imap.rb
		21	index 505b4c8950..d45304f289 100644
		22	--- a/lib/net/imap.rb
		23	+++ b/lib/net/imap.rb
		24	@@ -1218,12 +1218,14 @@ def get_tagged_response(tag, cmd)
		25	end
		26	resp = @tagged_responses.delete(tag)
		27	case resp.name
		28	+ when /\A(?:OK)\z/ni
		29	+ return resp
		30	when /\A(?:NO)\z/ni
		31	raise NoResponseError, resp
		32	when /\A(?:BAD)\z/ni
		33	raise BadResponseError, resp
		34	else
		35	- return resp
		36	+ raise UnknownResponseError, resp
		37	end
		38	end
		39
		40	@@ -3719,6 +3721,10 @@ class BadResponseError < ResponseError
		41	class ByeResponseError < ResponseError
		42	end
		43
		44	+ # Error raised upon an unknown response from the server.
		45	+ class UnknownResponseError < ResponseError
		46	+ end
		47	+
		48	RESPONSE_ERRORS = Hash.new(ResponseError)
		49	RESPONSE_ERRORS["NO"] = NoResponseError
		50	RESPONSE_ERRORS["BAD"] = BadResponseError
		51	diff --git a/test/net/imap/test_imap.rb b/test/net/imap/test_imap.rb
		52	index 8b924b524e..85fb71d440 100644
		53	--- a/test/net/imap/test_imap.rb
		54	+++ b/test/net/imap/test_imap.rb
		55	@@ -127,6 +127,16 @@ def test_starttls
		56	imap.disconnect
		57	end
		58	end
		59	+
		60	+ def test_starttls_stripping
		61	+ starttls_stripping_test do \|port\|
		62	+ imap = Net::IMAP.new("localhost", :port => port)
		63	+ assert_raise(Net::IMAP::UnknownResponseError) do
		64	+ imap.starttls(:ca_file => CA_FILE)
		65	+ end
		66	+ imap
		67	+ end
		68	+ end
		69	end
		70
		71	def start_server
		72	@@ -834,6 +844,27 @@ def starttls_test
		73	end
		74	end
		75
		76	+ def starttls_stripping_test
		77	+ server = create_tcp_server
		78	+ port = server.addr[1]
		79	+ start_server do
		80	+ sock = server.accept
		81	+ begin
		82	+ sock.print("* OK test server\r\n")
		83	+ sock.gets
		84	+ sock.print("RUBY0001 BUG unhandled command\r\n")
		85	+ ensure
		86	+ sock.close
		87	+ server.close
		88	+ end
		89	+ end
		90	+ begin
		91	+ imap = yield(port)
		92	+ ensure
		93	+ imap.disconnect if imap && !imap.disconnected?
		94	+ end
		95	+ end
		96	+
		97	def create_tcp_server
		98	return TCPServer.new(server_addr, 0)
		99	end
		100	--
		101	2.25.1
		102


diff --git a/meta/recipes-devtools/ruby/ruby_3.0.1.bb b/meta/recipes-devtools/ruby/ruby_3.0.1.bb index 944cb81c1d..ae953a0a89 100644 --- a/meta/recipes-devtools/ruby/ruby_3.0.1.bb +++ b/meta/recipes-devtools/ruby/ruby_3.0.1.bb
@@ -6,6 +6,8 @@ SRC_URI += " \
6	file://remove_has_include_macros.patch \	6	file://remove_has_include_macros.patch \
7	file://run-ptest \	7	file://run-ptest \
8	file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \	8	file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \
		9	file://CVE-2021-31810.patch \
		10	file://CVE-2021-32066.patch \
9	"	11	"
10		12
11	SRC_URI[sha256sum] = "369825db2199f6aeef16b408df6a04ebaddb664fb9af0ec8c686b0ce7ab77727"	13	SRC_URI[sha256sum] = "369825db2199f6aeef16b408df6a04ebaddb664fb9af0ec8c686b0ce7ab77727"