From cf25b0bd9ced1b969d16c0da3bbfa23f10faeddf Mon Sep 17 00:00:00 2001
From: git
Date: Mon, 20 Apr 2026 07:26:35 +0000
Subject: [PATCH 1/5] [DOC] Update bundled gems list at 35e7f2c2f4840de027e5ebb6e7a5f9
---
 NEWS.md | 40 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/NEWS.md b/NEWS.md
index 9ef91778c28894..ce9345ecd8c80e 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -166,26 +166,6 @@ A lot of work has gone into making Ractors more stable, performant, and usable.
 [Feature #21853]: https://bugs.ruby-lang.org/issues/21853
 [Feature #21861]: https://bugs.ruby-lang.org/issues/21861
 [Feature #21932]: https://bugs.ruby-lang.org/issues/21932
-[rbs-v3.10.1]: https://github.com/ruby/rbs/releases/tag/v3.10.1
-[rbs-v3.10.2]: https://github.com/ruby/rbs/releases/tag/v3.10.2
-[rbs-v3.10.3]: https://github.com/ruby/rbs/releases/tag/v3.10.3
-[rbs-v3.10.4]: https://github.com/ruby/rbs/releases/tag/v3.10.4
-[rbs-v4.0.0.dev.5]: https://github.com/ruby/rbs/releases/tag/v4.0.0.dev.5
-[rbs-v4.0.0]: https://github.com/ruby/rbs/releases/tag/v4.0.0
-[rbs-v4.0.2]: https://github.com/ruby/rbs/releases/tag/v4.0.2
-[bigdecimal-v4.1.0]: https://github.com/ruby/bigdecimal/releases/tag/v4.1.0
-[bigdecimal-v4.1.1]: https://github.com/ruby/bigdecimal/releases/tag/v4.1.1
-[bigdecimal-v4.1.2]: https://github.com/ruby/bigdecimal/releases/tag/v4.1.2
-[resolv-replace-v0.2.0]: https://github.com/ruby/resolv-replace/releases/tag/v0.2.0
-[syslog-v0.4.0]: https://github.com/ruby/syslog/releases/tag/v0.4.0
-[repl_type_completor-v0.1.13]: https://github.com/ruby/repl_type_completor/releases/tag/v0.1.13
-[repl_type_completor-v0.1.14]: https://github.com/ruby/repl_type_completor/releases/tag/v0.1.14
-[repl_type_completor-v0.1.15]: https://github.com/ruby/repl_type_completor/releases/tag/v0.1.15
-[pstore-v0.2.1]: https://github.com/ruby/pstore/releases/tag/v0.2.1
-[rdoc-v7.1.0]: https://github.com/ruby/rdoc/releases/tag/v7.1.0
-[rdoc-v7.2.0]: https://github.com/ruby/rdoc/releases/tag/v7.2.0
-[win32ole-v1.9.3]: https://github.com/ruby/win32ole/releases/tag/v1.9.3
-[irb-v1.17.0]: https://github.com/ruby/irb/releases/tag/v1.17.0
 [RubyGems-v4.0.4]: https://github.com/rubygems/rubygems/releases/tag/v4.0.4
 [RubyGems-v4.0.5]: https://github.com/rubygems/rubygems/releases/tag/v4.0.5
 [RubyGems-v4.0.6]: https://github.com/rubygems/rubygems/releases/tag/v4.0.6
@@ -223,3 +203,23 @@ A lot of work has gone into making Ractors more stable, performant, and usable.
 [test-unit-3.7.6]: https://github.com/test-unit/test-unit/releases/tag/3.7.6
 [test-unit-3.7.7]: https://github.com/test-unit/test-unit/releases/tag/3.7.7
 [net-imap-v0.6.3]: https://github.com/ruby/net-imap/releases/tag/v0.6.3
+[rbs-v3.10.1]: https://github.com/ruby/rbs/releases/tag/v3.10.1
+[rbs-v3.10.2]: https://github.com/ruby/rbs/releases/tag/v3.10.2
+[rbs-v3.10.3]: https://github.com/ruby/rbs/releases/tag/v3.10.3
+[rbs-v3.10.4]: https://github.com/ruby/rbs/releases/tag/v3.10.4
+[rbs-v4.0.0.dev.5]: https://github.com/ruby/rbs/releases/tag/v4.0.0.dev.5
+[rbs-v4.0.0]: https://github.com/ruby/rbs/releases/tag/v4.0.0
+[rbs-v4.0.2]: https://github.com/ruby/rbs/releases/tag/v4.0.2
+[bigdecimal-v4.1.0]: https://github.com/ruby/bigdecimal/releases/tag/v4.1.0
+[bigdecimal-v4.1.1]: https://github.com/ruby/bigdecimal/releases/tag/v4.1.1
+[bigdecimal-v4.1.2]: https://github.com/ruby/bigdecimal/releases/tag/v4.1.2
+[resolv-replace-v0.2.0]: https://github.com/ruby/resolv-replace/releases/tag/v0.2.0
+[syslog-v0.4.0]: https://github.com/ruby/syslog/releases/tag/v0.4.0
+[repl_type_completor-v0.1.13]: https://github.com/ruby/repl_type_completor/releases/tag/v0.1.13
+[repl_type_completor-v0.1.14]: https://github.com/ruby/repl_type_completor/releases/tag/v0.1.14
+[repl_type_completor-v0.1.15]: https://github.com/ruby/repl_type_completor/releases/tag/v0.1.15
+[pstore-v0.2.1]: https://github.com/ruby/pstore/releases/tag/v0.2.1
+[rdoc-v7.1.0]: https://github.com/ruby/rdoc/releases/tag/v7.1.0
+[rdoc-v7.2.0]: https://github.com/ruby/rdoc/releases/tag/v7.2.0
+[win32ole-v1.9.3]: https://github.com/ruby/win32ole/releases/tag/v1.9.3
+[irb-v1.17.0]: https://github.com/ruby/irb/releases/tag/v1.17.0
From 359f671f885bc082eda6ab5fb2804306c9e8c39c Mon Sep 17 00:00:00 2001
From: ndossche <7771979+ndossche@users.noreply.github.com>
Date: Sat, 18 Apr 2026 13:19:32 +0200
Subject: [PATCH 2/5] [ruby/openssl] x509name: check for error of X509_NAME_cmp()
These functions may return -2 to indicate an error according to the manual [1]. This can also be confirmed when looking at the code as it may call into i2d_X509_NAME() which can fail [2]. In such cases, the failure is reinterpreted as a "less than" comparison and the error is not reported, potentially leading to wrong results in userland code.
[1] https://manpages.opensuse.org/Tumbleweed/openssl-3-doc/X509_NAME_cmp.33ssl.en.html
[2] https://github.com/openssl/openssl/blob/f023662d1bde1fcb7fecf976b25a45afd55734b8/crypto/x509/x509_cmp.c#L269-L271
https://github.com/ruby/openssl/commit/08e5547b85
---
 ext/openssl/ossl_x509name.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/ext/openssl/ossl_x509name.c b/ext/openssl/ossl_x509name.c
index 2b66a4a097c29e..eb97b23c026c4f 100644
--- a/ext/openssl/ossl_x509name.c
+++ b/ext/openssl/ossl_x509name.c
@@ -366,11 +366,17 @@ static int
 ossl_x509name_cmp0(VALUE self, VALUE other)
 {
 X509_NAME *name1, *name2;
+ int result;
 GetX509Name(self, name1);
 GetX509Name(other, name2);
- return X509_NAME_cmp(name1, name2);
+ result = X509_NAME_cmp(name1, name2);
+ if (result == -2) {
+ ossl_raise(eX509NameError, NULL);
+ }
+
+ return result;
 }
 /*
From 83b7a4d9a5506944c9dfc0627bb4d4c5e58543ed Mon Sep 17 00:00:00 2001
From: ndossche <7771979+ndossche@users.noreply.github.com>
Date: Sat, 18 Apr 2026 14:25:20 +0200
Subject: [PATCH 3/5] [ruby/openssl] x509cert: check for error of X509_set_serialNumber()
This function may return 0 on error [1].
[1] https://manpages.debian.org/stretch/libssl-doc/X509_set_serialNumber.3ssl.en.html
https://github.com/ruby/openssl/commit/c6caa4f1c1
---
 ext/openssl/ossl_x509cert.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
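Review bot: The new `ossl_raise(eX509NameError, NULL)` leaves the exception message entirely to whatever happens to sit on the OpenSSL error queue, whereas the ex_data patch later in this series names the failing call (`ossl_raise(eSSLError, "SSL_CTX_set_ex_data")`); `ossl_raise(eX509NameError, "X509_NAME_cmp");` would keep the two consistent and, if I recall ossl_make_error correctly, still appends the queued OpenSSL reason. The callers, which lie outside this hunk, deserve a look as well: if ossl_x509name_cmp0 also backs `eql?` or `==` (the `cmp0` name suggests it is shared with `<=>`), a name that cannot be DER-encoded now raises out of an equality check, which matters when X509::Name objects are used as Hash or Set keys, and returning false there may be the friendlier contract. The `== -2` test also encodes a contract that differs from the usual 0/non-zero convention in this file, so a short comment such as `/* X509_NAME_cmp() returns -2 on error, e.g. when i2d_X509_NAME() fails */` above the check would help the next reader.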
diff --git a/ext/openssl/ossl_x509cert.c b/ext/openssl/ossl_x509cert.c
index de246759ab7af3..08dd184a0c7525 100644
--- a/ext/openssl/ossl_x509cert.c
+++ b/ext/openssl/ossl_x509cert.c
@@ -311,7 +311,9 @@ ossl_x509_set_serial(VALUE self, VALUE num)
 X509 *x509;
 GetX509(self, x509);
- X509_set_serialNumber(x509, num_to_asn1integer(num, X509_get_serialNumber(x509)));
+ if (!X509_set_serialNumber(x509, num_to_asn1integer(num, X509_get_serialNumber(x509)))) {
+ ossl_raise(eX509CertError, NULL);
+ }
 return num;
 }
From b4c8c8a6f0e8ffd40a301f2dd85508f9b6a4ffad Mon Sep 17 00:00:00 2001
From: ndossche
Date: Mon, 20 Apr 2026 11:29:32 +0200
Subject: [PATCH 4/5] [ruby/openssl] pkcs7: fix error check of PKCS7_RECIP_INFO_set()
This function actually returns a value <=0 on error, but it is not documented as such. Example from OpenSSL code [1] and implementation [2] indicate as such.
[1] https://github.com/openssl/openssl/blob/4b8ddae690d6449005e474bfdfe73106d4d6c5ea/crypto/pkcs7/pk7_lib.c#L578
[2] https://github.com/openssl/openssl/blob/4b8ddae690d6449005e474bfdfe73106d4d6c5ea/crypto/pkcs7/pk7_lib.c#L625
https://github.com/ruby/openssl/commit/e70a63fabe
---
 ext/openssl/ossl_pkcs7.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/openssl/ossl_pkcs7.c b/ext/openssl/ossl_pkcs7.c
index ae0d35b7235923..79bc5d76f59247 100644
--- a/ext/openssl/ossl_pkcs7.c
+++ b/ext/openssl/ossl_pkcs7.c
@@ -1055,7 +1055,7 @@ ossl_pkcs7ri_initialize(VALUE self, VALUE cert)
 x509 = GetX509CertPtr(cert); /* NO NEED TO DUP */
 GetPKCS7ri(self, p7ri);
- if (!PKCS7_RECIP_INFO_set(p7ri, x509)) {
+ if (PKCS7_RECIP_INFO_set(p7ri, x509) <= 0) {
 ossl_raise(ePKCS7Error, NULL);
 }
From 1dcb7acbc60de7b75fec14ae802cde72a205942a Mon Sep 17 00:00:00 2001
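Review bot: The new check is unlikely to ever fire: the ASN1_INTEGER handed to X509_set_serialNumber is the certificate's own serial (`X509_get_serialNumber(x509)`), which num_to_asn1integer updates in place, and as far as I can tell from OpenSSL's x509_set.c the setter returns 1 without copying when it is given the object it already holds, so the only failure it could report here is a NULL from num_to_asn1integer, which presumably raises on its own. The check is still correct as defence in depth, but a comment would save the next reader from hunting for a real error path, e.g. `/* defensive: serial is x509's own ASN1_INTEGER, updated in place by num_to_asn1integer() */`. As in the X509_NAME_cmp patch, `ossl_raise(eX509CertError, NULL)` relies on the OpenSSL error queue for its message; passing `"X509_set_serialNumber"` would match the convention the ex_data patch in this series uses. The opening lines of ossl_x509_set_serial sit above the hunk.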
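Review bot: The `<= 0` form is the only check of its kind in the visible code and the reason for it lives only in the commit message, so a later cleanup could easily "normalise" it back to `!`; a one-line comment on the new line would protect it, e.g. `/* PKCS7_RECIP_INFO_set() reports failure as <= 0, not just 0 */`. Treating negative returns as errors is strictly more conservative than the old test, so the change itself carries no behavioural risk. The rest of ossl_pkcs7ri_initialize appears to continue past the hunk.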
From: ndossche <7771979+ndossche@users.noreply.github.com>
Date: Sat, 18 Apr 2026 14:40:04 +0200
Subject: [PATCH 5/5] [ruby/openssl] x509store, ssl: check for error of CRYPTO_set_ex_data()
This can technically fail because it internally performs allocations. Also confirmed by the man page [1].
[1] (among other functions on this page) https://docs.openssl.org/3.5/man3/BIO_get_ex_new_index
https://github.com/ruby/openssl/commit/c0de3f5c83
---
 ext/openssl/ossl_ssl.c | 6 ++++--
 ext/openssl/ossl_x509store.c | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index c6dec32a9e5e82..5a6ef726094d72 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -91,7 +91,8 @@ ossl_sslctx_s_alloc(VALUE klass)
 SSL_CTX_set_mode(ctx, mode);
 SSL_CTX_set_dh_auto(ctx, 1);
 RTYPEDDATA_DATA(obj) = ctx;
- SSL_CTX_set_ex_data(ctx, ossl_sslctx_ex_ptr_idx, (void *)obj);
+ if (!SSL_CTX_set_ex_data(ctx, ossl_sslctx_ex_ptr_idx, (void *)obj))
+ ossl_raise(eSSLError, "SSL_CTX_set_ex_data");
 return obj;
 }
@@ -1672,7 +1673,8 @@ ossl_ssl_initialize(int argc, VALUE *argv, VALUE self)
 ossl_raise(eSSLError, NULL);
 RTYPEDDATA_DATA(self) = ssl;
- SSL_set_ex_data(ssl, ossl_ssl_ex_ptr_idx, (void *)self);
+ if (!SSL_set_ex_data(ssl, ossl_ssl_ex_ptr_idx, (void *)self))
+ ossl_raise(eSSLError, "SSL_set_ex_data");
 SSL_set_info_callback(ssl, ssl_info_cb);
 rb_call_super(0, NULL);
diff --git a/ext/openssl/ossl_x509store.c b/ext/openssl/ossl_x509store.c
index 408e18c6c418ff..9e43336c4406f2 100644
--- a/ext/openssl/ossl_x509store.c
+++ b/ext/openssl/ossl_x509store.c
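Review bot: The new check is leak-free only because it runs after `RTYPEDDATA_DATA(obj) = ctx;`, so the SSL_CTX is already owned by obj and is presumably released by the type's free function when the half-built obj is collected, but that dependence on statement order is invisible to a reader and a future reordering would leak the context on the error path. A comment on the new line would pin it, e.g. `/* ctx is already owned by obj, so it is freed with obj if this raises */`. The same reasoning applies to the SSL_set_ex_data check in ossl_ssl_initialize below, which likewise follows `RTYPEDDATA_DATA(self) = ssl;`. ossl_sslctx_s_alloc begins above the hunk.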
@@ -190,8 +190,9 @@ ossl_x509store_set_vfy_cb(VALUE self, VALUE cb)
 X509_STORE *store;
 GetX509Store(self, store);
+ if (!X509_STORE_set_ex_data(store, store_ex_verify_cb_idx, (void *)cb))
+ ossl_raise(eX509StoreError, "X509_STORE_set_ex_data");
 rb_iv_set(self, "@verify_callback", cb);
- X509_STORE_set_ex_data(store, store_ex_verify_cb_idx, (void *)cb);
 RB_OBJ_WRITTEN(self, Qundef, cb);
 return cb;
@@ -608,7 +609,8 @@ ossl_x509stctx_verify(VALUE self)
 GetX509StCtx(self, ctx);
 VALUE cb = rb_iv_get(self, "@verify_callback");
- X509_STORE_CTX_set_ex_data(ctx, stctx_ex_verify_cb_idx, (void *)cb);
+ if (!X509_STORE_CTX_set_ex_data(ctx, stctx_ex_verify_cb_idx, (void *)cb))
+ ossl_raise(eX509StoreError, "X509_STORE_CTX_set_ex_data");
 RB_OBJ_WRITTEN(self, Qundef, cb);
 switch (X509_verify_cert(ctx)) {
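Review bot: The position of the new X509_STORE_set_ex_data check relative to `rb_iv_set(self, "@verify_callback", cb)` is load-bearing but undocumented: because the ex_data write now happens first, a failure raises before the ivar changes, so the callback Ruby reports and the one the store actually consults stay in agreement, which is exactly the property a verification hook needs. A comment such as `/* set ex_data first so a failure leaves @verify_callback untouched */` would keep a later refactor from swapping the two lines back. No equivalent ordering concern arises in ossl_x509stctx_verify below, where the ivar is only read. ossl_x509store_set_vfy_cb starts above the hunk.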