Accepting request 1291484 from devel:languages:ruby

OBS-URL: https://build.opensuse.org/request/show/1291484 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mruby?expand=0&rev=8
Update to 3.4.0 fixes boo#1246138
2025-07-09 15:29:36 +00:00 · 2025-07-09 12:08:35 +00:00
8 changed files with 125 additions and 56 deletions
--- a/CVE-2022-1212.patch
+++ b/CVE-2022-1212.patch
@@ -1,14 +0,0 @@
-diff -Nur old/src/vm.c new/src/vm.c
--- old/src/vm.c	2023-02-15 19:48:53.507676314 +0100
-+++ new/src/vm.c	2023-02-15 19:49:00.159805055 +0100
-@@ -2280,9 +2280,9 @@
-           }
-           if (ci->cci > CINFO_NONE) {
-             ci = cipop(mrb);
-+            mrb->exc = (struct RObject*)break_new(mrb, RBREAK_TAG_BREAK, proc, v);
-             mrb_gc_arena_restore(mrb, ai);
-             mrb->c->vmexec = FALSE;
-            mrb->exc = (struct RObject*)break_new(mrb, RBREAK_TAG_BREAK, proc, v);
-             mrb->jmp = prev_jmp;
-             MRB_THROW(prev_jmp);
-           }
--- a/CVE-2022-1286.patch
+++ b/CVE-2022-1286.patch
@@ -1,15 +0,0 @@
-diff -Nur old/src/class.c new/src/class.c
--- old/src/class.c	2023-02-15 19:48:06.910773088 +0100
-+++ new/src/class.c	2023-02-15 19:48:22.539076311 +0100
-@@ -2363,7 +2363,10 @@
-   MRB_CLASS_ORIGIN(c);
-   h = c->mt;
- 
-  if (h && mt_del(mrb, h, mid)) return;
-+  if (h && mt_del(mrb, h, mid)) {
-+    mrb_mc_clear_by_class(mrb, c);
-+    return;
-+  }
-   mrb_name_error(mrb, mid, "method '%n' not defined in %C", mid, c);
- }
- 
--- a/CVE-2025-7207.patch
+++ b/CVE-2025-7207.patch
@@ -0,0 +1,13 @@
+diff --git a/mrbgems/mruby-compiler/core/codegen.c b/mrbgems/mruby-compiler/core/codegen.c
+index be0bf875af..9deaa7fec5 100644
+--- a/mrbgems/mruby-compiler/core/codegen.c
+++ b/mrbgems/mruby-compiler/core/codegen.c
+@@ -4012,7 +4012,7 @@ scope_new(mrb_state *mrb, codegen_scope *prev, node *nlv)
+ 
+   s->lv = nlv;
+   s->sp += node_len(nlv)+1;        /* add self */
+-  s->nlocals = s->sp;
+  s->nlocals = s->nregs = s->sp;
+   if (nlv) {
+     mrb_sym *lv;
+     node *n = nlv;
--- a/link-with-soname.patch
+++ b/link-with-soname.patch
@@ -1,10 +1,10 @@
-diff -Nur mruby-3.1.0/build_config/host-shared.rb new/build_config/host-shared.rb
--- mruby-3.1.0/build_config/host-shared.rb	2022-05-12 05:19:10.000000000 +0200
-+++ new/build_config/host-shared.rb	2023-02-15 19:40:18.649494310 +0100
-@@ -18,12 +18,12 @@
+diff -Nur mruby-3.4.0/build_config/host-shared.rb new/build_config/host-shared.rb
+--- mruby-3.4.0/build_config/host-shared.rb	2025-04-20 06:08:22.000000000 +0200
+++ new/build_config/host-shared.rb	2025-07-09 13:57:53.778707930 +0200
+@@ -15,12 +15,12 @@
 
   conf.archiver do |archiver|
-     archiver.command = 'gcc'
+     archiver.command = cc.command
 -    archiver.archive_options = '-shared -o %{outfile} %{objs}'
 +    archiver.archive_options = '-shared -Wl,-soname,%{filename} -o %{outfile} %{objs}'
   end
@@ -16,9 +16,9 @@ diff -Nur mruby-3.1.0/build_config/host-shared.rb new/build_config/host-shared.r
   end
 
   # file separator
-diff -Nur mruby-3.1.0/lib/mruby/build/command.rb new/lib/mruby/build/command.rb
--- mruby-3.1.0/lib/mruby/build/command.rb	2022-05-12 05:19:10.000000000 +0200
-+++ new/lib/mruby/build/command.rb	2023-02-15 19:39:00.763898579 +0100
+diff -Nur mruby-3.4.0/lib/mruby/build/command.rb new/lib/mruby/build/command.rb
+--- mruby-3.4.0/lib/mruby/build/command.rb	2025-04-20 06:08:22.000000000 +0200
+++ new/lib/mruby/build/command.rb	2025-07-09 13:56:55.668375790 +0200
@@ -4,7 +4,7 @@
   class Command
     include Rake::DSL
@@ -28,7 +28,7 @@ diff -Nur mruby-3.1.0/lib/mruby/build/command.rb new/lib/mruby/build/command.rb
     attr_accessor :build, :command
 
     def initialize(build)
-@@ -234,7 +234,7 @@
+@@ -240,7 +240,7 @@
     def run(outfile, objfiles)
       mkdir_p File.dirname(outfile)
       _pp "AR", outfile.relative_path
@@ -37,18 +37,18 @@ diff -Nur mruby-3.1.0/lib/mruby/build/command.rb new/lib/mruby/build/command.rb
     end
   end
 
-diff -Nur mruby-3.1.0/lib/mruby/build.rb new/lib/mruby/build.rb
--- mruby-3.1.0/lib/mruby/build.rb	2022-05-12 05:19:10.000000000 +0200
-+++ new/lib/mruby/build.rb	2023-02-15 19:39:00.763898579 +0100
-@@ -6,6 +6,7 @@
+diff -Nur mruby-3.4.0/lib/mruby/build.rb new/lib/mruby/build.rb
+--- mruby-3.4.0/lib/mruby/build.rb	2025-04-20 06:08:22.000000000 +0200
+++ new/lib/mruby/build.rb	2025-07-09 13:56:55.668457919 +0200
+@@ -7,6 +7,7 @@
   autoload :Gem, "mruby/gem"
   autoload :Lockfile, "mruby/lockfile"
   autoload :Presym, "mruby/presym"
 +  autoload :Source, 'mruby/source'
 
-   class << self
-     def targets
-@@ -382,6 +383,10 @@
+   INSTALL_PREFIX = ENV['PREFIX'] || ENV['INSTALL_PREFIX'] || '/usr/local'
+   INSTALL_DESTDIR = ENV['DESTDIR'] || ''
+@@ -425,6 +426,10 @@
       end
     end
 
@@ -59,7 +59,7 @@ diff -Nur mruby-3.1.0/lib/mruby/build.rb new/lib/mruby/build.rb
     def exefile(name)
       if name.is_a?(Array)
         name.flatten.map { |n| exefile(n) }
-@@ -405,7 +410,7 @@
+@@ -448,7 +453,7 @@
       if name.is_a?(Array)
         name.flatten.map { |n| libfile(n) }
       else
--- a/mruby-3.1.0.tar.gz
+++ b/mruby-3.1.0.tar.gz
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:64ce0a967028a1a913d3dfc8d3f33b295332ab73be6f68e96d0f675f18c79ca8
-size 741088
--- a/mruby-3.4.0.tar.gz
+++ b/mruby-3.4.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:183711c7a26d932b5342e64860d16953f1cc6518d07b2c30a02937fb362563f8
+size 843682
--- a/mruby.changes
+++ b/mruby.changes
@@ -1,3 +1,90 @@
+-------------------------------------------------------------------
+Wed Jul  9 11:41:30 UTC 2025 - Ferdinand Thiessen <rpm@fthiessen.de>
+
+- Update to 3.4.0
+  - mruby now supports `private` and `protected` visibility
+    - Maximum length of inlined symbols reduced from 5 to 4 characters
+      to provide space for visibility flags
+    - Many methods are made private according to CRuby visibility
+    - `initialize` method will be always private
+  - Add new hooks `method_removed`, `method_undefined`
+  - Add new hooks `singleton_method_removed`, `singleton_method_undefined`
+  - Hash `to_s` format has changed
+  - Remove Float bit-operation
+  - use SWAR technique for strlen performance
+  - use merge sort for `Array#sort`
+  - C API changes:
+    - pool.c renamed to mempool.c (and mrb_pool to mrb_mempool)
+    - mrb_pool_value renamed to mrb_irep_pool to reduce confusion
+    - rename BOXNIX_SET_VALUE to BOXNO_SET_VALUE
+    - `MRB_FROZEN_P()` is replaced by `mrb_frozen_p()`
+    - rename `color` to `gc_color`
+    - add `obj->frozen` instead of flags `MRB_SET_FROZEN_FLAG`/`MRB_UNSET_FROZEN_FLAG`
+  - Changes in mrbgems:
+    - **mruby-print**: removed; if you do not use `mruby-io`, mruby use `#print` etc. in the core
+    - **mruby-toplevel-ext**: top-level public/private/protected moved to the core
+    - **mruby-metaprog**: method list methods now works according to the visibility
+    - **mruby-encoding**: MRB_UTF8_STRING turned on automatically with this gem
+- Update to 3.3.0
+  - aliases work properly with `super`
+  - `callee` method work differently with aliases in mruby
+  - define `Kernel#respond_to_missing?` method
+  - `_inspect` method (`inspect` with recursive check) is removed
+  - `__printstr__` method is removed; use `print` instead
+  - New method `String#bytesplice`
+  - Allow `return` in blocks to cross C boundaries
+  - mruby memory API
+    - `mrb_default_allocf` can be overridden by the application
+    - `mrb_open_allocf` will be deprecated
+  - Changes in C API
+    - add new error handling API functions
+    - Add `mrb_vm_ci_env_clear()` function with `MRB_API`
+    - a new function `mrb_check_frozen_value()`
+    - avoid formatting in `mrb_bug()`
+    - stop using `mrbc_` prefix for compiler context
+    - Allow `Class#allocate` to be prohibited. To disable `#allocate`, use `MRB_UNDEF_ALLOCATOR()`.
+  - Changes in mrbgems
+    - **mruby-binding**: renamed from `mruby-binding-core` of mruby3.2
+    - **mruby-binding**: implemented `Binding#initialize_copy` method
+    - **mruby-binding**: `Kernel#binding` responds only to calls from Ruby
+    - **mruby-enumerator**: remove internal attribute methods `obj`, `args`, `kwd`, `meth`, `fib`.
+  - Other breaking changes
+    - `mrb_f_raise()` is now an internal function
+    - `mrb_make_exception()` is now an internal function with different parameters
+    - The `File#path` method no longer uses the `#to_path` method for implicit conversion
+- Update to 3.2.0
+  - Now `a::B = c` should evaluate `a` then `c`.
+  - Anonymous arguments `*`, `**`, `&` can be passed for forwarding.
+  - Multi-precision integer is available now via `mruby-bigint` gem.
+  - mruby VM and bytecode
+    - `OP_ARYDUP` was renamed to `OP_ARYSPLAT`. The instruction name
+      was changed but instruction number and basic behavior have not
+      changed (except that `ARYDUP nil` makes `[]`).
+  - `mruby` tool
+    - `-b` only specifies the script is the binary.
+      The files loaded by `-r` are not affected by the option.
+    - `mruby` now loads complied binary if the suffix is `.mrb`.
+  - `mrbc` tool
+    - Add `--no-optimize` option to disable optimization.
+  - mrbgems
+    - mruby-class-ext: Add `Class#subclasses` method.
+    - mruby-class-ext: Add `Module#undefined_instance_methods` method.
+    - mruby-errno is now included
+    - mruby-set is now included
+    - mruby-dir is now included
+  - Fixed security issues:
+    - CVE-2022-0080, CVE-2022-0240, CVE-2022-0326, CVE-2022-0631,
+      CVE-2022-0481, CVE-2022-0525, CVE-2022-0570, CVE-2022-0614,
+      CVE-2022-0623, CVE-2022-0630, CVE-2022-0631, CVE-2022-0632,
+      CVE-2022-0717, CVE-2022-0890, CVE-2022-1106, CVE-2022-1212,
+      CVE-2022-1276, CVE-2022-1286, CVE-2022-1934
+- Removed upstream merged patches
+  - CVE-2022-1286.patch
+  - CVE-2022-1212.patch
+- Added CVE-2025-7207.patch as an upstream patch for CVE-2025-7207
+  also known as boo#1246138
+- Updated link-with-soname.patch
+
 -------------------------------------------------------------------
 Wed Feb 15 18:26:15 UTC 2023 - Ferdinand Thiessen <rpm@fthiessen.de>

--- a/mruby.spec
+++ b/mruby.spec
@@ -2,7 +2,7 @@
 #
 # spec file for package mruby
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 # Copyright (c) 2012 Pascal Bleser <pascal.bleser@opensuse.org>
 #
 # All modifications and additions to the file contributed by third parties
@@ -19,9 +19,9 @@


 %global _lto_cflags %{_lto_cflags} -ffat-lto-objects
-%define sover 3_1_0
+%define sover 3_4_0
 Name:           mruby
-Version:        3.1.0
+Version:        3.4.0
 Release:        0
 Summary:        Lightweight Ruby
 License:        MIT
@@ -30,10 +30,8 @@ URL:            https://github.com/mruby/mruby/
 Source:         %{url}/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 # PATCH-FIX-OPENSUSE PATCH-FEATURE-UPSTREAM link-with-soname.patch -- Add SONAME to library
 Patch0:         link-with-soname.patch
-# PATCH-FIX-UPSTREAM CVE-2022-1286.patch -- boo#1198289 https://github.com/mruby/mruby/commit/b1d0296a
-Patch2:         CVE-2022-1286.patch
-# PATCH-FIX-UPSTREAM CVE-2022-1212.patch -- https://github.com/mruby/mruby/commit/3cf291f72224715942beaf8553e42ba8891ab3c6
-Patch3:         CVE-2022-1212.patch
+# PATCH-FIX-UPSTREAM CVE-2025-7207.patch -- upstream patch for CVE-2025-7207 known as boo#1246138
+Patch1:         https://github.com/mruby/mruby/commit/1fdd96104180cc0fb5d3cb086b05ab6458911bb9.diff#/CVE-2025-7207.patch
 BuildRequires:  bison
 BuildRequires:  cmake
 BuildRequires:  pkgconfig