Patch Detail
GET /api/1.2/patches/2229539/?format=api
{ "id": 2229539, "url": "http://patchwork.ozlabs.org/api/1.2/patches/2229539/?format=api", "web_url": "http://patchwork.ozlabs.org/project/buildroot/patch/20260428125709.31994-1-titouan.christophe@mind.be/", "project": { "id": 27, "url": "http://patchwork.ozlabs.org/api/1.2/projects/27/?format=api", "name": "Buildroot development", "link_name": "buildroot", "list_id": "buildroot.buildroot.org", "list_email": "buildroot@buildroot.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260428125709.31994-1-titouan.christophe@mind.be>", "list_archive_url": null, "date": "2026-04-28T12:57:09", "name": "[for,2025.02.x] package/ruby: add patch for CVE-2026-41316", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": false, "hash": "88ed0b99a8bfdb894d4763943ae010c8778fd47d", "submitter": { "id": 90763, "url": "http://patchwork.ozlabs.org/api/1.2/people/90763/?format=api", "name": "Titouan Christophe", "email": "titouan.christophe@mind.be" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/buildroot/patch/20260428125709.31994-1-titouan.christophe@mind.be/mbox/", "series": [ { "id": 501844, "url": "http://patchwork.ozlabs.org/api/1.2/series/501844/?format=api", "web_url": "http://patchwork.ozlabs.org/project/buildroot/list/?series=501844", "date": "2026-04-28T12:57:09", "name": "[for,2025.02.x] package/ruby: add patch for CVE-2026-41316", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/501844/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2229539/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2229539/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<buildroot-bounces@buildroot.org>", "X-Original-To": [ "incoming-buildroot@patchwork.ozlabs.org", "buildroot@buildroot.org" ], "Delivered-To": [ "patchwork-incoming-buildroot@legolas.ozlabs.org", "buildroot@buildroot.org" ], 
"Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=qcSprrgH;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)" ], "Received": [ "from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4gSw5t3mz1xrS\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Tue, 28 Apr 2026 22:57:36 +1000 (AEST)", "from localhost (localhost [127.0.0.1])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id B5981825C3;\n\tTue, 28 Apr 2026 12:57:34 +0000 (UTC)", "from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id 3HaLowiXc_U9; Tue, 28 Apr 2026 12:57:32 +0000 (UTC)", "from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id 724E582531;\n\tTue, 28 Apr 2026 12:57:32 +0000 (UTC)", "from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])\n by lists1.osuosl.org (Postfix) with ESMTP id DC2071B8\n for <buildroot@buildroot.org>; Tue, 28 Apr 2026 12:57:30 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n by smtp2.osuosl.org (Postfix) with ESMTP id CD8004072A\n for <buildroot@buildroot.org>; Tue, 28 Apr 2026 12:57:30 +0000 (UTC)", "from smtp2.osuosl.org ([127.0.0.1])\n by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id DaiKEbY4sRRO for <buildroot@buildroot.org>;\n Tue, 28 Apr 2026 12:57:30 +0000 (UTC)", "from mail-wm1-x32d.google.com (mail-wm1-x32d.google.com\n 
[IPv6:2a00:1450:4864:20::32d])\n by smtp2.osuosl.org (Postfix) with ESMTPS id 3EE764071B\n for <buildroot@buildroot.org>; Tue, 28 Apr 2026 12:57:28 +0000 (UTC)", "by mail-wm1-x32d.google.com with SMTP id\n 5b1f17b1804b1-4838c15e3cbso105786075e9.3\n for <buildroot@buildroot.org>; Tue, 28 Apr 2026 05:57:28 -0700 (PDT)", "from dragon.home ([2a02:a03f:73a7:c001:1291:d1ff:fe92:3b5a])\n by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-48a774d9bd1sm28887015e9.3.2026.04.28.05.57.25\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Tue, 28 Apr 2026 05:57:25 -0700 (PDT)" ], "X-Virus-Scanned": [ "amavis at osuosl.org", "amavis at osuosl.org" ], "X-Comment": "SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ", "DKIM-Filter": [ "OpenDKIM Filter v2.11.0 smtp1.osuosl.org 724E582531", "OpenDKIM Filter v2.11.0 smtp2.osuosl.org 3EE764071B" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1777381052;\n\tbh=spOIDNKzBOjKydYlrskeafHERHqDOSp82pXIEC+SrgE=;\n\th=To:Date:Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:\n\t List-Help:List-Subscribe:From:Reply-To:Cc:From;\n\tb=qcSprrgHLHKWsw6j5bViRe0YSTU2mcTDnQ1cUAoQjJX8z/8gvOodoSkLAG0JE0hdn\n\t srdzSSduryVq65tL7DNX+P1KwoPpUzC5o0DoChM57lt+Wc7VejK7MP2MpiBFV4gPag\n\t aZ7roJ4avzHxzzDOIZgN9uurraO2oRTXEvSf0qhrinYFNOuSIrSRuttiUhYG87s5b2\n\t SFyGTWmRjPyQSJfVnlZHduQify5I2M4dbSAgOC8DHbCV1DZZgs7SfJwC98qFavXIYA\n\t whtprmRHjqm7oPaKtt+fmeX/KQ37RVkbnPlyKOJWEm1l+ZWzwmDB3gxGFJbgeR64M1\n\t C9inqAB3Cig4w==", "Received-SPF": "Pass (mailfrom) identity=mailfrom;\n client-ip=2a00:1450:4864:20::32d; helo=mail-wm1-x32d.google.com;\n envelope-from=titouan.christophe@essensium.com; receiver=<UNKNOWN>", "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp2.osuosl.org 3EE764071B", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777381046; x=1777985846;\n 
h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=Xd7jaeNzRLGmYmReFYoYkQhDYjFxzrQEIlwGKbm0zjM=;\n b=OOQtJwxr7N4c6W9iRq2dMegYICaGifQvReGNsqeit9mSzKXYCbQhMP5qjyJSETCKer\n HQneG2TRB1xcbMtfp7FdVoycXN+a87ISXluCWup0O8ZCV9fAyBbGDW/whCE/N7nBBrqb\n LY3ikNfW8ty2628pWs+t0BbImxOf8PDhefvyv1B3VNwzwNzVKR9QMTuOXsCdLmiYPKRK\n yPTUCma/AxiPUEeFcDp7NeCM9D7ZFTBdUnlpSNg6f2QoDmq6jAcd9g6FOLctuPiWLvEI\n 2Boldo5AU5mbjCYWbG0KmYZnR/onXq0VkXNOeYKfgbK/dEU8hcicd4Vg7X7Ol8XwNM7J\n F+hA==", "X-Gm-Message-State": "AOJu0YwuNVjaiu6jvxy7BTbG+LWmdwsrSDN7nRJWS43Uoc8WNg/N4sFQ\n QNNfuwr3oYAm+dkxLRB4yVtxZ5t/GaOIvYhUCsOIftdWWn9G3k97FqiSaSPtk7JbyMwORUP1Qyd\n DdTZVHUw=", "X-Gm-Gg": "AeBDiev1xw/5+w7X/jIHmK9rwkI/A3bl+oS+FE5dx/hkded4E8dT5opTIwhb7Q2TRaQ\n vaAq0XpOpXa22cFAtHYSNtU77WNoBmJjEkkiL3im9D82YtcegNCsaz2d8PKjYfm7figfwTuAIX9\n f3PErb1qYt1ggXovOGIlZ4A+miud5bsjvlgFp/4D/sVe0yKMrZ28wZ2TQisTeii5z7WPD37fm+O\n 8OYSBy4Zw5OAfJV4jKiD1VYRmuQlu8Lywm50mW/yzLgfMWfuei72MnGEYw8qe566TZWmVZdcgJC\n aqR0TKC+glnrMkmjubNF0hQn49kwPIHx3V/dkSU2UDbkjvhXu7XSuNe6zj58BACBJb4lQKFPt8h\n j7R3M91igdM+kgU0BfAgGsSP4YB90t3hkcBYpTnNeqHuhSCpik2GqxGVclu2PpE8y44NFykJ3ye\n t6zWYRN5gJ3xwuX7nkDGEnl3vfgn7WuFbT70wz8ZTCNKVDdhY=", "X-Received": "by 2002:a05:600c:1d0a:b0:488:a824:fdff with SMTP id\n 5b1f17b1804b1-48a77b1f0bdmr49805245e9.22.1777381046363;\n Tue, 28 Apr 2026 05:57:26 -0700 (PDT)", "To": "buildroot@buildroot.org", "Date": "Tue, 28 Apr 2026 14:57:09 +0200", "Message-ID": "<20260428125709.31994-1-titouan.christophe@mind.be>", "X-Mailer": "git-send-email 2.53.0", "MIME-Version": "1.0", "X-Mailman-Original-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=mind.be; s=google; t=1777381046; x=1777985846; darn=buildroot.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=Xd7jaeNzRLGmYmReFYoYkQhDYjFxzrQEIlwGKbm0zjM=;\n 
b=K5rF6Stw2g+fN/9a4/Bd+33knYH94/4QTFbFm96MOVp/yJWdKBMk1uqU2PiuTC3IAS\n M23pjkuE87wkWQTAi3NN3MZIOXNDm2HtPjvw1gnrwzUhvbMzehwMr/OEsS8bgvgjH03B\n IsmnklX2NDT2E+NEax61rFis+/60Mq0mHvCeQLioBkUMiHiR/NiVgG0OJVinJ1DGgeaZ\n OCw0U/orjaLGzkgVdActRgkAF3J8MN24AknkqsKuHt5SFASrjb+bA90M3jgPisRrLYnK\n sKfndwj67LyFTBWYbs55hBjld6/1HR1UQ0DRDEMWGFGiZUnhUhXCCmxsDeT6/qaVsvyI\n Jl3w==", "X-Mailman-Original-Authentication-Results": [ "smtp2.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=mind.be", "smtp2.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=mind.be header.i=@mind.be header.a=rsa-sha256\n header.s=google header.b=K5rF6Stw" ], "Subject": "[Buildroot] [PATCH for 2025.02.x] package/ruby: add patch for\n CVE-2026-41316", "X-BeenThere": "buildroot@buildroot.org", "X-Mailman-Version": "2.1.30", "Precedence": "list", "List-Id": "Discussion and development of buildroot <buildroot.buildroot.org>", "List-Unsubscribe": "<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>", "List-Archive": "<http://lists.buildroot.org/pipermail/buildroot/>", "List-Post": "<mailto:buildroot@buildroot.org>", "List-Help": "<mailto:buildroot-request@buildroot.org?subject=help>", "List-Subscribe": "<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>", "From": "Titouan Christophe via buildroot <buildroot@buildroot.org>", "Reply-To": "Titouan Christophe <titouan.christophe@mind.be>", "Cc": "thomas.perale@mind.be", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Errors-To": "buildroot-bounces@buildroot.org", "Sender": "\"buildroot\" <buildroot-bounces@buildroot.org>" }, "content": "This is the change from Ruby 4.0.2 to 4.0.3, rebased on top of Ruby 3.4\n\nSigned-off-by: Titouan Christophe <titouan.christophe@mind.be>\n---\n package/ruby/0001-fix-CVE-2026-41316.patch | 73 ++++++++++++++++++++++\n 
package/ruby/ruby.mk | 3 +\n 2 files changed, 76 insertions(+)\n create mode 100644 package/ruby/0001-fix-CVE-2026-41316.patch", "diff": "diff --git a/package/ruby/0001-fix-CVE-2026-41316.patch b/package/ruby/0001-fix-CVE-2026-41316.patch\nnew file mode 100644\nindex 0000000000..1c5949c221\n--- /dev/null\n+++ b/package/ruby/0001-fix-CVE-2026-41316.patch\n@@ -0,0 +1,73 @@\n+From c35379df5279777fb4e02d989064eecd9cbbf338 Mon Sep 17 00:00:00 2001\n+From: Takashi Kokubun <takashikkbn@gmail.com>\n+Date: Tue, 21 Apr 2026 16:27:44 +0900\n+Subject: [PATCH] [ruby/erb] Prohibit def_method on marshal-loaded ERB instances\n+\n+Extends the @_init guard to def_method so that an ERB object created\n+via Marshal.load (which bypasses initialize) raises ArgumentError\n+instead of evaluating arbitrary source. def_module and def_class both\n+delegate to def_method and are covered by the same check.\n+\n+Co-authored-by: Tristan Madani <TristanInSec@gmail.com>\n+\n+Upstream: https://github.com/ruby/ruby/commit/c35379df5279777fb4e02d989064eecd9cbbf338\n+CVE: CVE-2026-41316\n+[Titouan: Rebase on top of Ruby 3.4.9]\n+Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>\n+---\n+ lib/erb.rb | 3 +++\n+ test/erb/test_erb.rb | 27 +++++++++++++++++++++++++++\n+ 2 files changed, 30 insertions(+)\n+\n+diff --git a/lib/erb.rb b/lib/erb.rb\n+index bc1615d7da..a7317c0856 100644\n+--- a/lib/erb.rb\n++++ b/lib/erb.rb\n+@@ -463,6 +463,9 @@ def new_toplevel(vars = nil)\n+ # erb.def_method(MyClass, 'render(arg1, arg2)', filename)\n+ # print MyClass.new.render('foo', 123)\n+ def def_method(mod, methodname, fname='(ERB)')\n++ unless @_init.equal?(self.class.singleton_class)\n++ raise ArgumentError, \"not initialized\"\n++ end\n+ src = self.src.sub(/^(?!#|$)/) {\"def #{methodname}\\n\"} << \"\\nend\\n\"\n+ mod.module_eval do\n+ eval(src, binding, fname, -1)\n+diff --git a/test/erb/test_erb.rb b/test/erb/test_erb.rb\n+index 09496d31e25ca2..9eec43da158c0c 100644\n+--- a/test/erb/test_erb.rb\n++++ 
b/test/erb/test_erb.rb\n+@@ -664,6 +664,33 @@ def test_prohibited_marshal_load\n+ assert_raise(ArgumentError) {erb.result}\n+ end\n+ \n++ def test_prohibited_marshal_load_def_method\n++ erb = ERB.allocate\n++ erb.instance_variable_set(:@src, \"\")\n++ erb.instance_variable_set(:@lineno, 1)\n++ erb.instance_variable_set(:@_init, true)\n++ erb = Marshal.load(Marshal.dump(erb))\n++ assert_raise(ArgumentError) {erb.def_method(Class.new, 'render')}\n++ end\n++\n++ def test_prohibited_marshal_load_def_module\n++ erb = ERB.allocate\n++ erb.instance_variable_set(:@src, \"\")\n++ erb.instance_variable_set(:@lineno, 1)\n++ erb.instance_variable_set(:@_init, true)\n++ erb = Marshal.load(Marshal.dump(erb))\n++ assert_raise(ArgumentError) {erb.def_module}\n++ end\n++\n++ def test_prohibited_marshal_load_def_class\n++ erb = ERB.allocate\n++ erb.instance_variable_set(:@src, \"\")\n++ erb.instance_variable_set(:@lineno, 1)\n++ erb.instance_variable_set(:@_init, true)\n++ erb = Marshal.load(Marshal.dump(erb))\n++ assert_raise(ArgumentError) {erb.def_class}\n++ end\n++\n+ def test_multi_line_comment_lineno\n+ erb = ERB.new(<<~EOS)\n+ <%= __LINE__ %>\ndiff --git a/package/ruby/ruby.mk b/package/ruby/ruby.mk\nindex c56d2510be..a66bbd4cbf 100644\n--- a/package/ruby/ruby.mk\n+++ b/package/ruby/ruby.mk\n@@ -19,6 +19,9 @@ RUBY_LICENSE_FILES = LEGAL COPYING BSDL\n \n RUBY_CPE_ID_VENDOR = ruby-lang\n \n+# 0001-fix-CVE-2026-41316.patch\n+RUBY_IGNORE_CVES += CVE-2026-41316\n+\n RUBY_DEPENDENCIES = host-pkgconf host-ruby\n HOST_RUBY_DEPENDENCIES = host-libyaml host-pkgconf host-openssl\n RUBY_MAKE_ENV = $(TARGET_MAKE_ENV)\n", "prefixes": [ "for", "2025.02.x" ] }
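Review bot: The guard added at the top of `def_method` in lib/erb.rb only works if `initialize` already stores `self.class.singleton_class` in `@_init`, and that assignment is not visible in this hunk; on a tree without it `@_init` is nil and every `def_method`, `def_module` and `def_class` call would raise `ArgumentError`. Since this is a rebase from the 4.0.x line onto Ruby 3.4.9, it is worth confirming that the 3.4.9 `lib/erb.rb` sets `@_init` and that `result` carries the same check. The two embedded file sections also use different index abbreviation lengths (`bc1615d7da` against `09496d31e25ca2`), which suggests the test hunk may have been copied from upstream rather than regenerated, so verify that the whole patch applies to the 3.4.9 tarball. I would record the outcome in the patch header, for example `[Titouan: rebased on Ruby 3.4.9, which already sets @_init in initialize]`. The body of `def_method` continues outside the hunk.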