Revert "Ruby: upgrade to 2.6.9 to fix CVE-2021-41817, CVE-2021-41819 (#2366)"

This reverts commit 4c46342.

Author: jslobodzian

SPECS/ruby/CVE-2021-32066.patch

@@ -0,0 +1,108 @@
+From a21a3b7d23704a01d34bd79d09dc37897e00922a Mon Sep 17 00:00:00 2001
+From: Yusuke Endoh <[email protected]>
+Date: Wed, 7 Jul 2021 12:06:44 +0900
+Subject: [PATCH] Fix StartTLS stripping vulnerability
+
+Reported by Alexandr Savca in https://hackerone.com/reports/1178562
+
+Co-authored-by: Shugo Maeda <[email protected]>
+---
+ lib/net/imap.rb            |  8 +++++++-
+ test/net/imap/test_imap.rb | 31 +++++++++++++++++++++++++++++++
+ version.h                  |  2 +-
+ 3 files changed, 39 insertions(+), 2 deletions(-)
+
+diff --git a/lib/net/imap.rb b/lib/net/imap.rb
+index 1c7e89b..91df89b 100644
+--- a/lib/net/imap.rb
++++ b/lib/net/imap.rb
+@@ -1215,12 +1215,14 @@ module Net
+       end
+       resp = @tagged_responses.delete(tag)
+       case resp.name
++      when /\A(?:OK)\z/ni
++        return resp
+       when /\A(?:NO)\z/ni
+         raise NoResponseError, resp
+       when /\A(?:BAD)\z/ni
+         raise BadResponseError, resp
+       else
+-        return resp
++        raise UnknownResponseError, resp
+       end
+     end
+ 
+@@ -3716,6 +3718,10 @@ module Net
+     class ByeResponseError < ResponseError
+     end
+ 
++    # Error raised upon an unknown response from the server.
++    class UnknownResponseError < ResponseError
++    end
++
+     RESPONSE_ERRORS = Hash.new(ResponseError)
+     RESPONSE_ERRORS["NO"] = NoResponseError
+     RESPONSE_ERRORS["BAD"] = BadResponseError
+diff --git a/test/net/imap/test_imap.rb b/test/net/imap/test_imap.rb
+index 936f4e0..217b611 100644
+--- a/test/net/imap/test_imap.rb
++++ b/test/net/imap/test_imap.rb
+@@ -127,6 +127,16 @@ class IMAPTest < Test::Unit::TestCase
+         imap.disconnect
+       end
+     end
++
++    def test_starttls_stripping
++      starttls_stripping_test do |port|
++        imap = Net::IMAP.new("localhost", :port => port)
++        assert_raise(Net::IMAP::UnknownResponseError) do
++          imap.starttls(:ca_file => CA_FILE)
++        end
++        imap
++      end
++    end
+   end
+ 
+   def test_unexpected_eof
+@@ -762,6 +772,27 @@ EOF
+     end
+   end
+ 
++  def starttls_stripping_test
++    server = create_tcp_server
++    port = server.addr[1]
++    start_server do
++      sock = server.accept
++      begin
++        sock.print("* OK test server\r\n")
++        sock.gets
++        sock.print("RUBY0001 BUG unhandled command\r\n")
++      ensure
++        sock.close
++        server.close
++      end
++    end
++    begin
++      imap = yield(port)
++    ensure
++      imap.disconnect if imap && !imap.disconnected?
++    end
++  end
++
+   def create_tcp_server
+     return TCPServer.new(server_addr, 0)
+   end
+diff --git a/version.h b/version.h
+index 1c491eb..2f4fcdf 100644
+--- a/version.h
++++ b/version.h
+@@ -1,6 +1,6 @@
+ #define RUBY_VERSION "2.6.7"
+ #define RUBY_RELEASE_DATE "2021-04-05"
+-#define RUBY_PATCHLEVEL 197
++#define RUBY_PATCHLEVEL 198
+ 
+ #define RUBY_RELEASE_YEAR 2021
+ #define RUBY_RELEASE_MONTH 4
+-- 
+2.17.1

SPECS/ruby/ruby.signatures.json

@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "ruby-2.6.9.tar.xz": "6a041d82ae6e0f02ccb1465e620d94a7196489d8a13d6018a160da42ebc1eece"
+  "ruby-2.6.7.tar.xz": "f43ead5626202d5432d2050eeab606e547f0554299cc1e5cf573d45670e59611"
  }
 }

SPECS/ruby/ruby.spec

@@ -1,14 +1,14 @@
 Summary:        Ruby
 Name:           ruby
-Version:        2.6.9
-Release:        1%{?dist}
+Version:        2.6.7
+Release:        3%{?dist}
 License:        (Ruby OR BSD) AND Public Domain AND MIT AND CC0 AND zlib AND UCD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          System Environment/Security
 URL:            https://www.ruby-lang.org/en/
 Source0:        https://cache.ruby-lang.org/pub/ruby/2.6/%{name}-%{version}.tar.xz
-
+Patch0:         CVE-2021-32066.patch
 BuildRequires:  openssl-devel
 BuildRequires:  readline
 BuildRequires:  readline-devel
@@ -62,9 +62,6 @@ sudo -u test make test TESTS="-v"
 %{_mandir}/man5/*
 
 %changelog
-* Tue Mar 01 2022 Nicolas Guibourge <[email protected]> - 2.6.9-1
-- Upgrade to 2.6.9 to fix CVE-2021-41817, CVE-2021-41819
-
 * Thu Jan 20 2022 Cameron Baird <[email protected]> - 2.6.7-3
 - Bump release to build and republish with mariner-rpm-macros fix to filter out references to module_info.ld in pkgconfig files
 

cgmanifest.json

@@ -7145,8 +7145,8 @@
         "type": "other",
         "other": {
           "name": "ruby",
-          "version": "2.6.9",
-          "downloadUrl": "https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.9.tar.xz"
+          "version": "2.6.7",
+          "downloadUrl": "https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.7.tar.xz"
         }
       }
     },