-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5848
                       Ruby 3.2.0 Preview 3 Released
                             14 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Ruby
Publisher:         Ruby
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://www.ruby-lang.org/en/news/2022/11/11/ruby-3-2-0-preview3-released/

Comment: CVSS (Max):  None available when published

- --------------------------BEGIN INCLUDED TEXT--------------------

Ruby 3.2.0 Preview 3 Released

Posted by naruse on 11 Nov 2022

We are pleased to announce the release of Ruby 3.2.0-preview3. Ruby 3.2 adds
many features and performance improvements.

WASI based WebAssembly support

This is an initial port of WASI based WebAssembly support. It enables a CRuby
binary to run in web browsers, serverless edge environments, and other
WebAssembly/WASI embedders. Currently this port passes the basic and bootstrap
test suites, excluding those that use the Thread API.


Background

WebAssembly (Wasm) was originally introduced to run programs safely and fast in
web browsers. But its objective - running programs efficiently and securely on
various environments - has long been wanted not only by the web but also by
general applications.

WASI (the WebAssembly System Interface) is designed for such use cases. Though
such applications need to communicate with operating systems, WebAssembly runs
on a virtual machine which didn't have a system interface. WASI standardizes
it.

WebAssembly/WASI support in Ruby intends to leverage those projects. It enables
Ruby developers to write applications which run on such promising platforms.

Use case

This support enables developers to utilize CRuby in WebAssembly environments.
An example use case is TryRuby playground's CRuby support. Now you can try the
original CRuby in your web browser.

Technical points

Today's WASI and WebAssembly itself lack some features needed to implement
Fiber, exceptions, and GC, because they are still evolving and also for
security reasons. So CRuby fills the gap by using Asyncify, which is a binary
transformation technique to control execution in userland.

In addition, we built a VFS on top of WASI so that we can easily pack Ruby apps
into a single .wasm file. This makes distribution of Ruby apps a bit easier.

Related links

  o Add WASI based WebAssembly support #5407
  o An Update on WebAssembly/WASI Support in Ruby

Regexp improvements against ReDoS

It is known that Regexp matching may take unexpectedly long. If your code
attempts to match a possibly inefficient Regexp against untrusted input, an
attacker may exploit it for an efficient Denial of Service (so-called Regular
expression DoS, or ReDoS).

We have introduced two improvements that significantly mitigate ReDoS.

Improved Regexp matching algorithm

Since Ruby 3.2, Regexp's matching algorithm has been greatly improved by using
a memoization technique.

# This matching takes 10 sec. in Ruby 3.1, and does 0.003 sec. in Ruby 3.2

/^a*ba*$/ =~ "a" * 50000 + "x"

The improved matching algorithm allows most Regexp matching (about 90% in our
experiments) to be completed in linear time.

(For preview users: this optimization may consume memory proportional to the
input length for each matching. We expect no practical problems to arise
because this memory allocation is usually delayed, and a normal Regexp matching
should consume at most 10 times as much memory as the input length. If you run
out of memory when matching Regexps in a real-world application, please report
it.)

The original proposal is https://bugs.ruby-lang.org/issues/19104

Regexp timeout

The optimization above cannot be applied to some kinds of regular expressions,
such as those using advanced features (e.g., back-references or look-around) or
those with a huge fixed number of repetitions. As a fallback measure, a timeout
feature for Regexp matching is also introduced.

Regexp.timeout = 1.0

/^a*ba*()\1$/ =~ "a" * 50000 + "x"
#=> Regexp::TimeoutError is raised in one second

Note that Regexp.timeout is a global configuration. If you want to use
different timeout settings for some special Regexps, you may want to use the
timeout keyword for Regexp.new.

Regexp.timeout = 1.0

# This regexp has no timeout
long_time_re = Regexp.new("^a*ba*()\\1$", timeout: Float::INFINITY)

long_time_re =~ "a" * 50000 + "x" # never interrupted

The original proposal is https://bugs.ruby-lang.org/issues/17837
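As an added example (not code from the release post), the following wraps matching of untrusted input in a per-regexp time budget so a pathological pattern fails closed instead of stalling the process; it assumes Ruby 3.2+ for Regexp.new(timeout:) and, as a labelled assumption, falls back to the stdlib Timeout on older Rubies. The pattern is adapted from the post's example: the empty capture plus back-reference keeps the memoization from applying, while the capture group in (a+)+ stops the engine from flattening it into a+.

```ruby
require "timeout"

# Adapted from the release notes' example: the empty capture and back-reference
# keep the 3.2 memoization from applying, so only a timeout can stop it.
BACKREF_PATTERN = "^(a+)+()\\1$"
# Same pattern without the back-reference: memoization is expected to make it
# linear on Ruby 3.2, while earlier Rubies backtrack exponentially.
MEMOIZED_PATTERN = "^(a+)+$"

# Exceptions that mean "budget exhausted". Regexp::TimeoutError exists only on
# Ruby 3.2+, so it is added conditionally.
TIMEOUT_ERRORS = [Timeout::Error]
TIMEOUT_ERRORS << Regexp::TimeoutError if defined?(Regexp::TimeoutError)

# Constructed attacker-style input: n 'a's followed by a character that makes
# every candidate match fail, forcing the engine through its whole search space.
def hostile_input(n)
  "a" * n + "x"
end

def regexp_timeout_supported?
  Regexp.respond_to?(:timeout=)
end

# Returns :matched, :no_match or :timed_out. The budget is attached to this one
# Regexp via the timeout: keyword, so the global Regexp.timeout stays untouched.
# Assumption for pre-3.2 Rubies: fall back to Timeout.timeout, the pre-3.2
# workaround, which works because MRI's regex engine polls for interrupts.
def match_with_budget(source, input, seconds)
  if regexp_timeout_supported?
    Regexp.new(source, timeout: seconds).match?(input) ? :matched : :no_match
  else
    re = Regexp.new(source)
    Timeout.timeout(seconds) { re.match?(input) ? :matched : :no_match }
  end
rescue *TIMEOUT_ERRORS
  :timed_out
end

# Runs both patterns under the same budget so the memoized case and the
# back-reference case (which must fail closed with :timed_out) can be compared.
def redos_check(budget = 1.0)
  {
    memoized: match_with_budget(MEMOIZED_PATTERN, hostile_input(32), budget),
    backref: match_with_budget(BACKREF_PATTERN, hostile_input(32), budget)
  }
end

puts redos_check.inspect if __FILE__ == $0
```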

Other Notable New Features

No longer bundle 3rd party sources

  o We no longer bundle 3rd party sources like libyaml and libffi.

    - The libyaml source has been removed from psych. You may need to install
      libyaml-dev on Ubuntu/Debian platforms. The package name differs between
      platforms.

    - The bundled libffi source is also removed from fiddle.

Language

  o Anonymous rest and keyword rest arguments can now be passed as arguments,
    instead of just used in method parameters. [ Feature #18351 ]

      def foo(*)
        bar(*)
      end
      def baz(**)
        quux(**)
      end

  o A proc that accepts a single positional argument and keywords will no
    longer autosplat. [ Bug #18633 ]

    proc{|a, **k| a}.call([1, 2])
    # Ruby 3.1 and before
    # => 1
    # Ruby 3.2 and after
    # => [1, 2]

  o Constant assignment evaluation order for constants set on explicit objects
    has been made consistent with single attribute assignment evaluation order.
    With this code:

      foo::BAR = baz

    foo is now called before baz. Similarly, for multiple assignments to
    constants, left-to-right evaluation order is used. With this code:

        foo1::BAR1, foo2::BAR2 = baz1, baz2

    The following evaluation order is now used:

     1. foo1
     2. foo2
     3. baz1
     4. baz2

    [ Bug #15928 ]

  o Find pattern is no longer experimental. [ Feature #18585 ]

  o Methods taking a rest parameter (like *args) and wishing to delegate
    keyword arguments through foo(*args) must now be marked with ruby2_keywords
    (if not already the case). In other words, all methods wishing to delegate
    keyword arguments through *args must now be marked with ruby2_keywords,
    with no exception. This will make it easier to transition to other ways of
    delegation once a library can require Ruby 3+. Previously, the
    ruby2_keywords flag was kept if the receiving method took *args, but this
    was a bug and an inconsistency. A good technique to find the
    potentially-missing ruby2_keywords is to run the test suite; where it
    fails, find the last method which must receive keyword arguments, use
    puts nil, caller, nil there, and check that each method/block on the call
    chain which must delegate keywords is correctly marked as ruby2_keywords.
    [ Bug #18625 ] [ Bug #16466 ]

      def target(**kw)
      end

      # Accidentally worked without ruby2_keywords in Ruby 2.7-3.1, ruby2_keywords
      # needed in 3.2+. Just like (*args, **kwargs) or (...) would be needed on
      # both #foo and #bar when migrating away from ruby2_keywords.
      ruby2_keywords def bar(*args)
        target(*args)
      end

      ruby2_keywords def foo(*args)
        bar(*args)
      end

      foo(k: 1)

Performance improvements

YJIT

  o Support arm64 / aarch64 on UNIX platforms.
  o Building YJIT requires Rust 1.58.1+. [ Feature #18481 ]

Other notable changes since 3.1

  o Hash
    - Hash#shift now always returns nil if the hash is empty, instead of
      returning the default value or calling the default proc. [ Bug #16908 ]
  o MatchData
    - MatchData#byteoffset has been added. [ Feature #13110 ]
  o Module
    - Module.used_refinements has been added. [ Feature #14332 ]
    - Module#refinements has been added. [ Feature #12737 ]
    - Module#const_added has been added. [ Feature #17881 ]
  o Proc
    - Proc#dup returns an instance of the subclass. [ Bug #17545 ]
    - Proc#parameters now accepts the lambda keyword. [ Feature #15357 ]
  o Refinement
    - Refinement#refined_class has been added. [ Feature #12737 ]
  o RubyVM::AbstractSyntaxTree
    - Add error_tolerant option for parse, parse_file and of.
      [ Feature #19013 ]
  o Set
    - Set is now available as a builtin class without the need for
      require "set". [ Feature #16989 ] It is currently autoloaded via the Set
      constant or a call to Enumerable#to_set.
  o String
    - String#byteindex and String#byterindex have been added.
      [ Feature #13110 ]
    - Update Unicode to Version 14.0.0 and Emoji Version 14.0.
      [ Feature #18037 ] (also applies to Regexp)
    - String#bytesplice has been added. [ Feature #18598 ]
  o Struct
    - A Struct class can also be initialized with keyword arguments without
      keyword_init: true on Struct.new. [ Feature #16806 ]

Compatibility issues

Note: Excluding feature bug fixes.

Removed constants

The following deprecated constants are removed.

  o Fixnum and Bignum [ Feature #12005 ]
  o Random::DEFAULT [ Feature #17351 ]
  o Struct::Group
  o Struct::Passwd

Removed methods

The following deprecated methods are removed.

  o Dir.exists [ Feature #17391 ]
  o File.exists [ Feature #17391 ]
  o Kernel#=~ [ Feature #15231 ]
  o Kernel#taint , Kernel#untaint , Kernel#tainted [ Feature #16131 ]
  o Kernel#trust , Kernel#untrust , Kernel#untrusted [ Feature #16131 ]

Stdlib compatibility issues

  o Psych no longer bundles libyaml sources. Users need to install the libyaml
    library themselves via the package system. [ Feature #18571 ]

C API updates

Updated C APIs

The following APIs are updated.

  o PRNG update: rb_random_interface_t is updated and versioned. Extension
    libraries which use this interface and were built for older versions. Also
    an init_int32 function needs to be defined.

Removed C APIs

The following deprecated APIs are removed.

  o rb_cData variable.
  o "taintedness" and "trustedness" functions. [ Feature #16131 ]

Standard libraries updates

  o SyntaxSuggest

    - The feature of syntax_suggest (formerly dead_end) is integrated in Ruby.
      [ Feature #18159 ]
  o ErrorHighlight

    - Now it points at the argument(s) of TypeError and ArgumentError:

test.rb:2:in `+': nil can't be coerced into Integer (TypeError)

sum = ary[0] + ary[1]
               ^^^^^^

  o The following default gems are updated.
    - RubyGems 3.4.0.dev
    - bigdecimal 3.1.2
    - bundler 2.4.0.dev
    - cgi 0.3.2
    - date 3.2.3
    - error_highlight 0.4.0
    - etc 1.4.0
    - io-console 0.5.11
    - io-nonblock 0.1.1
    - io-wait 0.3.0.pre
    - ipaddr 1.2.4
    - json 2.6.2
    - logger 1.5.1
    - net-http 0.2.2
    - net-protocol 0.1.3
    - ostruct 0.5.5
    - psych 5.0.0.dev
    - reline 0.3.1
    - securerandom 0.2.0
    - set 1.0.3
    - stringio 3.0.3
    - syntax_suggest 0.0.1
    - timeout 0.3.0
  o The following bundled gems are updated.
    - minitest 5.16.3
    - net-imap 0.2.3
    - rbs 2.6.0
    - typeprof 0.21.3
    - debug 1.6.2
  o The following default gems are now bundled gems.

See NEWS or commit logs for more details.

With those changes, 2719 files changed, 191269 insertions(+), 120315 deletions
(-) since Ruby 3.1.0!

Download

  o https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.0-preview3.tar.gz

    SIZE: 20086542
    SHA1: dafca8116d36ceaa32482ab38359768de8c3ae5e
    SHA256: c041d1488e62730d3a10dbe7cf7a3b3e4268dc867ec20ec991e7d16146640487
    SHA512: 860634d95e4b9c48f18d38146dfbdc3c389666d45454248a4ccdfc3a5d3cd0c71c73533aabf359558117de9add1472af228d8eaec989c9336b1a3a6f03f1ae88

  o https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.0-preview3.tar.xz

    SIZE: 14799804
    SHA1: c94e2add05502cb5c39afffc995b7c8f000f7df0
    SHA256: d3f5619de544240d92a5d03aa289e71bd1103379622c523a0e80ed029a74b3bb
    SHA512: c1864e2e07c3711eaa17d0f85dfbcc6e0682b077782bb1c155315af45139ae66dc4567c73682d326975b0f472111eb0a70f949811cb54bed0b3a816ed6ac34df

  o https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.0-preview3.zip

    SIZE: 24426893
    SHA1: 346c051c4be7ab8d0b551fd2ff8169785697db62
    SHA256: cf49aa70e7ebd8abebffd5e49cd3bd92e5b9f3782d587cc7ed88c98dd5f17069
    SHA512: 4f22b5ea91be17ef5f68cf0acb1e3a226dcc549ad71cc9b40e623220087c4065ca9bea942710f668e5c94ca0323da8d2ccd565f95a9085c1a0e38e9c0543b22f

What is Ruby

Ruby was first developed by Matz (Yukihiro Matsumoto) in 1993, and is now
developed as Open Source. It runs on multiple platforms and is used all over
the world especially for web development.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----