From: "jeremyevans0 (Jeremy Evans) via ruby-core"
Date: 2023-05-05T20:08:58+00:00
Subject: [ruby-core:113406] [Ruby master Bug#19629] Fix for CVE-2023-28755 breaks "puppet apply" run

Issue #19629 has been updated by jeremyevans0 (Jeremy Evans).

Status changed from Open to Third Party's Issue

In Ruby 2.7.8 and 3.0.6, URI#host returns `nil`. Ruby 3.1.4 and 3.2.2 return `""`:

```
$ ruby32 -r uri -e 'p URI("puppet:///modules/unattended_upgrades/etc/apt/apt.conf.d/50unattended-upgrades").host'
""
$ ruby31 -r uri -e 'p URI("puppet:///modules/unattended_upgrades/etc/apt/apt.conf.d/50unattended-upgrades").host'
""
$ ruby30 -r uri -e 'p URI("puppet:///modules/unattended_upgrades/etc/apt/apt.conf.d/50unattended-upgrades").host'
nil
$ ruby27 -r uri -e 'p URI("puppet:///modules/unattended_upgrades/etc/apt/apt.conf.d/50unattended-upgrades").host'
nil
```

Not sure why the Ubuntu Ruby 2.7 behavior is different, but I would guess it is due to how they backported it. You should probably report the issue to the Ubuntu developers. Looking at the PuppetLabs ticket, they say basically the same thing.

----------------------------------------
Bug #19629: Fix for CVE-2023-28755 breaks "puppet apply" run
https://bugs.ruby-lang.org/issues/19629#change-102978

* Author: ManuelKiessling (Manuel Kießling)
* Status: Third Party's Issue
* Priority: Normal
* ruby -v: ruby 2.7.0p0 (2019-12-25 revision 647ee6f091) [x86_64-linux-gnu]
* Backport: 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN
----------------------------------------
(Not necessarily a bug in Ruby - chances are I should have formatted my Puppet file URIs differently from the get-go.)

However, since yesterday I'm getting these errors when running `puppet apply`:

```
Could not evaluate: Could not retrieve file metadata for puppet:///modules/unattended_upgrades/etc/apt/apt.conf.d/50unattended-upgrades: Failed to open TCP connection to :8140 (Connection refused - connect(2) for "" port 8140)
```

I think the reason this happens now in an otherwise completely unchanged environment is that on my Ubuntu system, a new ruby2.7 package has been installed, due to CVE-2023-28755. See http://changelogs.ubuntu.com/changelogs/pool/main/r/ruby2.7/ruby2.7_2.7.0-5ubuntu1.9/changelog for the backport info.

The patch info (URI.parse should set empty string in host instead of nil in lib/uri/rfc3986_parser.rb, raise ArgumentError with empty host url again in lib/net/http/generic_request.rb.) sounds exactly like the reason I'm suddenly running into this error: `puppet:///modules/unattended_upgrades/etc/apt/apt.conf.d/50unattended-upgrades` is a URI with an empty hostname - or is it? It's actually meant to refer to a local file, not a file on remote host ""; however, this is how it now seems to be interpreted: protocol `puppet`, hostname ``, path `/modules/unattended_upgrades...`.

Because the patched code now returns `""` for the hostname instead of `nil`, it tries to do a hostname lookup for `""` which of course fails.

Not sure if this is an intended consequence of the patch in this specific context, which is why I'm reporting it.

-- 
https://bugs.ruby-lang.org/

______________________________________________
ruby-core mailing list -- ruby-core@ml.ruby-lang.org
ruby-core info -- https://ml.ruby-lang.org/mailman3/postorius/lists/ruby-core.ml.ruby-lang.org/
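The failure the report describes is consistent with code that decides "local vs. remote" by whether `URI#host` is `nil`: once the parser starts returning `""` for `puppet:///...`, that test flips and the caller tries to open a connection to host `""`. The following is an added example, not code from Ruby, Puppet, Ubuntu or this thread. It places that fragile `nil`-only check beside a check that treats both `nil` and `""` as an empty authority, so the same `puppet:///` reference resolves locally on every Ruby version in the transcript above. The helper names (`naive_remote?`, `empty_host?`, `classify_source`, `with_host`) are hypothetical; port 8140 is taken from the error message quoted in the bug report.

```ruby
require 'uri'

# Added example for this thread; not code from Ruby, Puppet, or Ubuntu.
# Shows why a nil-only host check breaks when URI#host changes from nil to "",
# and a version-independent alternative.

# Port taken from the error message quoted in the bug report.
PUPPET_DEFAULT_PORT = 8140

# The fragile pattern: a host is "present" whenever it is not nil.
# On Ruby 2.7.8 / 3.0.6 this is false for "puppet:///x"; on 3.1.4 / 3.2.2
# (and on the backported Ubuntu 2.7 in the report) URI#host is "" there, so
# this becomes true and the caller goes on to connect to host "".
def naive_remote?(uri)
  !uri.host.nil?
end

# Robust check: an authority that is missing (nil) or empty ("") both mean
# "no host", so the reference is local.
def empty_host?(uri)
  host = uri.host
  host.nil? || host.empty?
end

# Classify a puppet: source URI (hypothetical helper).
# Returns [:local, path] for "puppet:///..." and
# [:remote, host, port, path] for "puppet://server[:port]/...".
def classify_source(uri_string)
  uri = URI.parse(uri_string)
  unless uri.scheme == 'puppet'
    raise ArgumentError, "expected a puppet: URI, got #{uri.scheme.inspect}"
  end

  if empty_host?(uri)
    [:local, uri.path]
  else
    [:remote, uri.host, uri.port || PUPPET_DEFAULT_PORT, uri.path]
  end
end

# Build URI objects with an explicit nil or "" host so the comparison of the two
# checks does not depend on which Ruby version runs this file. The positional
# arguments of URI::Generic.new are
# (scheme, userinfo, host, port, registry, path, opaque, query, fragment).
def with_host(host)
  URI::Generic.new('puppet', nil, host, nil, nil, '/modules/x', nil, nil, nil)
end

if __FILE__ == $PROGRAM_NAME
  local = 'puppet:///modules/unattended_upgrades/etc/apt/apt.conf.d/50unattended-upgrades'
  p URI.parse(local).host                          # nil or "" depending on Ruby version
  p classify_source(local)                         # [:local, "/modules/..."] on every version
  p classify_source('puppet://puppet.example/modules/x')   # [:remote, "puppet.example", 8140, "/modules/x"]
  p naive_remote?(with_host(nil)), naive_remote?(with_host(''))   # false, true
  p empty_host?(with_host(nil)), empty_host?(with_host(''))       # true, true
end
```

Run it under a Ruby that predates the fix and one that includes it: the first `p` line changes from `nil` to `""`, `naive_remote?` would change its answer accordingly for a parsed `puppet:///` URI, and `classify_source` does not.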