[GR-30578] Update to Ruby 2.7.3

PullRequest: truffleruby/2632

Author: eregon

.ruby-version

@@ -1 +1 @@
-2.7.2
+2.7.3

3rd_party_licenses.txt

@@ -13,6 +13,7 @@ Bug fixes:
 
 Compatibility:
 
+* Updated to Ruby 2.7.3. The `resolv` stdlib was not updated (`resolv` in 2.7.3 has [bugs](https://bugs.ruby-lang.org/issues/17748)).
 * Make interpolated strings frozen for compatibility with Ruby 2.7 (#2304, @kirs).
 * `require 'socket'` now also requires `'io/wait'` like CRuby (#2326).
 * Support precision when formatting strings (#2281, @kirs).
@@ -39,6 +40,10 @@ Performance:
 Changes:
 
 
+Security:
+
+* Updated to Ruby 2.7.3 to fix CVE-2021-28965 and CVE-2021-28966.
+
 # 21.1.0
 
 New features:

CHANGELOG.md

@@ -15,6 +15,8 @@ To update a specific default gem to a newer version than in the MRI release, run
 cd ruby
 git checkout -b truffleruby-updates-$VERSION vn_n_n
 ruby tool/sync_default_gems.rb $GEM
+
+git push -u eregon HEAD
 ```
 to update the default gem in MRI.
 Then follow the instructions below to reimport MRI files and to update default gems.
@@ -26,6 +28,20 @@ Set the environment variable `$VERSION` to the target version:
 export VERSION=n.n.n
 ```
 
+Re-install the target MRI version using the commands, to have a clean set of gems:
+```
+rm -rf ~/.rubies/ruby-$VERSION
+ruby-install ruby $VERSION
+# OR
+rm -rf ~/.rubies/ruby-$VERSION
+bin/ruby-build $VERSION ~/.rubies/ruby-$VERSION
+ruby-install -r ~/tmp ruby $VERSION
+```
+
+`ruby-build` does not keep the build directory
+(required as `RUBY_BUILD_DIR` for `tool/import-mri-files.sh`),
+so one needs the extra `ruby-install` command when using `ruby-build`.
+
 ## Create reference branches
 
 For both the current version of Ruby you're using, and the new version, create
@@ -48,18 +64,14 @@ update.
 
 ## Update MRI with modifications
 
-Re-install the target MRI version using the commands, to have a clean set of gems:
-```
-rm -rf ~/.rubies/ruby-$VERSION
-ruby-install ruby $VERSION
-```
-
-In your working branch you can import MRI files again, and you can re-apply
-old patches using the old reference branch.
+In your working branch you can cherry-pick the new reference branch,
+and then re-apply old patches using the old reference branch.
 
 ```bash
-tool/import-mri-files.sh
-git revert vNN
+# Commit message: Import files from MRI n.n.n
+git cherry-pick vNew
+# Commit message: Re-apply changes on top of n.n.n files
+git revert vOld
 ```
 
 You'll usually get some conflicts to work out.
@@ -140,9 +152,9 @@ ruby tool/patch-default-gemspecs.rb
 ## Updating bin/ executables
 
 ```
-rm -rf bin
-cp -R ~/.rubies/ruby-$VERSION/bin .
-rm -f bin/ruby
+rm -rf exe
+cp -R ~/.rubies/ruby-$VERSION/bin exe
+rm -f exe/ruby
 ruby tool/patch_launchers.rb
 ```
 
@@ -151,7 +163,8 @@ ruby tool/patch_launchers.rb
 In a separate commit, update all of these:
 
 * Update `.ruby-version`, `TruffleRuby.LANGUAGE_VERSION`
-* Update `versions.json` (from `../ruby/gems/bundled_gems`)
+* Reset `lib/cext/ABI_version.txt` and `lib/cext/ABI_check.txt` to `1` if `RUBY_VERSION` was updated.
+* Update `versions.json` (from `cat ../ruby/gems/bundled_gems`, `ls -l lib/gems/specifications/default` and `jt gem --version`)
 * Copy and paste `-h` and `--help` output to `RubyLauncher`
 * Copy and paste the TruffleRuby `--help` output to `doc/user/options.md`
 * Update `doc/user/compatibility.md` and `README.md`
@@ -161,7 +174,6 @@ In a separate commit, update all of these:
 * Grep for the old version with `git grep -F x.y.z`
 * If `tool/id.def` or `lib/cext/include/truffleruby/internal/id.h` has changed, `jt build core-symbols` and check for correctness.
 * Update the list of `:next` specs and change the "next version" in `spec/truffleruby.mspec`.
-* Reset `lib/cext/ABI_version.txt` and `lib/cext/ABI_check.txt` to `1` if `RUBY_VERSION` was updated.
 
 ## Last step
 

doc/contributor/updating-ruby.md

@@ -19,7 +19,7 @@ See `epl-2.0.txt`, `gpl-2.txt`, `lgpl-2.1.txt`.
 ## MRI
 
 The standard implementation of Ruby is MRI. TruffleRuby contains code from MRI
-version 2.7.2, including:
+version 2.7.3, including:
 
 * the standard library in `lib/mri`, 
 * Ruby C extension API in `lib/cext/include` and `src/main/c/cext`, 

doc/legal/legal.md

@@ -1,7 +1,7 @@
 # Compatibility
 
 TruffleRuby aims to be fully compatible with the standard implementation of
-Ruby, MRI, version 2.7.2, [including C extensions](#c-extension-compatibility).
+Ruby, MRI, version 2.7.3, [including C extensions](#c-extension-compatibility).
 TruffleRuby is still in development, so it is not 100% compatible yet.
 
 Any incompatibility with MRI is considered a bug, except for rare cases detailed below.

doc/user/compatibility.md

@@ -27,6 +27,8 @@ Cross-reference with the details on [the MRI website](https://www.ruby-lang.org/
 
 Number | Description | Their Mitigation | Test | Our Mitigation
 --- | --- | --- | --- | ---
+CVE-2021-28966 | Path traversal in Tempfile on Windows | Sanitization of paths in tmpdir.rb | In `test/mri/tests/test_tmpdir.rb` | Sanitization of paths in tmpdir.rb
+CVE-2021-28965 | XML round-trip vulnerability in REXML | Update to REXML 3.2.5 | In ruby/rexml | Update to REXML 3.2.5 
 CVE-2020-10663 | Unsafe Object Creation Vulnerability in JSON (Additional fix) | [Fix](https://bugs.ruby-lang.org/issues/16698) | [Spec](https://github.com/ruby/spec/pull/764) | The pure Ruby version of JSON we use is safe
 CVE-2019-16255 | A code injection vulnerability of Shell#[] and Shell#test | [Fix](https://github.com/ruby/ruby/commit/d6adc68dc9c74a33b3ca012af171e2d59f0dea10) | MRI test | Same
 CVE-2019-16254 | HTTP response splitting in WEBrick (Additional fix) | [Fix](https://github.com/ruby/ruby/commit/3ce238b5f9795581eb84114dcfbdf4aa086bfecc) | MRI test | Same

doc/user/known-cves.md

@@ -21,7 +21,6 @@ Usage: truffleruby [switches] [--] [programfile] [arguments]
   -rlibrary       require the library before executing your script
   -s              enable some switch parsing for switches after script name
   -S              look for the script using PATH environment variable
-  -T[level=1]     turn on tainting checks
   -v              print the version number, then turn on verbose mode
   -w              turn warnings on for your script
   -W[level=2|:category]
@@ -42,7 +41,7 @@ Features:
   rubyopt         RUBYOPT environment variable (default: enabled)
   frozen-string-literal
                   freeze all string literals (default: disabled)
-                  
+
 Warning categories:
   deprecated      deprecated features
   experimental    experimental features

doc/user/options.md

@@ -1 +1 @@
-2
+1

lib/cext/ABI_check.txt

@@ -486,6 +486,7 @@ void rb_sparc_flush_register_windows(void);
 # if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
      defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || \
      defined(__powerpc64__) || \
+     defined(__aarch64__) || \
      defined(__mc68020__)
 #   define UNALIGNED_WORD_ACCESS 1
 # else