(PA-6386) Patch/Upgrade Ruby for CVE-2024-27282

 - Patches the ruby 'Use-After-Free' issue for regexp for 7.x (ruby 2.7.8).
 - Upstream fix commit: ruby/ruby@90b194b
 - Bump projects using ruby 3.2.3 to ruby 3.2.4 since 3.2.4 has addressed the CVE.

configs/components/ruby-2.7.8.rb

@@ -38,6 +38,7 @@
   base = 'resources/patches/ruby_27'
   # Patch for https://bugs.ruby-lang.org/issues/14972
   pkg.apply_patch "#{base}/net_http_eof_14972_r2.5.patch"
+  pkg.apply_patch "#{base}/regexp_use_after_free.patch"
 
   pkg.apply_patch "#{base}/uri-redos-cve-2023-36617.patch"
 

configs/components/ruby-3.2.3.rb → configs/components/ruby-3.2.4.rb

@@ -1,7 +1,7 @@
 # The file name of the ruby component must match the ruby_version
-component 'ruby-3.2.3' do |pkg, settings, platform|
-  pkg.version '3.2.3'
-  pkg.sha256sum 'af7f1757d9ddb630345988139211f1fd570ff5ba830def1cc7c468ae9b65c9ba'
+component 'ruby-3.2.4' do |pkg, settings, platform|
+  pkg.version '3.2.4'
+  pkg.sha256sum 'c72b3c5c30482dca18b0f868c9075f3f47d8168eaf626d4e682ce5b59c858692'
 
   # rbconfig-update is used to munge rbconfigs after the fact.
   pkg.add_source("file://resources/files/ruby/rbconfig-update.rb")

configs/projects/agent-runtime-main.rb

@@ -1,7 +1,7 @@
 project 'agent-runtime-main' do |proj|
 
   # Set preferred component versions if they differ from defaults:
-  proj.setting :ruby_version, '3.2.3'
+  proj.setting :ruby_version, '3.2.4'
   proj.setting :rubygem_deep_merge_version, '1.2.2'
   proj.setting :rubygem_highline_version, '3.0.1'
   proj.setting :rubygem_hocon_version, '1.4.0'

configs/projects/pdk-runtime.rb

@@ -48,7 +48,7 @@
   proj.setting(:includedir, File.join(proj.prefix, 'include'))
   proj.setting(:bindir, File.join(proj.prefix, 'bin'))
 
-  proj.setting(:ruby_version, '3.2.3')
+  proj.setting(:ruby_version, '3.2.4')
   proj.setting(:ruby_major_version, 3)
   proj.setting(:ruby_api, '3.2.0')
 

configs/projects/pe-bolt-server-runtime-main.rb

@@ -6,7 +6,7 @@
   # Once we are no longer using ruby 2.5 we can update.
   proj.setting(:no_doc, true)
 
-  proj.setting(:ruby_version, '3.2.3')
+  proj.setting(:ruby_version, '3.2.4')
   proj.setting(:openssl_version, '3.0')
 
   # We enable legacy algorithms for winrm transport. Currently the winrm transport

configs/projects/pe-installer-runtime-main.rb

@@ -1,5 +1,5 @@
 project 'pe-installer-runtime-main' do |proj|
-  proj.setting(:ruby_version, '3.2.3')
+  proj.setting(:ruby_version, '3.2.4')
   proj.setting(:openssl_version, '3.0')
   # NLTM uses MD4 unconditionally in its protocol, so legacy algos must be
   # enabled in OpenSSL >= 3.0 for Bolt's WinRM transport to work.

resources/patches/ruby_27/regexp_use_after_free.patch

@@ -0,0 +1,13 @@
+diff --git a/regexec.c b/regexec.c
+index 73694ab14a..140691ad42 100644
+--- a/regexec.c
++++ b/regexec.c
+@@ -3449,8 +3449,8 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
+     CASE(OP_MEMORY_END_PUSH_REC)  MOP_IN(OP_MEMORY_END_PUSH_REC);
+       GET_MEMNUM_INC(mem, p);
+       STACK_GET_MEM_START(mem, stkp); /* should be before push mem-end. */
+-      STACK_PUSH_MEM_END(mem, s);
+       mem_start_stk[mem] = GET_STACK_INDEX(stkp);
++      STACK_PUSH_MEM_END(mem, s);
+       MOP_OUT;
+       JUMP;

resources/patches/ruby_32/revert-ruby-double-load-symlink.patch

@@ -147,7 +147,7 @@ index 604ddf09d8..6ffa1eaa1f 100644
      bug3756 = '[ruby-core:31913]'
      assert_in_out_err(['-e', '$LOADED_FEATURES.freeze; require "ostruct"'], "",
 diff --git a/vm.c b/vm.c
-index 4c2ef9834e..4fa4ec2b54 100644
+index 493034623d..77d0af75f6 100644
 --- a/vm.c
 +++ b/vm.c
 @@ -2702,7 +2702,6 @@ rb_vm_update_references(void *ptr)
@@ -157,7 +157,7 @@ index 4c2ef9834e..4fa4ec2b54 100644
 -        vm->loaded_features_realpaths = rb_gc_location(vm->loaded_features_realpaths);
          vm->top_self = rb_gc_location(vm->top_self);
          vm->orig_progname = rb_gc_location(vm->orig_progname);
- 
+
 @@ -2793,7 +2792,6 @@ rb_vm_mark(void *ptr)
          rb_gc_mark_movable(vm->expanded_load_path);
          rb_gc_mark_movable(vm->loaded_features);
@@ -167,14 +167,14 @@ index 4c2ef9834e..4fa4ec2b54 100644
          rb_gc_mark_movable(vm->orig_progname);
          RUBY_MARK_MOVABLE_UNLESS_NULL(vm->coverages);
 diff --git a/vm_core.h b/vm_core.h
-index 4f6e07d818..6b9cfca2cd 100644
+index 1842519edd..eb2265c97d 100644
 --- a/vm_core.h
 +++ b/vm_core.h
-@@ -679,7 +679,6 @@ typedef struct rb_vm_struct {
+@@ -675,7 +675,6 @@ typedef struct rb_vm_struct {
      VALUE expanded_load_path;
      VALUE loaded_features;
      VALUE loaded_features_snapshot;
 -    VALUE loaded_features_realpaths;
      struct st_table *loaded_features_index;
      struct st_table *loading_table;
- #if EXTSTATIC
+     // For running the init function of statically linked

resources/patches/ruby_32/revert_speed_up_rebuilding_loaded_feature_index.patch

@@ -132,14 +132,14 @@ index de43d022c0..d009a5f64a 100644
          rb_gc_mark_movable(vm->orig_progname);
          RUBY_MARK_MOVABLE_UNLESS_NULL(vm->coverages);
 diff --git a/vm_core.h b/vm_core.h
-index b6adeadd87..d86fdbaecd 100644
+index a8c1e6b917..1842519edd 100644
 --- a/vm_core.h
 +++ b/vm_core.h
-@@ -680,7 +680,6 @@ typedef struct rb_vm_struct {
+@@ -676,7 +676,6 @@ typedef struct rb_vm_struct {
      VALUE loaded_features;
      VALUE loaded_features_snapshot;
      VALUE loaded_features_realpaths;
 -    VALUE loaded_features_realpath_map;
      struct st_table *loaded_features_index;
      struct st_table *loading_table;
- #if EXTSTATIC
+     // For running the init function of statically linked