Backport 2 fixes from 1.8.7p420

Symlink race condition in FileUtils.remove_entry_secure (bug 678913)
bypass of $SAFE mechanism in Exception#to_s (bug 678920)

ruby-1.8.6.x-untainted_strings_can_be_tainted.patch

@@ -0,0 +1,23 @@
+--- ruby-1.8.6-p420/error.c.tainted	2008-08-04 12:16:55.000000000 +0900
++++ ruby-1.8.6-p420/error.c	2011-02-21 04:44:14.000000000 +0900
+@@ -404,7 +404,6 @@
+     VALUE mesg = rb_attr_get(exc, rb_intern("mesg"));
+ 
+     if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
+-    if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
+     return mesg;
+ }
+ 
+@@ -668,10 +667,9 @@
+     if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
+     StringValue(str);
+     if (str != mesg) {
+-	rb_iv_set(exc, "mesg", mesg = str);
++	OBJ_INFECT(str, mesg);
+     }
+-    if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
+-    return mesg;
++    return str;
+ }
+ 
+ /*

ruby-1.8.7p334-symlink-race-in-FileUtils-remove_entry_secure.patch

@@ -0,0 +1,29 @@
+--- ruby-1.8.7-p330/lib/fileutils.rb	2010-06-08 15:31:50.000000000 +0900
++++ ruby-1.8.7-p334/lib/fileutils.rb	2011-02-18 21:18:10.000000000 +0900
+@@ -658,10 +658,10 @@
+   # removing directories.  This requires the current process is the
+   # owner of the removing whole directory tree, or is the super user (root).
+   #
+-  # WARNING: You must ensure that *ALL* parent directories are not
+-  # world writable.  Otherwise this method does not work.
+-  # Only exception is temporary directory like /tmp and /var/tmp,
+-  # whose permission is 1777.
++  # WARNING: You must ensure that *ALL* parent directories cannot be
++  # moved by other untrusted users.  For example, parent directories
++  # should not be owned by untrusted users, and should not be world
++  # writable except when the sticky bit set.
+   #
+   # WARNING: Only the owner of the removing directory tree, or Unix super
+   # user (root) should invoke this method.  Otherwise this method does not
+@@ -704,6 +704,11 @@
+       end
+       f.chown euid, -1
+       f.chmod 0700
++      unless fu_stat_identical_entry?(st, File.lstat(fullpath))
++        # TOC-to-TOU attack?
++        File.unlink fullpath
++        return
++      end
+     }
+     # ---- tree root is frozen ----
+     root = Entry_.new(path)

ruby.spec

@@ -18,7 +18,7 @@
 
 Name:		ruby
 Version:	%{rubyver}%{?dotpatchlevel}
-Release:	1%{?dist}
+Release:	2%{?dist}
 License:	Ruby or GPLv2
 URL:		http://www.ruby-lang.org/
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -95,6 +95,12 @@ Patch37:        ruby-1.8.x-ext_tk-flatten-level-revert.patch
 Patch38:        ruby-1.8.x-null-class-must-be-Qnil.patch
 # Once revert this patch to apply Patch34 cleanly
 Patch39:        ruby-1.8.6-openssl-digest-once-revert-for-simplify-patch.patch
+# patch from ruby_1_8_7 branch (between 1.8.7p330 and 1.8.7p334)
+# bug 678913, Symlink race condition in FileUtils.remove_entry_secure
+Patch40:	ruby-1.8.7p334-symlink-race-in-FileUtils-remove_entry_secure.patch
+# Patch from ruby_1_8_7 branch, a bit modified for 1.8.6.x
+# bug 678920, bypass of $SAFE mechanism in Exception#to_s
+Patch41:	ruby-1.8.6.x-untainted_strings_can_be_tainted.patch
 
 Summary:	An interpreter of object-oriented scripting language
 Group:		Development/Languages
@@ -250,6 +256,8 @@ pushd %{name}-%{arcver}
 %patch36 -p1
 %patch37 -p1
 %patch38 -p1
+%patch40 -p1
+%patch41 -p1
 popd
 
 %build
@@ -640,6 +648,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_emacs_sitestartdir}/ruby-mode-init.el
 
 %changelog
+* Mon Feb 21 2011 Mamoru Tasaka <mtasaka@ioa.s.u-tokyo.ac.jp> - 1.8.6.420-2
+- Backport 2 fixes from 1.8.7p420
+  - Symlink race condition in FileUtils.remove_entry_secure (bug 678913)
+  - bypass of $SAFE mechanism in Exception#to_s (bug 678920)
+
 * Sun Dec 26 2010 Mamoru Tasaka <mtasaka@ioa.s.u-tokyo.ac.jp> - 1.8.6.420-1
 - Update to 1.8.6 p420