Also backport fix for the left part of CVE-2011-1005 (causing the
same issue as CVE-2012-4464) (Vít Ondruch <vondruch@redhat.com>)
This commit is contained in:
parent
4adf276cbf
commit
f95865cef3
3 changed files with 36 additions and 15 deletions
29
ruby-1.8.7-p358-CVE-2012-4464-4466.patch
Normal file
29
ruby-1.8.7-p358-CVE-2012-4464-4466.patch
Normal file
|
|
@ -0,0 +1,29 @@
|
|||
Backported fix for CVE-2012-4464,4466 on trunk:rev37068 to 1.8.7 branch.
|
||||
Note that for ruby-1.8 branch, there was a fix for CVE-2011-1005 on rev 30903,
|
||||
however the fix proved to be incomplete.
|
||||
|
||||
Mamoru Tasaka <mtasaka@fedoraproject.org>
|
||||
|
||||
|
||||
--- ruby-1.8.7-p358/error.c.sec 2011-02-18 21:32:35.000000000 +0900
|
||||
+++ ruby-1.8.7-p358/error.c 2012-10-04 23:58:12.000000000 +0900
|
||||
@@ -665,9 +665,11 @@
|
||||
|
||||
if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
|
||||
StringValue(str);
|
||||
+#if 0
|
||||
if (str != mesg) {
|
||||
OBJ_INFECT(str, mesg);
|
||||
}
|
||||
+#endif
|
||||
return str;
|
||||
}
|
||||
|
||||
@@ -757,7 +759,6 @@
|
||||
args[2] = d;
|
||||
mesg = rb_f_sprintf(3, args);
|
||||
}
|
||||
- if (OBJ_TAINTED(obj)) OBJ_TAINT(mesg);
|
||||
return mesg;
|
||||
}
|
||||
|
||||
|
|
@ -1,13 +0,0 @@
|
|||
Backported fix for CVE-2012-4466 on trunk:rev37068 to 1.8.7 branch
|
||||
Mamoru Tasaka <mtasaka@fedoraproject.org>
|
||||
|
||||
--- ruby-1.8.7-p358/error.c.sec 2011-02-18 21:32:35.000000000 +0900
|
||||
+++ ruby-1.8.7-p358/error.c 2012-10-04 22:32:06.000000000 +0900
|
||||
@@ -757,7 +757,6 @@ name_err_mesg_to_str(obj)
|
||||
args[2] = d;
|
||||
mesg = rb_f_sprintf(3, args);
|
||||
}
|
||||
- if (OBJ_TAINTED(obj)) OBJ_TAINT(mesg);
|
||||
return mesg;
|
||||
}
|
||||
|
||||
|
|
@ -17,7 +17,7 @@
|
|||
|
||||
Name: ruby
|
||||
Version: %{rubyver}%{?dotpatchlevel}
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
# Please check if ruby upstream changes this to "Ruby or GPLv2+"
|
||||
License: Ruby or GPLv2
|
||||
URL: http://www.ruby-lang.org/
|
||||
|
|
@ -64,7 +64,7 @@ Patch33: ruby-1.8.7-p249-mkmf-use-shared.patch
|
|||
# bug 718695
|
||||
Patch34: ruby-1.8.7-p352-path-uniq.patch
|
||||
# Backported fix for CVE-2012-4466 on trunk:rev37068 to 1.8.7 branch
|
||||
Patch35: ruby-1.8.7-p358-CVE-2012-4466.patch
|
||||
Patch35: ruby-1.8.7-p358-CVE-2012-4464-4466.patch
|
||||
# Change ruby load path to conform to Fedora/ruby
|
||||
# library placement (various 1.8.6 patches consolidated into this)
|
||||
Patch100: ruby-1.8.7-lib-paths.patch
|
||||
|
|
@ -547,6 +547,11 @@ rm -rf $RPM_BUILD_ROOT
|
|||
%{_datadir}/ri
|
||||
|
||||
%changelog
|
||||
* Fri Oct 04 2012 Mamoru Tasaka <mtasaka@fedoraproject.org> - 1.8.7.358-4
|
||||
- Also backport fix for the left part of CVE-2011-1005 (causing the
|
||||
same issue as CVE-2012-4464)
|
||||
(Vít Ondruch <vondruch@redhat.com>)
|
||||
|
||||
* Thu Oct 04 2012 Mamoru Tasaka <mtasaka@fedoraproject.org> - 1.8.7.358-3
|
||||
- Backport fix for CVE-2012-4466 on trunk:rev37068 to 1.8.7 branch
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue