From a3252d210197989572d450c4116d5dd84f95c38a Mon Sep 17 00:00:00 2001 From: Jesse Keating Date: Sat, 20 Oct 2007 10:58:07 +0000 Subject: [PATCH 01/11] Initialize branch F-8 for ruby --- branch | 1 + 1 file changed, 1 insertion(+) create mode 100644 branch diff --git a/branch b/branch new file mode 100644 index 0000000..e9e7ccd --- /dev/null +++ b/branch @@ -0,0 +1 @@ +F-8 From 0b98fe29b34c6cf86547ea28f4a414ccef21240c Mon Sep 17 00:00:00 2001 From: Akira TAGOH Date: Mon, 29 Oct 2007 12:53:12 +0000 Subject: [PATCH 02/11] - New upstream release. - ruby-1.8.6.111-CVE-2007-5162.patch: Update a bit with backporting the changes at trunk to enable the fix without any modifications on the users' scripts. Note that Net::HTTP#enable_post_connection_check isn't available anymore. If you want to disable this post-check, you should give OpenSSL::SSL::VERIFY_NONE to Net::HTTP#verify_mode= instead of. --- .cvsignore | 1 + ruby-1.8.6-CVE-2007-5162.patch | 99 ------------------------------ ruby-1.8.6.111-CVE-2007-5162.patch | 97 +++++++++++++++++++++++++++++ ruby.spec | 18 +++--- sources | 3 +- 5 files changed, 110 insertions(+), 108 deletions(-) delete mode 100644 ruby-1.8.6-CVE-2007-5162.patch create mode 100644 ruby-1.8.6.111-CVE-2007-5162.patch diff --git a/.cvsignore b/.cvsignore index 99e711a..f855092 100644 --- a/.cvsignore +++ b/.cvsignore @@ -15,3 +15,4 @@ ruby-1.8.5-p12.tar.gz ruby-1.8.6.tar.bz2 ruby-1.8.6-p36.tar.bz2 ruby-1.8.6-p110.tar.bz2 +ruby-1.8.6-p111.tar.bz2 diff --git a/ruby-1.8.6-CVE-2007-5162.patch b/ruby-1.8.6-CVE-2007-5162.patch deleted file mode 100644 index d4e4d68..0000000 --- a/ruby-1.8.6-CVE-2007-5162.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -diff -ruN ruby-1.8.6-p110.orig/ext/openssl/lib/openssl/ssl.rb ruby-1.8.6-p110/ext/openssl/lib/openssl/ssl.rb ---- ruby-1.8.6-p110.orig/ext/openssl/lib/openssl/ssl.rb 2007-02-13 08:01:19.000000000 +0900 -+++ ruby-1.8.6-p110/ext/openssl/lib/openssl/ssl.rb 2007-10-04 22:38:48.000000000 +0900 -@@ -88,7 +88,7 @@ - end - } - end -- raise SSLError, "hostname not match" -+ raise SSLError, "hostname not match with the server certificate" - end - end - -diff -ruN ruby-1.8.6-p110.orig/lib/net/http.rb ruby-1.8.6-p110/lib/net/http.rb ---- ruby-1.8.6-p110.orig/lib/net/http.rb 2007-02-13 08:01:19.000000000 +0900 -+++ ruby-1.8.6-p110/lib/net/http.rb 2007-10-04 22:41:34.000000000 +0900 -@@ -470,6 +470,7 @@ - @debug_output = nil - @use_ssl = false - @ssl_context = nil -+ @enable_post_connection_check = true - end - - def inspect -@@ -526,6 +527,9 @@ - false # redefined in net/https - end - -+ # specify enabling SSL server certificate and hostname checking. -+ attr_accessor :enable_post_connection_check -+ - # Opens TCP connection and HTTP session. 
- # - # When this method is called with block, gives a HTTP object -@@ -584,6 +588,14 @@ - HTTPResponse.read_new(@socket).value - end - s.connect -+ if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE -+ begin -+ s.post_connection_check(@address) -+ rescue OpenSSL::SSL::SSLError => ex -+ raise ex if @enable_post_connection_check -+ warn ex.message -+ end -+ end - end - on_connect - end -diff -ruN ruby-1.8.6-p110.orig/lib/open-uri.rb ruby-1.8.6-p110/lib/open-uri.rb ---- ruby-1.8.6-p110.orig/lib/open-uri.rb 2007-02-13 08:01:19.000000000 +0900 -+++ ruby-1.8.6-p110/lib/open-uri.rb 2007-10-04 22:42:18.000000000 +0900 -@@ -229,6 +229,7 @@ - if target.class == URI::HTTPS - require 'net/https' - http.use_ssl = true -+ http.enable_post_connection_check = true - http.verify_mode = OpenSSL::SSL::VERIFY_PEER - store = OpenSSL::X509::Store.new - store.set_default_paths -@@ -240,16 +241,6 @@ - - resp = nil - http.start { -- if target.class == URI::HTTPS -- # xxx: information hiding violation -- sock = http.instance_variable_get(:@socket) -- if sock.respond_to?(:io) -- sock = sock.io # 1.9 -- else -- sock = sock.instance_variable_get(:@socket) # 1.8 -- end -- sock.post_connection_check(target_host) -- end - req = Net::HTTP::Get.new(request_uri, header) - if options.include? 
:http_basic_authentication - user, pass = options[:http_basic_authentication] -diff -ruN ruby-1.8.6-p110.orig/version.h ruby-1.8.6-p110/version.h ---- ruby-1.8.6-p110.orig/version.h 2007-09-23 09:01:50.000000000 +0900 -+++ ruby-1.8.6-p110/version.h 2007-10-04 22:42:37.000000000 +0900 -@@ -1,15 +1,15 @@ - #define RUBY_VERSION "1.8.6" --#define RUBY_RELEASE_DATE "2007-09-23" -+#define RUBY_RELEASE_DATE "2007-09-24" - #define RUBY_VERSION_CODE 186 --#define RUBY_RELEASE_CODE 20070923 --#define RUBY_PATCHLEVEL 110 -+#define RUBY_RELEASE_CODE 20070924 -+#define RUBY_PATCHLEVEL 111 - - #define RUBY_VERSION_MAJOR 1 - #define RUBY_VERSION_MINOR 8 - #define RUBY_VERSION_TEENY 6 - #define RUBY_RELEASE_YEAR 2007 - #define RUBY_RELEASE_MONTH 9 --#define RUBY_RELEASE_DAY 23 -+#define RUBY_RELEASE_DAY 24 - - #ifdef RUBY_EXTERN - RUBY_EXTERN const char ruby_version[]; diff --git a/ruby-1.8.6.111-CVE-2007-5162.patch b/ruby-1.8.6.111-CVE-2007-5162.patch new file mode 100644 index 0000000..5ed628d --- /dev/null +++ b/ruby-1.8.6.111-CVE-2007-5162.patch 
@@ -0,0 +1,97 @@ +diff -pruN ruby-1.8.6-p111.orig/ext/openssl/lib/net/ftptls.rb ruby-1.8.6-p111/ext/openssl/lib/net/ftptls.rb +--- ruby-1.8.6-p111.orig/ext/openssl/lib/net/ftptls.rb 2007-02-13 08:01:19.000000000 +0900 ++++ ruby-1.8.6-p111/ext/openssl/lib/net/ftptls.rb 2007-10-29 21:10:24.000000000 +0900 +@@ -29,13 +29,23 @@ require 'net/ftp' + + module Net + class FTPTLS < FTP ++ def connect(host, port=FTP_PORT) ++ @hostname = host ++ super ++ end ++ + def login(user = "anonymous", passwd = nil, acct = nil) ++ store = OpenSSL::X509::Store.new ++ store.set_default_paths + ctx = OpenSSL::SSL::SSLContext.new('SSLv23') ++ ctx.cert_store = store ++ ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER + ctx.key = nil + ctx.cert = nil + voidcmd("AUTH TLS") + @sock = OpenSSL::SSL::SSLSocket.new(@sock, ctx) + @sock.connect ++ @sock.post_connection_check(@hostname) + super(user, passwd, acct) + voidcmd("PBSZ 0") + end +diff -pruN ruby-1.8.6-p111.orig/ext/openssl/lib/net/telnets.rb ruby-1.8.6-p111/ext/openssl/lib/net/telnets.rb +--- ruby-1.8.6-p111.orig/ext/openssl/lib/net/telnets.rb 2007-02-13 08:01:19.000000000 +0900 ++++ ruby-1.8.6-p111/ext/openssl/lib/net/telnets.rb 2007-10-29 21:13:03.000000000 +0900 +@@ -134,6 +134,9 @@ module Net + @sock.verify_callback = @options['VerifyCallback'] + @sock.verify_depth = @options['VerifyDepth'] + @sock.connect ++ if @options['VerifyMode'] != OpenSSL::SSL::VERIFY_NONE ++ @sock.post_connection_check(@options['Host']) ++ end + @ssl = true + end + '' +diff -pruN ruby-1.8.6-p111.orig/lib/net/http.rb ruby-1.8.6-p111/lib/net/http.rb +--- ruby-1.8.6-p111.orig/lib/net/http.rb 2007-09-24 17:12:24.000000000 +0900 ++++ ruby-1.8.6-p111/lib/net/http.rb 2007-10-29 21:12:12.000000000 +0900 +@@ -470,7 +470,6 @@ module Net #:nodoc: + @debug_output = nil + @use_ssl = false + @ssl_context = nil +- @enable_post_connection_check = false + end + + def inspect +@@ -527,9 +526,6 @@ module Net #:nodoc: + false # redefined in net/https + end + +- # specify enabling SSL 
server certificate and hostname checking. +- attr_accessor :enable_post_connection_check +- + # Opens TCP connection and HTTP session. + # + # When this method is called with block, gives a HTTP object +@@ -589,12 +585,7 @@ module Net #:nodoc: + end + s.connect + if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE +- begin +- s.post_connection_check(@address) +- rescue OpenSSL::SSL::SSLError => ex +- raise ex if @enable_post_connection_check +- warn ex.message +- end ++ s.post_connection_check(@address) + end + end + on_connect +diff -pruN ruby-1.8.6-p111.orig/lib/net/imap.rb ruby-1.8.6-p111/lib/net/imap.rb +--- ruby-1.8.6-p111.orig/lib/net/imap.rb 2007-08-22 08:28:09.000000000 +0900 ++++ ruby-1.8.6-p111/lib/net/imap.rb 2007-10-29 21:14:38.000000000 +0900 +@@ -900,6 +900,7 @@ module Net + end + @sock = SSLSocket.new(@sock, context) + @sock.connect # start ssl session. ++ @sock.post_connection_check(@host) if verify + else + @usessl = false + end +diff -pruN ruby-1.8.6-p111.orig/lib/open-uri.rb ruby-1.8.6-p111/lib/open-uri.rb +--- ruby-1.8.6-p111.orig/lib/open-uri.rb 2007-09-24 17:12:24.000000000 +0900 ++++ ruby-1.8.6-p111/lib/open-uri.rb 2007-10-29 21:16:03.000000000 +0900 +@@ -229,7 +229,6 @@ module OpenURI + if target.class == URI::HTTPS + require 'net/https' + http.use_ssl = true +- http.enable_post_connection_check = true + http.verify_mode = OpenSSL::SSL::VERIFY_PEER + store = OpenSSL::X509::Store.new + store.set_default_paths diff --git a/ruby.spec b/ruby.spec index eacf5ae..f9e8ae8 100644 --- a/ruby.spec +++ b/ruby.spec @@ -1,7 +1,7 @@ %define manver 1.4.6 %define rubyxver 1.8 %define rubyver 1.8.6 -%define _patchlevel 110 +%define _patchlevel 111 %define dotpatchlevel %{?_patchlevel:.%{_patchlevel}} %define patchlevel %{?_patchlevel:-p%{_patchlevel}} %define sitedir %{_libdir}/ruby/site_ruby 
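Review bot: In the new ruby-1.8.6.111-CVE-2007-5162.patch, the net/http.rb and net/telnets.rb guards call `post_connection_check` whenever the verify mode is `!= OpenSSL::SSL::VERIFY_NONE`, which is also true when no mode was ever set (nil). In that case the hostname is presumably compared against a certificate whose chain was never validated, so a matching name says nothing about who issued it. The imap.rb line has the opposite gap: `@sock.post_connection_check(@host) if verify` skips the hostname check unless the caller opts in, and the default of `verify` is not visible in this hunk. I would state the contract next to each guard, e.g. `# hostname check only authenticates the peer when verify_mode is VERIFY_PEER; set it explicitly`, and have the changelog entry say that IMAP and telnets callers must request verification themselves. The enclosing Ruby methods begin and end outside the quoted context.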
@@ -11,7 +11,7 @@ Name: ruby Version: %{rubyver}%{?dotpatchlevel} -Release: 2%{?dist} +Release: 1%{?dist} License: Ruby or GPL+ URL: http://www.ruby-lang.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -36,7 +36,7 @@ Patch20: ruby-rubyprefix.patch Patch21: ruby-deprecated-sitelib-search-path.patch Patch22: ruby-deprecated-search-path.patch Patch23: ruby-multilib.patch -Patch24: ruby-1.8.6-CVE-2007-5162.patch +Patch24: ruby-1.8.6.111-CVE-2007-5162.patch Summary: An interpreter of object-oriented scripting language Group: Development/Languages @@ -180,10 +180,6 @@ export CFLAGS --disable-rpath \ --with-ruby-prefix=%{_prefix}/lib -%ifarch ppc -cp Makefile Makefile.orig -sed -e 's/^EXTMK_ARGS[[:space:]].*=\(.*\) --$/EXTMK_ARGS=\1 --disable-tcl-thread --/' Makefile.orig > Makefile -%endif make RUBY_INSTALL_NAME=ruby %{?_smp_mflags} %ifarch ia64 # Miscompilation? Buggy code? @@ -467,6 +463,14 @@ rm -rf tmp-ruby-docs %endif %changelog +* Mon Oct 29 2007 Akira TAGOH - 1.8.6.111-1 +- New upstream release. +- ruby-1.8.6.111-CVE-2007-5162.patch: Update a bit with backporting the changes + at trunk to enable the fix without any modifications on the users' scripts. + Note that Net::HTTP#enable_post_connection_check isn't available anymore. + If you want to disable this post-check, you should give OpenSSL::SSL::VERIFY_NONE + to Net::HTTP#verify_mode= instead of. + * Mon Oct 15 2007 Akira TAGOH - 1.8.6.110-2 - Enable pthread support for ppc too. (#201452) - Fix unexpected dependencies appears in ruby-libs. (#253325) diff --git a/sources b/sources index effd85c..840df49 100644 --- a/sources +++ b/sources 
@@ -2,5 +2,4 @@ d65e3a216d6d345a2a6f1aa8758c2f75 ruby-refm-rdp-1.8.1-ja-html.tar.gz 7f3e181c0be9a1579e43a5a8b26372d6 rubyfaq-990927.tar.bz2 8aa2e2da327dc43ff6e46e634eb657b6 rubyfaq-jp-990927.tar.bz2 -eb7f25818cb6993839b38d1f21bd4ea1 ruby-1.8.6-p36.tar.bz2 -39cbf0cc610e636983cb3311bef3f2d0 ruby-1.8.6-p110.tar.bz2 +e1d38b7d4f1be55726d6927a3395ce3b ruby-1.8.6-p111.tar.bz2 From 847867517b11722f1ba1fe61554c932587a51ab3 Mon Sep 17 00:00:00 2001 From: Akira TAGOH Date: Mon, 10 Mar 2008 07:32:01 +0000 Subject: [PATCH 03/11] - Security fix for CVE-2008-1145. - Improve a spec file. (#226381) - Correct License tag. - Fix a timestamp issue. - Own a arch-specific directory. --- .cvsignore | 1 + ruby-1.8.6.111-gcc43.patch | 16 ++ ruby.spec | 418 ++++++++++++++++++++++--------------- sources | 6 +- 4 files changed, 273 insertions(+), 168 deletions(-) create mode 100644 ruby-1.8.6.111-gcc43.patch diff --git a/.cvsignore b/.cvsignore index f855092..9dd3d12 100644 --- a/.cvsignore +++ b/.cvsignore @@ -16,3 +16,4 @@ ruby-1.8.6.tar.bz2 ruby-1.8.6-p36.tar.bz2 ruby-1.8.6-p110.tar.bz2 ruby-1.8.6-p111.tar.bz2 +ruby-1.8.6-p114.tar.bz2 diff --git a/ruby-1.8.6.111-gcc43.patch b/ruby-1.8.6.111-gcc43.patch new file mode 100644 index 0000000..9e1b297 --- /dev/null +++ b/ruby-1.8.6.111-gcc43.patch @@ -0,0 +1,16 @@ +diff -pruN ruby-1.8.6-p111.orig/ext/socket/socket.c ruby-1.8.6-p111/ext/socket/socket.c +--- ruby-1.8.6-p111.orig/ext/socket/socket.c 2007-05-23 00:08:43.000000000 +0900 ++++ ruby-1.8.6-p111/ext/socket/socket.c 2008-02-19 11:24:22.000000000 +0900 +@@ -893,10 +893,10 @@ port_str(port, pbuf, len) + } + + #ifndef NI_MAXHOST +-# define 1025 ++# define NI_MAXHOST 1025 + #endif + #ifndef NI_MAXSERV +-# define 32 ++# define NI_MAXSERV 32 + #endif + + static struct addrinfo* diff --git a/ruby.spec b/ruby.spec index f9e8ae8..4d0e325 100644 --- a/ruby.spec +++ b/ruby.spec 
@@ -1,18 +1,19 @@ -%define manver 1.4.6 %define rubyxver 1.8 %define rubyver 1.8.6 -%define _patchlevel 111 +%define _patchlevel 114 %define dotpatchlevel %{?_patchlevel:.%{_patchlevel}} %define patchlevel %{?_patchlevel:-p%{_patchlevel}} +%define arcver %{rubyver}%{?patchlevel} %define sitedir %{_libdir}/ruby/site_ruby # This is required to ensure that noarch files puts under /usr/lib/... for # multilib because ruby library is installed under /usr/{lib,lib64}/ruby anyway. %define sitedir2 %{_prefix}/lib/ruby/site_ruby +%define _normalized_cpu %(echo `echo %{_target_cpu} | sed 's/^ppc/powerpc/'`) Name: ruby Version: %{rubyver}%{?dotpatchlevel} Release: 1%{?dist} -License: Ruby or GPL+ +License: Ruby or GPLv2 URL: http://www.ruby-lang.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: readline readline-devel ncurses ncurses-devel gdbm gdbm-devel glibc-devel tcl-devel tk-devel libX11-devel autoconf gcc unzip openssl-devel db4-devel byacc 
@@ -20,15 +21,13 @@ BuildRequires: readline readline-devel ncurses ncurses-devel gdbm gdbm-devel gli BuildRequires: emacs %endif -Source0: ftp://ftp.ruby-lang.org/pub/%{name}/%{name}-%{rubyver}%{?patchlevel}.tar.bz2 -##Source1: ftp://ftp.ruby-lang.org/pub/%{name}/doc/%{name}-man-%{manver}.tar.gz -Source1: %{name}-man-%{manver}.tar.bz2 -Source2: http://www7.tok2.com/home/misc/files/%{name}/%{name}-refm-rdp-1.8.1-ja-html.tar.gz -##Source3: ftp://ftp.ruby-lang.org/pub/%{name}/doc/rubyfaq-990927.tar.gz -Source3: rubyfaq-990927.tar.bz2 -##Source4: ftp://ftp.ruby-lang.org/pub/%{name}/doc/rubyfaq-jp-990927.tar.gz -Source4: rubyfaq-jp-990927.tar.bz2 -Source5: irb.1 +Source0: ftp://ftp.ruby-lang.org/pub/%{name}/%{rubyxver}/%{name}-%{arcver}.tar.bz2 +## Dead link +##Source1: http://www7.tok2.com/home/misc/files/%{name}/%{name}-refm-rdp-1.8.1-ja-html.tar.gz +Source1: %{name}-refm-rdp-1.8.1-ja-html.tar.gz +Source2: ftp://ftp.ruby-lang.org/pub/%{name}/doc/rubyfaq-990927.tar.gz +Source3: ftp://ftp.ruby-lang.org/pub/%{name}/doc/rubyfaq-jp-990927.tar.gz +Source4: irb.1 Source10: ruby-mode-init.el Patch1: ruby-deadcode.patch @@ -37,6 +36,7 @@ Patch21: ruby-deprecated-sitelib-search-path.patch Patch22: ruby-deprecated-search-path.patch Patch23: ruby-multilib.patch Patch24: ruby-1.8.6.111-CVE-2007-5162.patch +Patch25: ruby-1.8.6.111-gcc43.patch Summary: An interpreter of object-oriented scripting language Group: Development/Languages @@ -64,6 +64,7 @@ This package includes the libruby, necessary to run Ruby. Summary: A Ruby development environment Group: Development/Languages Requires: %{name}-libs = %{version}-%{release} +Provides: %{name}-libs-static = %{version}-%{release} %description devel Header files and libraries for building a extension library for the 
@@ -94,7 +95,8 @@ from the terminal. %package rdoc Summary: A tool to generate documentation from Ruby source files Group: Development/Languages -Requires: %{name} = %{version}-%{release} +## ruby-irb requires ruby +#Requires: %{name} = %{version}-%{release} Requires: %{name}-irb = %{version}-%{release} Provides: rdoc = %{version}-%{release} Obsoletes: rdoc <= %{version}-%{release} @@ -127,7 +129,8 @@ Emacs Lisp ruby-mode for the object-oriented scripting language Ruby. %package ri Summary: Ruby interactive reference Group: Documentation -Requires: %{name} = %{version}-%{release} +## ruby-irb requires ruby, which ruby-rdoc requires +#Requires: %{name} = %{version}-%{release} Requires: %{name}-rdoc = %{version}-%{release} Provides: ri = %{version}-%{release} Obsoletes: ri <= %{version}-%{release} @@ -140,12 +143,12 @@ along with a list of the methods the class or module implements. %prep -%setup -q -c -a 1 -a 3 -a 4 +%setup -q -c -a 2 -a 3 mkdir -p ruby-refm-ja pushd ruby-refm-ja -tar fxz %{SOURCE2} +tar fxz %{SOURCE1} popd -pushd %{name}-%{rubyver}%{?patchlevel} +pushd %{name}-%{arcver} %patch1 -p1 %patch20 -p1 %patch21 -p1 @@ -154,10 +157,11 @@ pushd %{name}-%{rubyver}%{?patchlevel} %patch23 -p1 %endif %patch24 -p1 +%patch25 -p1 popd %build -pushd %{name}-%{rubyver}%{?patchlevel} +pushd %{name}-%{arcver} for i in config.sub config.guess; do test -f %{_datadir}/libtool/$i && cp %{_datadir}/libtool/$i . done @@ -180,7 +184,7 @@ export CFLAGS --disable-rpath \ --with-ruby-prefix=%{_prefix}/lib -make RUBY_INSTALL_NAME=ruby %{?_smp_mflags} +make RUBY_INSTALL_NAME=ruby %{?_smp_mflags} COPY="cp -p" %{?_smp_mflags} %ifarch ia64 # Miscompilation? Buggy code? rm -f parse.o @@ -190,7 +194,7 @@ make OPT=-O0 RUBY_INSTALL_NAME=ruby %{?_smp_mflags} popd %check -pushd %{name}-%{rubyver}%{?patchlevel} +pushd %{name}-%{arcver} %ifnarch ppc64 make test %endif 
@@ -200,32 +204,31 @@ popd rm -rf $RPM_BUILD_ROOT %ifnarch ppc64 -%{__mkdir_p} $RPM_BUILD_ROOT%{_datadir}/emacs/site-lisp/ruby-mode -%{__mkdir_p} $RPM_BUILD_ROOT%{_datadir}/emacs/site-lisp/site-start.d -#%{__mkdir_p} $RPM_BUILD_ROOT%{_libdir}/xemacs/xemacs-packages/lisp/ruby-mode -#%{__mkdir_p} $RPM_BUILD_ROOT%{_libdir}/xemacs/xemacs-packages/lisp/site-start.d +mkdir -p $RPM_BUILD_ROOT%{_datadir}/emacs/site-lisp/ruby-mode +mkdir -p $RPM_BUILD_ROOT%{_datadir}/emacs/site-lisp/site-start.d %endif # installing documents and exapmles... +rm -rf tmp-ruby-docs mkdir tmp-ruby-docs cd tmp-ruby-docs # for ruby.rpm mkdir ruby ruby-libs ruby-devel ruby-tcltk ruby-docs irb cd ruby -(cd ../../%{name}-%{rubyver}%{?patchlevel} && tar cf - sample) | tar xvf - +(cd ../../%{name}-%{arcver} && tar cf - sample) | tar xvf - cd .. # for ruby-libs cd ruby-libs -(cd ../../%{name}-%{rubyver}%{?patchlevel} && tar cf - lib/README*) | tar xvf - -(cd ../../%{name}-%{rubyver}%{?patchlevel}/doc && tar cf - .) | tar xvf - -(cd ../../%{name}-%{rubyver}%{?patchlevel} && +(cd ../../%{name}-%{arcver} && tar cf - lib/README*) | tar xf - +(cd ../../%{name}-%{arcver}/doc && tar cf - .) | tar xf - +(cd ../../%{name}-%{arcver} && tar cf - `find ext \ -mindepth 1 \ \( -path '*/sample/*' -o -path '*/demo/*' \) -o \ \( -name '*.rb' -not -path '*/lib/*' -not -name extconf.rb \) -o \ - \( -name 'README*' -o -name '*.txt*' -o -name 'MANUAL*' \)`) | tar xvf - + \( -name 'README*' -o -name '*.txt*' -o -name 'MANUAL*' \)`) | tar xf - cd .. # for irb @@ -244,7 +247,7 @@ cd ruby-tcltk for target in tcltklib tk do (cd ../ruby-libs && - tar cf - `find . -path "*/$target/*"`) | tar xvf - + tar cf - `find . -path "*/$target/*"`) | tar xf - (cd ../ruby-libs && rm -rf `find . -name "$target" -type d`) done 
@@ -252,11 +255,10 @@ cd .. # for ruby-docs cd ruby-docs -mkdir doc-en refm-ja faq-en faq-ja -(cd ../../ruby-man-`echo %{manver} | sed -e 's/\.[0-9]*$//'` && tar cf - .) | (cd doc-en && tar xvf -) -(cd ../../ruby-refm-ja && tar cf - .) | (cd refm-ja && tar xvf -) -(cd ../../rubyfaq && tar cf - .) | (cd faq-en && tar xvf -) -(cd ../../rubyfaq-jp && tar cf - .) | (cd faq-ja && tar xvf -) +mkdir refm-ja faq-en faq-ja +(cd ../../ruby-refm-ja && tar cf - .) | (cd refm-ja && tar xf -) +(cd ../../rubyfaq && tar cf - .) | (cd faq-en && tar xf -) +(cd ../../rubyfaq-jp && tar cf - .) | (cd faq-ja && tar xf -) (cd faq-ja && for f in rubyfaq-jp*.html @@ -265,15 +267,12 @@ mkdir doc-en refm-ja faq-en faq-ja < $f > `echo $f | sed -e's/-jp//'` rm -f $f; \ done) -# make sure that all doc files are the world-readable -find -type f | xargs chmod 0644 - cd .. # fixing `#!' paths for f in `find . -type f` do - sed -e 's,^#![ ]*\([^ ]*\)/\(ruby\|with\|perl\|env\),#!/usr/bin/\2,' < $f > $f.n + sed -e 's,^#![ ]*\([^ ]*\)/\(ruby\|wish\|perl\|env\),#!/usr/bin/\2,' < $f > $f.n if ! cmp $f $f.n then mv -f $f.n $f 
@@ -282,35 +281,39 @@ do fi done +# make sure that all doc files are the world-readable +find -type f | xargs chmod 0644 + +# convert to utf-8 +for i in `find -type f`; do + iconv -f utf-8 -t utf-8 $i > /dev/null 2>&1 || (iconv -f euc-jp -t utf-8 $i > $i.new && mv $i.new $i || exit 1) + if [ $? != 0 ]; then + iconv -f iso8859-1 -t utf-8 $i > $.new && mv $i.new $i || exit 1 + fi +done + # done cd .. # installing binaries ... -make -C $RPM_BUILD_DIR/%{name}-%{version}/%{name}-%{rubyver}%{?patchlevel} DESTDIR=$RPM_BUILD_ROOT install - -_cpu=`echo %{_target_cpu} | sed 's/^ppc/powerpc/'` +make -C $RPM_BUILD_DIR/%{name}-%{version}/%{name}-%{arcver} DESTDIR=$RPM_BUILD_ROOT install # generate ri doc -rubybuilddir=$RPM_BUILD_DIR/%{name}-%{version}/%{name}-%{rubyver}%{?patchlevel} -LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_libdir} RUBYLIB=$RPM_BUILD_ROOT%{_libdir}/ruby/%{rubyxver}:$RPM_BUILD_ROOT%{_libdir}/ruby/%{rubyxver}/$_cpu-%{_target_os} make -C $rubybuilddir DESTDIR=$RPM_BUILD_ROOT install-doc -#DESTDIR=$RPM_BUILD_ROOT LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_bindir}/ruby -I $rubybuilddir -I $RPM_BUILD_ROOT%{_libdir}/ruby/%{rubyxver}/$_cpu-%{_target_os}/ -I $rubybuilddir/lib $RPM_BUILD_ROOT%{_bindir}/rdoc --all --ri-system $rubybuilddir +rubybuilddir=$RPM_BUILD_DIR/%{name}-%{version}/%{name}-%{arcver} +rm -rf %{name}-%{arcver}/.ext/rdoc +LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_libdir} RUBYLIB=$RPM_BUILD_ROOT%{_libdir}/ruby/%{rubyxver}:$RPM_BUILD_ROOT%{_libdir}/ruby/%{rubyxver}/%{_normalized_cpu}-%{_target_os} make -C $rubybuilddir DESTDIR=$RPM_BUILD_ROOT install-doc +#DESTDIR=$RPM_BUILD_ROOT LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_bindir}/ruby -I $rubybuilddir -I $RPM_BUILD_ROOT%{_libdir}/ruby/%{rubyxver}/%{_normalized_cpu}-%{_target_os}/ -I $rubybuilddir/lib $RPM_BUILD_ROOT%{_bindir}/rdoc --all --ri-system $rubybuilddir -%{__mkdir_p} $RPM_BUILD_ROOT%{sitedir2}/%{rubyxver} -%{__mkdir_p} $RPM_BUILD_ROOT%{sitedir}/%{rubyxver}/$_cpu-%{_target_os} 
- -%ifarch ppc64 s390x sparc64 x86_64 -# correct archdir -#mv $RPM_BUILD_ROOT%{_prefix}/lib/ruby/%{rubyxver}/$_cpu-%{_target_os}/* $RPM_BUILD_ROOT%{_libdir}/ruby/%{rubyxver}/$_cpu-%{_target_os}/ -#rmdir $RPM_BUILD_ROOT%{_prefix}/lib/ruby/%{rubyxver}/$_cpu-%{_target_os} -%endif +mkdir -p $RPM_BUILD_ROOT%{sitedir2}/%{rubyxver} +mkdir -p $RPM_BUILD_ROOT%{sitedir}/%{rubyxver}/%{_normalized_cpu}-%{_target_os} # XXX: installing irb -install -m 0644 %{SOURCE5} $RPM_BUILD_ROOT%{_mandir}/man1/ +install -p -m 0644 %{SOURCE4} $RPM_BUILD_ROOT%{_mandir}/man1/ %ifnarch ppc64 # installing ruby-mode -cd %{name}-%{rubyver}%{?patchlevel} -cp misc/*.el $RPM_BUILD_ROOT%{_datadir}/emacs/site-lisp/ruby-mode +cd %{name}-%{arcver} +cp -p misc/*.el $RPM_BUILD_ROOT%{_datadir}/emacs/site-lisp/ruby-mode ## for ruby-mode pushd $RPM_BUILD_ROOT%{_datadir}/emacs/site-lisp/ruby-mode 
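Review bot: The ISO-8859-1 fallback in the new "convert to utf-8" loop redirects to `$.new` instead of `$i.new`. That branch only runs after the euc-jp attempt has failed, so the `mv $i.new $i` that follows would move the partial file left by that failed attempt over the original document. The line should read `iconv -f iso8859-1 -t utf-8 "$i" > "$i.new" && mv "$i.new" "$i" || exit 1`, and the euc-jp branch would be safer if it removed `$i.new` on failure. The loop also expands `$i` unquoted from `find` output, so a path containing whitespace is split into several arguments.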
@@ -320,149 +323,234 @@ EOF emacs --no-site-file -q -batch -l path.el -f batch-byte-compile *.el rm -f path.el* popd -install -m 644 %{SOURCE10} \ +install -p -m 644 %{SOURCE10} \ $RPM_BUILD_ROOT%{_datadir}/emacs/site-lisp/site-start.d cd .. %endif -# listing all files in ruby-all.files -(find $RPM_BUILD_ROOT -type f -o -type l) | - sort | uniq | sed -e "s,^$RPM_BUILD_ROOT,," \ - -e "s,\(/man/man./.*\)$,\1*," > ruby-all.files -egrep '(\.[ah]|libruby\.so)$' ruby-all.files > ruby-devel.files - -_rubytmpfile=`mktemp -t %{name}-%{version}-%{release}-tmp-%(%{__id_u -n}).XXXXXXXXXX` -# for ruby-tcltk.rpm -cp /dev/null ruby-tcltk.files -for f in `find %{name}-%{rubyver}%{?patchlevel}/ext/tk/lib -type f; find %{name}-%{rubyver}%{?patchlevel}/.ext -type f -name '*.so'; find %{name}-%{rubyver}%{?patchlevel}/ext/tk -type f -name '*.so'` -do - egrep "tcl|tk" ruby-all.files | grep "/`basename $f`$" >> ruby-tcltk.files || : +# remove shebang +for i in $RPM_BUILD_ROOT%{_prefix}/lib/ruby/1.8/{abbrev,generator,irb/{cmd/subirb,ext/save-history},matrix,rdoc/{markup/sample/rdoc2latex,parsers/parse_rb},set,tsort}.rb; do + sed -i -e '/^#!.*/,1D' $i done -sort ruby-tcltk.files | uniq - $_rubytmpfile && mv $_rubytmpfile ruby-tcltk.files - -# for irb.rpm -fgrep 'irb' ruby-all.files > irb.files - -# for ri -cp /dev/null ri.files -fgrep '%{_datadir}/ri' ruby-all.files >> ri.files -fgrep '%{_bindir}/ri' ruby-all.files >> ri.files - -# for rdoc -cp /dev/null rdoc.files -fgrep rdoc ruby-all.files >> rdoc.files - -# for ruby-libs -cp /dev/null ruby-libs.files -(fgrep '%{_prefix}/lib' ruby-all.files; - fgrep -h '%{_prefix}/lib' ruby-devel.files ruby-tcltk.files irb.files ri.files rdoc.files) | egrep -v "elc?$" | \ - sort | uniq -u > ruby-libs.files - -%ifnarch ppc64 -# for ruby-mode -cp /dev/null ruby-mode.files -fgrep '.el' ruby-all.files >> ruby-mode.files -%else -touch ruby-mode.files -%endif - -# for ruby.rpm -sort ruby-all.files \ - ruby-libs.files ruby-devel.files ruby-tcltk.files irb.files 
ruby-mode.files ri.files rdoc.files | - uniq -u > ruby.files - -# for arch-dependent dir -rbconfig=`find $RPM_BUILD_ROOT -name rbconfig.rb` -export LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_libdir} -arch=`$RPM_BUILD_ROOT%{_bindir}/ruby -r $rbconfig -e 'printf ("%s\n", Config::CONFIG["arch"])'` -cat <<__EOF__ >> ruby-libs.files -%%dir %%{_libdir}/ruby/%%{rubyxver}/$arch -%%dir %%{_libdir}/ruby/%%{rubyxver}/$arch/digest -__EOF__ %clean rm -rf $RPM_BUILD_ROOT -rm -f *.files rm -rf tmp-ruby-docs %post libs -p /sbin/ldconfig %postun libs -p /sbin/ldconfig -%files -f ruby.files -%defattr(-, root, root) -%doc %{name}-%{rubyver}%{?patchlevel}/COPYING* -%doc %{name}-%{rubyver}%{?patchlevel}/ChangeLog -%doc %{name}-%{rubyver}%{?patchlevel}/GPL -%doc %{name}-%{rubyver}%{?patchlevel}/LEGAL -%doc %{name}-%{rubyver}%{?patchlevel}/LGPL -%doc %{name}-%{rubyver}%{?patchlevel}/NEWS -%doc %{name}-%{rubyver}%{?patchlevel}/README -%lang(ja) %doc %{name}-%{rubyver}%{?patchlevel}/README.ja -%doc %{name}-%{rubyver}%{?patchlevel}/ToDo -%doc %{name}-%{rubyver}%{?patchlevel}/doc/ChangeLog-1.8.0 -%doc %{name}-%{rubyver}%{?patchlevel}/doc/NEWS-1.8.0 +%files +%defattr(-, root, root, -) +%doc %{name}-%{arcver}/COPYING* +%doc %{name}-%{arcver}/ChangeLog +%doc %{name}-%{arcver}/GPL +%doc %{name}-%{arcver}/LEGAL +%doc %{name}-%{arcver}/LGPL +%doc %{name}-%{arcver}/NEWS +%doc %{name}-%{arcver}/README +%lang(ja) %doc %{name}-%{arcver}/README.ja +%doc %{name}-%{arcver}/ToDo +%doc %{name}-%{arcver}/doc/ChangeLog-1.8.0 +%doc %{name}-%{arcver}/doc/NEWS-1.8.0 %doc tmp-ruby-docs/ruby/* +%{_bindir}/ruby +%{_bindir}/erb +%{_bindir}/testrb +%{_mandir}/man1/ruby.1* -%files devel -f ruby-devel.files -%defattr(-, root, root) -%doc %{name}-%{rubyver}%{?patchlevel}/README.EXT -%lang(ja) %doc %{name}-%{rubyver}%{?patchlevel}/README.EXT.ja +%files devel +%defattr(-, root, root, -) +%doc %{name}-%{arcver}/COPYING* +%doc %{name}-%{arcver}/ChangeLog +%doc %{name}-%{arcver}/GPL +%doc %{name}-%{arcver}/LEGAL +%doc 
%{name}-%{arcver}/LGPL +%doc %{name}-%{arcver}/README.EXT +%lang(ja) %doc %{name}-%{arcver}/README.EXT.ja +%{_libdir}/libruby.so +%{_libdir}/libruby-static.a +%{_libdir}/ruby/%{rubyxver}/*/*.h -%files libs -f ruby-libs.files -%defattr(-, root, root) -%doc %{name}-%{rubyver}%{?patchlevel}/README -%lang(ja) %doc %{name}-%{rubyver}%{?patchlevel}/README.ja -%doc %{name}-%{rubyver}%{?patchlevel}/COPYING* -%doc %{name}-%{rubyver}%{?patchlevel}/ChangeLog -%doc %{name}-%{rubyver}%{?patchlevel}/GPL -%doc %{name}-%{rubyver}%{?patchlevel}/LEGAL -%doc %{name}-%{rubyver}%{?patchlevel}/LGPL -%dir %{_libdir}/ruby +%files libs +%defattr(-, root, root, -) +%doc %{name}-%{arcver}/README +%lang(ja) %doc %{name}-%{arcver}/README.ja +%doc %{name}-%{arcver}/COPYING* +%doc %{name}-%{arcver}/ChangeLog +%doc %{name}-%{arcver}/GPL +%doc %{name}-%{arcver}/LEGAL +%doc %{name}-%{arcver}/LGPL %dir %{_prefix}/lib/ruby -%dir %{_libdir}/ruby/%{rubyxver} %dir %{_prefix}/lib/ruby/%{rubyxver} -%dir %{_prefix}/lib/ruby/%{rubyxver}/cgi -%dir %{_prefix}/lib/ruby/%{rubyxver}/net -%dir %{_prefix}/lib/ruby/%{rubyxver}/shell -%dir %{_prefix}/lib/ruby/%{rubyxver}/uri -%{sitedir} -%{sitedir2} - -%files tcltk -f ruby-tcltk.files -%defattr(-, root, root) -%doc tmp-ruby-docs/ruby-tcltk/ext/* - -%files rdoc -f rdoc.files -%defattr(-, root, root) +%ifnarch ppc64 s390x sparc64 x86_64 +%dir %{_prefix}/lib/ruby/%{rubyxver}/%{_normalized_cpu}-%{_target_os} +%endif +%ifarch ppc64 s390x sparc64 x86_64 %dir %{_libdir}/ruby %dir %{_libdir}/ruby/%{rubyxver} +%dir %{_libdir}/ruby/%{rubyxver}/%{_normalized_cpu}-%{_target_os} +%{sitedir} +%endif +%{sitedir2} +## the following files should goes into ruby-tcltk package. 
+%exclude %{_prefix}/lib/ruby/%{rubyxver}/*tk.rb +%exclude %{_prefix}/lib/ruby/%{rubyxver}/tcltk.rb +%exclude %{_prefix}/lib/ruby/%{rubyxver}/tk +%exclude %{_prefix}/lib/ruby/%{rubyxver}/tk*.rb +%exclude %{_prefix}/lib/ruby/%{rubyxver}/tkextlib +%exclude %{_libdir}/ruby/%{rubyxver}/*/tcltklib.so +%exclude %{_libdir}/ruby/%{rubyxver}/*/tkutil.so +## the following files should goes into ruby-rdoc package. +%exclude %{_prefix}/lib/ruby/%{rubyxver}/rdoc +## the following files should goes into ruby-irb package. +%exclude %{_prefix}/lib/ruby/%{rubyxver}/irb.rb +%exclude %{_prefix}/lib/ruby/%{rubyxver}/irb +## files in ruby-libs from here +%{_prefix}/lib/ruby/%{rubyxver}/*.rb +%{_prefix}/lib/ruby/%{rubyxver}/bigdecimal +%{_prefix}/lib/ruby/%{rubyxver}/cgi +%{_prefix}/lib/ruby/%{rubyxver}/date +%{_prefix}/lib/ruby/%{rubyxver}/digest +%{_prefix}/lib/ruby/%{rubyxver}/dl +%{_prefix}/lib/ruby/%{rubyxver}/drb +%{_prefix}/lib/ruby/%{rubyxver}/io +%{_prefix}/lib/ruby/%{rubyxver}/net +%{_prefix}/lib/ruby/%{rubyxver}/openssl +%{_prefix}/lib/ruby/%{rubyxver}/optparse +%{_prefix}/lib/ruby/%{rubyxver}/racc +%{_prefix}/lib/ruby/%{rubyxver}/rexml +%{_prefix}/lib/ruby/%{rubyxver}/rinda +%{_prefix}/lib/ruby/%{rubyxver}/rss +%{_prefix}/lib/ruby/%{rubyxver}/runit +%{_prefix}/lib/ruby/%{rubyxver}/shell +%{_prefix}/lib/ruby/%{rubyxver}/soap +%{_prefix}/lib/ruby/%{rubyxver}/test +%{_prefix}/lib/ruby/%{rubyxver}/uri +%{_prefix}/lib/ruby/%{rubyxver}/webrick +%{_prefix}/lib/ruby/%{rubyxver}/wsdl +%{_prefix}/lib/ruby/%{rubyxver}/xmlrpc +%{_prefix}/lib/ruby/%{rubyxver}/xsd +%{_prefix}/lib/ruby/%{rubyxver}/yaml +%{_libdir}/libruby.so.* +%{_libdir}/ruby/%{rubyxver}/*/*.so +%{_libdir}/ruby/%{rubyxver}/*/digest +%{_libdir}/ruby/%{rubyxver}/*/io +%{_libdir}/ruby/%{rubyxver}/*/racc +%{_libdir}/ruby/%{rubyxver}/*/rbconfig.rb -%files irb -f irb.files -%defattr(-, root, root) +%files tcltk +%defattr(-, root, root, -) +%doc %{name}-%{arcver}/COPYING* +%doc %{name}-%{arcver}/ChangeLog +%doc 
%{name}-%{arcver}/GPL +%doc %{name}-%{arcver}/LEGAL +%doc %{name}-%{arcver}/LGPL +%doc tmp-ruby-docs/ruby-tcltk/ext/* +%{_prefix}/lib/ruby/%{rubyxver}/*-tk.rb +%{_prefix}/lib/ruby/%{rubyxver}/tcltk.rb +%{_prefix}/lib/ruby/%{rubyxver}/tk +%{_prefix}/lib/ruby/%{rubyxver}/tk*.rb +%{_prefix}/lib/ruby/%{rubyxver}/tkextlib +%{_libdir}/ruby/%{rubyxver}/*/tcltklib.so +%{_libdir}/ruby/%{rubyxver}/*/tkutil.so + +%files rdoc +%defattr(-, root, root, -) +%doc %{name}-%{arcver}/COPYING* +%doc %{name}-%{arcver}/ChangeLog +%doc %{name}-%{arcver}/GPL +%doc %{name}-%{arcver}/LEGAL +%doc %{name}-%{arcver}/LGPL +%{_bindir}/rdoc +%{_prefix}/lib/ruby/%{rubyxver}/rdoc + +%files irb +%defattr(-, root, root, -) +%doc %{name}-%{arcver}/COPYING* +%doc %{name}-%{arcver}/ChangeLog +%doc %{name}-%{arcver}/GPL +%doc %{name}-%{arcver}/LEGAL +%doc %{name}-%{arcver}/LGPL %doc tmp-ruby-docs/irb/* -%dir %{_prefix}/lib/ruby/%{rubyxver}/irb -%dir %{_prefix}/lib/ruby/%{rubyxver}/irb/lc -%dir %{_prefix}/lib/ruby/%{rubyxver}/irb/lc/ja +%{_bindir}/irb +%{_prefix}/lib/ruby/%{rubyxver}/irb.rb +%{_prefix}/lib/ruby/%{rubyxver}/irb +%{_mandir}/man1/irb.1* -%files ri -f ri.files -%defattr(-, root, root) -%dir %{_datadir}/ri +%files ri +%defattr(-, root, root, -) +%doc %{name}-%{arcver}/COPYING* +%doc %{name}-%{arcver}/ChangeLog +%doc %{name}-%{arcver}/GPL +%doc %{name}-%{arcver}/LEGAL +%doc %{name}-%{arcver}/LGPL +%{_bindir}/ri +%{_datadir}/ri %files docs -%defattr(-, root, root) +%defattr(-, root, root, -) +%doc %{name}-%{arcver}/COPYING* +%doc %{name}-%{arcver}/ChangeLog +%doc %{name}-%{arcver}/GPL +%doc %{name}-%{arcver}/LEGAL +%doc %{name}-%{arcver}/LGPL %doc tmp-ruby-docs/ruby-docs/* %doc tmp-ruby-docs/ruby-libs/* %ifnarch ppc64 -%files mode -f ruby-mode.files -%defattr(-, root, root) -%doc %{name}-%{rubyver}%{?patchlevel}/misc/README -%dir %{_datadir}/emacs/site-lisp/ruby-mode +%files mode +%defattr(-, root, root, -) +%doc %{name}-%{arcver}/COPYING* +%doc %{name}-%{arcver}/ChangeLog +%doc 
%{name}-%{arcver}/GPL +%doc %{name}-%{arcver}/LEGAL +%doc %{name}-%{arcver}/LGPL +%doc %{name}-%{arcver}/misc/README +%{_datadir}/emacs/site-lisp/ruby-mode +%{_datadir}/emacs/site-lisp/site-start.d/ruby-mode-init.el %endif %changelog +* Tue Mar 4 2008 Akira TAGOH - 1.8.6.114-1 +- Security fix for CVE-2008-1145. +- Improve a spec file. (#226381) + - Correct License tag. + - Fix a timestamp issue. + - Own a arch-specific directory. + +* Tue Feb 19 2008 Fedora Release Engineering - 1.8.6.111-9 +- Autorebuild for GCC 4.3 + +* Tue Feb 19 2008 Akira TAGOH - 1.8.6.111-8 +- Rebuild for gcc-4.3. + +* Tue Jan 15 2008 Akira TAGOH - 1.8.6.111-7 +- Revert the change of libruby-static.a. (#428384) + +* Fri Jan 11 2008 Akira TAGOH - 1.8.6.111-6 +- Fix an unnecessary replacement for shebang. (#426835) + +* Fri Jan 4 2008 Akira TAGOH - 1.8.6.111-5 +- Rebuild. + +* Fri Dec 28 2007 Akira TAGOH - 1.8.6.111-4 +- Clean up again. + +* Fri Dec 21 2007 Akira TAGOH - 1.8.6.111-3 +- Clean up the spec file. +- Remove ruby-man-1.4.6 stuff. this is entirely the out-dated document. + this could be replaced by ri. +- Disable the static library building. + +* Tue Dec 04 2007 Release Engineering - 1.8.6.111-2 + - Rebuild for openssl bump + +* Wed Oct 31 2007 Akira TAGOH +- Fix the dead link. + * Mon Oct 29 2007 Akira TAGOH - 1.8.6.111-1 - New upstream release. - ruby-1.8.6.111-CVE-2007-5162.patch: Update a bit with backporting the changes diff --git a/sources b/sources index 840df49..dff6ae6 100644 --- a/sources +++ b/sources 
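Review bot: The new "remove shebang" loop runs `sed -i -e '/^#!.*/,1D' $i`, whose range starts at any line matching `^#!` and ends at line 1, so under GNU sed every line beginning with `#!` is deleted, not only a shebang on the first line. `sed -i -e '1{/^#!/d}' "$i"` limits the edit to line 1. The same loop hard-codes `lib/ruby/1.8/` where the rest of the spec uses `%{rubyxver}`. In the %files lists of this hunk, ruby-libs excludes `*tk.rb` while ruby-tcltk packages `*-tk.rb`; the two globs should be identical so that a file cannot be excluded from one package without being owned by the other.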
@@ -1,5 +1,5 @@ 8336b859400795ec51d05878c1a658b7 ruby-man-1.4.6.tar.bz2 d65e3a216d6d345a2a6f1aa8758c2f75 ruby-refm-rdp-1.8.1-ja-html.tar.gz -7f3e181c0be9a1579e43a5a8b26372d6 rubyfaq-990927.tar.bz2 -8aa2e2da327dc43ff6e46e634eb657b6 rubyfaq-jp-990927.tar.bz2 -e1d38b7d4f1be55726d6927a3395ce3b ruby-1.8.6-p111.tar.bz2 +634c25b14e19925d10af3720d72e8741 rubyfaq-990927.tar.gz +4fcec898f51d8371cc42d0a013940469 rubyfaq-jp-990927.tar.gz +b4d0c74497f684814bcfbb41b7384a71 ruby-1.8.6-p114.tar.bz2 From 762e6cbf3335c0e33b05151b4e745182b9bedc06 Mon Sep 17 00:00:00 2001 From: Akira TAGOH Date: Tue, 24 Jun 2008 02:23:53 +0000 Subject: [PATCH 04/11] - New upstream release. - Security fixes. (#452293) - CVE-2008-1891: WEBrick CGI source disclosure. - CVE-2008-2662: Integer overflow in rb_str_buf_append(). - CVE-2008-2663: Integer overflow in rb_ary_store(). - CVE-2008-2664: Unsafe use of alloca in rb_str_format(). - CVE-2008-2725: Integer overflow in rb_ary_splice(). - CVE-2008-2726: Integer overflow in rb_ary_splice(). - ruby-1.8.6.111-CVE-2007-5162.patch: removed. --- .cvsignore | 1 + ruby-1.8.6.111-CVE-2007-5162.patch | 97 ------------------------------ ruby.spec | 15 ++++- sources | 2 +- 4 files changed, 14 insertions(+), 101 deletions(-) delete mode 100644 ruby-1.8.6.111-CVE-2007-5162.patch diff --git a/.cvsignore b/.cvsignore index 9dd3d12..97c8a0b 100644 --- a/.cvsignore +++ b/.cvsignore @@ -17,3 +17,4 @@ ruby-1.8.6-p36.tar.bz2 ruby-1.8.6-p110.tar.bz2 ruby-1.8.6-p111.tar.bz2 ruby-1.8.6-p114.tar.bz2 +ruby-1.8.6-p230.tar.bz2 diff --git a/ruby-1.8.6.111-CVE-2007-5162.patch b/ruby-1.8.6.111-CVE-2007-5162.patch deleted file mode 100644 index 5ed628d..0000000 --- a/ruby-1.8.6.111-CVE-2007-5162.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -diff -pruN ruby-1.8.6-p111.orig/ext/openssl/lib/net/ftptls.rb ruby-1.8.6-p111/ext/openssl/lib/net/ftptls.rb ---- ruby-1.8.6-p111.orig/ext/openssl/lib/net/ftptls.rb 2007-02-13 08:01:19.000000000 +0900 -+++ ruby-1.8.6-p111/ext/openssl/lib/net/ftptls.rb 2007-10-29 21:10:24.000000000 +0900 -@@ -29,13 +29,23 @@ require 'net/ftp' - - module Net - class FTPTLS < FTP -+ def connect(host, port=FTP_PORT) -+ @hostname = host -+ super -+ end -+ - def login(user = "anonymous", passwd = nil, acct = nil) -+ store = OpenSSL::X509::Store.new -+ store.set_default_paths - ctx = OpenSSL::SSL::SSLContext.new('SSLv23') -+ ctx.cert_store = store -+ ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER - ctx.key = nil - ctx.cert = nil - voidcmd("AUTH TLS") - @sock = OpenSSL::SSL::SSLSocket.new(@sock, ctx) - @sock.connect -+ @sock.post_connection_check(@hostname) - super(user, passwd, acct) - voidcmd("PBSZ 0") - end -diff -pruN ruby-1.8.6-p111.orig/ext/openssl/lib/net/telnets.rb ruby-1.8.6-p111/ext/openssl/lib/net/telnets.rb ---- ruby-1.8.6-p111.orig/ext/openssl/lib/net/telnets.rb 2007-02-13 08:01:19.000000000 +0900 -+++ ruby-1.8.6-p111/ext/openssl/lib/net/telnets.rb 2007-10-29 21:13:03.000000000 +0900 -@@ -134,6 +134,9 @@ module Net - @sock.verify_callback = @options['VerifyCallback'] - @sock.verify_depth = @options['VerifyDepth'] - @sock.connect -+ if @options['VerifyMode'] != OpenSSL::SSL::VERIFY_NONE -+ @sock.post_connection_check(@options['Host']) -+ end - @ssl = true - end - '' -diff -pruN ruby-1.8.6-p111.orig/lib/net/http.rb ruby-1.8.6-p111/lib/net/http.rb ---- ruby-1.8.6-p111.orig/lib/net/http.rb 2007-09-24 17:12:24.000000000 +0900 -+++ ruby-1.8.6-p111/lib/net/http.rb 2007-10-29 21:12:12.000000000 +0900 -@@ -470,7 +470,6 @@ module Net #:nodoc: - @debug_output = nil - @use_ssl = false - @ssl_context = nil -- @enable_post_connection_check = false - end - - def inspect -@@ -527,9 +526,6 @@ module Net #:nodoc: - false # redefined in net/https - end - -- # specify enabling SSL 
server certificate and hostname checking. -- attr_accessor :enable_post_connection_check -- - # Opens TCP connection and HTTP session. - # - # When this method is called with block, gives a HTTP object -@@ -589,12 +585,7 @@ module Net #:nodoc: - end - s.connect - if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE -- begin -- s.post_connection_check(@address) -- rescue OpenSSL::SSL::SSLError => ex -- raise ex if @enable_post_connection_check -- warn ex.message -- end -+ s.post_connection_check(@address) - end - end - on_connect -diff -pruN ruby-1.8.6-p111.orig/lib/net/imap.rb ruby-1.8.6-p111/lib/net/imap.rb ---- ruby-1.8.6-p111.orig/lib/net/imap.rb 2007-08-22 08:28:09.000000000 +0900 -+++ ruby-1.8.6-p111/lib/net/imap.rb 2007-10-29 21:14:38.000000000 +0900 -@@ -900,6 +900,7 @@ module Net - end - @sock = SSLSocket.new(@sock, context) - @sock.connect # start ssl session. -+ @sock.post_connection_check(@host) if verify - else - @usessl = false - end -diff -pruN ruby-1.8.6-p111.orig/lib/open-uri.rb ruby-1.8.6-p111/lib/open-uri.rb ---- ruby-1.8.6-p111.orig/lib/open-uri.rb 2007-09-24 17:12:24.000000000 +0900 -+++ ruby-1.8.6-p111/lib/open-uri.rb 2007-10-29 21:16:03.000000000 +0900 -@@ -229,7 +229,6 @@ module OpenURI - if target.class == URI::HTTPS - require 'net/https' - http.use_ssl = true -- http.enable_post_connection_check = true - http.verify_mode = OpenSSL::SSL::VERIFY_PEER - store = OpenSSL::X509::Store.new - store.set_default_paths diff --git a/ruby.spec b/ruby.spec index 4d0e325..3d6a2fb 100644 --- a/ruby.spec +++ b/ruby.spec @@ -1,6 +1,6 @@ %define rubyxver 1.8 %define rubyver 1.8.6 -%define _patchlevel 114 +%define _patchlevel 230 %define dotpatchlevel %{?_patchlevel:.%{_patchlevel}} %define patchlevel %{?_patchlevel:-p%{_patchlevel}} %define arcver %{rubyver}%{?patchlevel} 
@@ -35,7 +35,6 @@ Patch20: ruby-rubyprefix.patch Patch21: ruby-deprecated-sitelib-search-path.patch Patch22: ruby-deprecated-search-path.patch Patch23: ruby-multilib.patch -Patch24: ruby-1.8.6.111-CVE-2007-5162.patch Patch25: ruby-1.8.6.111-gcc43.patch Summary: An interpreter of object-oriented scripting language @@ -156,7 +155,6 @@ pushd %{name}-%{arcver} %patch22 -p1 %patch23 -p1 %endif -%patch24 -p1 %patch25 -p1 popd @@ -514,6 +512,17 @@ rm -rf tmp-ruby-docs %endif %changelog +* Tue Jun 24 2008 Akira TAGOH - 1.8.6.230-1 +- New upstream release. +- Security fixes. (#452293) + - CVE-2008-1891: WEBrick CGI source disclosure. + - CVE-2008-2662: Integer overflow in rb_str_buf_append(). + - CVE-2008-2663: Integer overflow in rb_ary_store(). + - CVE-2008-2664: Unsafe use of alloca in rb_str_format(). + - CVE-2008-2725: Integer overflow in rb_ary_splice(). + - CVE-2008-2726: Integer overflow in rb_ary_splice(). +- ruby-1.8.6.111-CVE-2007-5162.patch: removed. + * Tue Mar 4 2008 Akira TAGOH - 1.8.6.114-1 - Security fix for CVE-2008-1145. - Improve a spec file. (#226381) diff --git a/sources b/sources index dff6ae6..33ddadd 100644 --- a/sources +++ b/sources @@ -2,4 +2,4 @@ d65e3a216d6d345a2a6f1aa8758c2f75 ruby-refm-rdp-1.8.1-ja-html.tar.gz 634c25b14e19925d10af3720d72e8741 rubyfaq-990927.tar.gz 4fcec898f51d8371cc42d0a013940469 rubyfaq-jp-990927.tar.gz -b4d0c74497f684814bcfbb41b7384a71 ruby-1.8.6-p114.tar.bz2 +3eceb42d4fc56398676c20a49ac7e044 ruby-1.8.6-p230.tar.bz2 From b358caa3b81b73496b96688e01001539edd11d43 Mon Sep 17 00:00:00 2001 From: Akira TAGOH Date: Wed, 25 Jun 2008 07:52:10 +0000 Subject: [PATCH 05/11] - Fix a segfault issue. (#452798) --- ruby-1.8.6.230-string-str_buf_cat.patch | 28 +++++++++++++++++++++++++ ruby.spec | 7 ++++++- 2 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 ruby-1.8.6.230-string-str_buf_cat.patch 
diff --git a/ruby-1.8.6.230-string-str_buf_cat.patch b/ruby-1.8.6.230-string-str_buf_cat.patch new file mode 100644 index 0000000..287ddc9 --- /dev/null +++ b/ruby-1.8.6.230-string-str_buf_cat.patch @@ -0,0 +1,28 @@ +diff -pruN ruby-1.8.6-p230.orig/string.c ruby-1.8.6-p230/string.c +--- ruby-1.8.6-p230.orig/string.c 2008-06-20 18:24:53.000000000 +0900 ++++ ruby-1.8.6-p230/string.c 2008-06-25 16:10:17.000000000 +0900 +@@ -693,9 +693,13 @@ str_buf_cat(str, ptr, len) + const char *ptr; + long len; + { +- long capa, total; ++ long capa, total, off = -1; + + rb_str_modify(str); ++ if (ptr >= RSTRING(str)->ptr && ptr <= RSTRING(str)->ptr + RSTRING(str)->len) { ++ off = ptr - RSTRING(str)->ptr; ++ } ++ if (len == 0) return 0; + if (FL_TEST(str, STR_ASSOC)) { + FL_UNSET(str, STR_ASSOC); + capa = RSTRING(str)->aux.capa = RSTRING(str)->len; +@@ -717,6 +721,9 @@ str_buf_cat(str, ptr, len) + } + RESIZE_CAPA(str, capa); + } ++ if (off != -1) { ++ ptr = RSTRING(str)->ptr + off; ++ } + memcpy(RSTRING(str)->ptr + RSTRING(str)->len, ptr, len); + RSTRING(str)->len = total; + RSTRING(str)->ptr[total] = '\0'; /* sentinel */ diff --git a/ruby.spec b/ruby.spec index 3d6a2fb..f390b3e 100644 --- a/ruby.spec +++ b/ruby.spec @@ -12,7 +12,7 @@ Name: ruby Version: %{rubyver}%{?dotpatchlevel} -Release: 1%{?dist} +Release: 2%{?dist} License: Ruby or GPLv2 URL: http://www.ruby-lang.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -36,6 +36,7 @@ Patch21: ruby-deprecated-sitelib-search-path.patch Patch22: ruby-deprecated-search-path.patch Patch23: ruby-multilib.patch Patch25: ruby-1.8.6.111-gcc43.patch +Patch26: ruby-1.8.6.230-string-str_buf_cat.patch Summary: An interpreter of object-oriented scripting language Group: Development/Languages @@ -156,6 +157,7 @@ pushd %{name}-%{arcver} %patch23 -p1 %endif %patch25 -p1 +%patch26 -p1 popd %build 
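Review bot: The saved-offset logic added to str_buf_cat in ruby-1.8.6.230-string-str_buf_cat.patch carries no comment, so the reason `ptr` is recomputed just before the `memcpy` is easy to lose in a later cleanup. From the hunk it looks as if `ptr` may point into `str`'s own buffer and `RESIZE_CAPA` may move that buffer, which would leave the caller's `ptr` stale. I would say so above the range test, e.g. `/* ptr may alias str's buffer; keep its offset because RESIZE_CAPA can move the buffer */`. The range test compares `ptr` with `RSTRING(str)->ptr` using `>=`/`<=`, which strict C defines only for pointers into the same object, so a short remark that this is deliberate would help as well. The body of str_buf_cat starts and ends outside the hunk.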
@@ -512,6 +514,9 @@ rm -rf tmp-ruby-docs %endif %changelog +* Wed Jun 25 2008 Akira TAGOH - 1.8.6.230-2 +- Fix a segfault issue. (#452798) + * Tue Jun 24 2008 Akira TAGOH - 1.8.6.230-1 - New upstream release. - Security fixes. (#452293) From 11e1fc9cd2dc42a6e3c3007e1a928cdae39ea3a4 Mon Sep 17 00:00:00 2001 From: Akira TAGOH Date: Mon, 30 Jun 2008 03:46:12 +0000 Subject: [PATCH 06/11] - Backported from upstream SVN to fix a segfault issue. (#452825) - Backported from upstream SVN to fix an integer overflow in rb_ary_fill. --- .cvsignore | 4 ++- ruby-1.8.6.230-p238.patch | 58 +++++++++++++++++++++++++++++++++++++++ ruby-1.8.6.230-p248.patch | 16 +++++++++++ ruby.spec | 10 ++++++- 4 files changed, 86 insertions(+), 2 deletions(-) create mode 100644 ruby-1.8.6.230-p238.patch create mode 100644 ruby-1.8.6.230-p248.patch diff --git a/.cvsignore b/.cvsignore index 97c8a0b..170000a 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1,9 +1,11 @@ +*.bz2 +*.gz +*.rpm ruby-1.8.1.tar.gz ruby-man-1.4.6.tar.bz2 ruby-refm-rdp-1.8.1-ja-html.tar.gz rubyfaq-990927.tar.bz2 rubyfaq-jp-990927.tar.bz2 -*.rpm ruby-1.8.2.tar.gz ruby-1.8.3.tar.gz ruby-1.8.4-preview1.tar.gz diff --git a/ruby-1.8.6.230-p238.patch b/ruby-1.8.6.230-p238.patch new file mode 100644 index 0000000..1cf26ff --- /dev/null +++ b/ruby-1.8.6.230-p238.patch 
@@ -0,0 +1,58 @@ +diff -pruN ruby-1.8.6-p230.orig/class.c ruby-1.8.6-p230/class.c +--- ruby-1.8.6-p230.orig/class.c 2008-06-15 21:06:33.000000000 +0900 ++++ ruby-1.8.6-p230/class.c 2008-06-30 11:21:41.000000000 +0900 +@@ -62,10 +62,7 @@ clone_method(mid, body, data) + NODE *fbody = body->nd_body; + + if (fbody && nd_type(fbody) == NODE_SCOPE) { +- VALUE cref = data->klass ? +- (VALUE)NEW_NODE(NODE_CREF,data->klass,0,fbody->nd_rval) : +- fbody->nd_rval; +- fbody = NEW_NODE(NODE_SCOPE, fbody->nd_tbl, cref, fbody->nd_next); ++ fbody = rb_copy_node_scope(fbody, ruby_cref); + } + st_insert(data->tbl, mid, (st_data_t)NEW_METHOD(fbody, body->nd_noex)); + return ST_CONTINUE; +diff -pruN ruby-1.8.6-p230.orig/eval.c ruby-1.8.6-p230/eval.c +--- ruby-1.8.6-p230.orig/eval.c 2008-06-16 15:43:48.000000000 +0900 ++++ ruby-1.8.6-p230/eval.c 2008-06-30 11:19:15.000000000 +0900 +@@ -2239,8 +2239,8 @@ rb_mod_alias_method(mod, newname, oldnam + return mod; + } + +-static NODE* +-copy_node_scope(node, rval) ++NODE* ++rb_copy_node_scope(node, rval) + NODE *node; + NODE *rval; + { +@@ -3948,7 +3948,7 @@ rb_eval(self, n) + noex |= NOEX_NOSUPER; + } + +- defn = copy_node_scope(node->nd_defn, ruby_cref); ++ defn = rb_copy_node_scope(node->nd_defn, ruby_cref); + rb_add_method(ruby_class, node->nd_mid, defn, noex); + if (scope_vmode == SCOPE_MODFUNC) { + rb_add_method(rb_singleton_class(ruby_class), +@@ -3984,7 +3984,7 @@ rb_eval(self, n) + rb_warning("redefine %s", rb_id2name(node->nd_mid)); + } + } +- defn = copy_node_scope(node->nd_defn, ruby_cref); ++ defn = rb_copy_node_scope(node->nd_defn, ruby_cref); + rb_add_method(klass, node->nd_mid, defn, + NOEX_PUBLIC|(body?body->nd_noex&NOEX_UNDEF:0)); + result = Qnil; +diff -pruN ruby-1.8.6-p230.orig/node.h ruby-1.8.6-p230/node.h +--- ruby-1.8.6-p230.orig/node.h 2007-05-23 00:01:22.000000000 +0900 ++++ ruby-1.8.6-p230/node.h 2008-06-30 11:20:06.000000000 +0900 +@@ -371,6 +371,7 @@ typedef unsigned int rb_event_t; + #define RUBY_EVENT_ALL 0xff + + 
typedef void (*rb_event_hook_func_t) _((rb_event_t,NODE*,VALUE,ID,VALUE)); ++NODE *rb_copy_node_scope _((NODE *, NODE *)); + void rb_add_event_hook _((rb_event_hook_func_t,rb_event_t)); + int rb_remove_event_hook _((rb_event_hook_func_t)); + diff --git a/ruby-1.8.6.230-p248.patch b/ruby-1.8.6.230-p248.patch new file mode 100644 index 0000000..1279c48 --- /dev/null +++ b/ruby-1.8.6.230-p248.patch @@ -0,0 +1,16 @@ +diff -pruN ruby-1.8.6-p230.orig/array.c ruby-1.8.6-p230/array.c +--- ruby-1.8.6-p230.orig/array.c 2008-06-20 15:53:16.000000000 +0900 ++++ ruby-1.8.6-p230/array.c 2008-06-30 11:33:00.000000000 +0900 +@@ -2272,10 +2272,10 @@ rb_ary_fill(argc, argv, ary) + break; + } + rb_ary_modify(ary); +- end = beg + len; +- if (end < 0) { ++ if (len > ARY_MAX_SIZE - beg) { + rb_raise(rb_eArgError, "argument too big"); + } ++ end = beg + len; + if (end > RARRAY(ary)->len) { + if (end >= RARRAY(ary)->aux.capa) { + REALLOC_N(RARRAY(ary)->ptr, VALUE, end); diff --git a/ruby.spec b/ruby.spec index f390b3e..d4a90ba 100644 --- a/ruby.spec +++ b/ruby.spec @@ -12,7 +12,7 @@ Name: ruby Version: %{rubyver}%{?dotpatchlevel} -Release: 2%{?dist} +Release: 3%{?dist} License: Ruby or GPLv2 URL: http://www.ruby-lang.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -37,6 +37,8 @@ Patch22: ruby-deprecated-search-path.patch Patch23: ruby-multilib.patch Patch25: ruby-1.8.6.111-gcc43.patch Patch26: ruby-1.8.6.230-string-str_buf_cat.patch +Patch27: ruby-1.8.6.230-p238.patch +Patch28: ruby-1.8.6.230-p248.patch Summary: An interpreter of object-oriented scripting language Group: Development/Languages @@ -158,6 +160,8 @@ pushd %{name}-%{arcver} %endif %patch25 -p1 %patch26 -p1 +%patch27 -p1 +%patch28 -p1 popd %build 
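Review bot: The prototype `NODE *rb_copy_node_scope _((NODE *, NODE *));` added to node.h in ruby-1.8.6.230-p238.patch sits between the event-hook typedef and `rb_add_event_hook` with no comment, although the function is newly exported. A line such as `/* defined in eval.c; also used by clone_method() in class.c */` would tell the next reader why it lost its `static`. In the class.c part of the same hunk, `clone_method` now passes `ruby_cref` and no longer reads `data->klass` when building the copied scope. If that change of class reference is intended it deserves a sentence in the patch, since nothing visible explains it. All three functions touched here continue outside the hunk.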
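Review bot: In the rb_ary_fill hunk of ruby-1.8.6.230-p248.patch the new guard `if (len > ARY_MAX_SIZE - beg)` is sound only when `beg` and `len` are already non-negative, and nothing in the hunk shows that. This is presumably established by the argument handling above the `break;`, which is outside the hunk and should be confirmed. The point of moving the test ahead of `end = beg + len;` is that the old `end < 0` check relied on signed overflow, which C leaves undefined. I would record both facts next to the guard, e.g. `/* beg, len >= 0 here; test before adding so beg + len cannot overflow */`.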
@@ -514,6 +518,10 @@ rm -rf tmp-ruby-docs %endif %changelog +* Mon Jun 30 2008 Akira TAGOH - 1.8.6.230-3 +- Backported from upstream SVN to fix a segfault issue. (#452825) +- Backported from upstream SVN to fix an integer overflow in rb_ary_fill. + * Wed Jun 25 2008 Akira TAGOH - 1.8.6.230-2 - Fix a segfault issue. (#452798) From 6ebbfce19f42fcc92ef031ad5952a49cc3908bee Mon Sep 17 00:00:00 2001 From: Akira TAGOH Date: Tue, 1 Jul 2008 08:47:11 +0000 Subject: [PATCH 07/11] - Backported from upstream SVN to fix a segfault issue with Array#fill. --- ruby-1.8.6.230-p257.patch | 12 ++++++++++++ ruby.spec | 7 ++++++- 2 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 ruby-1.8.6.230-p257.patch diff --git a/ruby-1.8.6.230-p257.patch b/ruby-1.8.6.230-p257.patch new file mode 100644 index 0000000..dbae14a --- /dev/null +++ b/ruby-1.8.6.230-p257.patch @@ -0,0 +1,12 @@ +diff -pruN ruby-1.8.6-p230.orig/array.c ruby-1.8.6-p230/array.c +--- ruby-1.8.6-p230.orig/array.c 2008-07-01 16:32:12.000000000 +0900 ++++ ruby-1.8.6-p230/array.c 2008-07-01 16:34:01.000000000 +0900 +@@ -2272,7 +2272,7 @@ rb_ary_fill(argc, argv, ary) + break; + } + rb_ary_modify(ary); +- if (len > ARY_MAX_SIZE - beg) { ++ if (beg >= ARY_MAX_SIZE || len > ARY_MAX_SIZE - beg) { + rb_raise(rb_eArgError, "argument too big"); + } + end = beg + len; diff --git a/ruby.spec b/ruby.spec index d4a90ba..fd3a95a 100644 --- a/ruby.spec +++ b/ruby.spec @@ -12,7 +12,7 @@ Name: ruby Version: %{rubyver}%{?dotpatchlevel} -Release: 3%{?dist} +Release: 4%{?dist} License: Ruby or GPLv2 URL: http://www.ruby-lang.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -39,6 +39,7 @@ Patch25: ruby-1.8.6.111-gcc43.patch Patch26: ruby-1.8.6.230-string-str_buf_cat.patch Patch27: ruby-1.8.6.230-p238.patch Patch28: ruby-1.8.6.230-p248.patch +Patch29: ruby-1.8.6.230-p257.patch Summary: An interpreter of object-oriented scripting language Group: Development/Languages 
@@ -162,6 +163,7 @@ pushd %{name}-%{arcver} %patch26 -p1 %patch27 -p1 %patch28 -p1 +%patch29 -p1 popd %build @@ -518,6 +520,9 @@ rm -rf tmp-ruby-docs %endif %changelog +* Tue Jul 1 2008 Akira TAGOH - 1.8.6.230-4 +- Backported from upstream SVN to fix a segfault issue with Array#fill. + * Mon Jun 30 2008 Akira TAGOH - 1.8.6.230-3 - Backported from upstream SVN to fix a segfault issue. (#452825) - Backported from upstream SVN to fix an integer overflow in rb_ary_fill. From 72862efc8e57d75dccfd815786bee43a9bdc784f Mon Sep 17 00:00:00 2001 From: Akira TAGOH Date: Sat, 23 Aug 2008 09:12:42 +0000 Subject: [PATCH 08/11] - New upstream release. - Security fixes. - CVE-2008-3655: Ruby does not properly restrict access to critical variables and methods at various safe levels. - CVE-2008-3656: DoS vulnerability in WEBrick. - CVE-2008-3657: Lack of taintness check in dl. - CVE-2008-1447: DNS spoofing vulnerability in resolv.rb. - CVE-2008-3443: Memory allocation failure in Ruby regex engine. - Remove the unnecessary backported patches. --- .cvsignore | 1 + ruby-1.8.6.230-p238.patch | 58 ------------------------- ruby-1.8.6.230-p248.patch | 16 ------- ruby-1.8.6.230-p257.patch | 12 ----- ruby-1.8.6.230-string-str_buf_cat.patch | 28 ------------ ruby-fix-autoconf-magic-code.patch | 11 ----- ruby.spec | 23 +++++----- sources | 2 +- 8 files changed, 15 insertions(+), 136 deletions(-) delete mode 100644 ruby-1.8.6.230-p238.patch delete mode 100644 ruby-1.8.6.230-p248.patch delete mode 100644 ruby-1.8.6.230-p257.patch delete mode 100644 ruby-1.8.6.230-string-str_buf_cat.patch delete mode 100644 ruby-fix-autoconf-magic-code.patch diff --git a/.cvsignore b/.cvsignore index 170000a..c3a8483 100644 --- a/.cvsignore +++ b/.cvsignore @@ -20,3 +20,4 @@ ruby-1.8.6-p110.tar.bz2 ruby-1.8.6-p111.tar.bz2 ruby-1.8.6-p114.tar.bz2 ruby-1.8.6-p230.tar.bz2 +ruby-1.8.6-p287.tar.bz2 diff --git a/ruby-1.8.6.230-p238.patch b/ruby-1.8.6.230-p238.patch deleted file mode 100644 index 1cf26ff..0000000 
--- a/ruby-1.8.6.230-p238.patch
+++ /dev/null
@@ -1,58 +0,0 @@ -diff -pruN ruby-1.8.6-p230.orig/class.c ruby-1.8.6-p230/class.c ---- ruby-1.8.6-p230.orig/class.c 2008-06-15 21:06:33.000000000 +0900 -+++ ruby-1.8.6-p230/class.c 2008-06-30 11:21:41.000000000 +0900 -@@ -62,10 +62,7 @@ clone_method(mid, body, data) - NODE *fbody = body->nd_body; - - if (fbody && nd_type(fbody) == NODE_SCOPE) { -- VALUE cref = data->klass ? -- (VALUE)NEW_NODE(NODE_CREF,data->klass,0,fbody->nd_rval) : -- fbody->nd_rval; -- fbody = NEW_NODE(NODE_SCOPE, fbody->nd_tbl, cref, fbody->nd_next); -+ fbody = rb_copy_node_scope(fbody, ruby_cref); - } - st_insert(data->tbl, mid, (st_data_t)NEW_METHOD(fbody, body->nd_noex)); - return ST_CONTINUE; -diff -pruN ruby-1.8.6-p230.orig/eval.c ruby-1.8.6-p230/eval.c ---- ruby-1.8.6-p230.orig/eval.c 2008-06-16 15:43:48.000000000 +0900 -+++ ruby-1.8.6-p230/eval.c 2008-06-30 11:19:15.000000000 +0900 -@@ -2239,8 +2239,8 @@ rb_mod_alias_method(mod, newname, oldnam - return mod; - } - --static NODE* --copy_node_scope(node, rval) -+NODE* -+rb_copy_node_scope(node, rval) - NODE *node; - NODE *rval; - { -@@ -3948,7 +3948,7 @@ rb_eval(self, n) - noex |= NOEX_NOSUPER; - } - -- defn = copy_node_scope(node->nd_defn, ruby_cref); -+ defn = rb_copy_node_scope(node->nd_defn, ruby_cref); - rb_add_method(ruby_class, node->nd_mid, defn, noex); - if (scope_vmode == SCOPE_MODFUNC) { - rb_add_method(rb_singleton_class(ruby_class), -@@ -3984,7 +3984,7 @@ rb_eval(self, n) - rb_warning("redefine %s", rb_id2name(node->nd_mid)); - } - } -- defn = copy_node_scope(node->nd_defn, ruby_cref); -+ defn = rb_copy_node_scope(node->nd_defn, ruby_cref); - rb_add_method(klass, node->nd_mid, defn, - NOEX_PUBLIC|(body?body->nd_noex&NOEX_UNDEF:0)); - result = Qnil; -diff -pruN ruby-1.8.6-p230.orig/node.h ruby-1.8.6-p230/node.h ---- ruby-1.8.6-p230.orig/node.h 2007-05-23 00:01:22.000000000 +0900 -+++ ruby-1.8.6-p230/node.h 2008-06-30 11:20:06.000000000 +0900 -@@ -371,6 +371,7 @@ typedef unsigned int rb_event_t; - #define RUBY_EVENT_ALL 0xff - - 
typedef void (*rb_event_hook_func_t) _((rb_event_t,NODE*,VALUE,ID,VALUE)); -+NODE *rb_copy_node_scope _((NODE *, NODE *)); - void rb_add_event_hook _((rb_event_hook_func_t,rb_event_t)); - int rb_remove_event_hook _((rb_event_hook_func_t)); - diff --git a/ruby-1.8.6.230-p248.patch b/ruby-1.8.6.230-p248.patch deleted file mode 100644 index 1279c48..0000000 --- a/ruby-1.8.6.230-p248.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff -pruN ruby-1.8.6-p230.orig/array.c ruby-1.8.6-p230/array.c ---- ruby-1.8.6-p230.orig/array.c 2008-06-20 15:53:16.000000000 +0900 -+++ ruby-1.8.6-p230/array.c 2008-06-30 11:33:00.000000000 +0900 -@@ -2272,10 +2272,10 @@ rb_ary_fill(argc, argv, ary) - break; - } - rb_ary_modify(ary); -- end = beg + len; -- if (end < 0) { -+ if (len > ARY_MAX_SIZE - beg) { - rb_raise(rb_eArgError, "argument too big"); - } -+ end = beg + len; - if (end > RARRAY(ary)->len) { - if (end >= RARRAY(ary)->aux.capa) { - REALLOC_N(RARRAY(ary)->ptr, VALUE, end); diff --git a/ruby-1.8.6.230-p257.patch b/ruby-1.8.6.230-p257.patch deleted file mode 100644 index dbae14a..0000000 --- a/ruby-1.8.6.230-p257.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -pruN ruby-1.8.6-p230.orig/array.c ruby-1.8.6-p230/array.c ---- ruby-1.8.6-p230.orig/array.c 2008-07-01 16:32:12.000000000 +0900 -+++ ruby-1.8.6-p230/array.c 2008-07-01 16:34:01.000000000 +0900 -@@ -2272,7 +2272,7 @@ rb_ary_fill(argc, argv, ary) - break; - } - rb_ary_modify(ary); -- if (len > ARY_MAX_SIZE - beg) { -+ if (beg >= ARY_MAX_SIZE || len > ARY_MAX_SIZE - beg) { - rb_raise(rb_eArgError, "argument too big"); - } - end = beg + len; diff --git a/ruby-1.8.6.230-string-str_buf_cat.patch b/ruby-1.8.6.230-string-str_buf_cat.patch deleted file mode 100644 index 287ddc9..0000000 --- a/ruby-1.8.6.230-string-str_buf_cat.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -diff -pruN ruby-1.8.6-p230.orig/string.c ruby-1.8.6-p230/string.c ---- ruby-1.8.6-p230.orig/string.c 2008-06-20 18:24:53.000000000 +0900 -+++ ruby-1.8.6-p230/string.c 2008-06-25 16:10:17.000000000 +0900 -@@ -693,9 +693,13 @@ str_buf_cat(str, ptr, len) - const char *ptr; - long len; - { -- long capa, total; -+ long capa, total, off = -1; - - rb_str_modify(str); -+ if (ptr >= RSTRING(str)->ptr && ptr <= RSTRING(str)->ptr + RSTRING(str)->len) { -+ off = ptr - RSTRING(str)->ptr; -+ } -+ if (len == 0) return 0; - if (FL_TEST(str, STR_ASSOC)) { - FL_UNSET(str, STR_ASSOC); - capa = RSTRING(str)->aux.capa = RSTRING(str)->len; -@@ -717,6 +721,9 @@ str_buf_cat(str, ptr, len) - } - RESIZE_CAPA(str, capa); - } -+ if (off != -1) { -+ ptr = RSTRING(str)->ptr + off; -+ } - memcpy(RSTRING(str)->ptr + RSTRING(str)->len, ptr, len); - RSTRING(str)->len = total; - RSTRING(str)->ptr[total] = '\0'; /* sentinel */ diff --git a/ruby-fix-autoconf-magic-code.patch b/ruby-fix-autoconf-magic-code.patch deleted file mode 100644 index 58ac75f..0000000 --- a/ruby-fix-autoconf-magic-code.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -ruN ruby-1.8.4.orig/mkconfig.rb ruby-1.8.4/mkconfig.rb ---- ruby-1.8.4.orig/mkconfig.rb 2006-07-19 20:39:48.000000000 +0900 -+++ ruby-1.8.4/mkconfig.rb 2006-07-19 20:40:12.000000000 +0900 -@@ -37,6 +37,7 @@ - has_version = false - File.foreach "config.status" do |line| - next if /^#/ =~ line -+ line.gsub!(/\|#_!!_#\|/, '') - if /^s[%,]@program_transform_name@[%,]s,(.*)/ =~ line - next if $install_name - ptn = $1.sub(/\$\$/, '$').split(/,/) #' diff --git a/ruby.spec b/ruby.spec index fd3a95a..942d094 100644 --- a/ruby.spec +++ b/ruby.spec @@ -1,6 +1,6 @@ %define rubyxver 1.8 %define rubyver 1.8.6 -%define _patchlevel 230 +%define _patchlevel 287 %define dotpatchlevel %{?_patchlevel:.%{_patchlevel}} %define patchlevel %{?_patchlevel:-p%{_patchlevel}} %define arcver %{rubyver}%{?patchlevel} 
@@ -12,7 +12,7 @@ Name: ruby Version: %{rubyver}%{?dotpatchlevel} -Release: 4%{?dist} +Release: 1%{?dist} License: Ruby or GPLv2 URL: http://www.ruby-lang.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -36,10 +36,6 @@ Patch21: ruby-deprecated-sitelib-search-path.patch Patch22: ruby-deprecated-search-path.patch Patch23: ruby-multilib.patch Patch25: ruby-1.8.6.111-gcc43.patch -Patch26: ruby-1.8.6.230-string-str_buf_cat.patch -Patch27: ruby-1.8.6.230-p238.patch -Patch28: ruby-1.8.6.230-p248.patch -Patch29: ruby-1.8.6.230-p257.patch Summary: An interpreter of object-oriented scripting language Group: Development/Languages @@ -160,10 +156,6 @@ pushd %{name}-%{arcver} %patch23 -p1 %endif %patch25 -p1 -%patch26 -p1 -%patch27 -p1 -%patch28 -p1 -%patch29 -p1 popd %build @@ -520,6 +512,17 @@ rm -rf tmp-ruby-docs %endif %changelog +* Sat Aug 23 2008 Akira TAGOH - 1.8.6.287-1 +- New upstream release. +- Security fixes. + - CVE-2008-3655: Ruby does not properly restrict access to critical + variables and methods at various safe levels. + - CVE-2008-3656: DoS vulnerability in WEBrick. + - CVE-2008-3657: Lack of taintness check in dl. + - CVE-2008-1447: DNS spoofing vulnerability in resolv.rb. + - CVE-2008-3443: Memory allocation failure in Ruby regex engine. +- Remove the unnecessary backported patches. + * Tue Jul 1 2008 Akira TAGOH - 1.8.6.230-4 - Backported from upstream SVN to fix a segfault issue with Array#fill. diff --git a/sources b/sources index 33ddadd..6e9470f 100644 --- a/sources +++ b/sources @@ -2,4 +2,4 @@ d65e3a216d6d345a2a6f1aa8758c2f75 ruby-refm-rdp-1.8.1-ja-html.tar.gz 634c25b14e19925d10af3720d72e8741 rubyfaq-990927.tar.gz 4fcec898f51d8371cc42d0a013940469 rubyfaq-jp-990927.tar.gz -3eceb42d4fc56398676c20a49ac7e044 ruby-1.8.6-p230.tar.bz2 +80b5f3db12531d36e6c81fac6d05dda9 ruby-1.8.6-p287.tar.bz2 From 34dea7491fb3550bf64879bf0525a0bacfa885b3 Mon Sep 17 00:00:00 2001 
From: Akira TAGOH Date: Wed, 8 Oct 2008 13:56:55 +0000 Subject: [PATCH 09/11] - CVE-2008-3790: DoS vulnerability in the REXML module. --- ruby-1.8.6-rexml-CVE-2008-3790.patch | 96 ++++++++++++++++++++++++++++ ruby.spec | 7 +- 2 files changed, 102 insertions(+), 1 deletion(-) create mode 100644 ruby-1.8.6-rexml-CVE-2008-3790.patch diff --git a/ruby-1.8.6-rexml-CVE-2008-3790.patch b/ruby-1.8.6-rexml-CVE-2008-3790.patch new file mode 100644 index 0000000..2ce6e1f --- /dev/null +++ b/ruby-1.8.6-rexml-CVE-2008-3790.patch 
@@ -0,0 +1,96 @@ +diff -pruN ruby-1.8.6-p287.orig/lib/rexml/document.rb ruby-1.8.6-p287/lib/rexml/document.rb +--- ruby-1.8.6-p287.orig/lib/rexml/document.rb 2007-11-04 13:50:15.000000000 +0900 ++++ ruby-1.8.6-p287/lib/rexml/document.rb 2008-10-08 22:25:14.000000000 +0900 +@@ -32,6 +32,7 @@ module REXML + # @param context if supplied, contains the context of the document; + # this should be a Hash. + def initialize( source = nil, context = {} ) ++ @entity_expansion_count = 0 + super() + @context = context + return if source.nil? +@@ -200,6 +201,27 @@ module REXML + Parsers::StreamParser.new( source, listener ).parse + end + ++ @@entity_expansion_limit = 10_000 ++ ++ # Set the entity expansion limit. By defualt the limit is set to 10000. ++ def Document::entity_expansion_limit=( val ) ++ @@entity_expansion_limit = val ++ end ++ ++ # Get the entity expansion limit. By defualt the limit is set to 10000. ++ def Document::entity_expansion_limit ++ return @@entity_expansion_limit ++ end ++ ++ attr_reader :entity_expansion_count ++ ++ def record_entity_expansion ++ @entity_expansion_count += 1 ++ if @entity_expansion_count > @@entity_expansion_limit ++ raise "number of entity expansions exceeded, processing aborted." ++ end ++ end ++ + private + def build( source ) + Parsers::TreeParser.new( source, self ).parse +diff -pruN ruby-1.8.6-p287.orig/lib/rexml/entity.rb ruby-1.8.6-p287/lib/rexml/entity.rb +--- ruby-1.8.6-p287.orig/lib/rexml/entity.rb 2007-07-28 11:46:08.000000000 +0900 ++++ ruby-1.8.6-p287/lib/rexml/entity.rb 2008-10-08 22:25:14.000000000 +0900 +@@ -73,6 +73,7 @@ module REXML + # all entities -- both %ent; and &ent; entities. This differs from + # +value()+ in that +value+ only replaces %ent; entities. + def unnormalized ++ document.record_entity_expansion + v = value() + return nil if v.nil? 
+ @unnormalized = Text::unnormalize(v, parent) +diff -pruN ruby-1.8.6-p287.orig/test/rexml/test_document.rb ruby-1.8.6-p287/test/rexml/test_document.rb +--- ruby-1.8.6-p287.orig/test/rexml/test_document.rb 1970-01-01 09:00:00.000000000 +0900 ++++ ruby-1.8.6-p287/test/rexml/test_document.rb 2008-10-08 22:25:14.000000000 +0900 +@@ -0,0 +1,42 @@ ++require "rexml/document" ++require "test/unit" ++ ++class REXML::TestDocument < Test::Unit::TestCase ++ def test_new ++ doc = REXML::Document.new(< ++Hello world! ++EOF ++ assert_equal("Hello world!", doc.root.children.first.value) ++ end ++ ++ XML_WITH_NESTED_ENTITY = < ++ ++ ++ ++ ++ ++ ++ ++]> ++ ++&a; ++ ++EOF ++ ++ def test_entity_expansion_limit ++ doc = REXML::Document.new(XML_WITH_NESTED_ENTITY) ++ assert_raise(RuntimeError) do ++ doc.root.children.first.value ++ end ++ REXML::Document.entity_expansion_limit = 100 ++ assert_equal(100, REXML::Document.entity_expansion_limit) ++ doc = REXML::Document.new(XML_WITH_NESTED_ENTITY) ++ assert_raise(RuntimeError) do ++ doc.root.children.first.value ++ end ++ assert_equal(101, doc.entity_expansion_count) ++ end ++end diff --git a/ruby.spec b/ruby.spec index 942d094..bb50369 100644 --- a/ruby.spec +++ b/ruby.spec @@ -12,7 +12,7 @@ Name: ruby Version: %{rubyver}%{?dotpatchlevel} -Release: 1%{?dist} +Release: 2%{?dist} License: Ruby or GPLv2 URL: http://www.ruby-lang.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -36,6 +36,7 @@ Patch21: ruby-deprecated-sitelib-search-path.patch Patch22: ruby-deprecated-search-path.patch Patch23: ruby-multilib.patch Patch25: ruby-1.8.6.111-gcc43.patch +Patch26: ruby-1.8.6-rexml-CVE-2008-3790.patch Summary: An interpreter of object-oriented scripting language Group: Development/Languages @@ -156,6 +157,7 @@ pushd %{name}-%{arcver} %patch23 -p1 %endif %patch25 -p1 +%patch26 -p1 popd %build 
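Review bot: Entity#unnormalized in ruby-1.8.6-rexml-CVE-2008-3790.patch now calls `document.record_entity_expansion` unconditionally, so an entity whose `document` is nil would raise NoMethodError instead of expanding. Whether `document` can be nil is not visible in the hunk, but an entity built outside a document tree is the case to check. A guarded call such as `document.record_entity_expansion unless document.nil?` keeps the limit for parsed documents, at the cost of not counting detached entities. Separately, the limit is reported with a bare `raise "..."`, i.e. a RuntimeError that callers and logs cannot tell apart from unrelated failures; a dedicated error class would make the guard easier to handle. `Document::entity_expansion_limit=` also stores any value in a class variable, so one caller raising or clearing the limit changes it for the whole process.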
@@ -512,6 +514,9 @@ rm -rf tmp-ruby-docs %endif %changelog +* Wed Oct 8 2008 Akira TAGOH - 1.8.6.287-2 +- CVE-2008-3790: DoS vulnerability in the REXML module. + * Sat Aug 23 2008 Akira TAGOH - 1.8.6.287-1 - New upstream release. - Security fixes. From c22bcde976a09ab43f2551dbcf3741f2bf569a16 Mon Sep 17 00:00:00 2001 From: Bill Nottingham Date: Thu, 26 Nov 2009 01:30:25 +0000 Subject: [PATCH 10/11] Fix typo that causes a failure to update the common directory. (releng #2781) --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index d363f5c..9141959 100644 --- a/Makefile +++ b/Makefile @@ -1,10 +1,10 @@ # Makefile for source rpm: ruby -# $Id: Makefile,v 1.1 2004/09/09 11:54:27 cvsdist Exp $ +# $Id: Makefile,v 1.2 2007/10/15 19:21:20 notting Exp $ NAME := ruby SPECFILE = $(firstword $(wildcard *.spec)) define find-makefile-common -for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done +for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done endef MAKEFILE_COMMON := $(shell $(find-makefile-common)) From 192273743711481c1640913e28e7bf4b551f7b2b Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 29 Jul 2010 11:43:43 +0000 Subject: [PATCH 11/11] dist-git conversion --- .cvsignore => .gitignore | 0 Makefile | 21 --------------------- branch | 1 - 3 files changed, 22 deletions(-) rename .cvsignore => .gitignore (100%) delete mode 100644 Makefile delete mode 100644 branch diff --git a/.cvsignore b/.gitignore similarity index 100% rename from .cvsignore rename to .gitignore diff --git a/Makefile b/Makefile deleted file mode 100644 index 9141959..0000000 --- a/Makefile +++ /dev/null 
@@ -1,21 +0,0 @@
-# Makefile for source rpm: ruby
-# $Id: Makefile,v 1.2 2007/10/15 19:21:20 notting Exp $
-NAME := ruby
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attempt a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)
diff --git a/branch b/branch
deleted file mode 100644
index e9e7ccd..0000000
--- a/branch
+++ /dev/null
@@ -1 +0,0 @@
-F-8