From 547a26e38a0a931b73296244e7a36e75b6eef8dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADt=20Ondruch?=
Date: Thu, 20 Oct 2016 13:55:21 +0200
Subject: [PATCH 01/15] Add gemspec_add_dep and gemspec_remove_dep macros.
---
macros.rubygems | 78 +++++++++++++++++++++++++++++++++++++++++++++++++
ruby.spec | 5 +++-
2 files changed, 82 insertions(+), 1 deletion(-)
diff --git a/macros.rubygems b/macros.rubygems
index 6d99ac3..8218ec9 100644
--- a/macros.rubygems
+++ b/macros.rubygems
@@ -34,3 +34,81 @@ gem install \\\ %rubygems_default_filter %{expand: \ %global __provides_exclude_from %{?__provides_exclude_from:%{__provides_exclude_from}|}^%{gem_extdir_mri}/.*\\\\.so$ \ } + +# The 'read' command in gemspec_add _depand gemspec_remove_dep macros is not +# essential, but it is usefull to make the sript appear in build log. + +# Add dependency named gem with version requirements to .gemspec. It adds +# runtime dependency by default. +# -g Specifies name of the gem dependency. +# -s Overrides the default .gemspec location. +# -d Add development dependecy. +# +# The remaining arguments are expected to be version requirements and should +# be valid Ruby code. +%gemspec_add_dep(g:s:d) \ +read -d '' gemspec_add_dep_script << 'EOR' || : \ + gemspec_file = '%{-s*}%{!?-s:./%{gem_name}.gemspec}' \ + \ + name = '%{-g*}' \ + requirements = %{*}%{!?1:nil} \ + \ + type = :%{!?-d:runtime}%{?-d:development} \ + \ + spec = Gem::Specification.load(gemspec_file) \ + abort("#{gemspec_file} is not accessible.") unless spec \ + \ + dep = spec.dependencies.detect { |d| d.type == type && d.name == name } \ + if dep \ + dep.requirement.concat requirements \ + else \ + spec.public_send "add_#{type}_dependency", name, requirements \ + end \ + File.write gemspec_file, spec.to_ruby \ +EOR\ +echo "$gemspec_add_dep_script" | ruby \ +unset -v gemspec_add_dep_script \ +%{nil} + +# Remove dependency named gem with version requirements to .gemspec. It +# removes runtime dependency by default. +# -g Specifies name of the gem dependency. +# -s Overrides the default .gemspec location. +# -d Remove development dependecy. +# +# The remaining arguments are expected to be version requirements and should +# be valid Ruby code. The macro fails if these specific requirements can't be +# removed. 
+%gemspec_remove_dep(g:s:d) \ +read -d '' gemspec_remove_dep_script << 'EOR' || : \ + gemspec_file = '%{-s*}%{!?-s:./%{gem_name}.gemspec}' \ + \ + name = '%{-g*}' \ + requirements = %{*}%{!?1:nil} \ + \ + type = :%{!?-d:runtime}%{?-d:development} \ + \ + spec = Gem::Specification.load(gemspec_file) \ + abort("#{gemspec_file} is not accessible.") unless spec \ + \ + dep = spec.dependencies.detect { |d| d.type == type && d.name == name } \ + if dep \ + if requirements \ + requirements = Gem::Requirement.create(requirements).requirements \ + requirements.each do |r| \ + unless dep.requirement.requirements.reject! { |dependency_requirements| dependency_requirements == r } \ + abort("Requirement '#{r.first} #{r.last}' was not possible to remove for dependency '#{dep}'!") \ + end \ + end \ + spec.dependencies.delete dep if dep.requirement.requirements.empty? \ + else \ + spec.dependencies.delete dep \ + end \ + else \ + abort("Dependency '#{name}' was not found!") \ + end \ + File.write gemspec_file, spec.to_ruby \ +EOR\ +echo "$gemspec_remove_dep_script" | ruby \ +unset -v gemspec_remove_dep_script \ +%{nil} diff --git a/ruby.spec b/ruby.spec index 829f506..5cbbffa 100644 --- a/ruby.spec +++ b/ruby.spec @@ -21,7 +21,7 @@ %endif -%global release 58 +%global release 60 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} # The RubyGems library has to stay out of Ruby directory three, since the @@ -963,6 +963,9 @@ make check TESTS="-v $DISABLE_TESTS" %{ruby_libdir}/tkextlib %changelog +* Fri Oct 21 2016 Vít Ondruch - 2.3.1-60 +- Add gemspec_add_dep and gemspec_remove_dep macros. + * Wed Aug 10 2016 Vít Ondruch - 2.3.1-58 - Workaround "an invalid stdio handle" error on PPC (rhbz#1361037). From 5bf9dfde857c7f679530b81f563a08b5e0c2ba2a Mon Sep 17 00:00:00 2001 
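Review bot: Both macro bodies splice their arguments verbatim into Ruby source — `name = '%{-g*}'`, `gemspec_file = '%{-s*}…'` and `requirements = %{*}` — so a gem name or path containing a quote or backslash breaks the generated script, and `requirements` is by design arbitrary Ruby evaluated at build time; the values come from the spec author rather than from the gem being packaged, so this is a robustness rather than an injection point, but the header comment should say so. The final `File.write gemspec_file, spec.to_ruby` also deserves a sentence in the doc block: `Gem::Specification.load` evaluates the gemspec and the serialized result then replaces the file, so comments, conditionals and computed values such as a `git ls-files` file list are flattened into the static form RubyGems emits. A suggested comment above `%gemspec_add_dep`: `# NOTE: arguments are interpolated verbatim into a Ruby script (quote them carefully) and the .gemspec is rewritten from its loaded form, so any non-declarative content of the original file is lost.`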
From: =?UTF-8?q?V=C3=ADt=20Ondruch?= Date: Fri, 21 Oct 2016 12:36:39 +0200 Subject: [PATCH 02/15] Improve macro documentation. --- macros.rubygems | 52 ++++++++++++++++++++++++++++++++----------------- 1 file changed, 34 insertions(+), 18 deletions(-) diff --git a/macros.rubygems b/macros.rubygems index 8218ec9..45c59c4 100644 --- a/macros.rubygems +++ b/macros.rubygems @@ -10,9 +10,14 @@ %gem_spec %{gem_dir}/specifications/%{gem_name}-%{version}.gemspec %gem_docdir %{gem_dir}/doc/%{gem_name}-%{version} -# Install gem into appropriate directory. -# -n Overrides gem file name for installation. -# -d Set installation directory. + +# %gem_install - Install gem into appropriate directory. +# +# Usage: %gem_install [options] +# +# -n Overrides gem file name for installation. +# -d Set installation directory. +# %gem_install(d:n:) \ mkdir -p %{-d*}%{!?-d:.%{gem_dir}} \ \ @@ -26,6 +31,7 @@ gem install \\\ %{-n*}%{!?-n:%{gem_name}-%{version}.gem} \ %{nil} + # For rubygems packages we want to filter out any provides caused by private # libs in %%{gem_archdir}. # 
@@ -35,17 +41,23 @@ gem install \\\ %global __provides_exclude_from %{?__provides_exclude_from:%{__provides_exclude_from}|}^%{gem_extdir_mri}/.*\\\\.so$ \ } + # The 'read' command in gemspec_add _depand gemspec_remove_dep macros is not # essential, but it is usefull to make the sript appear in build log. -# Add dependency named gem with version requirements to .gemspec. It adds -# runtime dependency by default. -# -g Specifies name of the gem dependency. -# -s Overrides the default .gemspec location. -# -d Add development dependecy. + +# %gemspec_add_dep - Add dependency into .gemspec. +# +# Usage: %gemspec_add_dep -g [options] [requirements] +# +# Add dependency named to .gemspec file. The macro adds runtime +# dependency by default. The [requirements] argument can be used to specify +# the dependency constraints more precisely. It is expected to be valid Ruby +# code. +# +# -s Overrides the default .gemspec location. +# -d Add development dependecy. # -# The remaining arguments are expected to be version requirements and should -# be valid Ruby code. %gemspec_add_dep(g:s:d) \ read -d '' gemspec_add_dep_script << 'EOR' || : \ gemspec_file = '%{-s*}%{!?-s:./%{gem_name}.gemspec}' \ 
@@ -70,15 +82,19 @@ echo "$gemspec_add_dep_script" | ruby \ unset -v gemspec_add_dep_script \ %{nil} -# Remove dependency named gem with version requirements to .gemspec. It -# removes runtime dependency by default. -# -g Specifies name of the gem dependency. -# -s Overrides the default .gemspec location. -# -d Remove development dependecy. + +# %gemspec_remove_dep - Remove dependency from .gemspec. +# +# Usage: %gemspec_remove_dep -g [options] [requirements] +# +# Remove dependency named from .gemspec file. The macro removes runtime +# dependency by default. The [requirements] argument can be used to specify +# the dependency constraints more precisely. It is expected to be valid Ruby +# code. The macro fails if these specific requirements can't be removed. +# +# -s Overrides the default .gemspec location. +# -d Remove development dependecy. # -# The remaining arguments are expected to be version requirements and should -# be valid Ruby code. The macro fails if these specific requirements can't be -# removed. %gemspec_remove_dep(g:s:d) \ read -d '' gemspec_remove_dep_script << 'EOR' || : \ gemspec_file = '%{-s*}%{!?-s:./%{gem_name}.gemspec}' \ From 327dc4e98f76a80166458978ea58aa7a3336b058 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADt=20Ondruch?= Date: Fri, 18 Nov 2016 16:58:41 +0100 Subject: [PATCH 03/15] Update to Ruby 2.3.2. --- ruby-2.3.0-ruby_version.patch | 4 ++-- ruby-2.4.0-increase-timeout-for-ARMv7.patch | 25 --------------------- ruby.spec | 20 ++++++++--------- sources | 2 +- 4 files changed, 12 insertions(+), 39 deletions(-) delete mode 100644 ruby-2.4.0-increase-timeout-for-ARMv7.patch diff --git a/ruby-2.3.0-ruby_version.patch b/ruby-2.3.0-ruby_version.patch index cdd016c..96d7249 100644 --- a/ruby-2.3.0-ruby_version.patch +++ b/ruby-2.3.0-ruby_version.patch @@ -249,7 +249,7 @@ diff --git a/test/rubygems/test_gem.rb b/test/rubygems/test_gem.rb index 0428bea..b6e090e 100644 --- a/test/rubygems/test_gem.rb 
+++ b/test/rubygems/test_gem.rb -@@ -963,7 +963,8 @@ def test_self_use_paths +@@ -962,7 +962,8 @@ def test_self_use_paths def test_self_user_dir parts = [@userhome, '.gem', Gem.ruby_engine] @@ -259,7 +259,7 @@ index 0428bea..b6e090e 100644 assert_equal File.join(parts), Gem.user_dir end -@@ -1090,7 +1091,7 @@ def test_self_user_home_user_drive_and_path +@@ -1089,7 +1090,7 @@ def test_self_user_home_user_drive_and_path def test_self_vendor_dir expected = File.join RbConfig::CONFIG['vendordir'], 'gems', diff --git a/ruby-2.4.0-increase-timeout-for-ARMv7.patch b/ruby-2.4.0-increase-timeout-for-ARMv7.patch deleted file mode 100644 index d0dfcb2..0000000 --- a/ruby-2.4.0-increase-timeout-for-ARMv7.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 35568b41699ca1cd466fc8d23a84139b73ad0f1b Mon Sep 17 00:00:00 2001 -From: naruse -Date: Tue, 19 Jan 2016 02:52:37 +0000 -Subject: [PATCH] increase timeout for ARMv7 - -http://rubyci.s3.amazonaws.com/scw-9d6766/ruby-trunk/log/20160113T091704Z.diff.html.gz - -git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53586 b2dd03c8-39d4-4d8f-98ff-823fe69b080e ---- - test/ruby/test_iseq.rb | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/test/ruby/test_iseq.rb b/test/ruby/test_iseq.rb -index 7af8c1b..4561eeb 100644 ---- a/test/ruby/test_iseq.rb -+++ b/test/ruby/test_iseq.rb -@@ -187,7 +187,7 @@ def test_safe_call_chain - end - - def test_parent_iseq_mark -- assert_separately([], <<-'end;') -+ assert_separately([], <<-'end;', timeout: 20) - ->{ - ->{ - ->{ diff --git a/ruby.spec b/ruby.spec index 5cbbffa..be5feac 100644 --- a/ruby.spec +++ b/ruby.spec @@ -1,6 +1,6 @@ %global major_version 2 %global minor_version 3 -%global teeny_version 1 +%global teeny_version 2 %global major_minor_version %{major_version}.%{minor_version} %global ruby_version %{major_minor_version}.%{teeny_version} 
@@ -29,8 +29,8 @@ %global rubygems_dir %{_datadir}/rubygems # Bundled libraries versions -%global rubygems_version 2.5.1 -%global molinillo_version 0.4.0 +%global rubygems_version 2.5.2 +%global molinillo_version 0.4.1 # TODO: The IRB has strange versioning. Keep the Ruby's versioning ATM. # http://redmine.ruby-lang.org/issues/5313 @@ -40,9 +40,9 @@ %global did_you_mean_version 1.0.0 %global io_console_version 0.4.5 %global json_version 1.8.3 -%global minitest_version 5.8.3 +%global minitest_version 5.8.5 %global power_assert_version 0.2.6 -%global psych_version 2.0.17 +%global psych_version 2.1.0 %global rake_version 10.4.2 %global rdoc_version 4.2.1 %global net_telnet_version 0.1.1 @@ -122,9 +122,6 @@ Patch6: ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch # Use miniruby to regenerate prelude.c. # https://bugs.ruby-lang.org/issues/10554 Patch7: ruby-2.2.3-Generate-preludes-using-miniruby.patch -# Prevent test failures on ARM. -# https://bugs.ruby-lang.org/issues/12331 -Patch8: ruby-2.4.0-increase-timeout-for-ARMv7.patch # Workaround "an invalid stdio handle" error on PPC, due to recently introduced # hardening features of glibc (rhbz#1361037). # https://bugs.ruby-lang.org/issues/12666 @@ -476,7 +473,6 @@ rm -rf ext/fiddle/libffi* %patch5 -p1 %patch6 -p1 %patch7 -p1 -%patch8 -p1 %patch9 -p1 # Provide an example of usage of the tapset: @@ -537,7 +533,8 @@ for cert in \ EntrustnetSecureServerCertificationAuthority.pem \ GeoTrustGlobalCA.pem \ AddTrustExternalCARoot.pem \ - AddTrustExternalCARoot-2048.pem + AddTrustExternalCARoot-2048.pem \ + GlobalSignRootCA.pem do rm %{buildroot}%{rubygems_dir}/rubygems/ssl_certs/$cert done @@ -963,7 +960,8 @@ make check TESTS="-v $DISABLE_TESTS" %{ruby_libdir}/tkextlib %changelog -* Fri Oct 21 2016 Vít Ondruch - 2.3.1-60 +* Fri Nov 18 2016 Vít Ondruch - 2.3.2-60 +- Update to Ruby 2.3.2. - Add gemspec_add_dep and gemspec_remove_dep macros. * Wed Aug 10 2016 Vít Ondruch - 2.3.1-58 
diff --git a/sources b/sources index 6eb7405..9f89eaf 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -01e9d172a5c33b385e92fc0cc2899766 ruby-2.3.1.tar.xz +37bae2bf9cf6deda3b7d8b0ad61fc0af ruby-2.3.2.tar.xz From 00fb25d2c06ab58d2d1df3231a1a294850b11328 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADt=20Ondruch?= Date: Fri, 18 Nov 2016 17:22:30 +0100 Subject: [PATCH 04/15] Ensure there is not forgotten any certificate. --- ruby.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ruby.spec b/ruby.spec index be5feac..7d8e37b 100644 --- a/ruby.spec +++ b/ruby.spec @@ -538,6 +538,8 @@ for cert in \ do rm %{buildroot}%{rubygems_dir}/rubygems/ssl_certs/$cert done +# Ensure there is not forgotten any certificate. +test ! "$(ls -A %{buildroot}%{rubygems_dir}/rubygems/ssl_certs/ 2>/dev/null)" # Move macros file into proper place and replace the %%{name} macro, since it # would be wrongly evaluated during build of other packages. From 18725ecc49b735d21b2290f6d49dfaa5536aac53 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADt=20Ondruch?= Date: Tue, 22 Nov 2016 13:25:46 +0100 Subject: [PATCH 05/15] Exclude json.rb from ruby-libs (rhbz#1397370). --- ruby.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ruby.spec b/ruby.spec index 7d8e37b..e2b8bdb 100644 --- a/ruby.spec +++ b/ruby.spec @@ -21,7 +21,7 @@ %endif -%global release 60 +%global release 61 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} # The RubyGems library has to stay out of Ruby directory three, since the @@ -712,6 +712,7 @@ make check TESTS="-v $DISABLE_TESTS" %{ruby_libdir}/*.rb %exclude %{ruby_libdir}/*-tk.rb %exclude %{ruby_libdir}/irb.rb +%exclude %{ruby_libdir}/json.rb %exclude %{ruby_libdir}/tcltk.rb %exclude %{ruby_libdir}/tk*.rb %exclude %{ruby_libdir}/psych.rb 
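Review bot: The new check `test ! "$(ls -A … 2>/dev/null)"` passes when the directory is absent and, because stderr is discarded, also when it exists but cannot be listed, so the only case it catches is a readable directory with leftovers; that is probably the intended failure mode, but the comment should state the purpose rather than the mechanism, e.g. `# Fail the build if RubyGems starts bundling a CA certificate that the loop above does not strip (presumably so that only the system trust store is used — confirm).` If the emptied directory is not meant to be packaged, `rmdir %{buildroot}%{rubygems_dir}/rubygems/ssl_certs` would enforce emptiness and remove it in one step, at the cost of failing should upstream stop shipping the directory at all.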
@@ -962,6 +963,9 @@ make check TESTS="-v $DISABLE_TESTS" %{ruby_libdir}/tkextlib %changelog +* Tue Nov 22 2016 Vít Ondruch - 2.3.2-61 +- Exclude json.rb from ruby-libs (rhbz#1397370). + * Fri Nov 18 2016 Vít Ondruch - 2.3.2-60 - Update to Ruby 2.3.2. - Add gemspec_add_dep and gemspec_remove_dep macros. From d3ee6d38d82d5b53479a1a3f9d65ddb3572d86a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADt=20Ondruch?= Date: Tue, 22 Nov 2016 13:27:42 +0100 Subject: [PATCH 06/15] Update to Ruby 2.3.3. --- ruby.spec | 5 +++-- sources | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ruby.spec b/ruby.spec index e2b8bdb..59ece0e 100644 --- a/ruby.spec +++ b/ruby.spec @@ -1,6 +1,6 @@ %global major_version 2 %global minor_version 3 -%global teeny_version 2 +%global teeny_version 3 %global major_minor_version %{major_version}.%{minor_version} %global ruby_version %{major_minor_version}.%{teeny_version} @@ -963,7 +963,8 @@ make check TESTS="-v $DISABLE_TESTS" %{ruby_libdir}/tkextlib %changelog -* Tue Nov 22 2016 Vít Ondruch - 2.3.2-61 +* Tue Nov 22 2016 Vít Ondruch - 2.3.3-61 +- Update to Ruby 2.3.3. - Exclude json.rb from ruby-libs (rhbz#1397370). * Fri Nov 18 2016 Vít Ondruch - 2.3.2-60 diff --git a/sources b/sources index 9f89eaf..26c008e 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -37bae2bf9cf6deda3b7d8b0ad61fc0af ruby-2.3.2.tar.xz +0cba3d1b677d2695236ace62ca6d2255 ruby-2.3.3.tar.xz From eb774bc6ed1f929d6ce11b79446bc1ac522ec483 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADt=20Ondruch?= Date: Thu, 1 Dec 2016 12:50:07 +0100 Subject: [PATCH 07/15] Do not freeze strings in generated .gemspec. --- ...e-frozen-strings-in-serialized-specs.patch | 245 ++++++++++++++++++ ruby.spec | 11 +- 2 files changed, 255 insertions(+), 1 deletion(-) create mode 100644 ruby-2.3.3-Revert-use-frozen-strings-in-serialized-specs.patch 
diff --git a/ruby-2.3.3-Revert-use-frozen-strings-in-serialized-specs.patch b/ruby-2.3.3-Revert-use-frozen-strings-in-serialized-specs.patch
new file mode 100644
index 0000000..5647460
--- /dev/null
+++ b/ruby-2.3.3-Revert-use-frozen-strings-in-serialized-specs.patch
@@ -0,0 +1,245 @@ +From b073f9af733254ea14111f6a9a6785acdbba8fd7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?V=C3=ADt=20Ondruch?= +Date: Thu, 1 Dec 2016 12:10:00 +0100 +Subject: [PATCH] Revert "use frozen strings in serialized specs" + +This reverts commit 8eda3272d28010c768a05620de776e5a8195c1ae. +--- + lib/rubygems/specification.rb | 8 +-- + test/rubygems/test_gem_specification.rb | 120 ++++++++++++++++---------------- + 2 files changed, 64 insertions(+), 64 deletions(-) + +diff --git a/lib/rubygems/specification.rb b/lib/rubygems/specification.rb +index 7128532..654996a 100644 +--- a/lib/rubygems/specification.rb ++++ b/lib/rubygems/specification.rb +@@ -2335,7 +2335,7 @@ class Gem::Specification < Gem::BasicSpecification + + def ruby_code(obj) + case obj +- when String then obj.dump + ".freeze" ++ when String then obj.dump + when Array then '[' + obj.map { |x| ruby_code x }.join(", ") + ']' + when Hash then + seg = obj.keys.sort.map { |k| "#{k.to_s.dump} => #{obj[k].to_s.dump}" } +@@ -2525,14 +2525,14 @@ class Gem::Specification < Gem::BasicSpecification + dependencies.each do |dep| + req = dep.requirements_list.inspect + dep.instance_variable_set :@type, :runtime if dep.type.nil? 
# HACK +- result << " s.add_#{dep.type}_dependency(%q<#{dep.name}>.freeze, #{req})" ++ result << " s.add_#{dep.type}_dependency(%q<#{dep.name}>, #{req})" + end + + result << " else" + + dependencies.each do |dep| + version_reqs_param = dep.requirements_list.inspect +- result << " s.add_dependency(%q<#{dep.name}>.freeze, #{version_reqs_param})" ++ result << " s.add_dependency(%q<#{dep.name}>, #{version_reqs_param})" + end + + result << ' end' +@@ -2540,7 +2540,7 @@ class Gem::Specification < Gem::BasicSpecification + result << " else" + dependencies.each do |dep| + version_reqs_param = dep.requirements_list.inspect +- result << " s.add_dependency(%q<#{dep.name}>.freeze, #{version_reqs_param})" ++ result << " s.add_dependency(%q<#{dep.name}>, #{version_reqs_param})" + end + result << " end" + end +diff --git a/test/rubygems/test_gem_specification.rb b/test/rubygems/test_gem_specification.rb +index dc7b134..204e100 100644 +--- a/test/rubygems/test_gem_specification.rb ++++ b/test/rubygems/test_gem_specification.rb +@@ -2284,30 +2284,30 @@ dependencies: [] + # stub: a 2 ruby lib\0other + + Gem::Specification.new do |s| +- s.name = "a".freeze ++ s.name = "a" + s.version = "2" + +- s.required_rubygems_version = Gem::Requirement.new(\"> 0\".freeze) if s.respond_to? :required_rubygems_version= +- s.require_paths = ["lib".freeze, "other".freeze] +- s.authors = ["A User".freeze] ++ s.required_rubygems_version = Gem::Requirement.new(\"> 0\") if s.respond_to? 
:required_rubygems_version= ++ s.require_paths = ["lib", "other"] ++ s.authors = ["A User"] + s.date = "#{Gem::Specification::TODAY.strftime "%Y-%m-%d"}" +- s.description = "This is a test description".freeze +- s.email = "example@example.com".freeze +- s.files = ["lib/code.rb".freeze] +- s.homepage = "http://example.com".freeze +- s.rubygems_version = "#{Gem::VERSION}".freeze +- s.summary = "this is a summary".freeze ++ s.description = "This is a test description" ++ s.email = "example@example.com" ++ s.files = ["lib/code.rb"] ++ s.homepage = "http://example.com" ++ s.rubygems_version = "#{Gem::VERSION}" ++ s.summary = "this is a summary" + + if s.respond_to? :specification_version then + s.specification_version = #{Gem::Specification::CURRENT_SPECIFICATION_VERSION} + + if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then +- s.add_runtime_dependency(%q.freeze, [\"= 1\"]) ++ s.add_runtime_dependency(%q, [\"= 1\"]) + else +- s.add_dependency(%q.freeze, [\"= 1\"]) ++ s.add_dependency(%q, [\"= 1\"]) + end + else +- s.add_dependency(%q.freeze, [\"= 1\"]) ++ s.add_dependency(%q, [\"= 1\"]) + end + end + SPEC +@@ -2333,18 +2333,18 @@ end + # stub: a 2 ruby lib + + Gem::Specification.new do |s| +- s.name = "a".freeze ++ s.name = "a" + s.version = "2" + +- s.required_rubygems_version = Gem::Requirement.new(\"> 0\".freeze) if s.respond_to? :required_rubygems_version= +- s.require_paths = ["lib".freeze] +- s.authors = ["A User".freeze] ++ s.required_rubygems_version = Gem::Requirement.new(\"> 0\") if s.respond_to? 
:required_rubygems_version= ++ s.require_paths = ["lib"] ++ s.authors = ["A User"] + s.date = "#{Gem::Specification::TODAY.strftime "%Y-%m-%d"}" +- s.description = "This is a test description".freeze +- s.email = "example@example.com".freeze +- s.homepage = "http://example.com".freeze +- s.rubygems_version = "#{Gem::VERSION}".freeze +- s.summary = "this is a summary".freeze ++ s.description = "This is a test description" ++ s.email = "example@example.com" ++ s.homepage = "http://example.com" ++ s.rubygems_version = "#{Gem::VERSION}" ++ s.summary = "this is a summary" + + s.installed_by_version = "#{Gem::VERSION}" if s.respond_to? :installed_by_version + +@@ -2352,12 +2352,12 @@ Gem::Specification.new do |s| + s.specification_version = #{Gem::Specification::CURRENT_SPECIFICATION_VERSION} + + if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then +- s.add_runtime_dependency(%q.freeze, [\"= 1\"]) ++ s.add_runtime_dependency(%q, [\"= 1\"]) + else +- s.add_dependency(%q.freeze, [\"= 1\"]) ++ s.add_dependency(%q, [\"= 1\"]) + end + else +- s.add_dependency(%q.freeze, [\"= 1\"]) ++ s.add_dependency(%q, [\"= 1\"]) + end + end + SPEC +@@ -2389,43 +2389,43 @@ end + # stub: #{extensions} + + Gem::Specification.new do |s| +- s.name = "a".freeze ++ s.name = "a" + s.version = "1" + s.platform = Gem::Platform.new(#{expected_platform}) + +- s.required_rubygems_version = Gem::Requirement.new(\">= 0\".freeze) if s.respond_to? :required_rubygems_version= +- s.require_paths = ["lib".freeze] +- s.authors = ["A User".freeze] ++ s.required_rubygems_version = Gem::Requirement.new(\">= 0\") if s.respond_to? 
:required_rubygems_version= ++ s.require_paths = ["lib"] ++ s.authors = ["A User"] + s.date = "#{Gem::Specification::TODAY.strftime "%Y-%m-%d"}" +- s.description = "This is a test description".freeze +- s.email = "example@example.com".freeze +- s.executables = ["exec".freeze] +- s.extensions = ["ext/a/extconf.rb".freeze] +- s.files = ["bin/exec".freeze, "ext/a/extconf.rb".freeze, "lib/code.rb".freeze, "test/suite.rb".freeze] +- s.homepage = "http://example.com".freeze +- s.licenses = ["MIT".freeze] +- s.requirements = ["A working computer".freeze] +- s.rubyforge_project = "example".freeze +- s.rubygems_version = "#{Gem::VERSION}".freeze +- s.summary = "this is a summary".freeze +- s.test_files = ["test/suite.rb".freeze] ++ s.description = "This is a test description" ++ s.email = "example@example.com" ++ s.executables = ["exec"] ++ s.extensions = ["ext/a/extconf.rb"] ++ s.files = ["bin/exec", "ext/a/extconf.rb", "lib/code.rb", "test/suite.rb"] ++ s.homepage = "http://example.com" ++ s.licenses = ["MIT"] ++ s.requirements = ["A working computer"] ++ s.rubyforge_project = "example" ++ s.rubygems_version = "#{Gem::VERSION}" ++ s.summary = "this is a summary" ++ s.test_files = ["test/suite.rb"] + + if s.respond_to? 
:specification_version then + s.specification_version = 4 + + if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then +- s.add_runtime_dependency(%q.freeze, [\"> 0.4\"]) +- s.add_runtime_dependency(%q.freeze, [\"> 0.0.0\"]) +- s.add_runtime_dependency(%q.freeze, [\"<= 0.6\", \"> 0.4\"]) ++ s.add_runtime_dependency(%q, [\"> 0.4\"]) ++ s.add_runtime_dependency(%q, [\"> 0.0.0\"]) ++ s.add_runtime_dependency(%q, [\"<= 0.6\", \"> 0.4\"]) + else +- s.add_dependency(%q.freeze, [\"> 0.4\"]) +- s.add_dependency(%q.freeze, [\"> 0.0.0\"]) +- s.add_dependency(%q.freeze, [\"<= 0.6\", \"> 0.4\"]) ++ s.add_dependency(%q, [\"> 0.4\"]) ++ s.add_dependency(%q, [\"> 0.0.0\"]) ++ s.add_dependency(%q, [\"<= 0.6\", \"> 0.4\"]) + end + else +- s.add_dependency(%q.freeze, [\"> 0.4\"]) +- s.add_dependency(%q.freeze, [\"> 0.0.0\"]) +- s.add_dependency(%q.freeze, [\"<= 0.6\", \"> 0.4\"]) ++ s.add_dependency(%q, [\"> 0.4\"]) ++ s.add_dependency(%q, [\"> 0.0.0\"]) ++ s.add_dependency(%q, [\"<= 0.6\", \"> 0.4\"]) + end + end + SPEC +@@ -3294,20 +3294,20 @@ Did you mean 'Ruby'? + # stub: m 1 ruby lib + + Gem::Specification.new do |s| +- s.name = "m".freeze ++ s.name = "m" + s.version = "1" + +- s.required_rubygems_version = Gem::Requirement.new(">= 0".freeze) if s.respond_to? :required_rubygems_version= ++ s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version= + s.metadata = { "one" => "two", "two" => "three" } if s.respond_to? 
:metadata= +- s.require_paths = ["lib".freeze] +- s.authors = ["A User".freeze] ++ s.require_paths = ["lib"] ++ s.authors = ["A User"] + s.date = "#{Gem::Specification::TODAY.strftime("%Y-%m-%d")}" +- s.description = "This is a test description".freeze +- s.email = "example@example.com".freeze +- s.files = ["lib/code.rb".freeze] +- s.homepage = "http://example.com".freeze +- s.rubygems_version = "#{Gem::VERSION}".freeze +- s.summary = "this is a summary".freeze ++ s.description = "This is a test description" ++ s.email = "example@example.com" ++ s.files = ["lib/code.rb"] ++ s.homepage = "http://example.com" ++ s.rubygems_version = "#{Gem::VERSION}" ++ s.summary = "this is a summary" + end + EOF + +-- +2.10.2 + diff --git a/ruby.spec b/ruby.spec index 59ece0e..899bc01 100644 --- a/ruby.spec +++ b/ruby.spec @@ -21,7 +21,7 @@ %endif -%global release 61 +%global release 61.1 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} # The RubyGems library has to stay out of Ruby directory three, since the @@ -126,6 +126,11 @@ Patch7: ruby-2.2.3-Generate-preludes-using-miniruby.patch # hardening features of glibc (rhbz#1361037). # https://bugs.ruby-lang.org/issues/12666 Patch9: ruby-2.3.1-Rely-on-ldd-to-detect-glibc.patch +# Do not freeze strings in generated .gemspec. This causes regressions +# and FTBFS in Fedora packages. This is revert of: +# https://github.com/rubygems/rubygems/commit/8eda3272d28010c768a05620de776e5a8195c1ae +# https://lists.fedoraproject.org/archives/list/ruby-sig@lists.fedoraproject.org/message/NLZRTNIMG7NB5V3D4PAQKQLYEKC2TQSY/ +Patch100: ruby-2.3.3-Revert-use-frozen-strings-in-serialized-specs.patch Requires: %{name}-libs%{?_isa} = %{version}-%{release} Suggests: rubypick @@ -474,6 +479,7 @@ rm -rf ext/fiddle/libffi* %patch6 -p1 %patch7 -p1 %patch9 -p1 +%patch100 -p1 # Provide an example of usage of the tapset: cp -a %{SOURCE3} . 
@@ -963,6 +969,9 @@ make check TESTS="-v $DISABLE_TESTS" %{ruby_libdir}/tkextlib %changelog +* Thu Dec 01 2016 Vít Ondruch - 2.3.3-61.1 +- Do not freeze strings in generated .gemspec. + * Tue Nov 22 2016 Vít Ondruch - 2.3.3-61 - Update to Ruby 2.3.3. - Exclude json.rb from ruby-libs (rhbz#1397370). From b325f28a94578f420a9c71bd7119c962151c8648 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADt=20Ondruch?= Date: Thu, 27 Jul 2017 09:43:06 +0200 Subject: [PATCH 08/15] Fix IV Reuse in GCM Mode (rhbz#1381527). --- ...ve-the-encryption-key-initialization.patch | 170 ++++++++++++++++++ ruby.spec | 10 +- sources | 2 +- 3 files changed, 180 insertions(+), 2 deletions(-) create mode 100644 ruby-2.3.4-remove-the-encryption-key-initialization.patch diff --git a/ruby-2.3.4-remove-the-encryption-key-initialization.patch b/ruby-2.3.4-remove-the-encryption-key-initialization.patch new file mode 100644 index 0000000..d375f5c --- /dev/null +++ b/ruby-2.3.4-remove-the-encryption-key-initialization.patch 
@@ -0,0 +1,170 @@ +From 739782e37a6662fea379e7ef3ec89e851b04b46c Mon Sep 17 00:00:00 2001 +From: usa +Date: Wed, 5 Jul 2017 07:06:45 +0000 +Subject: [PATCH] * ext/openssl/ossl_cipher.c: remove the encryption key + initialization from Cipher#initialize. This is effectively a revert of + r32723 ("Avoid possible SEGV from AES encryption/decryption", 2011-07-28). + the patch is derived from + https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062, + written by Kazuki Yamaguchi. [Backport #8221] + +git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59267 b2dd03c8-39d4-4d8f-98ff-823fe69b080e +--- + ChangeLog | 9 +++++++++ + ext/openssl/ossl_cipher.c | 23 ++++++++++++++--------- + test/openssl/test_cipher.rb | 29 +++++++++++++++++++++++------ + version.h | 6 +++--- + 3 files changed, 46 insertions(+), 15 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index 33b9dbe79fef..ad89c9c4bd52 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,12 @@ ++Wed Jul 5 15:55:35 2017 NAKAMURA Usaku ++ ++ * ext/openssl/ossl_cipher.c: remove the encryption key initialization ++ from Cipher#initialize. This is effectively a revert of r32723 ++ ("Avoid possible SEGV from AES encryption/decryption", 2011-07-28). ++ the patch is derived from https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062, ++ written by Kazuki Yamaguchi. 
++ [Backport #8221] ++ + Mon Nov 21 16:55:15 2016 boshan + + * lib/tempfile.rb (Tempfile#initialize): [DOC] the first parameter +diff --git a/ext/openssl/ossl_cipher.c b/ext/openssl/ossl_cipher.c +index 09b021d9873a..24caba6e3721 100644 +--- a/ext/openssl/ossl_cipher.c ++++ b/ext/openssl/ossl_cipher.c +@@ -34,6 +34,7 @@ + */ + VALUE cCipher; + VALUE eCipherError; ++static ID id_key_set; + + static VALUE ossl_cipher_alloc(VALUE klass); + static void ossl_cipher_free(void *ptr); +@@ -114,7 +115,6 @@ ossl_cipher_initialize(VALUE self, VALUE str) + EVP_CIPHER_CTX *ctx; + const EVP_CIPHER *cipher; + char *name; +- unsigned char key[EVP_MAX_KEY_LENGTH]; + + name = StringValuePtr(str); + GetCipherInit(self, ctx); +@@ -126,14 +126,7 @@ ossl_cipher_initialize(VALUE self, VALUE str) + if (!(cipher = EVP_get_cipherbyname(name))) { + ossl_raise(rb_eRuntimeError, "unsupported cipher algorithm (%s)", name); + } +- /* +- * The EVP which has EVP_CIPH_RAND_KEY flag (such as DES3) allows +- * uninitialized key, but other EVPs (such as AES) does not allow it. +- * Calling EVP_CipherUpdate() without initializing key causes SEGV so we +- * set the data filled with "\0" as the key by default. 
+- */ +- memset(key, 0, EVP_MAX_KEY_LENGTH); +- if (EVP_CipherInit_ex(ctx, cipher, NULL, key, NULL, -1) != 1) ++ if (EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, -1) != 1) + ossl_raise(eCipherError, NULL); + + return self; +@@ -252,6 +245,9 @@ ossl_cipher_init(int argc, VALUE *argv, VALUE self, int mode) + ossl_raise(eCipherError, NULL); + } + ++ if (p_key) ++ rb_ivar_set(self, id_key_set, Qtrue); ++ + return self; + } + +@@ -338,6 +334,8 @@ ossl_cipher_pkcs5_keyivgen(int argc, VALUE *argv, VALUE self) + OPENSSL_cleanse(key, sizeof key); + OPENSSL_cleanse(iv, sizeof iv); + ++ rb_ivar_set(self, id_key_set, Qtrue); ++ + return Qnil; + } + +@@ -391,6 +389,9 @@ ossl_cipher_update(int argc, VALUE *argv, VALUE self) + + rb_scan_args(argc, argv, "11", &data, &str); + ++ if (!RTEST(rb_attr_get(self, id_key_set))) ++ ossl_raise(eCipherError, "key not set"); ++ + StringValue(data); + in = (unsigned char *)RSTRING_PTR(data); + if ((in_len = RSTRING_LEN(data)) == 0) +@@ -490,6 +491,8 @@ ossl_cipher_set_key(VALUE self, VALUE key) + if (EVP_CipherInit_ex(ctx, NULL, NULL, (unsigned char *)RSTRING_PTR(key), NULL, -1) != 1) + ossl_raise(eCipherError, NULL); + ++ rb_ivar_set(self, id_key_set, Qtrue); ++ + return key; + } + +@@ -1008,4 +1011,6 @@ Init_ossl_cipher(void) + rb_define_method(cCipher, "iv_len", ossl_cipher_iv_length, 0); + rb_define_method(cCipher, "block_size", ossl_cipher_block_size, 0); + rb_define_method(cCipher, "padding=", ossl_cipher_set_padding, 1); ++ ++ id_key_set = rb_intern_const("key_set"); + } +diff --git a/test/openssl/test_cipher.rb b/test/openssl/test_cipher.rb +index 89c176f4de41..95058b5f196b 100644 +--- a/test/openssl/test_cipher.rb ++++ b/test/openssl/test_cipher.rb +@@ -81,6 +81,7 @@ def test_reset + + def test_empty_data + @c1.encrypt ++ @c1.random_key + assert_raise(ArgumentError){ @c1.update("") } + end + +@@ -129,12 +130,10 @@ def test_AES + } + end + +- def test_AES_crush +- 500.times do +- assert_nothing_raised("[Bug #2768]") do +- # it 
caused OpenSSL SEGV by uninitialized key +- OpenSSL::Cipher::AES128.new("ECB").update "." * 17 +- end ++ def test_update_raise_if_key_not_set ++ assert_raise(OpenSSL::Cipher::CipherError) do ++ # it caused OpenSSL SEGV by uninitialized key [Bug #2768] ++ OpenSSL::Cipher::AES128.new("ECB").update "." * 17 + end + end + end +@@ -236,6 +235,24 @@ def test_aes_gcm_wrong_ciphertext + end + end + ++ def test_aes_gcm_key_iv_order_issue ++ pt = "[ruby/openssl#49]" ++ cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt ++ cipher.key = "x" * 16 ++ cipher.iv = "a" * 12 ++ ct1 = cipher.update(pt) << cipher.final ++ tag1 = cipher.auth_tag ++ ++ cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt ++ cipher.iv = "a" * 12 ++ cipher.key = "x" * 16 ++ ct2 = cipher.update(pt) << cipher.final ++ tag2 = cipher.auth_tag ++ ++ assert_equal ct1, ct2 ++ assert_equal tag1, tag2 ++ end if has_cipher?("aes-128-gcm") ++ + end + + private diff --git a/ruby.spec b/ruby.spec index 899bc01..b90f606 100644 --- a/ruby.spec +++ b/ruby.spec @@ -21,7 +21,7 @@ %endif -%global release 61.1 +%global release 62 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} # The RubyGems library has to stay out of Ruby directory three, since the @@ -126,6 +126,10 @@ Patch7: ruby-2.2.3-Generate-preludes-using-miniruby.patch # hardening features of glibc (rhbz#1361037). # https://bugs.ruby-lang.org/issues/12666 Patch9: ruby-2.3.1-Rely-on-ldd-to-detect-glibc.patch +# Fix IV Reuse in GCM Mode (CVE-2016-7798). +# https://bugzilla.redhat.com/show_bug.cgi?id=1381527 +# https://github.com/ruby/ruby/commit/739782e37a6662fea379e7ef3ec89e851b04b46c +Patch10: ruby-2.3.4-remove-the-encryption-key-initialization.patch # Do not freeze strings in generated .gemspec. This causes regressions # and FTBFS in Fedora packages. This is revert of: # https://github.com/rubygems/rubygems/commit/8eda3272d28010c768a05620de776e5a8195c1ae 
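Review bot: The `key not set` guard is added only to `ossl_cipher_update`; `ossl_cipher_final` lies outside this hunk and, as far as the patch shows, still hands a never-keyed context to OpenSSL, so `OpenSSL::Cipher.new("AES-128-ECB").final` deserves either a test or the same check (`if (!RTEST(rb_attr_get(self, id_key_set))) ossl_raise(eCipherError, "key not set");`) unless OpenSSL is known to reject that case on its own — worth confirming before this backport ships. The flag lives under `rb_intern_const("key_set")`, a name without the `@` prefix, which (presumably deliberately) keeps it out of `instance_variables` and out of reach of `instance_variable_set`; a one-line comment at the `static ID id_key_set;` declaration, such as `/* ivar name intentionally lacks '@' so Ruby code cannot see or clear the flag */`, would stop a later backport from "fixing" it. In `test_aes_gcm_key_iv_order_issue` the two orderings are only compared with each other, so a regression where the IV is ignored in both orders would still pass; asserting that the ciphertext differs from a run with a different IV, or round-tripping `ct1` through a decryptor with the same key and IV, would pin the behaviour the CVE is about.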
@@ -479,6 +483,7 @@ rm -rf ext/fiddle/libffi* %patch6 -p1 %patch7 -p1 %patch9 -p1 +%patch10 -p1 %patch100 -p1 # Provide an example of usage of the tapset: @@ -969,6 +974,9 @@ make check TESTS="-v $DISABLE_TESTS" %{ruby_libdir}/tkextlib %changelog +* Thu Jul 27 2017 Vít Ondruch - 2.3.3-62 +- Fix IV Reuse in GCM Mode (rhbz#1381527). + * Thu Dec 01 2016 Vít Ondruch - 2.3.3-61.1 - Do not freeze strings in generated .gemspec. diff --git a/sources b/sources index 26c008e..ef0a324 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -0cba3d1b677d2695236ace62ca6d2255 ruby-2.3.3.tar.xz +SHA512 (ruby-2.3.3.tar.xz) = 73dd6ed896ff52d953b153b2cab359c87953ea77521878f1ee16c1e217cc46bcb253100debe61ba631e6ffa0bc773e592d603a374508ed5189a311136ccd8d20 From d922de7541f17fd9f49d7d95088fd6c22db5a364 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADt=20Ondruch?= Date: Tue, 8 Aug 2017 11:56:42 +0200 Subject: [PATCH 09/15] Fix SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM commands in Net::SMTP (rhbz#1461848). --- ruby-2.4.0-SMTP-injection-fix.patch | 122 ++++++++++++++++++++++++++++ ruby.spec | 12 ++- 2 files changed, 133 insertions(+), 1 deletion(-) create mode 100644 ruby-2.4.0-SMTP-injection-fix.patch diff --git a/ruby-2.4.0-SMTP-injection-fix.patch b/ruby-2.4.0-SMTP-injection-fix.patch new file mode 100644 index 0000000..569c69b --- /dev/null +++ b/ruby-2.4.0-SMTP-injection-fix.patch 
@@ -0,0 +1,122 @@ +From ea7b67981156f3eaee8420bb34c49605573387a5 Mon Sep 17 00:00:00 2001 +From: shugo +Date: Wed, 8 Jun 2016 07:06:57 +0000 +Subject: [PATCH] Security: backport SMTP injection fix + +* lib/net/smtp.rb (getok, get_response): raise an ArgumentError when +CR or LF is included in a line, because they are not allowed in +RFC5321. + +https://hackerone.com/reports/137631 +--- + ChangeLog | 6 ++++++ + lib/net/smtp.rb | 9 +++++++++ + test/net/smtp/test_smtp.rb | 47 ++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 62 insertions(+) + +diff --git a/ChangeLog b/ChangeLog +index ab9a6bf18281..5176d362881b 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,9 @@ ++Sun Jun 11 21:25:09 2017 Shugo Maeda ++ ++ * lib/net/smtp.rb (getok, get_response): raise an ArgumentError when ++ CR or LF is included in a line, because they are not allowed in ++ RFC5321. https://hackerone.com/reports/137631 [Backport 0827a7e] ++ + Wed Jul 5 15:55:35 2017 NAKAMURA Usaku + + * ext/openssl/ossl_cipher.c: remove the encryption key initialization +diff --git a/lib/net/smtp.rb b/lib/net/smtp.rb +index d634274c3ee8..78f2181d2a8b 100644 +--- a/lib/net/smtp.rb ++++ b/lib/net/smtp.rb +@@ -926,7 +926,15 @@ def quit + + private + ++ def validate_line(line) ++ # A bare CR or LF is not allowed in RFC5321. 
++ if /[\r\n]/ =~ line
++ raise ArgumentError, "A line must not contain CR or LF"
++ end
++ end
++
+ def getok(reqline)
++ validate_line reqline
+ res = critical {
+ @socket.writeline reqline
+ recv_response()
+@@ -936,6 +944,7 @@ def getok(reqline)
+ end
+
+ def get_response(reqline)
++ validate_line reqline
+ @socket.writeline reqline
+ recv_response()
+ end
+diff --git a/test/net/smtp/test_smtp.rb b/test/net/smtp/test_smtp.rb
+index 0edb3419d56e..3bcceb6fc5bb 100644
+--- a/test/net/smtp/test_smtp.rb
++++ b/test/net/smtp/test_smtp.rb
+@@ -6,6 +6,8 @@
+ module Net
+ class TestSMTP < Test::Unit::TestCase
+ class FakeSocket
++ attr_reader :write_io
++
+ def initialize out = "250 OK\n"
+ @write_io = StringIO.new
+ @read_io = StringIO.new out
+@@ -51,5 +53,50 @@ def test_rset
+
+ assert smtp.rset
+ end
++
++ def test_mailfrom
++ sock = FakeSocket.new
++ smtp = Net::SMTP.new 'localhost', 25
++ smtp.instance_variable_set :@socket, sock
++ assert smtp.mailfrom("foo@example.com").success?
++ assert_equal "MAIL FROM:\r\n", sock.write_io.string
++ end
++
++ def test_rcptto
++ sock = FakeSocket.new
++ smtp = Net::SMTP.new 'localhost', 25
++ smtp.instance_variable_set :@socket, sock
++ assert smtp.rcptto("foo@example.com").success?
++ assert_equal "RCPT TO:\r\n", sock.write_io.string
++ end
++
++ def test_auth_plain
++ sock = FakeSocket.new
++ smtp = Net::SMTP.new 'localhost', 25
++ smtp.instance_variable_set :@socket, sock
++ assert smtp.auth_plain("foo", "bar").success?
++ assert_equal "AUTH PLAIN AGZvbwBiYXI=\r\n", sock.write_io.string
++ end
++
++ def test_crlf_injection
++ smtp = Net::SMTP.new 'localhost', 25
++ smtp.instance_variable_set :@socket, FakeSocket.new
++
++ assert_raise(ArgumentError) do
++ smtp.mailfrom("foo\r\nbar")
++ end
++
++ assert_raise(ArgumentError) do
++ smtp.mailfrom("foo\rbar")
++ end
++
++ assert_raise(ArgumentError) do
++ smtp.mailfrom("foo\nbar")
++ end
++
++ assert_raise(ArgumentError) do
++ smtp.rcptto("foo\r\nbar")
++ end
++ end
+ end
+ end
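Review bot: `validate_line` is called in `getok` before the `critical { ... }` block and in `get_response` before `@socket.writeline`, so a rejected command is never written and the session state is untouched; that property is what makes raising mid-transaction safe and it should be stated on the method: `# Must run before any write: a rejected line never reaches the server, so the session stays usable.` The regex `/[\r\n]/ =~ line` rejects a bare CR or LF as well as CRLF, which the new tests cover. The fix only protects verbs whose command line goes through these two methods; `helo`/`ehlo` hostnames and the `AUTH` variants are outside the hunk, so a note such as `# Every command line must be sent via getok/get_response so validate_line sees it.` would make the contract explicit for future verbs.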
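Review bot: In `test_mailfrom` and `test_rcptto` the expected strings read `"MAIL FROM:\r\n"` and `"RCPT TO:\r\n"` with nothing between the colon and the CRLF, yet the calls pass `"foo@example.com"`; the command presumably carries the address in angle brackets and that part looks to have been lost in this rendering rather than in the patch. If the file really reads this way the two assertions cannot pass, so confirm the expectations against the backport source before applying, e.g. `assert_equal "MAIL FROM:<foo@example.com>\r\n", sock.write_io.string`.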
diff --git a/ruby.spec b/ruby.spec index b90f606..802a175 100644 --- a/ruby.spec +++ b/ruby.spec @@ -21,7 +21,7 @@ %endif -%global release 62 +%global release 63 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} # The RubyGems library has to stay out of Ruby directory three, since the @@ -130,6 +130,11 @@ Patch9: ruby-2.3.1-Rely-on-ldd-to-detect-glibc.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1381527 # https://github.com/ruby/ruby/commit/739782e37a6662fea379e7ef3ec89e851b04b46c Patch10: ruby-2.3.4-remove-the-encryption-key-initialization.patch +# Fix SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM +# commands in Net::SMTP (CVE-2015-9096). +# https://bugzilla.redhat.com/show_bug.cgi?id=1461848 +# https://github.com/ruby/ruby/pull/1647 +Patch11: ruby-2.4.0-SMTP-injection-fix.patch # Do not freeze strings in generated .gemspec. This causes regressions # and FTBFS in Fedora packages. This is revert of: # https://github.com/rubygems/rubygems/commit/8eda3272d28010c768a05620de776e5a8195c1ae @@ -484,6 +489,7 @@ rm -rf ext/fiddle/libffi* %patch7 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 %patch100 -p1 # Provide an example of usage of the tapset: @@ -974,6 +980,10 @@ make check TESTS="-v $DISABLE_TESTS" %{ruby_libdir}/tkextlib %changelog +* Tue Aug 08 2017 Vít Ondruch - 2.3.3-63 +- Fix SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM + commands in Net::SMTP (rhbz#1461848). + * Thu Jul 27 2017 Vít Ondruch - 2.3.3-62 - Fix IV Reuse in GCM Mode (rhbz#1381527). From 01b4b3844459b110f76f3631eb686f82f567ebfc Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?V=C3=ADt=20Ondruch?= Date: Tue, 8 Aug 2017 12:56:03 +0200 Subject: [PATCH 10/15] Update to Ruby 2.3.4. --- ...low-to-specify-additional-preludes-by-configuratio.patch | 2 +- ruby-2.1.0-Enable-configuration-of-archlibdir.patch | 2 +- ...event-duplicated-paths-when-empty-version-string-i.patch | 2 +- ruby-2.1.0-always-use-i386.patch | 2 +- ruby-2.1.0-custom-rubygems-location.patch | 4 ++-- ruby-2.3.0-ruby_version.patch | 6 +++--- ruby-2.3.4-remove-the-encryption-key-initialization.patch | 4 ++-- ruby.spec | 5 +++-- 8 files changed, 14 insertions(+), 13 deletions(-) diff --git a/ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch b/ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch index 75eb363..fcd4767 100644 --- a/ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch +++ b/ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch @@ -39,7 +39,7 @@ diff --git a/configure.in b/configure.in index 0e371e2..d4f1dcb 100644 --- a/configure.in +++ b/configure.in -@@ -4374,6 +4374,13 @@ AC_SUBST(rubyarchhdrdir)dnl +@@ -4407,6 +4407,13 @@ AC_SUBST(rubyarchhdrdir)dnl AC_SUBST(sitearchhdrdir)dnl AC_SUBST(vendorarchhdrdir)dnl diff --git a/ruby-2.1.0-Enable-configuration-of-archlibdir.patch b/ruby-2.1.0-Enable-configuration-of-archlibdir.patch index 43fa7f6..e9b6536 100644 --- a/ruby-2.1.0-Enable-configuration-of-archlibdir.patch +++ b/ruby-2.1.0-Enable-configuration-of-archlibdir.patch @@ -11,7 +11,7 @@ diff --git a/configure.in b/configure.in index 37d9a62..553d4d0 100644 --- a/configure.in +++ b/configure.in -@@ -3632,6 +3632,11 @@ if test ${multiarch+set}; then +@@ -3665,6 +3665,11 @@ if test ${multiarch+set}; then fi archlibdir='${libdir}/${arch}' diff --git a/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch b/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch index eb34107..06370d1 100644 
--- a/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch +++ b/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch @@ -14,7 +14,7 @@ diff --git a/configure.in b/configure.in index db37cd6..ce8d149 100644 --- a/configure.in +++ b/configure.in -@@ -4228,7 +4228,8 @@ AS_CASE(["$ruby_version_dir_name"], +@@ -4261,7 +4261,8 @@ AS_CASE(["$ruby_version_dir_name"], ruby_version_dir=/'${ruby_version_dir_name}' if test -z "${ruby_version_dir_name}"; then diff --git a/ruby-2.1.0-always-use-i386.patch b/ruby-2.1.0-always-use-i386.patch index 9d78b05..b19da44 100644 --- a/ruby-2.1.0-always-use-i386.patch +++ b/ruby-2.1.0-always-use-i386.patch @@ -11,7 +11,7 @@ diff --git a/configure.in b/configure.in index 553d4d0..03a4152 100644 --- a/configure.in +++ b/configure.in -@@ -4292,6 +4292,8 @@ AC_SUBST(vendorarchdir)dnl +@@ -4325,6 +4325,8 @@ AC_SUBST(vendorarchdir)dnl AC_SUBST(CONFIGURE, "`echo $0 | sed 's|.*/||'`")dnl AC_SUBST(configure_args, "`echo "${ac_configure_args}" | sed 's/\\$/$$/g'`")dnl diff --git a/ruby-2.1.0-custom-rubygems-location.patch b/ruby-2.1.0-custom-rubygems-location.patch index e82f172..849bc19 100644 --- a/ruby-2.1.0-custom-rubygems-location.patch +++ b/ruby-2.1.0-custom-rubygems-location.patch @@ -15,7 +15,7 @@ diff --git a/configure.in b/configure.in index 03a4152..0e371e2 100644 --- a/configure.in +++ b/configure.in -@@ -4264,6 +4264,10 @@ AC_ARG_WITH(vendorarchdir, +@@ -4297,6 +4297,10 @@ AC_ARG_WITH(vendorarchdir, [vendorarchdir=$withval], [vendorarchdir=${multiarch+'${rubysitearchprefix}/vendor_ruby'${ruby_version_dir}}${multiarch-'${vendorlibdir}/${sitearch}'}]) @@ -26,7 +26,7 @@ index 03a4152..0e371e2 100644 if test "${LOAD_RELATIVE+set}"; then AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE) RUBY_EXEC_PREFIX='' -@@ -4288,6 +4292,7 @@ AC_SUBST(sitearchdir)dnl +@@ -4321,6 +4325,7 @@ AC_SUBST(sitearchdir)dnl AC_SUBST(vendordir)dnl AC_SUBST(vendorlibdir)dnl AC_SUBST(vendorarchdir)dnl 
diff --git a/ruby-2.3.0-ruby_version.patch b/ruby-2.3.0-ruby_version.patch index 96d7249..8d79c50 100644 --- a/ruby-2.3.0-ruby_version.patch +++ b/ruby-2.3.0-ruby_version.patch @@ -20,7 +20,7 @@ diff --git a/configure.in b/configure.in index db37cd6..6e73fae 100644 --- a/configure.in +++ b/configure.in -@@ -4177,9 +4177,6 @@ AS_CASE(["$target_os"], +@@ -4210,9 +4210,6 @@ AS_CASE(["$target_os"], rubyw_install_name='$(RUBYW_INSTALL_NAME)' ]) @@ -30,7 +30,7 @@ index db37cd6..6e73fae 100644 rubyarchprefix=${multiarch+'${archlibdir}/${RUBY_BASE_NAME}'}${multiarch-'${rubylibprefix}/${arch}'} AC_ARG_WITH(rubyarchprefix, AS_HELP_STRING([--with-rubyarchprefix=DIR], -@@ -4202,58 +4199,64 @@ AC_ARG_WITH(ridir, +@@ -4235,58 +4232,64 @@ AC_ARG_WITH(ridir, AC_SUBST(ridir) AC_SUBST(RI_BASE_NAME) @@ -124,7 +124,7 @@ index db37cd6..6e73fae 100644 if test "${LOAD_RELATIVE+set}"; then AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE) -@@ -4270,6 +4273,7 @@ AC_SUBST(sitearchincludedir)dnl +@@ -4303,6 +4306,7 @@ AC_SUBST(sitearchincludedir)dnl AC_SUBST(arch)dnl AC_SUBST(sitearch)dnl AC_SUBST(ruby_version)dnl diff --git a/ruby-2.3.4-remove-the-encryption-key-initialization.patch b/ruby-2.3.4-remove-the-encryption-key-initialization.patch index d375f5c..99931e8 100644 --- a/ruby-2.3.4-remove-the-encryption-key-initialization.patch +++ b/ruby-2.3.4-remove-the-encryption-key-initialization.patch @@ -30,9 +30,9 @@ index 33b9dbe79fef..ad89c9c4bd52 100644 + written by Kazuki Yamaguchi. + [Backport #8221] + - Mon Nov 21 16:55:15 2016 boshan + Wed Mar 29 23:47:31 2017 CHIKANAGA Tomoyuki - * lib/tempfile.rb (Tempfile#initialize): [DOC] the first parameter + * hash.c (any_hash): fix CI failure on L32LLP64 architecture. diff --git a/ext/openssl/ossl_cipher.c b/ext/openssl/ossl_cipher.c index 09b021d9873a..24caba6e3721 100644 --- a/ext/openssl/ossl_cipher.c diff --git a/ruby.spec b/ruby.spec index 802a175..fa605ff 100644 --- a/ruby.spec +++ b/ruby.spec 
@@ -1,6 +1,6 @@ %global major_version 2 %global minor_version 3 -%global teeny_version 3 +%global teeny_version 4 %global major_minor_version %{major_version}.%{minor_version} %global ruby_version %{major_minor_version}.%{teeny_version} @@ -980,7 +980,8 @@ make check TESTS="-v $DISABLE_TESTS" %{ruby_libdir}/tkextlib %changelog -* Tue Aug 08 2017 Vít Ondruch - 2.3.3-63 +* Tue Aug 08 2017 Vít Ondruch - 2.3.4-63 +- Update to Ruby 2.3.4. - Fix SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM commands in Net::SMTP (rhbz#1461848). From bffa7b8c646dee4a87d86ae75e7d2c0ac36600fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADt=20Ondruch?= Date: Tue, 8 Aug 2017 12:59:21 +0200 Subject: [PATCH 11/15] Upload sources. --- sources | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sources b/sources index ef0a324..976cfeb 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (ruby-2.3.3.tar.xz) = 73dd6ed896ff52d953b153b2cab359c87953ea77521878f1ee16c1e217cc46bcb253100debe61ba631e6ffa0bc773e592d603a374508ed5189a311136ccd8d20 +SHA512 (ruby-2.3.4.tar.xz) = 9e3adc2de6703e50e75db37db2981006d4c69759929d61db6a0d63627cfe5977d0ad66d2c69d7161cfc0c0d1c2cb38e5181a06ccd2790df2f72ec25c2ad01e02 From 5c005b98ca610c2931d996188939ba1f4a0c3ce1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADt=20Ondruch?= Date: Wed, 6 Sep 2017 13:57:09 +0200 Subject: [PATCH 12/15] Fix CVE-2017-0899 CVE-2017-0900 CVE-2017-0901 CVE-2017-0902. Fix ANSI escape sequence vulnerability (rhbz#1487590). Fix DoS vulnerability in the query command (rhbz#1487588). Fix a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files (rhbz#1487587). Fix DNS request hijacking vulnerability (rhbz#1487589). --- ruby-2.3.4-Fix-RubyGems-CVEs.patch | 355 +++++++++++++++++++++++++++++ ruby.spec | 21 +- 2 files changed, 374 insertions(+), 2 deletions(-) create mode 100644 ruby-2.3.4-Fix-RubyGems-CVEs.patch 
diff --git a/ruby-2.3.4-Fix-RubyGems-CVEs.patch b/ruby-2.3.4-Fix-RubyGems-CVEs.patch new file mode 100644 index 0000000..99f86de --- /dev/null +++ b/ruby-2.3.4-Fix-RubyGems-CVEs.patch 
@@ -0,0 +1,355 @@ +diff --git lib/rubygems.rb lib/rubygems.rb +index 04031c765c..9c0219ce06 100644 +--- lib/rubygems.rb ++++ lib/rubygems.rb +@@ -10,7 +10,7 @@ + require 'thread' + + module Gem +- VERSION = '2.5.2' ++ VERSION = '2.5.2.1' + end + + # Must be first since it unloads the prelude from 1.9.2 +diff --git lib/rubygems/commands/query_command.rb lib/rubygems/commands/query_command.rb +index d6196b44ed..61e9808860 100644 +--- lib/rubygems/commands/query_command.rb ++++ lib/rubygems/commands/query_command.rb +@@ -226,7 +226,7 @@ def output_versions output, versions + end + end + +- output << make_entry(matching_tuples, platforms) ++ output << clean_text(make_entry(matching_tuples, platforms)) + end + end + +@@ -344,7 +344,8 @@ def spec_platforms entry, platforms + end + + def spec_summary entry, spec +- entry << "\n\n" << format_text(spec.summary, 68, 4) ++ summary = truncate_text(spec.summary, "the summary for #{spec.full_name}") ++ entry << "\n\n" << format_text(summary, 68, 4) + end + + end +diff --git lib/rubygems/installer.rb lib/rubygems/installer.rb +index 85358e0d1a..709b77d126 100644 +--- lib/rubygems/installer.rb ++++ lib/rubygems/installer.rb +@@ -693,6 +693,11 @@ def verify_gem_home(unpack = false) # :nodoc: + unpack or File.writable?(gem_home) + end + ++ def verify_spec_name ++ return if spec.name =~ Gem::Specification::VALID_NAME_PATTERN ++ raise Gem::InstallError, "#{spec} has an invalid name" ++ end ++ + ## + # Return the text for an application file. 
+ +@@ -812,6 +817,8 @@ def pre_install_checks + + ensure_loadable_spec + ++ verify_spec_name ++ + if options[:install_as_default] + Gem.ensure_default_gem_subdirectories gem_home + else +diff --git lib/rubygems/remote_fetcher.rb lib/rubygems/remote_fetcher.rb +index fda1e067ef..254bebfadf 100644 +--- lib/rubygems/remote_fetcher.rb ++++ lib/rubygems/remote_fetcher.rb +@@ -104,7 +104,7 @@ def api_endpoint(uri) + else + target = res.target.to_s.strip + +- if /\.#{Regexp.quote(host)}\z/ =~ target ++ if URI("http://" + target).host.end_with?(".#{host}") + return URI.parse "#{uri.scheme}://#{target}#{uri.path}" + end + +diff --git lib/rubygems/specification.rb lib/rubygems/specification.rb +index 8e2557cdb2..dd4fde1776 100644 +--- lib/rubygems/specification.rb ++++ lib/rubygems/specification.rb +@@ -108,6 +108,8 @@ class Gem::Specification < Gem::BasicSpecification + + private_constant :LOAD_CACHE if defined? private_constant + ++ VALID_NAME_PATTERN = /\A[a-zA-Z0-9\.\-\_]+\z/ # :nodoc: ++ + # :startdoc: + + ## +@@ -2665,9 +2667,15 @@ def validate packaging = true + end + end + +- unless String === name then ++ if !name.is_a?(String) then + raise Gem::InvalidSpecificationException, +- "invalid value for attribute name: \"#{name.inspect}\"" ++ "invalid value for attribute name: \"#{name.inspect}\" must be a string" ++ elsif name !~ /[a-zA-Z]/ then ++ raise Gem::InvalidSpecificationException, ++ "invalid value for attribute name: #{name.dump} must include at least one letter" ++ elsif name !~ VALID_NAME_PATTERN then ++ raise Gem::InvalidSpecificationException, ++ "invalid value for attribute name: #{name.dump} can only include letters, numbers, dashes, and underscores" + end + + if raw_require_paths.empty? 
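Review bot: `verify_spec_name` accepts anything matching `VALID_NAME_PATTERN` (`/\A[a-zA-Z0-9\.\-\_]+\z/`), which includes names made only of dots such as `..`; the "must include at least one letter" rule is added to `Gem::Specification#validate` in the next hunk, and `pre_install_checks` does not call `validate`, so the install-time check is weaker than the build-time one. Whether a dot-only name can reach a filesystem path without the `-version` suffix depends on `full_name` and the install-path code, which are outside these hunks, but mirroring both rules is cheap: `return if spec.name =~ VALID_NAME_PATTERN && spec.name =~ /[a-zA-Z]/`. `pre_install_checks` continues outside the hunk.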
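Review bot: `URI("http://" + target).host` turns a malformed SRV target into a `URI::InvalidURIError` and can yield a `nil` host, and `target` comes straight from the DNS answer (`res.target.to_s.strip`), so a bad or hostile record now aborts `api_endpoint` where the old regex simply did not match and presumably fell through to the default endpoint. Since the DNS answer is the attacker-influenced input this CVE fix is about, the suffix check should fail closed instead of raising; the `end_with?` comparison is also case-sensitive while DNS names are not, which only ever refuses a redirect and is therefore the safe direction. `api_endpoint` begins and ends outside the hunk.
```ruby
        target = res.target.to_s.strip

        begin
          target_host = URI("http://" + target).host
        rescue URI::InvalidURIError
          target_host = nil
        end

        # Fail closed: only redirect to a strict subdomain of the original host.
        if target_host && target_host.end_with?(".#{host}")
          return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
        end
```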
then +diff --git lib/rubygems/text.rb lib/rubygems/text.rb +index 732f1b99f2..b944b62c27 100644 +--- lib/rubygems/text.rb ++++ lib/rubygems/text.rb +@@ -6,13 +6,26 @@ + + module Gem::Text + ++ ## ++ # Remove any non-printable characters and make the text suitable for ++ # printing. ++ def clean_text(text) ++ text.gsub(/[\000-\b\v-\f\016-\037\177]/, ".".freeze) ++ end ++ ++ def truncate_text(text, description, max_length = 100_000) ++ raise ArgumentError, "max_length must be positive" unless max_length > 0 ++ return text if text.size <= max_length ++ "Truncating #{description} to #{max_length.to_s.reverse.gsub(/...(?=.)/,'\&,').reverse} characters:\n" + text[0, max_length] ++ end ++ + ## + # Wraps +text+ to +wrap+ characters and optionally indents by +indent+ + # characters + + def format_text(text, wrap, indent=0) + result = [] +- work = text.dup ++ work = clean_text(text) + + while work.length > wrap do + if work =~ /^(.{0,#{wrap}})[ \n]/ then +diff --git test/rubygems/test_gem_commands_query_command.rb test/rubygems/test_gem_commands_query_command.rb +index 78c15a1770..9ec715492f 100644 +--- test/rubygems/test_gem_commands_query_command.rb ++++ test/rubygems/test_gem_commands_query_command.rb +@@ -116,6 +116,86 @@ def test_execute_details + This is a lot of text. This is a lot of text. This is a lot of text. + This is a lot of text. + ++pl (1) ++ Platform: i386-linux ++ Author: A User ++ Homepage: http://example.com ++ ++ this is a summary ++ EOF ++ ++ assert_equal expected, @ui.output ++ assert_equal '', @ui.error ++ end ++ ++ def test_execute_details_cleans_text ++ spec_fetcher do |fetcher| ++ fetcher.spec 'a', 2 do |s| ++ s.summary = 'This is a lot of text. 
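Review bot: The last branch's message, `can only include letters, numbers, dashes, and underscores`, disagrees with `VALID_NAME_PATTERN`, whose character class also contains `\.` — a name with dots passes the check while the text says it should not, and the new test for `"\ba\t"` pins the wording. Make the message match the pattern: `"invalid value for attribute name: #{name.dump} can only include letters, numbers, dots, dashes, and underscores"` (and the matching expectation in `test_gem_specification.rb`). `validate` continues outside the hunk.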
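Review bot: The class in `clean_text`, `[\000-\b\v-\f\016-\037\177]`, replaces the C0 controls and DEL but leaves `\t`, `\n` and `\r` alone; `\r` has no legitimate use in a summary and lets a remote spec overwrite the current terminal line, so it should be included: `text.gsub(/[\000-\b\v-\r\016-\037\177]/, ".".freeze)` (`\v-\r` spans 0x0B–0x0D). C1 controls (U+0080–U+009F, with U+009B being an 8-bit CSI) are not touched; whether terminals honour them in UTF-8 mode varies, so at least document the scope: `# Replaces C0 controls and DEL only; \t and \n are kept for format_text, C1 controls are not handled.` `String#gsub` raises `ArgumentError` on a string with an invalid byte sequence, so a summary fetched with a broken encoding would now abort the whole listing; `text.scrub` before the `gsub` avoids that on Rubies that have it.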
' * 4 ++ s.authors = ["Abraham Lincoln \x01", "\x02 Hirohito"] ++ s.homepage = "http://a.example.com/\x03" ++ end ++ ++ fetcher.legacy_platform ++ end ++ ++ @cmd.handle_options %w[-r -d] ++ ++ use_ui @ui do ++ @cmd.execute ++ end ++ ++ expected = <<-EOF ++ ++*** REMOTE GEMS *** ++ ++a (2) ++ Authors: Abraham Lincoln ., . Hirohito ++ Homepage: http://a.example.com/. ++ ++ This is a lot of text. This is a lot of text. This is a lot of text. ++ This is a lot of text. ++ ++pl (1) ++ Platform: i386-linux ++ Author: A User ++ Homepage: http://example.com ++ ++ this is a summary ++ EOF ++ ++ assert_equal expected, @ui.output ++ assert_equal '', @ui.error ++ end ++ ++ def test_execute_details_truncates_summary ++ spec_fetcher do |fetcher| ++ fetcher.spec 'a', 2 do |s| ++ s.summary = 'This is a lot of text. ' * 10_000 ++ s.authors = ["Abraham Lincoln \x01", "\x02 Hirohito"] ++ s.homepage = "http://a.example.com/\x03" ++ end ++ ++ fetcher.legacy_platform ++ end ++ ++ @cmd.handle_options %w[-r -d] ++ ++ use_ui @ui do ++ @cmd.execute ++ end ++ ++ expected = <<-EOF ++ ++*** REMOTE GEMS *** ++ ++a (2) ++ Authors: Abraham Lincoln ., . Hirohito ++ Homepage: http://a.example.com/. ++ ++ Truncating the summary for a-2 to 100,000 characters: ++#{" This is a lot of text. This is a lot of text. 
This is a lot of text.\n" * 1449} This is a lot of te ++ + pl (1) + Platform: i386-linux + Author: A User +diff --git test/rubygems/test_gem_installer.rb test/rubygems/test_gem_installer.rb +index 5ec71d0a01..1092a0c68f 100644 +--- test/rubygems/test_gem_installer.rb ++++ test/rubygems/test_gem_installer.rb +@@ -1227,6 +1227,26 @@ def test_pre_install_checks_wrong_rubygems_version + end + end + ++ def test_pre_install_checks_malicious_name ++ spec = util_spec '../malicious', '1' ++ def spec.full_name # so the spec is buildable ++ "malicious-1" ++ end ++ def spec.validate; end ++ ++ util_build_gem spec ++ ++ gem = File.join(@gemhome, 'cache', spec.file_name) ++ ++ use_ui @ui do ++ @installer = Gem::Installer.at gem ++ e = assert_raises Gem::InstallError do ++ @installer.pre_install_checks ++ end ++ assert_equal '# has an invalid name', e.message ++ end ++ end ++ + def test_shebang + util_make_exec @spec, "#!/usr/bin/ruby" + +diff --git test/rubygems/test_gem_remote_fetcher.rb test/rubygems/test_gem_remote_fetcher.rb +index 49b6b6656c..a3919c8ef2 100644 +--- test/rubygems/test_gem_remote_fetcher.rb ++++ test/rubygems/test_gem_remote_fetcher.rb +@@ -253,6 +253,21 @@ def test_api_endpoint_ignores_trans_domain_values_that_end_with_original + dns.verify + end + ++ def test_api_endpoint_ignores_trans_domain_values_that_end_with_original_in_path ++ uri = URI.parse "http://example.com/foo" ++ target = MiniTest::Mock.new ++ target.expect :target, "evil.com/a.example.com" ++ ++ dns = MiniTest::Mock.new ++ dns.expect :getresource, target, [String, Object] ++ ++ fetch = Gem::RemoteFetcher.new nil, dns ++ assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri) ++ ++ target.verify ++ dns.verify ++ end ++ + def test_api_endpoint_timeout_warning + uri = URI.parse "http://gems.example.com/foo" + +diff --git test/rubygems/test_gem_specification.rb test/rubygems/test_gem_specification.rb +index bc1c8d2ca7..9a49bbbf59 100644 +--- 
test/rubygems/test_gem_specification.rb ++++ test/rubygems/test_gem_specification.rb +@@ -2974,7 +2974,37 @@ def test_validate_name + @a1.validate + end + +- assert_equal 'invalid value for attribute name: ":json"', e.message ++ assert_equal 'invalid value for attribute name: ":json" must be a string', e.message ++ ++ @a1.name = [] ++ e = assert_raises Gem::InvalidSpecificationException do ++ @a1.validate ++ end ++ assert_equal "invalid value for attribute name: \"[]\" must be a string", e.message ++ ++ @a1.name = "" ++ e = assert_raises Gem::InvalidSpecificationException do ++ @a1.validate ++ end ++ assert_equal "invalid value for attribute name: \"\" must include at least one letter", e.message ++ ++ @a1.name = "12345" ++ e = assert_raises Gem::InvalidSpecificationException do ++ @a1.validate ++ end ++ assert_equal "invalid value for attribute name: \"12345\" must include at least one letter", e.message ++ ++ @a1.name = "../malicious" ++ e = assert_raises Gem::InvalidSpecificationException do ++ @a1.validate ++ end ++ assert_equal "invalid value for attribute name: \"../malicious\" can only include letters, numbers, dashes, and underscores", e.message ++ ++ @a1.name = "\ba\t" ++ e = assert_raises Gem::InvalidSpecificationException do ++ @a1.validate ++ end ++ assert_equal "invalid value for attribute name: \"\\ba\\t\" can only include letters, numbers, dashes, and underscores", e.message + end + + def test_validate_non_nil +diff --git test/rubygems/test_gem_text.rb test/rubygems/test_gem_text.rb +index a6e22e04da..04f3f605e8 100644 +--- test/rubygems/test_gem_text.rb ++++ test/rubygems/test_gem_text.rb +@@ -36,6 +36,10 @@ def test_format_text_trailing # for two spaces after . + assert_equal expected, format_text(text, 78) + end + ++ def test_format_removes_nonprintable_characters ++ assert_equal "text with weird .. 
stuff .", format_text("text with weird \x1b\x02 stuff \x7f", 40) ++ end ++ + def test_min3 + assert_equal 1, min3(1, 1, 1) + assert_equal 1, min3(1, 1, 2) +@@ -74,4 +78,11 @@ def test_levenshtein_distance_replace + assert_equal 7, levenshtein_distance("xxxxxxx", "ZenTest") + assert_equal 7, levenshtein_distance("zentest", "xxxxxxx") + end ++ ++ def test_truncate_text ++ assert_equal "abc", truncate_text("abc", "desc") ++ assert_equal "Truncating desc to 2 characters:\nab", truncate_text("abc", "desc", 2) ++ s = "ab" * 500_001 ++ assert_equal "Truncating desc to 1,000,000 characters:\n#{s[0, 1_000_000]}", truncate_text(s, "desc", 1_000_000) ++ end + end diff --git a/ruby.spec b/ruby.spec index fa605ff..28780ed 100644 --- a/ruby.spec +++ b/ruby.spec @@ -21,7 +21,7 @@ %endif -%global release 63 +%global release 64 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} # The RubyGems library has to stay out of Ruby directory three, since the @@ -29,7 +29,7 @@ %global rubygems_dir %{_datadir}/rubygems # Bundled libraries versions -%global rubygems_version 2.5.2 +%global rubygems_version 2.5.2.1 %global molinillo_version 0.4.1 # TODO: The IRB has strange versioning. Keep the Ruby's versioning ATM. 
@@ -135,6 +135,15 @@ Patch10: ruby-2.3.4-remove-the-encryption-key-initialization.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1461848 # https://github.com/ruby/ruby/pull/1647 Patch11: ruby-2.4.0-SMTP-injection-fix.patch +# Fix various RubyGems CVEs: +# an ANSI escape sequence vulnerability (CVE-2017-0899). +# a DoS vulnerability in the query command (CVE-2017-0900). +# a vulnerability in the gem installer that allowed a malicious gem +# to overwrite arbitrary files (CVE-2017-0901). +# a DNS request hijacking vulnerability (CVE-2017-0902). +# https://bugzilla.redhat.com/show_bug.cgi?id=1487591 +# https://bugs.ruby-lang.org/issues/13842 +Patch12: ruby-2.3.4-Fix-RubyGems-CVEs.patch # Do not freeze strings in generated .gemspec. This causes regressions # and FTBFS in Fedora packages. This is revert of: # https://github.com/rubygems/rubygems/commit/8eda3272d28010c768a05620de776e5a8195c1ae @@ -490,6 +499,7 @@ rm -rf ext/fiddle/libffi* %patch9 -p1 %patch10 -p1 %patch11 -p1 +%patch12 %patch100 -p1 # Provide an example of usage of the tapset: @@ -980,6 +990,13 @@ make check TESTS="-v $DISABLE_TESTS" %{ruby_libdir}/tkextlib %changelog +* Wed Sep 06 2017 Vít Ondruch - 2.3.4-64 +- Fix ANSI escape sequence vulnerability (rhbz#1487590). +- Fix DoS vulnerability in the query command (rhbz#1487588). +- Fix a vulnerability in the gem installer that allowed a malicious gem + to overwrite arbitrary files (rhbz#1487587). +- Fix DNS request hijacking vulnerability (rhbz#1487589). + * Tue Aug 08 2017 Vít Ondruch - 2.3.4-63 - Update to Ruby 2.3.4. - Fix SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM From 0cea76d0f1085bf06770b50bd1405f839520dcfd Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?V=C3=ADt=20Ondruch?= Date: Wed, 6 Sep 2017 14:29:40 +0200 Subject: [PATCH 13/15] Fix arbitrary heap exposure during a JSON.generate call (rhbz#1487552). --- ...exposure-during-a-JSON.generate-call.patch | 93 +++++++++++++++++++ ruby.spec | 8 +- 2 files changed, 100 insertions(+), 1 deletion(-) create mode 100644 ruby-2.3.4-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch diff --git a/ruby-2.3.4-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch b/ruby-2.3.4-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch new file mode 100644 index 0000000..7c9034d --- /dev/null +++ b/ruby-2.3.4-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch 
@@ -0,0 +1,93 @@
+diff --git ext/json/generator/generator.c ext/json/generator/generator.c
+index a135e28348..2cdca5685f 100644
+--- ext/json/generator/generator.c
++++ ext/json/generator/generator.c
+@@ -301,7 +301,7 @@ static char *fstrndup(const char *ptr, unsigned long len) {
+ char *result;
+ if (len <= 0) return NULL;
+ result = ALLOC_N(char, len);
+- memccpy(result, ptr, 0, len);
++ memcpy(result, ptr, len);
+ return result;
+ }
+
+@@ -1055,7 +1055,7 @@ static VALUE cState_indent_set(VALUE self, VALUE indent)
+ }
+ } else {
+ if (state->indent) ruby_xfree(state->indent);
+- state->indent = strdup(RSTRING_PTR(indent));
++ state->indent = fstrndup(RSTRING_PTR(indent), len);
+ state->indent_len = len;
+ }
+ return Qnil;
+@@ -1093,7 +1093,7 @@ static VALUE cState_space_set(VALUE self, VALUE space)
+ }
+ } else {
+ if (state->space) ruby_xfree(state->space);
+- state->space = strdup(RSTRING_PTR(space));
++ state->space = fstrndup(RSTRING_PTR(space), len);
+ state->space_len = len;
+ }
+ return Qnil;
+@@ -1129,7 +1129,7 @@ static VALUE cState_space_before_set(VALUE self, VALUE space_before)
+ }
+ } else {
+ if (state->space_before) ruby_xfree(state->space_before);
+- state->space_before = strdup(RSTRING_PTR(space_before));
++ state->space_before = fstrndup(RSTRING_PTR(space_before), len);
+ state->space_before_len = len;
+ }
+ return Qnil;
+@@ -1166,7 +1166,7 @@ static VALUE cState_object_nl_set(VALUE self, VALUE object_nl)
+ }
+ } else {
+ if (state->object_nl) ruby_xfree(state->object_nl);
+- state->object_nl = strdup(RSTRING_PTR(object_nl));
++ state->object_nl = fstrndup(RSTRING_PTR(object_nl), len);
+ state->object_nl_len = len;
+ }
+ return Qnil;
+@@ -1201,7 +1201,7 @@ static VALUE cState_array_nl_set(VALUE self, VALUE array_nl)
+ }
+ } else {
+ if (state->array_nl) ruby_xfree(state->array_nl);
+- state->array_nl = strdup(RSTRING_PTR(array_nl));
++ state->array_nl = fstrndup(RSTRING_PTR(array_nl), len);
+ state->array_nl_len = len;
+ }
+ return Qnil;
+diff
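Review bot: After this change `fstrndup` returns a buffer of exactly `len` bytes with no terminating NUL (`ALLOC_N(char, len)` followed by `memcpy`), whereas the `strdup` it replaces in the five setters produced NUL-terminated strings. Every consumer must therefore use the stored `*_len` rather than `strlen` or `%s`; the getters (`cState_indent` and friends) and the output routines are outside these hunks, so if any of them still does `rb_str_new2(state->indent)` it now reads past the allocation. Suggest a comment on `fstrndup`: `/* Returns len bytes, NOT NUL-terminated: callers must carry the length alongside. */`, plus a grep for `rb_str_new2(state->` in the same file. `if (len <= 0) return NULL;` with an `unsigned long len` is just `len == 0`; harmless, but `== 0` says what it means.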
--git ext/json/generator/generator.h ext/json/generator/generator.h +index 298c0a4965..6bbf817b7d 100644 +--- ext/json/generator/generator.h ++++ ext/json/generator/generator.h +@@ -1,7 +1,6 @@ + #ifndef _GENERATOR_H_ + #define _GENERATOR_H_ + +-#include + #include + #include + +diff --git ext/json/lib/json/version.rb ext/json/lib/json/version.rb +index b5748334b9..cd7ddf8777 100644 +--- ext/json/lib/json/version.rb ++++ ext/json/lib/json/version.rb +@@ -1,7 +1,7 @@ + # frozen_string_literal: false + module JSON + # JSON version +- VERSION = '1.8.3' ++ VERSION = '1.8.3.1' + VERSION_ARRAY = VERSION.split(/\./).map { |x| x.to_i } # :nodoc: + VERSION_MAJOR = VERSION_ARRAY[0] # :nodoc: + VERSION_MINOR = VERSION_ARRAY[1] # :nodoc: +--- ext/json/json.gemspec ++++ ext/json/json.gemspec +@@ -1,6 +1,6 @@ + Gem::Specification.new do |s| + s.name = "json" +- s.version = "1.8.3" ++ s.version = "1.8.3.1" + s.summary = "This json is bundled with Ruby" + s.executables = [] + s.files = ["json.rb", "json/add/bigdecimal.rb", "json/add/complex.rb", "json/add/core.rb", "json/add/date.rb", "json/add/date_time.rb", "json/add/exception.rb", "json/add/ostruct.rb", "json/add/range.rb", "json/add/rational.rb", "json/add/regexp.rb", "json/add/struct.rb", "json/add/symbol.rb", "json/add/time.rb", "json/common.rb", "json/ext.rb", "json/ext/generator.bundle", "json/ext/parser.bundle", "json/generic_object.rb", "json/version.rb"] diff --git a/ruby.spec b/ruby.spec index 28780ed..d3725f6 100644 --- a/ruby.spec +++ b/ruby.spec @@ -39,7 +39,7 @@ %global bigdecimal_version 1.2.8 %global did_you_mean_version 1.0.0 %global io_console_version 0.4.5 -%global json_version 1.8.3 +%global json_version 1.8.3.1 %global minitest_version 5.8.5 %global power_assert_version 0.2.6 %global psych_version 2.1.0 
@@ -144,6 +144,10 @@ Patch11: ruby-2.4.0-SMTP-injection-fix.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1487591 # https://bugs.ruby-lang.org/issues/13842 Patch12: ruby-2.3.4-Fix-RubyGems-CVEs.patch +# Fix arbitrary heap exposure during a JSON.generate call (CVE-2017-14064). +# https://bugzilla.redhat.com/show_bug.cgi?id=1487553 +# https://bugs.ruby-lang.org/issues/13853 +Patch13: ruby-2.3.4-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch # Do not freeze strings in generated .gemspec. This causes regressions # and FTBFS in Fedora packages. This is revert of: # https://github.com/rubygems/rubygems/commit/8eda3272d28010c768a05620de776e5a8195c1ae @@ -500,6 +504,7 @@ rm -rf ext/fiddle/libffi* %patch10 -p1 %patch11 -p1 %patch12 +%patch13 %patch100 -p1 # Provide an example of usage of the tapset: @@ -996,6 +1001,7 @@ make check TESTS="-v $DISABLE_TESTS" - Fix a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files (rhbz#1487587). - Fix DNS request hijacking vulnerability (rhbz#1487589). +- Fix arbitrary heap exposure during a JSON.generate call (rhbz#1487552). * Tue Aug 08 2017 Vít Ondruch - 2.3.4-63 - Update to Ruby 2.3.4. From 76119c738a16db4b0c4e3642f47f781b5649f0b5 Mon Sep 17 00:00:00 2001 
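Review bot: The Patch13 comment block cites bugzilla 1487553 while the %changelog entry added in the same commit cites rhbz#1487552; one of the two is a typo, and since the changelog is what ends up in the built RPM it should point at the same tracker bug as the Patch comment, e.g. `- Fix arbitrary heap exposure during a JSON.generate call (rhbz#1487553).` if the comment is the correct one (which number is right is not visible from this page). `%patch13` is applied without `-p1`, mirroring `%patch12` and consistent with the new patch's `diff --git ext/json/... ext/json/...` headers carrying no a/ b/ prefix; a one-line comment next to the two prefix-less entries, such as `# Patch12 and Patch13 are -p0 patches (no a/ b/ prefix)`, would keep the next updater from "fixing" them to -p1.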
From: Pavel Valena Date: Mon, 2 Oct 2017 13:54:11 +0200 Subject: [PATCH 14/15] Update to Ruby 2.3.5. Patch10, Patch11, Patch12 and Patch13 subsumed. --- ...-additional-preludes-by-configuratio.patch | 2 +- ...0-Enable-configuration-of-archlibdir.patch | 2 +- ...ed-paths-when-empty-version-string-i.patch | 2 +- ruby-2.1.0-always-use-i386.patch | 2 +- ruby-2.1.0-custom-rubygems-location.patch | 4 +- ruby-2.3.0-ruby_version.patch | 6 +- ...e-frozen-strings-in-serialized-specs.patch | 8 +- ruby-2.3.4-Fix-RubyGems-CVEs.patch | 355 ------------------ ...exposure-during-a-JSON.generate-call.patch | 93 ----- ...ve-the-encryption-key-initialization.patch | 170 --------- ruby-2.4.0-SMTP-injection-fix.patch | 122 ------ ruby.spec | 35 +- sources | 2 +- 13 files changed, 20 insertions(+), 783 deletions(-) delete mode 100644 ruby-2.3.4-Fix-RubyGems-CVEs.patch delete mode 100644 ruby-2.3.4-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch delete mode 100644 ruby-2.3.4-remove-the-encryption-key-initialization.patch delete mode 100644 ruby-2.4.0-SMTP-injection-fix.patch diff --git a/ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch b/ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch index fcd4767..6dd21d3 100644 --- a/ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch +++ b/ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch @@ -39,7 +39,7 @@ diff --git a/configure.in b/configure.in index 0e371e2..d4f1dcb 100644 --- a/configure.in +++ b/configure.in -@@ -4407,6 +4407,13 @@ AC_SUBST(rubyarchhdrdir)dnl +@@ -4402,6 +4402,13 @@ AC_SUBST(rubyarchhdrdir)dnl AC_SUBST(sitearchhdrdir)dnl AC_SUBST(vendorarchhdrdir)dnl diff --git a/ruby-2.1.0-Enable-configuration-of-archlibdir.patch b/ruby-2.1.0-Enable-configuration-of-archlibdir.patch index e9b6536..3d3b4fc 100644 --- a/ruby-2.1.0-Enable-configuration-of-archlibdir.patch +++ b/ruby-2.1.0-Enable-configuration-of-archlibdir.patch @@ -11,7 +11,7 @@ 
diff --git a/configure.in b/configure.in index 37d9a62..553d4d0 100644 --- a/configure.in +++ b/configure.in -@@ -3665,6 +3665,11 @@ if test ${multiarch+set}; then +@@ -3666,6 +3666,11 @@ if test ${multiarch+set}; then fi archlibdir='${libdir}/${arch}' diff --git a/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch b/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch index 06370d1..dd588ab 100644 --- a/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch +++ b/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch @@ -14,7 +14,7 @@ diff --git a/configure.in b/configure.in index db37cd6..ce8d149 100644 --- a/configure.in +++ b/configure.in -@@ -4261,7 +4261,8 @@ AS_CASE(["$ruby_version_dir_name"], +@@ -4256,7 +4256,8 @@ AS_CASE(["$ruby_version_dir_name"], ruby_version_dir=/'${ruby_version_dir_name}' if test -z "${ruby_version_dir_name}"; then diff --git a/ruby-2.1.0-always-use-i386.patch b/ruby-2.1.0-always-use-i386.patch index b19da44..58689fd 100644 --- a/ruby-2.1.0-always-use-i386.patch +++ b/ruby-2.1.0-always-use-i386.patch @@ -11,7 +11,7 @@ diff --git a/configure.in b/configure.in index 553d4d0..03a4152 100644 --- a/configure.in +++ b/configure.in -@@ -4325,6 +4325,8 @@ AC_SUBST(vendorarchdir)dnl +@@ -4320,6 +4320,8 @@ AC_SUBST(vendorarchdir)dnl AC_SUBST(CONFIGURE, "`echo $0 | sed 's|.*/||'`")dnl AC_SUBST(configure_args, "`echo "${ac_configure_args}" | sed 's/\\$/$$/g'`")dnl diff --git a/ruby-2.1.0-custom-rubygems-location.patch b/ruby-2.1.0-custom-rubygems-location.patch index 849bc19..5134e3e 100644 --- a/ruby-2.1.0-custom-rubygems-location.patch +++ b/ruby-2.1.0-custom-rubygems-location.patch @@ -15,7 +15,7 @@ diff --git a/configure.in b/configure.in index 03a4152..0e371e2 100644 --- a/configure.in 
+++ b/configure.in -@@ -4297,6 +4297,10 @@ AC_ARG_WITH(vendorarchdir, +@@ -4292,6 +4292,10 @@ AC_ARG_WITH(vendorarchdir, [vendorarchdir=$withval], [vendorarchdir=${multiarch+'${rubysitearchprefix}/vendor_ruby'${ruby_version_dir}}${multiarch-'${vendorlibdir}/${sitearch}'}]) @@ -26,7 +26,7 @@ index 03a4152..0e371e2 100644 if test "${LOAD_RELATIVE+set}"; then AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE) RUBY_EXEC_PREFIX='' -@@ -4321,6 +4325,7 @@ AC_SUBST(sitearchdir)dnl +@@ -4316,6 +4320,7 @@ AC_SUBST(sitearchdir)dnl AC_SUBST(vendordir)dnl AC_SUBST(vendorlibdir)dnl AC_SUBST(vendorarchdir)dnl diff --git a/ruby-2.3.0-ruby_version.patch b/ruby-2.3.0-ruby_version.patch index 8d79c50..019b542 100644 --- a/ruby-2.3.0-ruby_version.patch +++ b/ruby-2.3.0-ruby_version.patch @@ -20,7 +20,7 @@ diff --git a/configure.in b/configure.in index db37cd6..6e73fae 100644 --- a/configure.in +++ b/configure.in -@@ -4210,9 +4210,6 @@ AS_CASE(["$target_os"], +@@ -4205,9 +4205,6 @@ AS_CASE(["$target_os"], rubyw_install_name='$(RUBYW_INSTALL_NAME)' ]) @@ -30,7 +30,7 @@ index db37cd6..6e73fae 100644 rubyarchprefix=${multiarch+'${archlibdir}/${RUBY_BASE_NAME}'}${multiarch-'${rubylibprefix}/${arch}'} AC_ARG_WITH(rubyarchprefix, AS_HELP_STRING([--with-rubyarchprefix=DIR], -@@ -4235,58 +4232,64 @@ AC_ARG_WITH(ridir, +@@ -4230,58 +4227,64 @@ AC_ARG_WITH(ridir, AC_SUBST(ridir) AC_SUBST(RI_BASE_NAME) @@ -124,7 +124,7 @@ index db37cd6..6e73fae 100644 if test "${LOAD_RELATIVE+set}"; then AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE) -@@ -4303,6 +4306,7 @@ AC_SUBST(sitearchincludedir)dnl +@@ -4298,6 +4301,7 @@ AC_SUBST(sitearchincludedir)dnl AC_SUBST(arch)dnl AC_SUBST(sitearch)dnl AC_SUBST(ruby_version)dnl diff --git a/ruby-2.3.3-Revert-use-frozen-strings-in-serialized-specs.patch b/ruby-2.3.3-Revert-use-frozen-strings-in-serialized-specs.patch index 5647460..e9e5819 100644 --- a/ruby-2.3.3-Revert-use-frozen-strings-in-serialized-specs.patch 
+++ b/ruby-2.3.3-Revert-use-frozen-strings-in-serialized-specs.patch @@ -13,7 +13,7 @@ diff --git a/lib/rubygems/specification.rb b/lib/rubygems/specification.rb index 7128532..654996a 100644 --- a/lib/rubygems/specification.rb +++ b/lib/rubygems/specification.rb -@@ -2335,7 +2335,7 @@ class Gem::Specification < Gem::BasicSpecification +@@ -2337,7 +2337,7 @@ class Gem::Specification < Gem::BasicSpecification def ruby_code(obj) case obj @@ -22,7 +22,7 @@ index 7128532..654996a 100644 when Array then '[' + obj.map { |x| ruby_code x }.join(", ") + ']' when Hash then seg = obj.keys.sort.map { |k| "#{k.to_s.dump} => #{obj[k].to_s.dump}" } -@@ -2525,14 +2525,14 @@ class Gem::Specification < Gem::BasicSpecification +@@ -2527,14 +2527,14 @@ class Gem::Specification < Gem::BasicSpecification dependencies.each do |dep| req = dep.requirements_list.inspect dep.instance_variable_set :@type, :runtime if dep.type.nil? # HACK @@ -39,7 +39,7 @@ index 7128532..654996a 100644 end result << ' end' -@@ -2540,7 +2540,7 @@ class Gem::Specification < Gem::BasicSpecification +@@ -2542,7 +2542,7 @@ class Gem::Specification < Gem::BasicSpecification result << " else" dependencies.each do |dep| version_reqs_param = dep.requirements_list.inspect @@ -209,7 +209,7 @@ index dc7b134..204e100 100644 end end SPEC -@@ -3294,20 +3294,20 @@ Did you mean 'Ruby'? +@@ -3324,20 +3324,20 @@ Did you mean 'Ruby'? # stub: m 1 ruby lib Gem::Specification.new do |s| diff --git a/ruby-2.3.4-Fix-RubyGems-CVEs.patch b/ruby-2.3.4-Fix-RubyGems-CVEs.patch deleted file mode 100644 index 99f86de..0000000 --- a/ruby-2.3.4-Fix-RubyGems-CVEs.patch +++ /dev/null 
@@ -1,355 +0,0 @@ -diff --git lib/rubygems.rb lib/rubygems.rb -index 04031c765c..9c0219ce06 100644 ---- lib/rubygems.rb -+++ lib/rubygems.rb -@@ -10,7 +10,7 @@ - require 'thread' - - module Gem -- VERSION = '2.5.2' -+ VERSION = '2.5.2.1' - end - - # Must be first since it unloads the prelude from 1.9.2 -diff --git lib/rubygems/commands/query_command.rb lib/rubygems/commands/query_command.rb -index d6196b44ed..61e9808860 100644 ---- lib/rubygems/commands/query_command.rb -+++ lib/rubygems/commands/query_command.rb -@@ -226,7 +226,7 @@ def output_versions output, versions - end - end - -- output << make_entry(matching_tuples, platforms) -+ output << clean_text(make_entry(matching_tuples, platforms)) - end - end - -@@ -344,7 +344,8 @@ def spec_platforms entry, platforms - end - - def spec_summary entry, spec -- entry << "\n\n" << format_text(spec.summary, 68, 4) -+ summary = truncate_text(spec.summary, "the summary for #{spec.full_name}") -+ entry << "\n\n" << format_text(summary, 68, 4) - end - - end -diff --git lib/rubygems/installer.rb lib/rubygems/installer.rb -index 85358e0d1a..709b77d126 100644 ---- lib/rubygems/installer.rb -+++ lib/rubygems/installer.rb -@@ -693,6 +693,11 @@ def verify_gem_home(unpack = false) # :nodoc: - unpack or File.writable?(gem_home) - end - -+ def verify_spec_name -+ return if spec.name =~ Gem::Specification::VALID_NAME_PATTERN -+ raise Gem::InstallError, "#{spec} has an invalid name" -+ end -+ - ## - # Return the text for an application file. 
- -@@ -812,6 +817,8 @@ def pre_install_checks - - ensure_loadable_spec - -+ verify_spec_name -+ - if options[:install_as_default] - Gem.ensure_default_gem_subdirectories gem_home - else -diff --git lib/rubygems/remote_fetcher.rb lib/rubygems/remote_fetcher.rb -index fda1e067ef..254bebfadf 100644 ---- lib/rubygems/remote_fetcher.rb -+++ lib/rubygems/remote_fetcher.rb -@@ -104,7 +104,7 @@ def api_endpoint(uri) - else - target = res.target.to_s.strip - -- if /\.#{Regexp.quote(host)}\z/ =~ target -+ if URI("http://" + target).host.end_with?(".#{host}") - return URI.parse "#{uri.scheme}://#{target}#{uri.path}" - end - -diff --git lib/rubygems/specification.rb lib/rubygems/specification.rb -index 8e2557cdb2..dd4fde1776 100644 ---- lib/rubygems/specification.rb -+++ lib/rubygems/specification.rb -@@ -108,6 +108,8 @@ class Gem::Specification < Gem::BasicSpecification - - private_constant :LOAD_CACHE if defined? private_constant - -+ VALID_NAME_PATTERN = /\A[a-zA-Z0-9\.\-\_]+\z/ # :nodoc: -+ - # :startdoc: - - ## -@@ -2665,9 +2667,15 @@ def validate packaging = true - end - end - -- unless String === name then -+ if !name.is_a?(String) then - raise Gem::InvalidSpecificationException, -- "invalid value for attribute name: \"#{name.inspect}\"" -+ "invalid value for attribute name: \"#{name.inspect}\" must be a string" -+ elsif name !~ /[a-zA-Z]/ then -+ raise Gem::InvalidSpecificationException, -+ "invalid value for attribute name: #{name.dump} must include at least one letter" -+ elsif name !~ VALID_NAME_PATTERN then -+ raise Gem::InvalidSpecificationException, -+ "invalid value for attribute name: #{name.dump} can only include letters, numbers, dashes, and underscores" - end - - if raw_require_paths.empty? 
then -diff --git lib/rubygems/text.rb lib/rubygems/text.rb -index 732f1b99f2..b944b62c27 100644 ---- lib/rubygems/text.rb -+++ lib/rubygems/text.rb -@@ -6,13 +6,26 @@ - - module Gem::Text - -+ ## -+ # Remove any non-printable characters and make the text suitable for -+ # printing. -+ def clean_text(text) -+ text.gsub(/[\000-\b\v-\f\016-\037\177]/, ".".freeze) -+ end -+ -+ def truncate_text(text, description, max_length = 100_000) -+ raise ArgumentError, "max_length must be positive" unless max_length > 0 -+ return text if text.size <= max_length -+ "Truncating #{description} to #{max_length.to_s.reverse.gsub(/...(?=.)/,'\&,').reverse} characters:\n" + text[0, max_length] -+ end -+ - ## - # Wraps +text+ to +wrap+ characters and optionally indents by +indent+ - # characters - - def format_text(text, wrap, indent=0) - result = [] -- work = text.dup -+ work = clean_text(text) - - while work.length > wrap do - if work =~ /^(.{0,#{wrap}})[ \n]/ then -diff --git test/rubygems/test_gem_commands_query_command.rb test/rubygems/test_gem_commands_query_command.rb -index 78c15a1770..9ec715492f 100644 ---- test/rubygems/test_gem_commands_query_command.rb -+++ test/rubygems/test_gem_commands_query_command.rb -@@ -116,6 +116,86 @@ def test_execute_details - This is a lot of text. This is a lot of text. This is a lot of text. - This is a lot of text. - -+pl (1) -+ Platform: i386-linux -+ Author: A User -+ Homepage: http://example.com -+ -+ this is a summary -+ EOF -+ -+ assert_equal expected, @ui.output -+ assert_equal '', @ui.error -+ end -+ -+ def test_execute_details_cleans_text -+ spec_fetcher do |fetcher| -+ fetcher.spec 'a', 2 do |s| -+ s.summary = 'This is a lot of text. 
' * 4 -+ s.authors = ["Abraham Lincoln \x01", "\x02 Hirohito"] -+ s.homepage = "http://a.example.com/\x03" -+ end -+ -+ fetcher.legacy_platform -+ end -+ -+ @cmd.handle_options %w[-r -d] -+ -+ use_ui @ui do -+ @cmd.execute -+ end -+ -+ expected = <<-EOF -+ -+*** REMOTE GEMS *** -+ -+a (2) -+ Authors: Abraham Lincoln ., . Hirohito -+ Homepage: http://a.example.com/. -+ -+ This is a lot of text. This is a lot of text. This is a lot of text. -+ This is a lot of text. -+ -+pl (1) -+ Platform: i386-linux -+ Author: A User -+ Homepage: http://example.com -+ -+ this is a summary -+ EOF -+ -+ assert_equal expected, @ui.output -+ assert_equal '', @ui.error -+ end -+ -+ def test_execute_details_truncates_summary -+ spec_fetcher do |fetcher| -+ fetcher.spec 'a', 2 do |s| -+ s.summary = 'This is a lot of text. ' * 10_000 -+ s.authors = ["Abraham Lincoln \x01", "\x02 Hirohito"] -+ s.homepage = "http://a.example.com/\x03" -+ end -+ -+ fetcher.legacy_platform -+ end -+ -+ @cmd.handle_options %w[-r -d] -+ -+ use_ui @ui do -+ @cmd.execute -+ end -+ -+ expected = <<-EOF -+ -+*** REMOTE GEMS *** -+ -+a (2) -+ Authors: Abraham Lincoln ., . Hirohito -+ Homepage: http://a.example.com/. -+ -+ Truncating the summary for a-2 to 100,000 characters: -+#{" This is a lot of text. This is a lot of text. 
This is a lot of text.\n" * 1449} This is a lot of te -+ - pl (1) - Platform: i386-linux - Author: A User -diff --git test/rubygems/test_gem_installer.rb test/rubygems/test_gem_installer.rb -index 5ec71d0a01..1092a0c68f 100644 ---- test/rubygems/test_gem_installer.rb -+++ test/rubygems/test_gem_installer.rb -@@ -1227,6 +1227,26 @@ def test_pre_install_checks_wrong_rubygems_version - end - end - -+ def test_pre_install_checks_malicious_name -+ spec = util_spec '../malicious', '1' -+ def spec.full_name # so the spec is buildable -+ "malicious-1" -+ end -+ def spec.validate; end -+ -+ util_build_gem spec -+ -+ gem = File.join(@gemhome, 'cache', spec.file_name) -+ -+ use_ui @ui do -+ @installer = Gem::Installer.at gem -+ e = assert_raises Gem::InstallError do -+ @installer.pre_install_checks -+ end -+ assert_equal '# has an invalid name', e.message -+ end -+ end -+ - def test_shebang - util_make_exec @spec, "#!/usr/bin/ruby" - -diff --git test/rubygems/test_gem_remote_fetcher.rb test/rubygems/test_gem_remote_fetcher.rb -index 49b6b6656c..a3919c8ef2 100644 ---- test/rubygems/test_gem_remote_fetcher.rb -+++ test/rubygems/test_gem_remote_fetcher.rb -@@ -253,6 +253,21 @@ def test_api_endpoint_ignores_trans_domain_values_that_end_with_original - dns.verify - end - -+ def test_api_endpoint_ignores_trans_domain_values_that_end_with_original_in_path -+ uri = URI.parse "http://example.com/foo" -+ target = MiniTest::Mock.new -+ target.expect :target, "evil.com/a.example.com" -+ -+ dns = MiniTest::Mock.new -+ dns.expect :getresource, target, [String, Object] -+ -+ fetch = Gem::RemoteFetcher.new nil, dns -+ assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri) -+ -+ target.verify -+ dns.verify -+ end -+ - def test_api_endpoint_timeout_warning - uri = URI.parse "http://gems.example.com/foo" - -diff --git test/rubygems/test_gem_specification.rb test/rubygems/test_gem_specification.rb -index bc1c8d2ca7..9a49bbbf59 100644 ---- 
test/rubygems/test_gem_specification.rb -+++ test/rubygems/test_gem_specification.rb -@@ -2974,7 +2974,37 @@ def test_validate_name - @a1.validate - end - -- assert_equal 'invalid value for attribute name: ":json"', e.message -+ assert_equal 'invalid value for attribute name: ":json" must be a string', e.message -+ -+ @a1.name = [] -+ e = assert_raises Gem::InvalidSpecificationException do -+ @a1.validate -+ end -+ assert_equal "invalid value for attribute name: \"[]\" must be a string", e.message -+ -+ @a1.name = "" -+ e = assert_raises Gem::InvalidSpecificationException do -+ @a1.validate -+ end -+ assert_equal "invalid value for attribute name: \"\" must include at least one letter", e.message -+ -+ @a1.name = "12345" -+ e = assert_raises Gem::InvalidSpecificationException do -+ @a1.validate -+ end -+ assert_equal "invalid value for attribute name: \"12345\" must include at least one letter", e.message -+ -+ @a1.name = "../malicious" -+ e = assert_raises Gem::InvalidSpecificationException do -+ @a1.validate -+ end -+ assert_equal "invalid value for attribute name: \"../malicious\" can only include letters, numbers, dashes, and underscores", e.message -+ -+ @a1.name = "\ba\t" -+ e = assert_raises Gem::InvalidSpecificationException do -+ @a1.validate -+ end -+ assert_equal "invalid value for attribute name: \"\\ba\\t\" can only include letters, numbers, dashes, and underscores", e.message - end - - def test_validate_non_nil -diff --git test/rubygems/test_gem_text.rb test/rubygems/test_gem_text.rb -index a6e22e04da..04f3f605e8 100644 ---- test/rubygems/test_gem_text.rb -+++ test/rubygems/test_gem_text.rb -@@ -36,6 +36,10 @@ def test_format_text_trailing # for two spaces after . - assert_equal expected, format_text(text, 78) - end - -+ def test_format_removes_nonprintable_characters -+ assert_equal "text with weird .. 
stuff .", format_text("text with weird \x1b\x02 stuff \x7f", 40) -+ end -+ - def test_min3 - assert_equal 1, min3(1, 1, 1) - assert_equal 1, min3(1, 1, 2) -@@ -74,4 +78,11 @@ def test_levenshtein_distance_replace - assert_equal 7, levenshtein_distance("xxxxxxx", "ZenTest") - assert_equal 7, levenshtein_distance("zentest", "xxxxxxx") - end -+ -+ def test_truncate_text -+ assert_equal "abc", truncate_text("abc", "desc") -+ assert_equal "Truncating desc to 2 characters:\nab", truncate_text("abc", "desc", 2) -+ s = "ab" * 500_001 -+ assert_equal "Truncating desc to 1,000,000 characters:\n#{s[0, 1_000_000]}", truncate_text(s, "desc", 1_000_000) -+ end - end diff --git a/ruby-2.3.4-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch b/ruby-2.3.4-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch deleted file mode 100644 index 7c9034d..0000000 --- a/ruby-2.3.4-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch +++ /dev/null 
@@ -1,93 +0,0 @@ -diff --git ext/json/generator/generator.c ext/json/generator/generator.c -index a135e28348..2cdca5685f 100644 ---- ext/json/generator/generator.c -+++ ext/json/generator/generator.c -@@ -301,7 +301,7 @@ static char *fstrndup(const char *ptr, unsigned long len) { - char *result; - if (len <= 0) return NULL; - result = ALLOC_N(char, len); -- memccpy(result, ptr, 0, len); -+ memcpy(result, ptr, len); - return result; - } - -@@ -1055,7 +1055,7 @@ static VALUE cState_indent_set(VALUE self, VALUE indent) - } - } else { - if (state->indent) ruby_xfree(state->indent); -- state->indent = strdup(RSTRING_PTR(indent)); -+ state->indent = fstrndup(RSTRING_PTR(indent), len); - state->indent_len = len; - } - return Qnil; -@@ -1093,7 +1093,7 @@ static VALUE cState_space_set(VALUE self, VALUE space) - } - } else { - if (state->space) ruby_xfree(state->space); -- state->space = strdup(RSTRING_PTR(space)); -+ state->space = fstrndup(RSTRING_PTR(space), len); - state->space_len = len; - } - return Qnil; -@@ -1129,7 +1129,7 @@ static VALUE cState_space_before_set(VALUE self, VALUE space_before) - } - } else { - if (state->space_before) ruby_xfree(state->space_before); -- state->space_before = strdup(RSTRING_PTR(space_before)); -+ state->space_before = fstrndup(RSTRING_PTR(space_before), len); - state->space_before_len = len; - } - return Qnil; -@@ -1166,7 +1166,7 @@ static VALUE cState_object_nl_set(VALUE self, VALUE object_nl) - } - } else { - if (state->object_nl) ruby_xfree(state->object_nl); -- state->object_nl = strdup(RSTRING_PTR(object_nl)); -+ state->object_nl = fstrndup(RSTRING_PTR(object_nl), len); - state->object_nl_len = len; - } - return Qnil; -@@ -1201,7 +1201,7 @@ static VALUE cState_array_nl_set(VALUE self, VALUE array_nl) - } - } else { - if (state->array_nl) ruby_xfree(state->array_nl); -- state->array_nl = strdup(RSTRING_PTR(array_nl)); -+ state->array_nl = fstrndup(RSTRING_PTR(array_nl), len); - state->array_nl_len = len; - } - return Qnil; -diff 
--git ext/json/generator/generator.h ext/json/generator/generator.h -index 298c0a4965..6bbf817b7d 100644 ---- ext/json/generator/generator.h -+++ ext/json/generator/generator.h -@@ -1,7 +1,6 @@ - #ifndef _GENERATOR_H_ - #define _GENERATOR_H_ - --#include - #include - #include - -diff --git ext/json/lib/json/version.rb ext/json/lib/json/version.rb -index b5748334b9..cd7ddf8777 100644 ---- ext/json/lib/json/version.rb -+++ ext/json/lib/json/version.rb -@@ -1,7 +1,7 @@ - # frozen_string_literal: false - module JSON - # JSON version -- VERSION = '1.8.3' -+ VERSION = '1.8.3.1' - VERSION_ARRAY = VERSION.split(/\./).map { |x| x.to_i } # :nodoc: - VERSION_MAJOR = VERSION_ARRAY[0] # :nodoc: - VERSION_MINOR = VERSION_ARRAY[1] # :nodoc: ---- ext/json/json.gemspec -+++ ext/json/json.gemspec -@@ -1,6 +1,6 @@ - Gem::Specification.new do |s| - s.name = "json" -- s.version = "1.8.3" -+ s.version = "1.8.3.1" - s.summary = "This json is bundled with Ruby" - s.executables = [] - s.files = ["json.rb", "json/add/bigdecimal.rb", "json/add/complex.rb", "json/add/core.rb", "json/add/date.rb", "json/add/date_time.rb", "json/add/exception.rb", "json/add/ostruct.rb", "json/add/range.rb", "json/add/rational.rb", "json/add/regexp.rb", "json/add/struct.rb", "json/add/symbol.rb", "json/add/time.rb", "json/common.rb", "json/ext.rb", "json/ext/generator.bundle", "json/ext/parser.bundle", "json/generic_object.rb", "json/version.rb"] diff --git a/ruby-2.3.4-remove-the-encryption-key-initialization.patch b/ruby-2.3.4-remove-the-encryption-key-initialization.patch deleted file mode 100644 index 99931e8..0000000 --- a/ruby-2.3.4-remove-the-encryption-key-initialization.patch +++ /dev/null 
@@ -1,170 +0,0 @@ -From 739782e37a6662fea379e7ef3ec89e851b04b46c Mon Sep 17 00:00:00 2001 -From: usa -Date: Wed, 5 Jul 2017 07:06:45 +0000 -Subject: [PATCH] * ext/openssl/ossl_cipher.c: remove the encryption key - initialization from Cipher#initialize. This is effectively a revert of - r32723 ("Avoid possible SEGV from AES encryption/decryption", 2011-07-28). - the patch is derived from - https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062, - written by Kazuki Yamaguchi. [Backport #8221] - -git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59267 b2dd03c8-39d4-4d8f-98ff-823fe69b080e ---- - ChangeLog | 9 +++++++++ - ext/openssl/ossl_cipher.c | 23 ++++++++++++++--------- - test/openssl/test_cipher.rb | 29 +++++++++++++++++++++++------ - version.h | 6 +++--- - 3 files changed, 46 insertions(+), 15 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index 33b9dbe79fef..ad89c9c4bd52 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,12 @@ -+Wed Jul 5 15:55:35 2017 NAKAMURA Usaku -+ -+ * ext/openssl/ossl_cipher.c: remove the encryption key initialization -+ from Cipher#initialize. This is effectively a revert of r32723 -+ ("Avoid possible SEGV from AES encryption/decryption", 2011-07-28). -+ the patch is derived from https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062, -+ written by Kazuki Yamaguchi. -+ [Backport #8221] -+ - Wed Mar 29 23:47:31 2017 CHIKANAGA Tomoyuki - - * hash.c (any_hash): fix CI failure on L32LLP64 architecture. 
-diff --git a/ext/openssl/ossl_cipher.c b/ext/openssl/ossl_cipher.c -index 09b021d9873a..24caba6e3721 100644 ---- a/ext/openssl/ossl_cipher.c -+++ b/ext/openssl/ossl_cipher.c -@@ -34,6 +34,7 @@ - */ - VALUE cCipher; - VALUE eCipherError; -+static ID id_key_set; - - static VALUE ossl_cipher_alloc(VALUE klass); - static void ossl_cipher_free(void *ptr); -@@ -114,7 +115,6 @@ ossl_cipher_initialize(VALUE self, VALUE str) - EVP_CIPHER_CTX *ctx; - const EVP_CIPHER *cipher; - char *name; -- unsigned char key[EVP_MAX_KEY_LENGTH]; - - name = StringValuePtr(str); - GetCipherInit(self, ctx); -@@ -126,14 +126,7 @@ ossl_cipher_initialize(VALUE self, VALUE str) - if (!(cipher = EVP_get_cipherbyname(name))) { - ossl_raise(rb_eRuntimeError, "unsupported cipher algorithm (%s)", name); - } -- /* -- * The EVP which has EVP_CIPH_RAND_KEY flag (such as DES3) allows -- * uninitialized key, but other EVPs (such as AES) does not allow it. -- * Calling EVP_CipherUpdate() without initializing key causes SEGV so we -- * set the data filled with "\0" as the key by default. 
-- */ -- memset(key, 0, EVP_MAX_KEY_LENGTH); -- if (EVP_CipherInit_ex(ctx, cipher, NULL, key, NULL, -1) != 1) -+ if (EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, -1) != 1) - ossl_raise(eCipherError, NULL); - - return self; -@@ -252,6 +245,9 @@ ossl_cipher_init(int argc, VALUE *argv, VALUE self, int mode) - ossl_raise(eCipherError, NULL); - } - -+ if (p_key) -+ rb_ivar_set(self, id_key_set, Qtrue); -+ - return self; - } - -@@ -338,6 +334,8 @@ ossl_cipher_pkcs5_keyivgen(int argc, VALUE *argv, VALUE self) - OPENSSL_cleanse(key, sizeof key); - OPENSSL_cleanse(iv, sizeof iv); - -+ rb_ivar_set(self, id_key_set, Qtrue); -+ - return Qnil; - } - -@@ -391,6 +389,9 @@ ossl_cipher_update(int argc, VALUE *argv, VALUE self) - - rb_scan_args(argc, argv, "11", &data, &str); - -+ if (!RTEST(rb_attr_get(self, id_key_set))) -+ ossl_raise(eCipherError, "key not set"); -+ - StringValue(data); - in = (unsigned char *)RSTRING_PTR(data); - if ((in_len = RSTRING_LEN(data)) == 0) -@@ -490,6 +491,8 @@ ossl_cipher_set_key(VALUE self, VALUE key) - if (EVP_CipherInit_ex(ctx, NULL, NULL, (unsigned char *)RSTRING_PTR(key), NULL, -1) != 1) - ossl_raise(eCipherError, NULL); - -+ rb_ivar_set(self, id_key_set, Qtrue); -+ - return key; - } - -@@ -1008,4 +1011,6 @@ Init_ossl_cipher(void) - rb_define_method(cCipher, "iv_len", ossl_cipher_iv_length, 0); - rb_define_method(cCipher, "block_size", ossl_cipher_block_size, 0); - rb_define_method(cCipher, "padding=", ossl_cipher_set_padding, 1); -+ -+ id_key_set = rb_intern_const("key_set"); - } -diff --git a/test/openssl/test_cipher.rb b/test/openssl/test_cipher.rb -index 89c176f4de41..95058b5f196b 100644 ---- a/test/openssl/test_cipher.rb -+++ b/test/openssl/test_cipher.rb -@@ -81,6 +81,7 @@ def test_reset - - def test_empty_data - @c1.encrypt -+ @c1.random_key - assert_raise(ArgumentError){ @c1.update("") } - end - -@@ -129,12 +130,10 @@ def test_AES - } - end - -- def test_AES_crush -- 500.times do -- assert_nothing_raised("[Bug #2768]") do -- # it 
caused OpenSSL SEGV by uninitialized key -- OpenSSL::Cipher::AES128.new("ECB").update "." * 17 -- end -+ def test_update_raise_if_key_not_set -+ assert_raise(OpenSSL::Cipher::CipherError) do -+ # it caused OpenSSL SEGV by uninitialized key [Bug #2768] -+ OpenSSL::Cipher::AES128.new("ECB").update "." * 17 - end - end - end -@@ -236,6 +235,24 @@ def test_aes_gcm_wrong_ciphertext - end - end - -+ def test_aes_gcm_key_iv_order_issue -+ pt = "[ruby/openssl#49]" -+ cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt -+ cipher.key = "x" * 16 -+ cipher.iv = "a" * 12 -+ ct1 = cipher.update(pt) << cipher.final -+ tag1 = cipher.auth_tag -+ -+ cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt -+ cipher.iv = "a" * 12 -+ cipher.key = "x" * 16 -+ ct2 = cipher.update(pt) << cipher.final -+ tag2 = cipher.auth_tag -+ -+ assert_equal ct1, ct2 -+ assert_equal tag1, tag2 -+ end if has_cipher?("aes-128-gcm") -+ - end - - private diff --git a/ruby-2.4.0-SMTP-injection-fix.patch b/ruby-2.4.0-SMTP-injection-fix.patch deleted file mode 100644 index 569c69b..0000000 --- a/ruby-2.4.0-SMTP-injection-fix.patch +++ /dev/null 
@@ -1,122 +0,0 @@ -From ea7b67981156f3eaee8420bb34c49605573387a5 Mon Sep 17 00:00:00 2001 -From: shugo -Date: Wed, 8 Jun 2016 07:06:57 +0000 -Subject: [PATCH] Security: backport SMTP injection fix - -* lib/net/smtp.rb (getok, get_response): raise an ArgumentError when -CR or LF is included in a line, because they are not allowed in -RFC5321. - -https://hackerone.com/reports/137631 ---- - ChangeLog | 6 ++++++ - lib/net/smtp.rb | 9 +++++++++ - test/net/smtp/test_smtp.rb | 47 ++++++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 62 insertions(+) - -diff --git a/ChangeLog b/ChangeLog -index ab9a6bf18281..5176d362881b 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,9 @@ -+Sun Jun 11 21:25:09 2017 Shugo Maeda -+ -+ * lib/net/smtp.rb (getok, get_response): raise an ArgumentError when -+ CR or LF is included in a line, because they are not allowed in -+ RFC5321. https://hackerone.com/reports/137631 [Backport 0827a7e] -+ - Wed Jul 5 15:55:35 2017 NAKAMURA Usaku - - * ext/openssl/ossl_cipher.c: remove the encryption key initialization -diff --git a/lib/net/smtp.rb b/lib/net/smtp.rb -index d634274c3ee8..78f2181d2a8b 100644 ---- a/lib/net/smtp.rb -+++ b/lib/net/smtp.rb -@@ -926,7 +926,15 @@ def quit - - private - -+ def validate_line(line) -+ # A bare CR or LF is not allowed in RFC5321. 
-+ if /[\r\n]/ =~ line -+ raise ArgumentError, "A line must not contain CR or LF" -+ end -+ end -+ - def getok(reqline) -+ validate_line reqline - res = critical { - @socket.writeline reqline - recv_response() -@@ -936,6 +944,7 @@ def getok(reqline) - end - - def get_response(reqline) -+ validate_line reqline - @socket.writeline reqline - recv_response() - end -diff --git a/test/net/smtp/test_smtp.rb b/test/net/smtp/test_smtp.rb -index 0edb3419d56e..3bcceb6fc5bb 100644 ---- a/test/net/smtp/test_smtp.rb -+++ b/test/net/smtp/test_smtp.rb -@@ -6,6 +6,8 @@ - module Net - class TestSMTP < Test::Unit::TestCase - class FakeSocket -+ attr_reader :write_io -+ - def initialize out = "250 OK\n" - @write_io = StringIO.new - @read_io = StringIO.new out -@@ -51,5 +53,50 @@ def test_rset - - assert smtp.rset - end -+ -+ def test_mailfrom -+ sock = FakeSocket.new -+ smtp = Net::SMTP.new 'localhost', 25 -+ smtp.instance_variable_set :@socket, sock -+ assert smtp.mailfrom("foo@example.com").success? -+ assert_equal "MAIL FROM:\r\n", sock.write_io.string -+ end -+ -+ def test_rcptto -+ sock = FakeSocket.new -+ smtp = Net::SMTP.new 'localhost', 25 -+ smtp.instance_variable_set :@socket, sock -+ assert smtp.rcptto("foo@example.com").success? -+ assert_equal "RCPT TO:\r\n", sock.write_io.string -+ end -+ -+ def test_auth_plain -+ sock = FakeSocket.new -+ smtp = Net::SMTP.new 'localhost', 25 -+ smtp.instance_variable_set :@socket, sock -+ assert smtp.auth_plain("foo", "bar").success? -+ assert_equal "AUTH PLAIN AGZvbwBiYXI=\r\n", sock.write_io.string -+ end -+ -+ def test_crlf_injection -+ smtp = Net::SMTP.new 'localhost', 25 -+ smtp.instance_variable_set :@socket, FakeSocket.new -+ -+ assert_raise(ArgumentError) do -+ smtp.mailfrom("foo\r\nbar") -+ end -+ -+ assert_raise(ArgumentError) do -+ smtp.mailfrom("foo\rbar") -+ end -+ -+ assert_raise(ArgumentError) do -+ smtp.mailfrom("foo\nbar") -+ end -+ -+ assert_raise(ArgumentError) do -+ smtp.rcptto("foo\r\nbar") -+ end -+ end - end - end 
diff --git a/ruby.spec b/ruby.spec
index d3725f6..846f971 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -1,6 +1,6 @@
%global major_version 2
%global minor_version 3
-%global teeny_version 4
+%global teeny_version 5
%global major_minor_version %{major_version}.%{minor_version}
%global ruby_version %{major_minor_version}.%{teeny_version}
@@ -21,7 +21,7 @@
%endif
-%global release 64
+%global release 65
%{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
# The RubyGems library has to stay out of Ruby directory three, since the
@@ -42,7 +42,7 @@
%global json_version 1.8.3.1
%global minitest_version 5.8.5
%global power_assert_version 0.2.6
-%global psych_version 2.1.0
+%global psych_version 2.1.0.1
%global rake_version 10.4.2
%global rdoc_version 4.2.1
%global net_telnet_version 0.1.1
@@ -126,28 +126,6 @@ Patch7: ruby-2.2.3-Generate-preludes-using-miniruby.patch
 # hardening features of glibc (rhbz#1361037).
 # https://bugs.ruby-lang.org/issues/12666
 Patch9: ruby-2.3.1-Rely-on-ldd-to-detect-glibc.patch
-# Fix IV Reuse in GCM Mode (CVE-2016-7798).
-# https://bugzilla.redhat.com/show_bug.cgi?id=1381527
-# https://github.com/ruby/ruby/commit/739782e37a6662fea379e7ef3ec89e851b04b46c
-Patch10: ruby-2.3.4-remove-the-encryption-key-initialization.patch
-# Fix SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM
-# commands in Net::SMTP (CVE-2015-9096).
-# https://bugzilla.redhat.com/show_bug.cgi?id=1461848
-# https://github.com/ruby/ruby/pull/1647
-Patch11: ruby-2.4.0-SMTP-injection-fix.patch
-# Fix various RubyGems CVEs:
-# an ANSI escape sequence vulnerability (CVE-2017-0899).
-# a DoS vulnerability in the query command (CVE-2017-0900).
-# a vulnerability in the gem installer that allowed a malicious gem
-# to overwrite arbitrary files (CVE-2017-0901).
-# a DNS request hijacking vulnerability (CVE-2017-0902).
-# https://bugzilla.redhat.com/show_bug.cgi?id=1487591
-# https://bugs.ruby-lang.org/issues/13842
-Patch12: ruby-2.3.4-Fix-RubyGems-CVEs.patch
-# Fix arbitrary heap exposure during a JSON.generate call (CVE-2017-14064).
-# https://bugzilla.redhat.com/show_bug.cgi?id=1487553
-# https://bugs.ruby-lang.org/issues/13853
-Patch13: ruby-2.3.4-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch
 # Do not freeze strings in generated .gemspec. This causes regressions
 # and FTBFS in Fedora packages. This is revert of:
 # https://github.com/rubygems/rubygems/commit/8eda3272d28010c768a05620de776e5a8195c1ae
@@ -501,10 +479,6 @@ rm -rf ext/fiddle/libffi*
 %patch6 -p1
 %patch7 -p1
 %patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12
-%patch13
 %patch100 -p1
 # Provide an example of usage of the tapset:
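Review bot: The first hunk deletes Patch10–Patch13, i.e. the local fixes for CVE-2016-7798, CVE-2015-9096, CVE-2017-0899/0900/0901/0902 and CVE-2017-14064, but nothing in this commit records that each of those fixes is actually present in the 2.3.5 tarball, and the matching changelog entry only says "Update to Ruby 2.3.5". A rebase that drops security patches is exactly where a fix goes missing unnoticed, so I would make the verification visible in the spec history, e.g. a changelog line `- Drop Patch10-Patch13: CVE-2015-9096, CVE-2016-7798, CVE-2017-0899..0902 and CVE-2017-14064 are fixed upstream in 2.3.5.` Before merging, confirm against the unpacked source that lib/net/smtp.rb carries the `validate_line` CRLF check that the deleted Patch11 added and that the bundled RubyGems and JSON versions are the patched ones. I cannot tell from here whether the openssl extension shipped in 2.3.5 contains the GCM IV change (CVE-2016-7798), so that one deserves an explicit check rather than an assumption.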
@@ -995,6 +969,9 @@ make check TESTS="-v $DISABLE_TESTS" %{ruby_libdir}/tkextlib %changelog +* Mon Oct 02 2017 Pavel Valena - 2.3.5-65 +- Update to Ruby 2.3.5. + * Wed Sep 06 2017 Vít Ondruch - 2.3.4-64 - Fix ANSI escape sequence vulnerability (rhbz#1487590). - Fix DoS vulnerability in the query command (rhbz#1487588). diff --git a/sources b/sources index 976cfeb..b202e1f 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (ruby-2.3.4.tar.xz) = 9e3adc2de6703e50e75db37db2981006d4c69759929d61db6a0d63627cfe5977d0ad66d2c69d7161cfc0c0d1c2cb38e5181a06ccd2790df2f72ec25c2ad01e02 +SHA512 (ruby-2.3.5.tar.xz) = c55e3b71241f505b6bbad78b3bd40235064faae3443ca14b77b6356556caed6a0d055dc2e2cd7ebdb5290ab908e06d2b7d68f72469af5017eda4b29664b0d889 From a46567bd73119cf7d517ad3bcfd8b94f970a3ba1 Mon Sep 17 00:00:00 2001 From: Pavel Valena Date: Fri, 6 Oct 2017 01:47:48 +0200 Subject: [PATCH 15/15] Revert experimental rounding that does not work on i686. https://bugs.ruby-lang.org/issues/13980 --- ...Revert-experimental-rounding-on-i686.patch | 81 +++++++++++++++++++ ruby.spec | 4 + 2 files changed, 85 insertions(+) create mode 100644 ruby-2.3.5-Revert-experimental-rounding-on-i686.patch diff --git a/ruby-2.3.5-Revert-experimental-rounding-on-i686.patch b/ruby-2.3.5-Revert-experimental-rounding-on-i686.patch new file mode 100644 index 0000000..9a35f69 --- /dev/null +++ b/ruby-2.3.5-Revert-experimental-rounding-on-i686.patch 
@@ -0,0 +1,81 @@
+From 2dfde7e8586cf35318b6053410dba74fe9f06f8d Mon Sep 17 00:00:00 2001
+From: usa
+Date: Sun, 30 Apr 2017 13:27:17 +0000
+Subject: [PATCH] REVERTED: merge revision(s) 55604,55612: [Backport #13138]
+
+ * numeric.c (flo_round): [EXPERIMENTAL] adjust the case that the
+ receiver is close to the exact but unrepresentable middle value
+ of two values in the given precision.
+ http://d.hatena.ne.jp/hnw/20160702
+
+ numeric.c: round as double
+
+ * numeric.c (flo_round): compare as double, not long double with
+ i387.
+
+git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@58513 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+---
+ ChangeLog | 7 -------
+ test/ruby/test_float.rb | 5 -----
+ 2 files changed, 12 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -604,13 +604,6 @@
+ to check if no library is required, instead of AC_CHECK_LIB.
+ [ruby-core:79368] [Bug #13175]
+
+-Sun Apr 30 22:24:25 2017 Nobuyoshi Nakada
+-
+- * numeric.c (flo_round): [EXPERIMENTAL] adjust the case that the
+- receiver is close to the exact but unrepresentable middle value
+- of two values in the given precision.
+- http://d.hatena.ne.jp/hnw/20160702
+-
+ Sun Apr 9 22:21:23 2017 NAKAMURA Usaku
+
+ thread.c: rb_thread_fd_close [ci skip]
+diff --git a/numeric.c b/numeric.c
++-- a/numeric.c
+@@ -1786,7 +1786,7 @@
+ flo_round(int argc, VALUE *argv, VALUE num)
+ {
+ VALUE nd;
++ double number, f;
+- double number, f, x;
+ int ndigits = 0;
+ int binexp;
+ enum {float_dig = DBL_DIG+2};
+@@ -1828,14 +1821,8 @@
+ return DBL2NUM(0);
+ }
+ f = pow(10, ndigits);
++ return DBL2NUM(round(number * f) / f);
++}
+- x = round(number * f);
+- if (x > 0) {
+- if ((double)((x + 0.5) / f) <= number) x += 1;
+- }
+- else {
+- if ((double)((x - 0.5) / f) >= number) x -= 1;
+- }
+- return DBL2NUM(x / f);}
+
+ /*
+ * call-seq:
+diff --git a/test/ruby/test_float.rb b/test/ruby/test_float.rb
+--- a/test/ruby/test_float.rb
++++ b/test/ruby/test_float.rb
+@@ -444,11 +444,6 @@
+ assert_raise(TypeError) {1.0.round(nil)}
+ def (prec = Object.new).to_int; 2; end
+ assert_equal(1.0, 0.998.round(prec))
+-
+- assert_equal(+5.02, +5.015.round(2))
+- assert_equal(-5.02, -5.015.round(2))
+- assert_equal(+1.26, +1.255.round(2))
+- assert_equal(-1.26, -1.255.round(2))
+ end
+
+ VS = [
diff --git a/ruby.spec b/ruby.spec
index 846f971..beb3ce8 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -126,6 +126,9 @@ Patch7: ruby-2.2.3-Generate-preludes-using-miniruby.patch
 # hardening features of glibc (rhbz#1361037).
 # https://bugs.ruby-lang.org/issues/12666
 Patch9: ruby-2.3.1-Rely-on-ldd-to-detect-glibc.patch
+# Revert experimental rounding that does not work on i686:
+# https://bugs.ruby-lang.org/issues/13980
+Patch10: ruby-2.3.5-Revert-experimental-rounding-on-i686.patch
 # Do not freeze strings in generated .gemspec. This causes regressions
 # and FTBFS in Fedora packages. This is revert of:
 # https://github.com/rubygems/rubygems/commit/8eda3272d28010c768a05620de776e5a8195c1ae
@@ -479,6 +482,7 @@ rm -rf ext/fiddle/libffi*
 %patch6 -p1
 %patch7 -p1
 %patch9 -p1
+%patch10 -p1
 %patch100 -p1
 # Provide an example of usage of the tapset:
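Review bot: The numeric.c part of the new patch file looks hand-edited and is internally inconsistent: the file header is `+-- a/numeric.c` with no `+++ b/numeric.c` line, the second hunk header `@@ -1828,14 +1821,8 @@` starts the new side seven lines earlier even though the preceding hunk `@@ -1786,7 +1786,7 @@` does not change the line count, the last removed line reads `return DBL2NUM(x / f);}` with the closing brace joined onto it, and the embedded diffstat (`2 files changed, 12 deletions(-)`, ChangeLog and test_float.rb only) does not mention numeric.c at all, which is the substantive change. `patch` tolerates a missing `+++` line, but a removed line that does not match the 2.3.5 source byte-for-byte will make `%patch10 -p1` fail, and a diffstat that omits the C change misleads whoever audits this later; whether the joined brace is really in the file or an artefact of how this page was rendered I cannot tell from here. I would regenerate the file from a clean 2.3.5 checkout (`git revert` of the r58513 merge, then `git format-patch`) instead of hand-reversing it, so headers, hunk offsets and diffstat are all produced by git. The spec comment says the rounding "does not work on i686" while the patch is applied on every architecture; if that is intentional (keeping Float#round results identical across arches), say so in the comment, e.g. `# Reverted on all arches so that Float#round behaves the same everywhere.`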