From 37575e057fe5530e05f113dfd25b7754ab13ab1d Mon Sep 17 00:00:00 2001 From: Jesse Keating Date: Mon, 21 Apr 2008 18:53:41 +0000 Subject: [PATCH 01/10] Initialize branch F-9 for ruby --- branch | 1 + 1 file changed, 1 insertion(+) create mode 100644 branch diff --git a/branch b/branch new file mode 100644 index 0000000..1c26f78 --- /dev/null +++ b/branch @@ -0,0 +1 @@ +F-9 From 0b7e6ce3edfe215886dace13580be1570955760e Mon Sep 17 00:00:00 2001 From: Akira TAGOH Date: Tue, 24 Jun 2008 03:19:02 +0000 Subject: [PATCH 02/10] - New upstream release. - Security fixes. (#452294). - CVE-2008-1891: WEBrick CGI source disclosure. - CVE-2008-2662: Integer overflow in rb_str_buf_append(). - CVE-2008-2663: Integer overflow in rb_ary_store(). - CVE-2008-2664: Unsafe use of alloca in rb_str_format(). - CVE-2008-2725: Integer overflow in rb_ary_splice(). - CVE-2008-2726: Integer overflow in rb_ary_splice(). - ruby-1.8.6.111-CVE-2007-5162.patch: removed. --- .cvsignore | 1 + ruby-1.8.6.111-CVE-2007-5162.patch | 97 ------------------------------ ruby.spec | 15 ++++- sources | 2 +- 4 files changed, 14 insertions(+), 101 deletions(-) delete mode 100644 ruby-1.8.6.111-CVE-2007-5162.patch diff --git a/.cvsignore b/.cvsignore index d31c9b8..2ecc1d3 100644 --- a/.cvsignore +++ b/.cvsignore @@ -21,3 +21,4 @@ ruby-1.8.6-p111.tar.bz2 rubyfaq-990927.tar.gz rubyfaq-jp-990927.tar.gz ruby-1.8.6-p114.tar.bz2 +ruby-1.8.6-p230.tar.bz2 diff --git a/ruby-1.8.6.111-CVE-2007-5162.patch b/ruby-1.8.6.111-CVE-2007-5162.patch deleted file mode 100644 index 5ed628d..0000000 --- a/ruby-1.8.6.111-CVE-2007-5162.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -diff -pruN ruby-1.8.6-p111.orig/ext/openssl/lib/net/ftptls.rb ruby-1.8.6-p111/ext/openssl/lib/net/ftptls.rb ---- ruby-1.8.6-p111.orig/ext/openssl/lib/net/ftptls.rb 2007-02-13 08:01:19.000000000 +0900 -+++ ruby-1.8.6-p111/ext/openssl/lib/net/ftptls.rb 2007-10-29 21:10:24.000000000 +0900 -@@ -29,13 +29,23 @@ require 'net/ftp' - - module Net - class FTPTLS < FTP -+ def connect(host, port=FTP_PORT) -+ @hostname = host -+ super -+ end -+ - def login(user = "anonymous", passwd = nil, acct = nil) -+ store = OpenSSL::X509::Store.new -+ store.set_default_paths - ctx = OpenSSL::SSL::SSLContext.new('SSLv23') -+ ctx.cert_store = store -+ ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER - ctx.key = nil - ctx.cert = nil - voidcmd("AUTH TLS") - @sock = OpenSSL::SSL::SSLSocket.new(@sock, ctx) - @sock.connect -+ @sock.post_connection_check(@hostname) - super(user, passwd, acct) - voidcmd("PBSZ 0") - end -diff -pruN ruby-1.8.6-p111.orig/ext/openssl/lib/net/telnets.rb ruby-1.8.6-p111/ext/openssl/lib/net/telnets.rb ---- ruby-1.8.6-p111.orig/ext/openssl/lib/net/telnets.rb 2007-02-13 08:01:19.000000000 +0900 -+++ ruby-1.8.6-p111/ext/openssl/lib/net/telnets.rb 2007-10-29 21:13:03.000000000 +0900 -@@ -134,6 +134,9 @@ module Net - @sock.verify_callback = @options['VerifyCallback'] - @sock.verify_depth = @options['VerifyDepth'] - @sock.connect -+ if @options['VerifyMode'] != OpenSSL::SSL::VERIFY_NONE -+ @sock.post_connection_check(@options['Host']) -+ end - @ssl = true - end - '' -diff -pruN ruby-1.8.6-p111.orig/lib/net/http.rb ruby-1.8.6-p111/lib/net/http.rb ---- ruby-1.8.6-p111.orig/lib/net/http.rb 2007-09-24 17:12:24.000000000 +0900 -+++ ruby-1.8.6-p111/lib/net/http.rb 2007-10-29 21:12:12.000000000 +0900 -@@ -470,7 +470,6 @@ module Net #:nodoc: - @debug_output = nil - @use_ssl = false - @ssl_context = nil -- @enable_post_connection_check = false - end - - def inspect -@@ -527,9 +526,6 @@ module Net #:nodoc: - false # redefined in net/https - end - -- # specify enabling SSL 
server certificate and hostname checking. -- attr_accessor :enable_post_connection_check -- - # Opens TCP connection and HTTP session. - # - # When this method is called with block, gives a HTTP object -@@ -589,12 +585,7 @@ module Net #:nodoc: - end - s.connect - if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE -- begin -- s.post_connection_check(@address) -- rescue OpenSSL::SSL::SSLError => ex -- raise ex if @enable_post_connection_check -- warn ex.message -- end -+ s.post_connection_check(@address) - end - end - on_connect -diff -pruN ruby-1.8.6-p111.orig/lib/net/imap.rb ruby-1.8.6-p111/lib/net/imap.rb ---- ruby-1.8.6-p111.orig/lib/net/imap.rb 2007-08-22 08:28:09.000000000 +0900 -+++ ruby-1.8.6-p111/lib/net/imap.rb 2007-10-29 21:14:38.000000000 +0900 -@@ -900,6 +900,7 @@ module Net - end - @sock = SSLSocket.new(@sock, context) - @sock.connect # start ssl session. -+ @sock.post_connection_check(@host) if verify - else - @usessl = false - end -diff -pruN ruby-1.8.6-p111.orig/lib/open-uri.rb ruby-1.8.6-p111/lib/open-uri.rb ---- ruby-1.8.6-p111.orig/lib/open-uri.rb 2007-09-24 17:12:24.000000000 +0900 -+++ ruby-1.8.6-p111/lib/open-uri.rb 2007-10-29 21:16:03.000000000 +0900 -@@ -229,7 +229,6 @@ module OpenURI - if target.class == URI::HTTPS - require 'net/https' - http.use_ssl = true -- http.enable_post_connection_check = true - http.verify_mode = OpenSSL::SSL::VERIFY_PEER - store = OpenSSL::X509::Store.new - store.set_default_paths diff --git a/ruby.spec b/ruby.spec index 4d0e325..b86e38a 100644 --- a/ruby.spec +++ b/ruby.spec @@ -1,6 +1,6 @@ %define rubyxver 1.8 %define rubyver 1.8.6 -%define _patchlevel 114 +%define _patchlevel 230 %define dotpatchlevel %{?_patchlevel:.%{_patchlevel}} %define patchlevel %{?_patchlevel:-p%{_patchlevel}} %define arcver %{rubyver}%{?patchlevel} 
@@ -35,7 +35,6 @@ Patch20: ruby-rubyprefix.patch Patch21: ruby-deprecated-sitelib-search-path.patch Patch22: ruby-deprecated-search-path.patch Patch23: ruby-multilib.patch -Patch24: ruby-1.8.6.111-CVE-2007-5162.patch Patch25: ruby-1.8.6.111-gcc43.patch Summary: An interpreter of object-oriented scripting language @@ -156,7 +155,6 @@ pushd %{name}-%{arcver} %patch22 -p1 %patch23 -p1 %endif -%patch24 -p1 %patch25 -p1 popd @@ -514,6 +512,17 @@ rm -rf tmp-ruby-docs %endif %changelog +* Tue Jun 24 2008 Akira TAGOH - 1.8.6.230-1 +- New upstream release. +- Security fixes. (#452294). + - CVE-2008-1891: WEBrick CGI source disclosure. + - CVE-2008-2662: Integer overflow in rb_str_buf_append(). + - CVE-2008-2663: Integer overflow in rb_ary_store(). + - CVE-2008-2664: Unsafe use of alloca in rb_str_format(). + - CVE-2008-2725: Integer overflow in rb_ary_splice(). + - CVE-2008-2726: Integer overflow in rb_ary_splice(). +- ruby-1.8.6.111-CVE-2007-5162.patch: removed. + * Tue Mar 4 2008 Akira TAGOH - 1.8.6.114-1 - Security fix for CVE-2008-1145. - Improve a spec file. (#226381) diff --git a/sources b/sources index 1dcdc28..2883da8 100644 --- a/sources +++ b/sources @@ -3,4 +3,4 @@ d65e3a216d6d345a2a6f1aa8758c2f75 ruby-refm-rdp-1.8.1-ja-html.tar.gz e1d38b7d4f1be55726d6927a3395ce3b ruby-1.8.6-p111.tar.bz2 634c25b14e19925d10af3720d72e8741 rubyfaq-990927.tar.gz 4fcec898f51d8371cc42d0a013940469 rubyfaq-jp-990927.tar.gz -b4d0c74497f684814bcfbb41b7384a71 ruby-1.8.6-p114.tar.bz2 +3eceb42d4fc56398676c20a49ac7e044 ruby-1.8.6-p230.tar.bz2 From f3156e9fcac3903f92adc2c96337d1d09c7964e8 Mon Sep 17 00:00:00 2001 From: Akira TAGOH Date: Wed, 25 Jun 2008 08:24:30 +0000 Subject: [PATCH 03/10] - Fix a segfault issue. (#452809) --- ruby-1.8.6.230-string-str_buf_cat.patch | 28 +++++++++++++++++++++++++ ruby.spec | 7 ++++++- 2 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 ruby-1.8.6.230-string-str_buf_cat.patch 
diff --git a/ruby-1.8.6.230-string-str_buf_cat.patch b/ruby-1.8.6.230-string-str_buf_cat.patch new file mode 100644 index 0000000..287ddc9 --- /dev/null +++ b/ruby-1.8.6.230-string-str_buf_cat.patch @@ -0,0 +1,28 @@ +diff -pruN ruby-1.8.6-p230.orig/string.c ruby-1.8.6-p230/string.c +--- ruby-1.8.6-p230.orig/string.c 2008-06-20 18:24:53.000000000 +0900 ++++ ruby-1.8.6-p230/string.c 2008-06-25 16:10:17.000000000 +0900 +@@ -693,9 +693,13 @@ str_buf_cat(str, ptr, len) + const char *ptr; + long len; + { +- long capa, total; ++ long capa, total, off = -1; + + rb_str_modify(str); ++ if (ptr >= RSTRING(str)->ptr && ptr <= RSTRING(str)->ptr + RSTRING(str)->len) { ++ off = ptr - RSTRING(str)->ptr; ++ } ++ if (len == 0) return 0; + if (FL_TEST(str, STR_ASSOC)) { + FL_UNSET(str, STR_ASSOC); + capa = RSTRING(str)->aux.capa = RSTRING(str)->len; +@@ -717,6 +721,9 @@ str_buf_cat(str, ptr, len) + } + RESIZE_CAPA(str, capa); + } ++ if (off != -1) { ++ ptr = RSTRING(str)->ptr + off; ++ } + memcpy(RSTRING(str)->ptr + RSTRING(str)->len, ptr, len); + RSTRING(str)->len = total; + RSTRING(str)->ptr[total] = '\0'; /* sentinel */ diff --git a/ruby.spec b/ruby.spec index b86e38a..17a2f93 100644 --- a/ruby.spec +++ b/ruby.spec @@ -12,7 +12,7 @@ Name: ruby Version: %{rubyver}%{?dotpatchlevel} -Release: 1%{?dist} +Release: 2%{?dist} License: Ruby or GPLv2 URL: http://www.ruby-lang.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -36,6 +36,7 @@ Patch21: ruby-deprecated-sitelib-search-path.patch Patch22: ruby-deprecated-search-path.patch Patch23: ruby-multilib.patch Patch25: ruby-1.8.6.111-gcc43.patch +Patch26: ruby-1.8.6.230-string-str_buf_cat.patch Summary: An interpreter of object-oriented scripting language Group: Development/Languages @@ -156,6 +157,7 @@ pushd %{name}-%{arcver} %patch23 -p1 %endif %patch25 -p1 +%patch26 -p1 popd %build 
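Review bot: The early exit `if (len == 0) return 0;` added to str_buf_cat returns a literal 0 rather than the string. The function's return type and its normal exit are outside the hunk, so this is inferred, but if it returns VALUE the line should read `if (len == 0) return str;`. The aliasing fix is split across two hunks (offset captured before the resize, `ptr` rebased after `RESIZE_CAPA`), so a comment above the first half would help: `/* ptr may point into str's own buffer, which RESIZE_CAPA can move; keep the offset and rebase afterwards */`.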
@@ -512,6 +514,9 @@ rm -rf tmp-ruby-docs %endif %changelog +* Wed Jun 25 2008 Akira TAGOH - 1.8.6.230-2 +- Fix a segfault issue. (#452809) + * Tue Jun 24 2008 Akira TAGOH - 1.8.6.230-1 - New upstream release. - Security fixes. (#452294). From c6652aefd694489cca81558b0b3126d8bb75306f Mon Sep 17 00:00:00 2001 From: Akira TAGOH Date: Mon, 30 Jun 2008 03:41:46 +0000 Subject: [PATCH 04/10] - Backported from upstream SVN to fix a segfault issue. (#452825) - Backported from upstream SVN to fix an integer overflow in rb_ary_fill. --- ruby-1.8.6.230-p238.patch | 58 +++++++++++++++++++++++++++++++++++++++ ruby-1.8.6.230-p248.patch | 16 +++++++++++ ruby.spec | 10 ++++++- 3 files changed, 83 insertions(+), 1 deletion(-) create mode 100644 ruby-1.8.6.230-p238.patch create mode 100644 ruby-1.8.6.230-p248.patch diff --git a/ruby-1.8.6.230-p238.patch b/ruby-1.8.6.230-p238.patch new file mode 100644 index 0000000..1cf26ff --- /dev/null +++ b/ruby-1.8.6.230-p238.patch 
@@ -0,0 +1,58 @@ +diff -pruN ruby-1.8.6-p230.orig/class.c ruby-1.8.6-p230/class.c +--- ruby-1.8.6-p230.orig/class.c 2008-06-15 21:06:33.000000000 +0900 ++++ ruby-1.8.6-p230/class.c 2008-06-30 11:21:41.000000000 +0900 +@@ -62,10 +62,7 @@ clone_method(mid, body, data) + NODE *fbody = body->nd_body; + + if (fbody && nd_type(fbody) == NODE_SCOPE) { +- VALUE cref = data->klass ? +- (VALUE)NEW_NODE(NODE_CREF,data->klass,0,fbody->nd_rval) : +- fbody->nd_rval; +- fbody = NEW_NODE(NODE_SCOPE, fbody->nd_tbl, cref, fbody->nd_next); ++ fbody = rb_copy_node_scope(fbody, ruby_cref); + } + st_insert(data->tbl, mid, (st_data_t)NEW_METHOD(fbody, body->nd_noex)); + return ST_CONTINUE; +diff -pruN ruby-1.8.6-p230.orig/eval.c ruby-1.8.6-p230/eval.c +--- ruby-1.8.6-p230.orig/eval.c 2008-06-16 15:43:48.000000000 +0900 ++++ ruby-1.8.6-p230/eval.c 2008-06-30 11:19:15.000000000 +0900 +@@ -2239,8 +2239,8 @@ rb_mod_alias_method(mod, newname, oldnam + return mod; + } + +-static NODE* +-copy_node_scope(node, rval) ++NODE* ++rb_copy_node_scope(node, rval) + NODE *node; + NODE *rval; + { +@@ -3948,7 +3948,7 @@ rb_eval(self, n) + noex |= NOEX_NOSUPER; + } + +- defn = copy_node_scope(node->nd_defn, ruby_cref); ++ defn = rb_copy_node_scope(node->nd_defn, ruby_cref); + rb_add_method(ruby_class, node->nd_mid, defn, noex); + if (scope_vmode == SCOPE_MODFUNC) { + rb_add_method(rb_singleton_class(ruby_class), +@@ -3984,7 +3984,7 @@ rb_eval(self, n) + rb_warning("redefine %s", rb_id2name(node->nd_mid)); + } + } +- defn = copy_node_scope(node->nd_defn, ruby_cref); ++ defn = rb_copy_node_scope(node->nd_defn, ruby_cref); + rb_add_method(klass, node->nd_mid, defn, + NOEX_PUBLIC|(body?body->nd_noex&NOEX_UNDEF:0)); + result = Qnil; +diff -pruN ruby-1.8.6-p230.orig/node.h ruby-1.8.6-p230/node.h +--- ruby-1.8.6-p230.orig/node.h 2007-05-23 00:01:22.000000000 +0900 ++++ ruby-1.8.6-p230/node.h 2008-06-30 11:20:06.000000000 +0900 +@@ -371,6 +371,7 @@ typedef unsigned int rb_event_t; + #define RUBY_EVENT_ALL 0xff + + 
typedef void (*rb_event_hook_func_t) _((rb_event_t,NODE*,VALUE,ID,VALUE)); ++NODE *rb_copy_node_scope _((NODE *, NODE *)); + void rb_add_event_hook _((rb_event_hook_func_t,rb_event_t)); + int rb_remove_event_hook _((rb_event_hook_func_t)); + diff --git a/ruby-1.8.6.230-p248.patch b/ruby-1.8.6.230-p248.patch new file mode 100644 index 0000000..1279c48 --- /dev/null +++ b/ruby-1.8.6.230-p248.patch @@ -0,0 +1,16 @@ +diff -pruN ruby-1.8.6-p230.orig/array.c ruby-1.8.6-p230/array.c +--- ruby-1.8.6-p230.orig/array.c 2008-06-20 15:53:16.000000000 +0900 ++++ ruby-1.8.6-p230/array.c 2008-06-30 11:33:00.000000000 +0900 +@@ -2272,10 +2272,10 @@ rb_ary_fill(argc, argv, ary) + break; + } + rb_ary_modify(ary); +- end = beg + len; +- if (end < 0) { ++ if (len > ARY_MAX_SIZE - beg) { + rb_raise(rb_eArgError, "argument too big"); + } ++ end = beg + len; + if (end > RARRAY(ary)->len) { + if (end >= RARRAY(ary)->aux.capa) { + REALLOC_N(RARRAY(ary)->ptr, VALUE, end); diff --git a/ruby.spec b/ruby.spec index 17a2f93..8651091 100644 --- a/ruby.spec +++ b/ruby.spec @@ -12,7 +12,7 @@ Name: ruby Version: %{rubyver}%{?dotpatchlevel} -Release: 2%{?dist} +Release: 3%{?dist} License: Ruby or GPLv2 URL: http://www.ruby-lang.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -37,6 +37,8 @@ Patch22: ruby-deprecated-search-path.patch Patch23: ruby-multilib.patch Patch25: ruby-1.8.6.111-gcc43.patch Patch26: ruby-1.8.6.230-string-str_buf_cat.patch +Patch27: ruby-1.8.6.230-p238.patch +Patch28: ruby-1.8.6.230-p248.patch Summary: An interpreter of object-oriented scripting language Group: Development/Languages @@ -158,6 +160,8 @@ pushd %{name}-%{arcver} %endif %patch25 -p1 %patch26 -p1 +%patch27 -p1 +%patch28 -p1 popd %build 
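Review bot: In clone_method the new call `rb_copy_node_scope(fbody, ruby_cref)` no longer consults `data->klass`, which the removed lines used to build the cref for the copied scope. The clone now takes whatever `ruby_cref` happens to be when the call runs. If that is intended, say so at the call site, e.g. `/* cref is taken from the current scope, not from data->klass */`; if not, a cref for the target class probably needs to be built and passed as the second argument. The node.h hunk exports the formerly static helper, so its prototype should get a one-line comment stating what `rval` is. clone_method's signature and the rest of its body are outside the hunk.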
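Review bot: Removing the `end < 0` test from rb_ary_fill means a negative `len` is no longer rejected in the visible lines. `len > ARY_MAX_SIZE - beg` is false for it, and `end = beg + len` then lands below `beg`. Whether an earlier guard exists is outside the hunk; if none does, add an explicit check such as `if (len < 0) return ary;` before the size comparison. The follow-up ruby-1.8.6.230-p257.patch extends the same condition with `beg >= ARY_MAX_SIZE` but still does not test the sign of `len`.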
@@ -514,6 +518,10 @@ rm -rf tmp-ruby-docs %endif %changelog +* Mon Jun 30 2008 Akira TAGOH - 1.8.6.230-3 +- Backported from upstream SVN to fix a segfault issue. (#452825) +- Backported from upstream SVN to fix an integer overflow in rb_ary_fill. + * Wed Jun 25 2008 Akira TAGOH - 1.8.6.230-2 - Fix a segfault issue. (#452809) From 4a7cd391f3999dd5c02e026068ab12b64a284140 Mon Sep 17 00:00:00 2001 From: Akira TAGOH Date: Tue, 1 Jul 2008 08:15:00 +0000 Subject: [PATCH 05/10] - Backported from upstream SVN to fix a segfault issue with Array#fill. --- ruby.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ruby.spec b/ruby.spec index 8651091..432ba1c 100644 --- a/ruby.spec +++ b/ruby.spec @@ -12,7 +12,7 @@ Name: ruby Version: %{rubyver}%{?dotpatchlevel} -Release: 3%{?dist} +Release: 4%{?dist} License: Ruby or GPLv2 URL: http://www.ruby-lang.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -39,6 +39,7 @@ Patch25: ruby-1.8.6.111-gcc43.patch Patch26: ruby-1.8.6.230-string-str_buf_cat.patch Patch27: ruby-1.8.6.230-p238.patch Patch28: ruby-1.8.6.230-p248.patch +Patch29: ruby-1.8.6.230-p257.patch Summary: An interpreter of object-oriented scripting language Group: Development/Languages @@ -162,6 +163,7 @@ pushd %{name}-%{arcver} %patch26 -p1 %patch27 -p1 %patch28 -p1 +%patch29 -p1 popd %build @@ -518,6 +520,9 @@ rm -rf tmp-ruby-docs %endif %changelog +* Tue Jul 1 2008 Akira TAGOH - 1.8.6.230-4 +- Backported from upstream SVN to fix a segfault issue with Array#fill. + * Mon Jun 30 2008 Akira TAGOH - 1.8.6.230-3 - Backported from upstream SVN to fix a segfault issue. (#452825) - Backported from upstream SVN to fix an integer overflow in rb_ary_fill. From c389fa05dcaf525242b4504eb7658f238485cc0b Mon Sep 17 00:00:00 2001 
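Review bot: `Patch29: ruby-1.8.6.230-p257.patch` and `%patch29 -p1` are added to ruby.spec here, but this commit's diffstat lists only ruby.spec, so the patch file they refer to is not part of the commit. It arrives in the next one (PATCH 06/10, "*** empty log message ***"). A checkout at this commit would not build, and the patch that carries the actual fix has no description. The patch file belongs in the same commit as the spec lines that apply it, with the changelog text as its log message.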
From: Akira TAGOH
Date: Tue, 1 Jul 2008 08:21:22 +0000
Subject: [PATCH 06/10] *** empty log message ***
---
ruby-1.8.6.230-p257.patch | 12 ++++++++++++
1 file changed, 12 insertions(+)
create mode 100644 ruby-1.8.6.230-p257.patch
diff --git a/ruby-1.8.6.230-p257.patch b/ruby-1.8.6.230-p257.patch
new file mode 100644
index 0000000..dbae14a
--- /dev/null
+++ b/ruby-1.8.6.230-p257.patch
@@ -0,0 +1,12 @@
+diff -pruN ruby-1.8.6-p230.orig/array.c ruby-1.8.6-p230/array.c
+--- ruby-1.8.6-p230.orig/array.c 2008-07-01 16:32:12.000000000 +0900
++++ ruby-1.8.6-p230/array.c 2008-07-01 16:34:01.000000000 +0900
+@@ -2272,7 +2272,7 @@ rb_ary_fill(argc, argv, ary)
+ break;
+ }
+ rb_ary_modify(ary);
+- if (len > ARY_MAX_SIZE - beg) {
++ if (beg >= ARY_MAX_SIZE || len > ARY_MAX_SIZE - beg) {
+ rb_raise(rb_eArgError, "argument too big");
+ }
+ end = beg + len;
From 2561310c31f9077bf9f5c5e1003b1ccd399a9976 Mon Sep 17 00:00:00 2001
From: Akira TAGOH Date: Sat, 23 Aug 2008 09:05:21 +0000 Subject: [PATCH 07/10] - New upstream release. - Security fixes. - CVE-2008-3655: Ruby does not properly restrict access to critical variables and methods at various safe levels. - CVE-2008-3656: DoS vulnerability in WEBrick. - CVE-2008-3657: Lack of taintness check in dl. - CVE-2008-1447: DNS spoofing vulnerability in resolv.rb. - CVE-2008-3443: Memory allocation failure in Ruby regex engine. - Remove the unnecessary backported patches. --- .cvsignore | 1 + ruby-1.8.6.230-p238.patch | 58 ------------------------- ruby-1.8.6.230-p248.patch | 16 ------- ruby-1.8.6.230-p257.patch | 12 ----- ruby-1.8.6.230-string-str_buf_cat.patch | 28 ------------ ruby-fix-autoconf-magic-code.patch | 11 ----- ruby.spec | 23 +++++----- sources | 2 +- 8 files changed, 15 insertions(+), 136 deletions(-) delete mode 100644 ruby-1.8.6.230-p238.patch delete mode 100644 ruby-1.8.6.230-p248.patch delete mode 100644 ruby-1.8.6.230-p257.patch delete mode 100644 ruby-1.8.6.230-string-str_buf_cat.patch delete mode 100644 ruby-fix-autoconf-magic-code.patch diff --git a/.cvsignore b/.cvsignore index 2ecc1d3..8b4ee53 100644 --- a/.cvsignore +++ b/.cvsignore @@ -22,3 +22,4 @@ rubyfaq-990927.tar.gz rubyfaq-jp-990927.tar.gz ruby-1.8.6-p114.tar.bz2 ruby-1.8.6-p230.tar.bz2 +ruby-1.8.6-p287.tar.bz2 diff --git a/ruby-1.8.6.230-p238.patch b/ruby-1.8.6.230-p238.patch deleted file mode 100644 index 1cf26ff..0000000 --- a/ruby-1.8.6.230-p238.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -diff -pruN ruby-1.8.6-p230.orig/class.c ruby-1.8.6-p230/class.c ---- ruby-1.8.6-p230.orig/class.c 2008-06-15 21:06:33.000000000 +0900 -+++ ruby-1.8.6-p230/class.c 2008-06-30 11:21:41.000000000 +0900 -@@ -62,10 +62,7 @@ clone_method(mid, body, data) - NODE *fbody = body->nd_body; - - if (fbody && nd_type(fbody) == NODE_SCOPE) { -- VALUE cref = data->klass ? -- (VALUE)NEW_NODE(NODE_CREF,data->klass,0,fbody->nd_rval) : -- fbody->nd_rval; -- fbody = NEW_NODE(NODE_SCOPE, fbody->nd_tbl, cref, fbody->nd_next); -+ fbody = rb_copy_node_scope(fbody, ruby_cref); - } - st_insert(data->tbl, mid, (st_data_t)NEW_METHOD(fbody, body->nd_noex)); - return ST_CONTINUE; -diff -pruN ruby-1.8.6-p230.orig/eval.c ruby-1.8.6-p230/eval.c ---- ruby-1.8.6-p230.orig/eval.c 2008-06-16 15:43:48.000000000 +0900 -+++ ruby-1.8.6-p230/eval.c 2008-06-30 11:19:15.000000000 +0900 -@@ -2239,8 +2239,8 @@ rb_mod_alias_method(mod, newname, oldnam - return mod; - } - --static NODE* --copy_node_scope(node, rval) -+NODE* -+rb_copy_node_scope(node, rval) - NODE *node; - NODE *rval; - { -@@ -3948,7 +3948,7 @@ rb_eval(self, n) - noex |= NOEX_NOSUPER; - } - -- defn = copy_node_scope(node->nd_defn, ruby_cref); -+ defn = rb_copy_node_scope(node->nd_defn, ruby_cref); - rb_add_method(ruby_class, node->nd_mid, defn, noex); - if (scope_vmode == SCOPE_MODFUNC) { - rb_add_method(rb_singleton_class(ruby_class), -@@ -3984,7 +3984,7 @@ rb_eval(self, n) - rb_warning("redefine %s", rb_id2name(node->nd_mid)); - } - } -- defn = copy_node_scope(node->nd_defn, ruby_cref); -+ defn = rb_copy_node_scope(node->nd_defn, ruby_cref); - rb_add_method(klass, node->nd_mid, defn, - NOEX_PUBLIC|(body?body->nd_noex&NOEX_UNDEF:0)); - result = Qnil; -diff -pruN ruby-1.8.6-p230.orig/node.h ruby-1.8.6-p230/node.h ---- ruby-1.8.6-p230.orig/node.h 2007-05-23 00:01:22.000000000 +0900 -+++ ruby-1.8.6-p230/node.h 2008-06-30 11:20:06.000000000 +0900 -@@ -371,6 +371,7 @@ typedef unsigned int rb_event_t; - #define RUBY_EVENT_ALL 0xff - - 
typedef void (*rb_event_hook_func_t) _((rb_event_t,NODE*,VALUE,ID,VALUE)); -+NODE *rb_copy_node_scope _((NODE *, NODE *)); - void rb_add_event_hook _((rb_event_hook_func_t,rb_event_t)); - int rb_remove_event_hook _((rb_event_hook_func_t)); - diff --git a/ruby-1.8.6.230-p248.patch b/ruby-1.8.6.230-p248.patch deleted file mode 100644 index 1279c48..0000000 --- a/ruby-1.8.6.230-p248.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff -pruN ruby-1.8.6-p230.orig/array.c ruby-1.8.6-p230/array.c ---- ruby-1.8.6-p230.orig/array.c 2008-06-20 15:53:16.000000000 +0900 -+++ ruby-1.8.6-p230/array.c 2008-06-30 11:33:00.000000000 +0900 -@@ -2272,10 +2272,10 @@ rb_ary_fill(argc, argv, ary) - break; - } - rb_ary_modify(ary); -- end = beg + len; -- if (end < 0) { -+ if (len > ARY_MAX_SIZE - beg) { - rb_raise(rb_eArgError, "argument too big"); - } -+ end = beg + len; - if (end > RARRAY(ary)->len) { - if (end >= RARRAY(ary)->aux.capa) { - REALLOC_N(RARRAY(ary)->ptr, VALUE, end); diff --git a/ruby-1.8.6.230-p257.patch b/ruby-1.8.6.230-p257.patch deleted file mode 100644 index dbae14a..0000000 --- a/ruby-1.8.6.230-p257.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -pruN ruby-1.8.6-p230.orig/array.c ruby-1.8.6-p230/array.c ---- ruby-1.8.6-p230.orig/array.c 2008-07-01 16:32:12.000000000 +0900 -+++ ruby-1.8.6-p230/array.c 2008-07-01 16:34:01.000000000 +0900 -@@ -2272,7 +2272,7 @@ rb_ary_fill(argc, argv, ary) - break; - } - rb_ary_modify(ary); -- if (len > ARY_MAX_SIZE - beg) { -+ if (beg >= ARY_MAX_SIZE || len > ARY_MAX_SIZE - beg) { - rb_raise(rb_eArgError, "argument too big"); - } - end = beg + len; diff --git a/ruby-1.8.6.230-string-str_buf_cat.patch b/ruby-1.8.6.230-string-str_buf_cat.patch deleted file mode 100644 index 287ddc9..0000000 --- a/ruby-1.8.6.230-string-str_buf_cat.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -diff -pruN ruby-1.8.6-p230.orig/string.c ruby-1.8.6-p230/string.c ---- ruby-1.8.6-p230.orig/string.c 2008-06-20 18:24:53.000000000 +0900 -+++ ruby-1.8.6-p230/string.c 2008-06-25 16:10:17.000000000 +0900 -@@ -693,9 +693,13 @@ str_buf_cat(str, ptr, len) - const char *ptr; - long len; - { -- long capa, total; -+ long capa, total, off = -1; - - rb_str_modify(str); -+ if (ptr >= RSTRING(str)->ptr && ptr <= RSTRING(str)->ptr + RSTRING(str)->len) { -+ off = ptr - RSTRING(str)->ptr; -+ } -+ if (len == 0) return 0; - if (FL_TEST(str, STR_ASSOC)) { - FL_UNSET(str, STR_ASSOC); - capa = RSTRING(str)->aux.capa = RSTRING(str)->len; -@@ -717,6 +721,9 @@ str_buf_cat(str, ptr, len) - } - RESIZE_CAPA(str, capa); - } -+ if (off != -1) { -+ ptr = RSTRING(str)->ptr + off; -+ } - memcpy(RSTRING(str)->ptr + RSTRING(str)->len, ptr, len); - RSTRING(str)->len = total; - RSTRING(str)->ptr[total] = '\0'; /* sentinel */ diff --git a/ruby-fix-autoconf-magic-code.patch b/ruby-fix-autoconf-magic-code.patch deleted file mode 100644 index 58ac75f..0000000 --- a/ruby-fix-autoconf-magic-code.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -ruN ruby-1.8.4.orig/mkconfig.rb ruby-1.8.4/mkconfig.rb ---- ruby-1.8.4.orig/mkconfig.rb 2006-07-19 20:39:48.000000000 +0900 -+++ ruby-1.8.4/mkconfig.rb 2006-07-19 20:40:12.000000000 +0900 -@@ -37,6 +37,7 @@ - has_version = false - File.foreach "config.status" do |line| - next if /^#/ =~ line -+ line.gsub!(/\|#_!!_#\|/, '') - if /^s[%,]@program_transform_name@[%,]s,(.*)/ =~ line - next if $install_name - ptn = $1.sub(/\$\$/, '$').split(/,/) #' diff --git a/ruby.spec b/ruby.spec index 432ba1c..f030211 100644 --- a/ruby.spec +++ b/ruby.spec @@ -1,6 +1,6 @@ %define rubyxver 1.8 %define rubyver 1.8.6 -%define _patchlevel 230 +%define _patchlevel 287 %define dotpatchlevel %{?_patchlevel:.%{_patchlevel}} %define patchlevel %{?_patchlevel:-p%{_patchlevel}} %define arcver %{rubyver}%{?patchlevel} 
@@ -12,7 +12,7 @@ Name: ruby Version: %{rubyver}%{?dotpatchlevel} -Release: 4%{?dist} +Release: 1%{?dist} License: Ruby or GPLv2 URL: http://www.ruby-lang.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -36,10 +36,6 @@ Patch21: ruby-deprecated-sitelib-search-path.patch Patch22: ruby-deprecated-search-path.patch Patch23: ruby-multilib.patch Patch25: ruby-1.8.6.111-gcc43.patch -Patch26: ruby-1.8.6.230-string-str_buf_cat.patch -Patch27: ruby-1.8.6.230-p238.patch -Patch28: ruby-1.8.6.230-p248.patch -Patch29: ruby-1.8.6.230-p257.patch Summary: An interpreter of object-oriented scripting language Group: Development/Languages @@ -160,10 +156,6 @@ pushd %{name}-%{arcver} %patch23 -p1 %endif %patch25 -p1 -%patch26 -p1 -%patch27 -p1 -%patch28 -p1 -%patch29 -p1 popd %build @@ -520,6 +512,17 @@ rm -rf tmp-ruby-docs %endif %changelog +* Sat Aug 23 2008 Akira TAGOH - 1.8.6.287-1 +- New upstream release. +- Security fixes. + - CVE-2008-3655: Ruby does not properly restrict access to critical + variables and methods at various safe levels. + - CVE-2008-3656: DoS vulnerability in WEBrick. + - CVE-2008-3657: Lack of taintness check in dl. + - CVE-2008-1447: DNS spoofing vulnerability in resolv.rb. + - CVE-2008-3443: Memory allocation failure in Ruby regex engine. +- Remove the unnecessary backported patches. + * Tue Jul 1 2008 Akira TAGOH - 1.8.6.230-4 - Backported from upstream SVN to fix a segfault issue with Array#fill. diff --git a/sources b/sources index 2883da8..881802a 100644 --- a/sources +++ b/sources @@ -3,4 +3,4 @@ d65e3a216d6d345a2a6f1aa8758c2f75 ruby-refm-rdp-1.8.1-ja-html.tar.gz e1d38b7d4f1be55726d6927a3395ce3b ruby-1.8.6-p111.tar.bz2 634c25b14e19925d10af3720d72e8741 rubyfaq-990927.tar.gz 4fcec898f51d8371cc42d0a013940469 rubyfaq-jp-990927.tar.gz -3eceb42d4fc56398676c20a49ac7e044 ruby-1.8.6-p230.tar.bz2 +80b5f3db12531d36e6c81fac6d05dda9 ruby-1.8.6-p287.tar.bz2 From 1fae7c569d0772efbdccd2c68376ae41aaa4916c Mon Sep 17 00:00:00 2001 
From: Akira TAGOH
Date: Wed, 8 Oct 2008 13:52:38 +0000
Subject: [PATCH 08/10] - CVE-2008-3790: DoS vulnerability in the REXML module.
---
ruby-1.8.6-rexml-CVE-2008-3790.patch | 96 ++++++++++++++++++++++++++++
ruby.spec | 7 +-
2 files changed, 102 insertions(+), 1 deletion(-)
create mode 100644 ruby-1.8.6-rexml-CVE-2008-3790.patch
diff --git a/ruby-1.8.6-rexml-CVE-2008-3790.patch b/ruby-1.8.6-rexml-CVE-2008-3790.patch
new file mode 100644
index 0000000..2ce6e1f
--- /dev/null
+++ b/ruby-1.8.6-rexml-CVE-2008-3790.patch
@@ -0,0 +1,96 @@ +diff -pruN ruby-1.8.6-p287.orig/lib/rexml/document.rb ruby-1.8.6-p287/lib/rexml/document.rb +--- ruby-1.8.6-p287.orig/lib/rexml/document.rb 2007-11-04 13:50:15.000000000 +0900 ++++ ruby-1.8.6-p287/lib/rexml/document.rb 2008-10-08 22:25:14.000000000 +0900 +@@ -32,6 +32,7 @@ module REXML + # @param context if supplied, contains the context of the document; + # this should be a Hash. + def initialize( source = nil, context = {} ) ++ @entity_expansion_count = 0 + super() + @context = context + return if source.nil? +@@ -200,6 +201,27 @@ module REXML + Parsers::StreamParser.new( source, listener ).parse + end + ++ @@entity_expansion_limit = 10_000 ++ ++ # Set the entity expansion limit. By defualt the limit is set to 10000. ++ def Document::entity_expansion_limit=( val ) ++ @@entity_expansion_limit = val ++ end ++ ++ # Get the entity expansion limit. By defualt the limit is set to 10000. ++ def Document::entity_expansion_limit ++ return @@entity_expansion_limit ++ end ++ ++ attr_reader :entity_expansion_count ++ ++ def record_entity_expansion ++ @entity_expansion_count += 1 ++ if @entity_expansion_count > @@entity_expansion_limit ++ raise "number of entity expansions exceeded, processing aborted." ++ end ++ end ++ + private + def build( source ) + Parsers::TreeParser.new( source, self ).parse +diff -pruN ruby-1.8.6-p287.orig/lib/rexml/entity.rb ruby-1.8.6-p287/lib/rexml/entity.rb +--- ruby-1.8.6-p287.orig/lib/rexml/entity.rb 2007-07-28 11:46:08.000000000 +0900 ++++ ruby-1.8.6-p287/lib/rexml/entity.rb 2008-10-08 22:25:14.000000000 +0900 +@@ -73,6 +73,7 @@ module REXML + # all entities -- both %ent; and &ent; entities. This differs from + # +value()+ in that +value+ only replaces %ent; entities. + def unnormalized ++ document.record_entity_expansion + v = value() + return nil if v.nil? 
+ @unnormalized = Text::unnormalize(v, parent) +diff -pruN ruby-1.8.6-p287.orig/test/rexml/test_document.rb ruby-1.8.6-p287/test/rexml/test_document.rb +--- ruby-1.8.6-p287.orig/test/rexml/test_document.rb 1970-01-01 09:00:00.000000000 +0900 ++++ ruby-1.8.6-p287/test/rexml/test_document.rb 2008-10-08 22:25:14.000000000 +0900 +@@ -0,0 +1,42 @@ ++require "rexml/document" ++require "test/unit" ++ ++class REXML::TestDocument < Test::Unit::TestCase ++ def test_new ++ doc = REXML::Document.new(< ++Hello world! ++EOF ++ assert_equal("Hello world!", doc.root.children.first.value) ++ end ++ ++ XML_WITH_NESTED_ENTITY = < ++ ++ ++ ++ ++ ++ ++ ++]> ++ ++&a; ++ ++EOF ++ ++ def test_entity_expansion_limit ++ doc = REXML::Document.new(XML_WITH_NESTED_ENTITY) ++ assert_raise(RuntimeError) do ++ doc.root.children.first.value ++ end ++ REXML::Document.entity_expansion_limit = 100 ++ assert_equal(100, REXML::Document.entity_expansion_limit) ++ doc = REXML::Document.new(XML_WITH_NESTED_ENTITY) ++ assert_raise(RuntimeError) do ++ doc.root.children.first.value ++ end ++ assert_equal(101, doc.entity_expansion_count) ++ end ++end diff --git a/ruby.spec b/ruby.spec index f030211..f1f4628 100644 --- a/ruby.spec +++ b/ruby.spec @@ -12,7 +12,7 @@ Name: ruby Version: %{rubyver}%{?dotpatchlevel} -Release: 1%{?dist} +Release: 2%{?dist} License: Ruby or GPLv2 URL: http://www.ruby-lang.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -36,6 +36,7 @@ Patch21: ruby-deprecated-sitelib-search-path.patch Patch22: ruby-deprecated-search-path.patch Patch23: ruby-multilib.patch Patch25: ruby-1.8.6.111-gcc43.patch +Patch26: ruby-1.8.6-rexml-CVE-2008-3790.patch Summary: An interpreter of object-oriented scripting language Group: Development/Languages @@ -156,6 +157,7 @@ pushd %{name}-%{arcver} %patch23 -p1 %endif %patch25 -p1 +%patch26 -p1 popd %build 
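Review bot: `document.record_entity_expansion` in Entity#unnormalized is called unconditionally, so an entity with no owning document would hit a nil receiver and raise NoMethodError instead of expanding. Whether `document` can be nil there is not visible in the hunk, but a guard is cheap: `document.record_entity_expansion unless document.nil?`. The limit lives in the class variable `@@entity_expansion_limit`, so the setter changes it for every document in the process, and test_entity_expansion_limit leaves it at 100 for whatever runs afterwards; restore the previous value in an `ensure`. The comments on both accessors misspell "default" as "defualt".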
@@ -512,6 +514,9 @@ rm -rf tmp-ruby-docs %endif %changelog +* Wed Oct 8 2008 Akira TAGOH - 1.8.6.287-2 +- CVE-2008-3790: DoS vulnerability in the REXML module. + * Sat Aug 23 2008 Akira TAGOH - 1.8.6.287-1 - New upstream release. - Security fixes. From 0d34702d7a4006eb27988f046556c7198033069f Mon Sep 17 00:00:00 2001 From: Bill Nottingham Date: Thu, 26 Nov 2009 01:30:26 +0000 Subject: [PATCH 09/10] Fix typo that causes a failure to update the common directory. (releng #2781) --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index d363f5c..9141959 100644 --- a/Makefile +++ b/Makefile @@ -1,10 +1,10 @@ # Makefile for source rpm: ruby -# $Id: Makefile,v 1.1 2004/09/09 11:54:27 cvsdist Exp $ +# $Id: Makefile,v 1.2 2007/10/15 19:21:20 notting Exp $ NAME := ruby SPECFILE = $(firstword $(wildcard *.spec)) define find-makefile-common -for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done +for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done endef MAKEFILE_COMMON := $(shell $(find-makefile-common)) From e333e5f81fd363587607a41bdfef15ceb8761476 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 29 Jul 2010 11:44:18 +0000 Subject: [PATCH 10/10] dist-git conversion --- .cvsignore => .gitignore | 0 Makefile | 21 --------------------- branch | 1 - 3 files changed, 22 deletions(-) rename .cvsignore => .gitignore (100%) delete mode 100644 Makefile delete mode 100644 branch diff --git a/.cvsignore b/.gitignore similarity index 100% rename from .cvsignore rename to .gitignore diff --git a/Makefile b/Makefile deleted file mode 100644 index 9141959..0000000 --- a/Makefile +++ /dev/null 
@@ -1,21 +0,0 @@
-# Makefile for source rpm: ruby
-# $Id: Makefile,v 1.2 2007/10/15 19:21:20 notting Exp $
-NAME := ruby
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attempt a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)
diff --git a/branch b/branch
deleted file mode 100644
index 1c26f78..0000000
--- a/branch
+++ /dev/null
@@ -1 +0,0 @@
-F-9