From 556d824d52e0a3a0c37d91e3cc445cbee5c18153 Mon Sep 17 00:00:00 2001
From: TASAKA Mamoru
Date: Mon, 25 Feb 2013 10:59:52 +0900
Subject: [PATCH 1/5] Update to 1.9.3 p392 - Fix entity expansion DoS vulnerability in REXML (bug 914716)
---
 .gitignore | 1 +
 ruby.spec | 10 +++++++---
 sources | 2 +-
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index f5ae591..6a939a7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,3 +16,4 @@ ruby-rev415a3ef9ab82c65a7abc-ext_tk.tar.gz
 /ruby-1.9.3-p362.tar.gz
 /ruby-1.9.3-p374.tar.gz
 /ruby-1.9.3-p385.tar.gz
+/ruby-1.9.3-p392.tar.gz
diff --git a/ruby.spec b/ruby.spec
index 887454d..bfa0754 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -1,7 +1,7 @@
 %global major_version 1
 %global minor_version 9
 %global teeny_version 3
-%global patch_level 385
+%global patch_level 392
 %global major_minor_version %{major_version}.%{minor_version}
@@ -43,7 +43,7 @@
 %global rdoc_version 3.9.5
 %global bigdecimal_version 1.1.0
 %global io_console_version 0.3
-%global json_version 1.5.4
+%global json_version 1.5.5
 %global minitest_version 2.5.1
 %global _normalized_cpu %(echo %{_target_cpu} | sed 's/^ppc/powerpc/;s/i.86/i386/;s/sparcv./sparc/')
@@ -56,7 +56,7 @@ Version: %{ruby_version_patch_level}
 # we cannot reset the release number to 1 even when the main (ruby) version
 # is updated - because it may be that the versions of sub-components don't
 # change.
-Release: 28%{?dist}
+Release: 29%{?dist}
 Group: Development/Languages
 # Public Domain for example for: include/ruby/st.h, strftime.c, ...
 License: (Ruby or BSD) and Public Domain
@@ -778,6 +778,10 @@ make check TESTS="-v $DISABLE_TESTS"
 %{ruby_libdir}/tkextlib
 %changelog
+* Mon Feb 25 2013 Mamoru TASAKA - 1.9.3.392-29
+- Update to 1.9.3 p392
+- Fix entity expansion DoS vulnerability in REXML (bug 914716)
+
 * Mon Feb 11 2013 Mamoru TASAKA - 1.9.3.385-28
 - Update to 1.9.3 p385
diff --git a/sources b/sources
index 2c2210c..6849aa1 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-3e0d7f8512400c1a6732327728a56f1d ruby-1.9.3-p385.tar.gz
+f689a7b61379f83cbbed3c7077d83859 ruby-1.9.3-p392.tar.gz
From aa2899b823a97541f91cb871c899a0922dcf0092 Mon Sep 17 00:00:00 2001
From: TASAKA Mamoru
Date: Thu, 16 May 2013 17:16:05 +0900
Subject: [PATCH 2/5] Update to 1.9.3 p429 - Fix object taint bypassing in DL and Fiddle (CVE-2013-2065)
---
 .gitignore | 1 +
 ruby.spec | 13 +++++++------
 sources | 2 +-
 3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/.gitignore b/.gitignore
index 6a939a7..606f3bf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,4 @@ ruby-rev415a3ef9ab82c65a7abc-ext_tk.tar.gz
 /ruby-1.9.3-p374.tar.gz
 /ruby-1.9.3-p385.tar.gz
 /ruby-1.9.3-p392.tar.gz
+/ruby-1.9.3-p429.tar.gz
diff --git a/ruby.spec b/ruby.spec
index bfa0754..89e29a6 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -1,7 +1,7 @@
 %global major_version 1
 %global minor_version 9
 %global teeny_version 3
-%global patch_level 392
+%global patch_level 429
 %global major_minor_version %{major_version}.%{minor_version}
@@ -56,7 +56,7 @@ Version: %{ruby_version_patch_level}
 # we cannot reset the release number to 1 even when the main (ruby) version
 # is updated - because it may be that the versions of sub-components don't
 # change.
-Release: 29%{?dist}
+Release: 30%{?dist}
 Group: Development/Languages
 # Public Domain for example for: include/ruby/st.h, strftime.c, ...
 License: (Ruby or BSD) and Public Domain
@@ -78,9 +78,6 @@ Patch4: ruby-1.9.3-fix-s390x-build.patch
 # Fix the uninstaller, so that it doesn't say that gem doesn't exist
 # when it exists outside of the GEM_HOME (already fixed in the upstream)
 Patch5: ruby-1.9.3-rubygems-1.8.11-uninstaller.patch
-# Already fixed upstream:
-# https://github.com/ruby/ruby/commit/f212df564a4e1025f9fb019ce727022a97bfff53
-Patch7: ruby-1.9.3-bignum-test-fix.patch
 # Allows to install RubyGems into custom directory, outside of Ruby's tree.
 # http://redmine.ruby-lang.org/issues/5617
 Patch8: ruby-1.9.3-custom-rubygems-location.patch
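Review bot: The new tarball entry pins ruby-1.9.3-p392.tar.gz by a 32-hex-digit digest, which is presumably MD5, and that digest is the only integrity check this `sources` line gives a release being pulled in specifically for a security fix. MD5 is not collision resistant, so before committing the value it is worth comparing the downloaded tarball against the SHA256 upstream publishes with each patch-level announcement and saying so in the changelog entry; the `sources` format itself cannot be changed in this commit, but the cross-check can be done and recorded.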
@@ -348,7 +345,6 @@ Tcl/Tk interface for the object-oriented scripting language Ruby.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
-%patch7 -p1
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
@@ -361,6 +357,7 @@ Tcl/Tk interface for the object-oriented scripting language Ruby.
 autoconf
 %configure \
+ --disable-werror \
 --with-rubylibprefix='%{ruby_libdir}' \
 --with-archdir='%{ruby_libarchdir}' \
 --with-sitedir='%{ruby_sitelibdir}' \
@@ -778,6 +775,10 @@ make check TESTS="-v $DISABLE_TESTS"
 %{ruby_libdir}/tkextlib
 %changelog
+* Thu May 16 2013 Mamoru TASAKA - 1.9.3.429-30
+- Update to 1.9.3 p429
+- Fix object taint bypassing in DL and Fiddle (CVE-2013-2065)
+
 * Mon Feb 25 2013 Mamoru TASAKA - 1.9.3.392-29
 - Update to 1.9.3 p392
 - Fix entity expansion DoS vulnerability in REXML (bug 914716)
diff --git a/sources b/sources
index 6849aa1..2f5abc8 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-f689a7b61379f83cbbed3c7077d83859 ruby-1.9.3-p392.tar.gz
+993c72f7f805a9eb453f90b0b7fe0d2b ruby-1.9.3-p429.tar.gz
From b1f489610b4971da56d93ebf1357dc9c220d7c81 Mon Sep 17 00:00:00 2001
From: TASAKA Mamoru
Date: Mon, 1 Jul 2013 11:45:15 +0900
Subject: [PATCH 3/5] Update to 1.9.3 p448 - Fix hostname check bypassing vulnerability in SSL client (CVE-2013-4073)
---
 .gitignore | 1 +
 ruby-1.9.3-fix-s390x-build.patch | 12 ------------
 ruby.spec | 14 ++++++++++----
 sources | 2 +-
 4 files changed, 12 insertions(+), 17 deletions(-)
 delete mode 100644 ruby-1.9.3-fix-s390x-build.patch
diff --git a/.gitignore b/.gitignore
index 606f3bf..2fe56c0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,4 @@ ruby-rev415a3ef9ab82c65a7abc-ext_tk.tar.gz
 /ruby-1.9.3-p385.tar.gz
 /ruby-1.9.3-p392.tar.gz
 /ruby-1.9.3-p429.tar.gz
+/ruby-1.9.3-p448.tar.gz
diff --git a/ruby-1.9.3-fix-s390x-build.patch b/ruby-1.9.3-fix-s390x-build.patch
deleted file mode 100644
index d0ade91..0000000
--- a/ruby-1.9.3-fix-s390x-build.patch
+++ /dev/null
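Review bot: `--disable-werror` is added to the %configure call with no comment in the spec and no mention in this commit's changelog entry, so the reason it became necessary at p429 is lost and nobody will know when it is safe to drop it. Switching warnings-as-errors off for the whole build also hides any new compiler diagnostics in this and every later patch level; presumably p429's configure started promoting some warnings to errors under the distribution's GCC, which is exactly what should be stated. Add a comment above the flag, e.g. `# p429's configure treats some compiler warnings as errors and the build fails with them on; disable until the warnings themselves are fixed`, and name the failing warnings in the changelog so the flag can be revisited. The %configure invocation continues past the end of the hunk.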
@@ -1,12 +0,0 @@
-diff -up ruby-1.9.3-p0/ext/tk/extconf.rb.orig ruby-1.9.3-p0/ext/tk/extconf.rb
---- ruby-1.9.3-p0/ext/tk/extconf.rb.orig 2011-06-29 16:11:19.000000000 +0200
-+++ ruby-1.9.3-p0/ext/tk/extconf.rb 2011-10-18 16:15:59.406299659 +0200
-@@ -114,7 +114,7 @@ def is_macosx?
- end
-
- def maybe_64bit?
-- /64|universal/ =~ RUBY_PLATFORM
-+ /64|universal|s390x/ =~ RUBY_PLATFORM
- end
-
- def check_tcltk_version(version)
diff --git a/ruby.spec b/ruby.spec
index 89e29a6..2d97373 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -1,7 +1,7 @@
 %global major_version 1
 %global minor_version 9
 %global teeny_version 3
-%global patch_level 429
+%global patch_level 448
 %global major_minor_version %{major_version}.%{minor_version}
@@ -56,7 +56,7 @@ Version: %{ruby_version_patch_level}
 # we cannot reset the release number to 1 even when the main (ruby) version
 # is updated - because it may be that the versions of sub-components don't
 # change.
-Release: 30%{?dist}
+Release: 31%{?dist}
 Group: Development/Languages
 # Public Domain for example for: include/ruby/st.h, strftime.c, ...
 License: (Ruby or BSD) and Public Domain
@@ -74,7 +74,8 @@ Patch2: ruby-1.9.3-added-site-and-vendor-arch-flags.patch
 # some differencies in build between Fedora and RHEL.
 Patch3: ruby-1.9.3-always-use-i386.patch
 # http://redmine.ruby-lang.org/issues/5465
-Patch4: ruby-1.9.3-fix-s390x-build.patch
+# Fixed in 1.9.3 p448
+#Patch4: ruby-1.9.3-fix-s390x-build.patch
 # Fix the uninstaller, so that it doesn't say that gem doesn't exist
 # when it exists outside of the GEM_HOME (already fixed in the upstream)
 Patch5: ruby-1.9.3-rubygems-1.8.11-uninstaller.patch
@@ -343,7 +344,7 @@ Tcl/Tk interface for the object-oriented scripting language Ruby.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
-%patch4 -p1
+#%%patch4 -p1
 %patch5 -p1
 %patch8 -p1
 %patch9 -p1
@@ -775,6 +776,11 @@ make check TESTS="-v $DISABLE_TESTS"
 %{ruby_libdir}/tkextlib
 %changelog
+* Mon Jul 1 2013 Mamoru TASAKA - 1.9.3.448-31
+- Update to 1.9.3 p448
+- Fix hostname check bypassing vulnerability in SSL client
+ (CVE-2013-4073)
+
 * Thu May 16 2013 Mamoru TASAKA - 1.9.3.429-30
 - Update to 1.9.3 p429
 - Fix object taint bypassing in DL and Fiddle (CVE-2013-2065)
diff --git a/sources b/sources
index 2f5abc8..8e4d44c 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-993c72f7f805a9eb453f90b0b7fe0d2b ruby-1.9.3-p429.tar.gz
+a893cff26bcf351b8975ebf2a63b1023 ruby-1.9.3-p448.tar.gz
From 1889b338c5125037d2dd592692dc23e277748b63 Mon Sep 17 00:00:00 2001
From: Mamoru TASAKA
Date: Mon, 25 Nov 2013 11:32:07 +0900
Subject: [PATCH 4/5] Update to 1.9.3 p484 - Fix heap overflow in floating point parsing (CVE-2013-4164)
---
 ruby.spec | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/ruby.spec b/ruby.spec
index 2d97373..a619e5e 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -1,7 +1,7 @@
 %global major_version 1
 %global minor_version 9
 %global teeny_version 3
-%global patch_level 448
+%global patch_level 484
 %global major_minor_version %{major_version}.%{minor_version}
@@ -56,7 +56,7 @@ Version: %{ruby_version_patch_level}
 # we cannot reset the release number to 1 even when the main (ruby) version
 # is updated - because it may be that the versions of sub-components don't
 # change.
-Release: 31%{?dist}
+Release: 32%{?dist}
 Group: Development/Languages
 # Public Domain for example for: include/ruby/st.h, strftime.c, ...
 License: (Ruby or BSD) and Public Domain
@@ -776,6 +776,10 @@ make check TESTS="-v $DISABLE_TESTS"
 %{ruby_libdir}/tkextlib
 %changelog
+* Mon Nov 25 2013 Mamoru TASAKA - 1.9.3.484-32
+- Update to 1.9.3 p484
+- Fix heap overflow in floating point parsing (CVE-2013-4164)
+
 * Mon Jul 1 2013 Mamoru TASAKA - 1.9.3.448-31
 - Update to 1.9.3 p448
 - Fix hostname check bypassing vulnerability in SSL client
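Review bot: This commit raises patch_level to 484 and adds the changelog entry, but its diffstat touches only ruby.spec; `sources` and .gitignore are updated only in the following "upload new-source" commit. At this revision the spec therefore asks for ruby-1.9.3-p484.tar.gz while `sources` still carries the p448 digest, so a build of this commit either cannot fetch the tarball or fails its checksum, and the branch is not bisectable across the CVE-2013-4164 update. Squash the two commits, or land the `sources` update first, so every revision builds; the same ordering problem does not affect the three earlier updates on this page, which carry the digest and spec together.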
From a6a6e2e7fde73935d980c194c0ce9ee50d499c60 Mon Sep 17 00:00:00 2001
From: Mamoru TASAKA
Date: Mon, 25 Nov 2013 11:43:50 +0900
Subject: [PATCH 5/5] upload new-source
---
 .gitignore | 1 +
 sources | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index 2fe56c0..c784ee1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,3 +19,4 @@ ruby-rev415a3ef9ab82c65a7abc-ext_tk.tar.gz
 /ruby-1.9.3-p392.tar.gz
 /ruby-1.9.3-p429.tar.gz
 /ruby-1.9.3-p448.tar.gz
+/ruby-1.9.3-p484.tar.gz
diff --git a/sources b/sources
index 8e4d44c..880729b 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-a893cff26bcf351b8975ebf2a63b1023 ruby-1.9.3-p448.tar.gz
+8ac0dee72fe12d75c8b2d0ef5d0c2968 ruby-1.9.3-p484.tar.gz