From 78166da9c39ffdb6979a0252736024fd6316161d Mon Sep 17 00:00:00 2001 From: Mamoru Tasaka Date: Fri, 30 Dec 2011 00:36:43 +0900 Subject: [PATCH 1/7] Update to 1.8.7p352 Randomize hash on process startup (CVE-2011-4815, bug 750564) --- .gitignore | 1 + ruby.spec | 25 +++++++++++++++++++++++-- sources | 4 +--- 3 files changed, 25 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index a4c19e9..c1f83dd 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,4 @@ ruby-rev415a3ef9ab82c65a7abc-ext_tk.tar.gz /ruby-1.8.7-p334.tar.bz2 /ruby-1.8.7-p352.tar.bz2 /ruby-revc2dfaa7d40531aef3706bcc16f38178b0c6633ee-ext_tk.tar.gz +/ruby-1.8.7-p357.tar.bz2 diff --git a/ruby.spec b/ruby.spec index f8c992b..9c74507 100644 --- a/ruby.spec +++ b/ruby.spec @@ -1,6 +1,6 @@ %global rubyxver 1.8 %global rubyver 1.8.7 -%global _patchlevel 352 +%global _patchlevel 357 %global dotpatchlevel %{?_patchlevel:.%{_patchlevel}} %global patchlevel %{?_patchlevel:-p%{_patchlevel}} @@ -11,7 +11,7 @@ %{!?sitelibbase: %global sitelibbase %{vendorlibbase}/site_ruby} %{!?sitearchbase: %global sitearchbase %{vendorarchbase}/site_ruby} -%global _normalized_cpu %(echo %{_target_cpu} | sed 's/^ppc/powerpc/;s/i.86/i386/;s/sparcv./sparc/;s/armv.*/arm/') +%global _normalized_cpu %(echo %{_target_cpu} | sed 's/^ppc/powerpc/;s/i.86/i386/;s/sparcv./sparc/') # Fri Jul 15 21:28:10 2011 +0000 %global ruby_tk_git_revision c2dfaa7d40531aef3706bcc16f38178b0c6633ee @@ -24,7 +24,9 @@ URL: http://www.ruby-lang.org/ BuildRequires: compat-readline5-devel BuildRequires: db4-devel +%if 0%{?fedora} < 17 BuildRequires: gdbm-devel +%endif BuildRequires: libX11-devel BuildRequires: ncurses-devel BuildRequires: openssl-devel @@ -200,6 +202,11 @@ popd # when it is no longer needed. sed -i.redirect -e '\@RUBY@s@\.rb >@\.rb | cat >@' %{name}-%{arcver}/ext/dl/depend +# Disable gdbm support on F-17 for now +%if 0%{?fedora} >= 17 +sed -i '\@dblib =@s|gdbm[^ ]*||g' %{name}-%{arcver}/ext/dbm/extconf.rb +%endif + %build pushd %{name}-%{arcver} @@ -537,6 +544,20 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/ri %changelog +* Thu Dec 29 2011 Mamoru Tasaka - 1.8.7.357-1 +- Update to 1.8.7p352 +- Randomize hash on process startup (CVE-2011-4815, bug 750564) + +* Fri Dec 23 2011 Dennis Gilmore - 1.8.7.352-2 +- dont normalise arm cpus to arm +- there is something weird about how ruby choses where to put bits + +* Thu Nov 16 2011 Mamoru Tasaka - 1.8.7.352-3 +- F-17: kill gdbm support for now due to licensing compatibility issue + +* Sat Oct 1 2011 Mamoru Tasaka - 1.8.7.352-2 +- F-17: rebuild against new gdbm + * Sat Jul 16 2011 Mamoru Tasaka - 1.8.7.352-1 - Update to 1.8.7 p352 - CVE-2011-2686 is fixed in this version (bug 722415) diff --git a/sources b/sources index e7e916e..1d94212 100644 --- a/sources +++ b/sources @@ -1,4 +1,2 @@ -fcc35655da3047f64650a526c179ade8 ruby-revf30eca26639ce538339bc488c7ed1fd397b0c13f-ext_tk.tar.gz -2f14f604bf981bb938ab5fc8b09eb1a6 ruby-1.8.7-p334.tar.bz2 -0c61ea41d1b1183b219b9afe97f18f52 ruby-1.8.7-p352.tar.bz2 +3abd9e2a29f756a0d30c7bfca578cdeb ruby-1.8.7-p357.tar.bz2 01b1053cf357459349bf74363756ad41 ruby-revc2dfaa7d40531aef3706bcc16f38178b0c6633ee-ext_tk.tar.gz From cde63783a87c40a3ba16048e2226d146b8a98af0 Mon Sep 17 00:00:00 2001 From: Mamoru Tasaka Date: Fri, 30 Dec 2011 00:39:00 +0900 Subject: [PATCH 2/7] Fix changelog --- ruby.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ruby.spec b/ruby.spec index 9c74507..78519d7 100644 --- a/ruby.spec +++ b/ruby.spec @@ -545,7 +545,7 @@ rm -rf $RPM_BUILD_ROOT %changelog * Thu Dec 29 2011 Mamoru Tasaka - 1.8.7.357-1 -- Update to 1.8.7p352 +- Update to 1.8.7p357 - Randomize hash on process startup (CVE-2011-4815, bug 750564) * Fri Dec 23 2011 Dennis Gilmore - 1.8.7.352-2 From ab59b463603b3fc9267e87b574f37c115f98fbfd Mon Sep 17 00:00:00 2001 From: TASAKA Mamoru Date: Fri, 13 Apr 2012 16:00:53 +0900 Subject: [PATCH 3/7] Update to 1.8.7p358 --- .gitignore | 1 + ruby.spec | 5 ++++- sources | 1 + 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index c1f83dd..50fe66a 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,4 @@ ruby-rev415a3ef9ab82c65a7abc-ext_tk.tar.gz /ruby-1.8.7-p352.tar.bz2 /ruby-revc2dfaa7d40531aef3706bcc16f38178b0c6633ee-ext_tk.tar.gz /ruby-1.8.7-p357.tar.bz2 +/ruby-1.8.7-p358.tar.bz2 diff --git a/ruby.spec b/ruby.spec index 78519d7..3d7eb64 100644 --- a/ruby.spec +++ b/ruby.spec @@ -1,6 +1,6 @@ %global rubyxver 1.8 %global rubyver 1.8.7 -%global _patchlevel 357 +%global _patchlevel 358 %global dotpatchlevel %{?_patchlevel:.%{_patchlevel}} %global patchlevel %{?_patchlevel:-p%{_patchlevel}} @@ -544,6 +544,9 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/ri %changelog +* Fri Apr 13 2012 Mamoru Tasaka - 1.8.7.358-1 +- Update to 1.8.7p358 + * Thu Dec 29 2011 Mamoru Tasaka - 1.8.7.357-1 - Update to 1.8.7p357 - Randomize hash on process startup (CVE-2011-4815, bug 750564) diff --git a/sources b/sources index 1d94212..91e1a36 100644 --- a/sources +++ b/sources @@ -1,2 +1,3 @@ 3abd9e2a29f756a0d30c7bfca578cdeb ruby-1.8.7-p357.tar.bz2 01b1053cf357459349bf74363756ad41 ruby-revc2dfaa7d40531aef3706bcc16f38178b0c6633ee-ext_tk.tar.gz +de35f00997f4ccee3e22dff0f2d01b8a ruby-1.8.7-p358.tar.bz2 From 713605f70035809932267023efb5cbf88c779e2b Mon Sep 17 00:00:00 2001 From: Mamoru Tasaka Date: Sun, 17 Jun 2012 22:47:07 +0900 Subject: [PATCH 4/7] Fix sed usage wrt shebang modification (Christian Iseli ) --- ruby.spec | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/ruby.spec b/ruby.spec index 3d7eb64..8e1128b 100644 --- a/ruby.spec +++ b/ruby.spec @@ -17,7 +17,7 @@ Name: ruby Version: %{rubyver}%{?dotpatchlevel} -Release: 1%{?dist} +Release: 2%{?dist} # Please check if ruby upstream changes this to "Ruby or GPLv2+" License: Ruby or GPLv2 URL: http://www.ruby-lang.org/ @@ -321,7 +321,7 @@ find -type f | xargs chmod 0644 grep -rl '#![ \t]*%{_prefix}/local/bin' . | \ xargs sed -i -e '1s|\(#![ \t]*\)%{_prefix}/local/bin|\1%{_bindir}|' grep -rl '#![ \t]*\./ruby' . | \ - xargs sed -i -e '1s|\(#![ \t]*\)\./ruby|%{_bindir}/ruby|' + xargs sed -i -e '1s|\(#![ \t]*\)\./ruby|\1%{_bindir}/ruby|' # Fix encoding # Suppress message @@ -544,6 +544,10 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/ri %changelog +* Sun Jun 16 2012 Mamoru Tasaka - 1.8.7.358-2 +- Fix sed usage wrt shebang modification + (Christian Iseli ) + * Fri Apr 13 2012 Mamoru Tasaka - 1.8.7.358-1 - Update to 1.8.7p358 From 4adf276cbf1be9dfee226a8ed8f4db344801247e Mon Sep 17 00:00:00 2001 From: Mamoru Tasaka Date: Thu, 4 Oct 2012 22:38:33 +0900 Subject: [PATCH 5/7] Backport fix for CVE-2012-4466 on trunk:rev37068 to 1.8.7 branch --- ruby-1.8.7-p358-CVE-2012-4466.patch | 13 +++++++++++++ ruby.spec | 8 +++++++- 2 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 ruby-1.8.7-p358-CVE-2012-4466.patch diff --git a/ruby-1.8.7-p358-CVE-2012-4466.patch b/ruby-1.8.7-p358-CVE-2012-4466.patch new file mode 100644 index 0000000..3bcafa2 --- /dev/null +++ b/ruby-1.8.7-p358-CVE-2012-4466.patch @@ -0,0 +1,13 @@ +Backported fix for CVE-2012-4466 on trunk:rev37068 to 1.8.7 branch +Mamoru Tasaka + +--- ruby-1.8.7-p358/error.c.sec 2011-02-18 21:32:35.000000000 +0900 ++++ ruby-1.8.7-p358/error.c 2012-10-04 22:32:06.000000000 +0900 +@@ -757,7 +757,6 @@ name_err_mesg_to_str(obj) + args[2] = d; + mesg = rb_f_sprintf(3, args); + } +- if (OBJ_TAINTED(obj)) OBJ_TAINT(mesg); + return mesg; + } + diff --git a/ruby.spec b/ruby.spec index 8e1128b..e1c2cdd 100644 --- a/ruby.spec +++ b/ruby.spec @@ -17,7 +17,7 @@ Name: ruby Version: %{rubyver}%{?dotpatchlevel} -Release: 2%{?dist} +Release: 3%{?dist} # Please check if ruby upstream changes this to "Ruby or GPLv2+" License: Ruby or GPLv2 URL: http://www.ruby-lang.org/ @@ -63,6 +63,8 @@ Patch33: ruby-1.8.7-p249-mkmf-use-shared.patch # Remove duplicate path entry # bug 718695 Patch34: ruby-1.8.7-p352-path-uniq.patch +# Backported fix for CVE-2012-4466 on trunk:rev37068 to 1.8.7 branch +Patch35: ruby-1.8.7-p358-CVE-2012-4466.patch # Change ruby load path to conform to Fedora/ruby # library placement (various 1.8.6 patches consolidated into this) Patch100: ruby-1.8.7-lib-paths.patch @@ -184,6 +186,7 @@ pushd %{name}-%{arcver} %patch29 -p1 %patch33 -p1 %patch34 -p1 +%patch35 -p1 %patch100 -p1 ( @@ -544,6 +547,9 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/ri %changelog +* Thu Oct 04 2012 Mamoru Tasaka - 1.8.7.358-3 +- Backport fix for CVE-2012-4466 on trunk:rev37068 to 1.8.7 branch + * Sun Jun 16 2012 Mamoru Tasaka - 1.8.7.358-2 - Fix sed usage wrt shebang modification (Christian Iseli ) From f95865cef3d0a40481629ea3233aba84b3eac0ca Mon Sep 17 00:00:00 2001 From: TASAKA Mamoru Date: Fri, 5 Oct 2012 18:26:21 +0900 Subject: [PATCH 6/7] Also backport fix for the left part of CVE-2011-1005 (causing the MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit same issue as CVE-2012-4464) (Vít Ondruch ) --- ruby-1.8.7-p358-CVE-2012-4464-4466.patch | 29 ++++++++++++++++++++++++ ruby-1.8.7-p358-CVE-2012-4466.patch | 13 ----------- ruby.spec | 9 ++++++-- 3 files changed, 36 insertions(+), 15 deletions(-) create mode 100644 ruby-1.8.7-p358-CVE-2012-4464-4466.patch delete mode 100644 ruby-1.8.7-p358-CVE-2012-4466.patch diff --git a/ruby-1.8.7-p358-CVE-2012-4464-4466.patch b/ruby-1.8.7-p358-CVE-2012-4464-4466.patch new file mode 100644 index 0000000..6787d6f --- /dev/null +++ b/ruby-1.8.7-p358-CVE-2012-4464-4466.patch @@ -0,0 +1,29 @@ +Backported fix for CVE-2012-4464,4466 on trunk:rev37068 to 1.8.7 branch. +Note that for ruby-1.8 branch, there was a fix for CVE-2011-1005 on rev 30903, +however the fix proved to be incomplete. + +Mamoru Tasaka + + +--- ruby-1.8.7-p358/error.c.sec 2011-02-18 21:32:35.000000000 +0900 ++++ ruby-1.8.7-p358/error.c 2012-10-04 23:58:12.000000000 +0900 +@@ -665,9 +665,11 @@ + + if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc)); + StringValue(str); ++#if 0 + if (str != mesg) { + OBJ_INFECT(str, mesg); + } ++#endif + return str; + } + +@@ -757,7 +759,6 @@ + args[2] = d; + mesg = rb_f_sprintf(3, args); + } +- if (OBJ_TAINTED(obj)) OBJ_TAINT(mesg); + return mesg; + } + diff --git a/ruby-1.8.7-p358-CVE-2012-4466.patch b/ruby-1.8.7-p358-CVE-2012-4466.patch deleted file mode 100644 index 3bcafa2..0000000 --- a/ruby-1.8.7-p358-CVE-2012-4466.patch +++ /dev/null @@ -1,13 +0,0 @@ -Backported fix for CVE-2012-4466 on trunk:rev37068 to 1.8.7 branch -Mamoru Tasaka - ---- ruby-1.8.7-p358/error.c.sec 2011-02-18 21:32:35.000000000 +0900 -+++ ruby-1.8.7-p358/error.c 2012-10-04 22:32:06.000000000 +0900 -@@ -757,7 +757,6 @@ name_err_mesg_to_str(obj) - args[2] = d; - mesg = rb_f_sprintf(3, args); - } -- if (OBJ_TAINTED(obj)) OBJ_TAINT(mesg); - return mesg; - } - diff --git a/ruby.spec b/ruby.spec index e1c2cdd..b021b11 100644 --- a/ruby.spec +++ b/ruby.spec @@ -17,7 +17,7 @@ Name: ruby Version: %{rubyver}%{?dotpatchlevel} -Release: 3%{?dist} +Release: 4%{?dist} # Please check if ruby upstream changes this to "Ruby or GPLv2+" License: Ruby or GPLv2 URL: http://www.ruby-lang.org/ @@ -64,7 +64,7 @@ Patch33: ruby-1.8.7-p249-mkmf-use-shared.patch # bug 718695 Patch34: ruby-1.8.7-p352-path-uniq.patch # Backported fix for CVE-2012-4466 on trunk:rev37068 to 1.8.7 branch -Patch35: ruby-1.8.7-p358-CVE-2012-4466.patch +Patch35: ruby-1.8.7-p358-CVE-2012-4464-4466.patch # Change ruby load path to conform to Fedora/ruby # library placement (various 1.8.6 patches consolidated into this) Patch100: ruby-1.8.7-lib-paths.patch @@ -547,6 +547,11 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/ri %changelog +* Fri Oct 04 2012 Mamoru Tasaka - 1.8.7.358-4 +- Also backport fix for the left part of CVE-2011-1005 (causing the + same issue as CVE-2012-4464) + (Vít Ondruch ) + * Thu Oct 04 2012 Mamoru Tasaka - 1.8.7.358-3 - Backport fix for CVE-2012-4466 on trunk:rev37068 to 1.8.7 branch From 3f2726e74225b9d2d15fb5e07a8391befec28283 Mon Sep 17 00:00:00 2001 From: Mamoru Tasaka Date: Sat, 13 Oct 2012 14:33:32 +0900 Subject: [PATCH 7/7] Update to 1.8.7 p371 --- .gitignore | 1 + ruby.spec | 11 +++++++---- sources | 3 +-- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index 50fe66a..fc9c886 100644 --- a/.gitignore +++ b/.gitignore @@ -9,3 +9,4 @@ ruby-rev415a3ef9ab82c65a7abc-ext_tk.tar.gz /ruby-revc2dfaa7d40531aef3706bcc16f38178b0c6633ee-ext_tk.tar.gz /ruby-1.8.7-p357.tar.bz2 /ruby-1.8.7-p358.tar.bz2 +/ruby-1.8.7-p371.tar.bz2 diff --git a/ruby.spec b/ruby.spec index b021b11..65daf90 100644 --- a/ruby.spec +++ b/ruby.spec @@ -1,6 +1,6 @@ %global rubyxver 1.8 %global rubyver 1.8.7 -%global _patchlevel 358 +%global _patchlevel 371 %global dotpatchlevel %{?_patchlevel:.%{_patchlevel}} %global patchlevel %{?_patchlevel:-p%{_patchlevel}} @@ -17,7 +17,7 @@ Name: ruby Version: %{rubyver}%{?dotpatchlevel} -Release: 4%{?dist} +Release: 1%{?dist} # Please check if ruby upstream changes this to "Ruby or GPLv2+" License: Ruby or GPLv2 URL: http://www.ruby-lang.org/ @@ -64,7 +64,7 @@ Patch33: ruby-1.8.7-p249-mkmf-use-shared.patch # bug 718695 Patch34: ruby-1.8.7-p352-path-uniq.patch # Backported fix for CVE-2012-4466 on trunk:rev37068 to 1.8.7 branch -Patch35: ruby-1.8.7-p358-CVE-2012-4464-4466.patch +#Patch35: ruby-1.8.7-p358-CVE-2012-4464-4466.patch # Change ruby load path to conform to Fedora/ruby # library placement (various 1.8.6 patches consolidated into this) Patch100: ruby-1.8.7-lib-paths.patch @@ -186,7 +186,7 @@ pushd %{name}-%{arcver} %patch29 -p1 %patch33 -p1 %patch34 -p1 -%patch35 -p1 +#%%patch35 -p1 %patch100 -p1 ( @@ -547,6 +547,9 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/ri %changelog +* Sat Oct 13 2012 Mamoru TASAKA - 1.8.7.371-1 +- Update to 1.8.7 p371 + * Fri Oct 04 2012 Mamoru Tasaka - 1.8.7.358-4 - Also backport fix for the left part of CVE-2011-1005 (causing the same issue as CVE-2012-4464) diff --git a/sources b/sources index 91e1a36..a05b866 100644 --- a/sources +++ b/sources @@ -1,3 +1,2 @@ -3abd9e2a29f756a0d30c7bfca578cdeb ruby-1.8.7-p357.tar.bz2 01b1053cf357459349bf74363756ad41 ruby-revc2dfaa7d40531aef3706bcc16f38178b0c6633ee-ext_tk.tar.gz -de35f00997f4ccee3e22dff0f2d01b8a ruby-1.8.7-p358.tar.bz2 +c27526b298659a186bdb5107fcec2341 ruby-1.8.7-p371.tar.bz2