dist-git conversion

#2781)

.gitignore

@@ -21,3 +21,5 @@ ruby-1.8.6-p111.tar.bz2
 rubyfaq-990927.tar.gz
 rubyfaq-jp-990927.tar.gz
 ruby-1.8.6-p114.tar.bz2
+ruby-1.8.6-p230.tar.bz2
+ruby-1.8.6-p287.tar.bz2

Makefile

@@ -1,21 +0,0 @@
-# Makefile for source rpm: ruby
-# $Id: Makefile,v 1.1 2004/09/09 11:54:27 cvsdist Exp $
-NAME := ruby
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attempt a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)

ruby-1.8.6-rexml-CVE-2008-3790.patch

@@ -0,0 +1,96 @@
+diff -pruN ruby-1.8.6-p287.orig/lib/rexml/document.rb ruby-1.8.6-p287/lib/rexml/document.rb
+--- ruby-1.8.6-p287.orig/lib/rexml/document.rb	2007-11-04 13:50:15.000000000 +0900
++++ ruby-1.8.6-p287/lib/rexml/document.rb	2008-10-08 22:25:14.000000000 +0900
+@@ -32,6 +32,7 @@ module REXML
+ 	  # @param context if supplied, contains the context of the document;
+ 	  # this should be a Hash.
+ 		def initialize( source = nil, context = {} )
++      @entity_expansion_count = 0
+ 			super()
+ 			@context = context
+ 			return if source.nil?
+@@ -200,6 +201,27 @@ module REXML
+ 			Parsers::StreamParser.new( source, listener ).parse
+ 		end
+ 
++    @@entity_expansion_limit = 10_000
++
++    # Set the entity expansion limit. By defualt the limit is set to 10000.
++    def Document::entity_expansion_limit=( val )
++      @@entity_expansion_limit = val
++    end
++
++    # Get the entity expansion limit. By defualt the limit is set to 10000.
++    def Document::entity_expansion_limit
++      return @@entity_expansion_limit
++    end
++
++    attr_reader :entity_expansion_count
++    
++    def record_entity_expansion
++      @entity_expansion_count += 1
++      if @entity_expansion_count > @@entity_expansion_limit
++        raise "number of entity expansions exceeded, processing aborted."
++      end
++    end
++
+ 		private
+ 		def build( source )
+       Parsers::TreeParser.new( source, self ).parse
+diff -pruN ruby-1.8.6-p287.orig/lib/rexml/entity.rb ruby-1.8.6-p287/lib/rexml/entity.rb
+--- ruby-1.8.6-p287.orig/lib/rexml/entity.rb	2007-07-28 11:46:08.000000000 +0900
++++ ruby-1.8.6-p287/lib/rexml/entity.rb	2008-10-08 22:25:14.000000000 +0900
+@@ -73,6 +73,7 @@ module REXML
+ 		# all entities -- both %ent; and &ent; entities.  This differs from
+ 		# +value()+ in that +value+ only replaces %ent; entities.
+ 		def unnormalized
++      document.record_entity_expansion
+ 			v = value()
+ 			return nil if v.nil?
+ 			@unnormalized = Text::unnormalize(v, parent)
+diff -pruN ruby-1.8.6-p287.orig/test/rexml/test_document.rb ruby-1.8.6-p287/test/rexml/test_document.rb
+--- ruby-1.8.6-p287.orig/test/rexml/test_document.rb	1970-01-01 09:00:00.000000000 +0900
++++ ruby-1.8.6-p287/test/rexml/test_document.rb	2008-10-08 22:25:14.000000000 +0900
+@@ -0,0 +1,42 @@
++require "rexml/document"
++require "test/unit"
++
++class REXML::TestDocument < Test::Unit::TestCase
++  def test_new
++    doc = REXML::Document.new(<<EOF)
++<?xml version="1.0" encoding="UTF-8"?>
++<message>Hello world!</message>
++EOF
++    assert_equal("Hello world!", doc.root.children.first.value)
++  end
++
++  XML_WITH_NESTED_ENTITY = <<EOF
++<?xml version="1.0" encoding="UTF-8"?>
++<!DOCTYPE member [
++  <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
++  <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
++  <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
++  <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
++  <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
++  <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
++  <!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
++]>
++<member>
++&a;
++</member>
++EOF
++
++  def test_entity_expansion_limit
++    doc = REXML::Document.new(XML_WITH_NESTED_ENTITY)
++    assert_raise(RuntimeError) do
++      doc.root.children.first.value
++    end
++    REXML::Document.entity_expansion_limit = 100
++    assert_equal(100, REXML::Document.entity_expansion_limit)
++    doc = REXML::Document.new(XML_WITH_NESTED_ENTITY)
++    assert_raise(RuntimeError) do
++      doc.root.children.first.value
++    end
++    assert_equal(101, doc.entity_expansion_count)
++  end
++end

ruby-1.8.6.111-CVE-2007-5162.patch

@@ -1,97 +0,0 @@
-diff -pruN ruby-1.8.6-p111.orig/ext/openssl/lib/net/ftptls.rb ruby-1.8.6-p111/ext/openssl/lib/net/ftptls.rb
---- ruby-1.8.6-p111.orig/ext/openssl/lib/net/ftptls.rb	2007-02-13 08:01:19.000000000 +0900
-+++ ruby-1.8.6-p111/ext/openssl/lib/net/ftptls.rb	2007-10-29 21:10:24.000000000 +0900
-@@ -29,13 +29,23 @@ require 'net/ftp'
- 
- module Net
-   class FTPTLS < FTP
-+    def connect(host, port=FTP_PORT)
-+       @hostname = host
-+       super
-+    end
-+
-     def login(user = "anonymous", passwd = nil, acct = nil)
-+       store = OpenSSL::X509::Store.new
-+       store.set_default_paths
-        ctx = OpenSSL::SSL::SSLContext.new('SSLv23')
-+       ctx.cert_store = store
-+       ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
-        ctx.key = nil
-        ctx.cert = nil
-        voidcmd("AUTH TLS")
-        @sock = OpenSSL::SSL::SSLSocket.new(@sock, ctx)
-        @sock.connect
-+       @sock.post_connection_check(@hostname)
-        super(user, passwd, acct)
-        voidcmd("PBSZ 0")
-     end
-diff -pruN ruby-1.8.6-p111.orig/ext/openssl/lib/net/telnets.rb ruby-1.8.6-p111/ext/openssl/lib/net/telnets.rb
---- ruby-1.8.6-p111.orig/ext/openssl/lib/net/telnets.rb	2007-02-13 08:01:19.000000000 +0900
-+++ ruby-1.8.6-p111/ext/openssl/lib/net/telnets.rb	2007-10-29 21:13:03.000000000 +0900
-@@ -134,6 +134,9 @@ module Net
-             @sock.verify_callback = @options['VerifyCallback']
-             @sock.verify_depth    = @options['VerifyDepth']
-             @sock.connect
-+            if @options['VerifyMode'] != OpenSSL::SSL::VERIFY_NONE
-+              @sock.post_connection_check(@options['Host'])
-+            end
-             @ssl = true
-           end
-           ''
-diff -pruN ruby-1.8.6-p111.orig/lib/net/http.rb ruby-1.8.6-p111/lib/net/http.rb
---- ruby-1.8.6-p111.orig/lib/net/http.rb	2007-09-24 17:12:24.000000000 +0900
-+++ ruby-1.8.6-p111/lib/net/http.rb	2007-10-29 21:12:12.000000000 +0900
-@@ -470,7 +470,6 @@ module Net   #:nodoc:
-       @debug_output = nil
-       @use_ssl = false
-       @ssl_context = nil
--      @enable_post_connection_check = false
-     end
- 
-     def inspect
-@@ -527,9 +526,6 @@ module Net   #:nodoc:
-       false   # redefined in net/https
-     end
- 
--    # specify enabling SSL server certificate and hostname checking.
--    attr_accessor :enable_post_connection_check
--
-     # Opens TCP connection and HTTP session.
-     # 
-     # When this method is called with block, gives a HTTP object
-@@ -589,12 +585,7 @@ module Net   #:nodoc:
-         end
-         s.connect
-         if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
--          begin
--            s.post_connection_check(@address)
--          rescue OpenSSL::SSL::SSLError => ex
--            raise ex if @enable_post_connection_check
--            warn ex.message
--          end
-+          s.post_connection_check(@address)
-         end
-       end
-       on_connect
-diff -pruN ruby-1.8.6-p111.orig/lib/net/imap.rb ruby-1.8.6-p111/lib/net/imap.rb
---- ruby-1.8.6-p111.orig/lib/net/imap.rb	2007-08-22 08:28:09.000000000 +0900
-+++ ruby-1.8.6-p111/lib/net/imap.rb	2007-10-29 21:14:38.000000000 +0900
-@@ -900,6 +900,7 @@ module Net
-         end
-         @sock = SSLSocket.new(@sock, context)
-         @sock.connect   # start ssl session.
-+        @sock.post_connection_check(@host) if verify
-       else
-         @usessl = false
-       end
-diff -pruN ruby-1.8.6-p111.orig/lib/open-uri.rb ruby-1.8.6-p111/lib/open-uri.rb
---- ruby-1.8.6-p111.orig/lib/open-uri.rb	2007-09-24 17:12:24.000000000 +0900
-+++ ruby-1.8.6-p111/lib/open-uri.rb	2007-10-29 21:16:03.000000000 +0900
-@@ -229,7 +229,6 @@ module OpenURI
-     if target.class == URI::HTTPS
-       require 'net/https'
-       http.use_ssl = true
--      http.enable_post_connection_check = true
-       http.verify_mode = OpenSSL::SSL::VERIFY_PEER
-       store = OpenSSL::X509::Store.new
-       store.set_default_paths

ruby-fix-autoconf-magic-code.patch

@@ -1,11 +0,0 @@
-diff -ruN ruby-1.8.4.orig/mkconfig.rb ruby-1.8.4/mkconfig.rb
---- ruby-1.8.4.orig/mkconfig.rb	2006-07-19 20:39:48.000000000 +0900
-+++ ruby-1.8.4/mkconfig.rb	2006-07-19 20:40:12.000000000 +0900
-@@ -37,6 +37,7 @@
- has_version = false
- File.foreach "config.status" do |line|
-   next if /^#/ =~ line
-+  line.gsub!(/\|#_!!_#\|/, '')
-   if /^s[%,]@program_transform_name@[%,]s,(.*)/ =~ line
-     next if $install_name
-     ptn = $1.sub(/\$\$/, '$').split(/,/)	#'

ruby.spec

@@ -1,6 +1,6 @@
 %define	rubyxver	1.8
 %define	rubyver		1.8.6
-%define _patchlevel	114
+%define _patchlevel	287
 %define dotpatchlevel	%{?_patchlevel:.%{_patchlevel}}
 %define patchlevel	%{?_patchlevel:-p%{_patchlevel}}
 %define	arcver		%{rubyver}%{?patchlevel}
@@ -12,7 +12,7 @@
 
 Name:		ruby
 Version:	%{rubyver}%{?dotpatchlevel}
-Release:	1%{?dist}
+Release:	2%{?dist}
 License:	Ruby or GPLv2
 URL:		http://www.ruby-lang.org/
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -35,8 +35,8 @@ Patch20:	ruby-rubyprefix.patch
 Patch21:	ruby-deprecated-sitelib-search-path.patch
 Patch22:	ruby-deprecated-search-path.patch
 Patch23:	ruby-multilib.patch
-Patch24:	ruby-1.8.6.111-CVE-2007-5162.patch
 Patch25:	ruby-1.8.6.111-gcc43.patch
+Patch26:	ruby-1.8.6-rexml-CVE-2008-3790.patch
 
 Summary:	An interpreter of object-oriented scripting language
 Group:		Development/Languages
@@ -156,8 +156,8 @@ pushd %{name}-%{arcver}
 %patch22 -p1
 %patch23 -p1
 %endif
-%patch24 -p1
 %patch25 -p1
+%patch26 -p1
 popd
 
 %build
@@ -514,6 +514,41 @@ rm -rf tmp-ruby-docs
 %endif
 
 %changelog
+* Wed Oct  8 2008 Akira TAGOH <tagoh@redhat.com> - 1.8.6.287-2
+- CVE-2008-3790: DoS vulnerability in the REXML module.
+
+* Sat Aug 23 2008 Akira TAGOH <tagoh@redhat.com> - 1.8.6.287-1
+- New upstream release.
+- Security fixes.
+  - CVE-2008-3655: Ruby does not properly restrict access to critical
+                   variables and methods at various safe levels.
+  - CVE-2008-3656: DoS vulnerability in WEBrick.
+  - CVE-2008-3657: Lack of taintness check in dl.
+  - CVE-2008-1447: DNS spoofing vulnerability in resolv.rb.
+  - CVE-2008-3443: Memory allocation failure in Ruby regex engine.
+- Remove the unnecessary backported patches.
+
+* Tue Jul  1 2008 Akira TAGOH <tagoh@redhat.com> - 1.8.6.230-4
+- Backported from upstream SVN to fix a segfault issue with Array#fill.
+
+* Mon Jun 30 2008 Akira TAGOH <tagoh@redhat.com> - 1.8.6.230-3
+- Backported from upstream SVN to fix a segfault issue. (#452825)
+- Backported from upstream SVN to fix an integer overflow in rb_ary_fill.
+
+* Wed Jun 25 2008 Akira TAGOH <tagoh@redhat.com> - 1.8.6.230-2
+- Fix a segfault issue. (#452809)
+
+* Tue Jun 24 2008 Akira TAGOH <tagoh@redhat.com> - 1.8.6.230-1
+- New upstream release.
+- Security fixes. (#452294).
+  - CVE-2008-1891: WEBrick CGI source disclosure.
+  - CVE-2008-2662: Integer overflow in rb_str_buf_append().
+  - CVE-2008-2663: Integer overflow in rb_ary_store().
+  - CVE-2008-2664: Unsafe use of alloca in rb_str_format().
+  - CVE-2008-2725: Integer overflow in rb_ary_splice().
+  - CVE-2008-2726: Integer overflow in rb_ary_splice().
+- ruby-1.8.6.111-CVE-2007-5162.patch: removed.
+
 * Tue Mar  4 2008 Akira TAGOH <tagoh@redhat.com> - 1.8.6.114-1
 - Security fix for CVE-2008-1145.
 - Improve a spec file. (#226381)

sources

@@ -3,4 +3,4 @@ d65e3a216d6d345a2a6f1aa8758c2f75  ruby-refm-rdp-1.8.1-ja-html.tar.gz
 e1d38b7d4f1be55726d6927a3395ce3b  ruby-1.8.6-p111.tar.bz2
 634c25b14e19925d10af3720d72e8741  rubyfaq-990927.tar.gz
 4fcec898f51d8371cc42d0a013940469  rubyfaq-jp-990927.tar.gz
-b4d0c74497f684814bcfbb41b7384a71  ruby-1.8.6-p114.tar.bz2
+80b5f3db12531d36e6c81fac6d05dda9  ruby-1.8.6-p287.tar.bz2