pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/lang/ruby25-base lang/ruby25-base: Add security patch ...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/498c8f7c525f
branches:  trunk
changeset: 331051:498c8f7c525f
user:      taca <taca%pkgsrc.org@localhost>
date:      Tue Mar 12 04:22:34 2019 +0000

description:
lang/ruby25-base: Add security patch for rubygems

Add security patch for rubygems, fixing these problems.

* CVE-2019-8320: Delete directory using symlink when decompressing tar
* CVE-2019-8321: Escape sequence injection vulnerability in verbose
* CVE-2019-8322: Escape sequence injection vulnerability in gem owner
* CVE-2019-8323: Escape sequence injection vulnerability in API response handling
* CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
* CVE-2019-8325: Escape sequence injection vulnerability in errors

https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/

Since the original patch included in the official announcement does not cleanly apply to
Ruby 2.5.3, use a local version which drops the patch to a non-existing test.

Bump PKGREVISION.

diffstat:

 lang/ruby25-base/Makefile |  8 ++++++--
 lang/ruby25-base/distinfo |  6 +++++-
 2 files changed, 11 insertions(+), 3 deletions(-)

diffs (35 lines):

diff -r f823a71fac88 -r 498c8f7c525f lang/ruby25-base/Makefile
--- a/lang/ruby25-base/Makefile Tue Mar 12 04:19:40 2019 +0000
+++ b/lang/ruby25-base/Makefile Tue Mar 12 04:22:34 2019 +0000
@@ -1,11 +1,15 @@
-# $NetBSD: Makefile,v 1.7 2019/02/14 06:03:50 taca Exp $
+# $NetBSD: Makefile,v 1.8 2019/03/12 04:22:34 taca Exp $
 
 DISTNAME=      ${RUBY_DISTNAME}
 PKGNAME=       ${RUBY_PKGPREFIX}-base-${RUBY_VERSION}
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    lang ruby
 MASTER_SITES=  ${MASTER_SITE_RUBY}
 
+# announced patch is failed to apply, so use local version.
+PATCHFILES=    ruby-2.5.3-rubygems.patch-20190311
+PATCH_SITES=   ${MASTER_SITE_LOCAL}
+
 MAINTAINER=    taca%NetBSD.org@localhost
 HOMEPAGE=      ${RUBY_HOMEPAGE}
 COMMENT=       Ruby ${RUBY_VERSION} release minimum base package
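Review bot: the comment added above PATCHFILES, "# announced patch is failed to apply, so use local version.", does not record what the local patch fixes or where it was derived from, so a later maintainer cannot tell whether ruby-2.5.3-rubygems.patch-20190311 still matches the upstream fix or can be dropped on the next Ruby update. Suggest extending it with the advisory URL from the commit message and the CVE list, e.g. "# RubyGems fix for CVE-2019-8320..CVE-2019-8325; upstream patch from https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/ does not apply to 2.5.3, local version drops the hunk for a non-existing test." Fetching a security patch from ${MASTER_SITE_LOCAL} is fine as long as distinfo pins it, which this changeset does.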
diff -r f823a71fac88 -r 498c8f7c525f lang/ruby25-base/distinfo
--- a/lang/ruby25-base/distinfo Tue Mar 12 04:19:40 2019 +0000
+++ b/lang/ruby25-base/distinfo Tue Mar 12 04:22:34 2019 +0000
@@ -1,5 +1,9 @@
-$NetBSD: distinfo,v 1.8 2019/01/03 05:19:03 taca Exp $
+$NetBSD: distinfo,v 1.9 2019/03/12 04:22:34 taca Exp $
 
+SHA1 (ruby-2.5.3-rubygems.patch-20190311) = 73db190d5ff6922084fbbf33efac1a25090d22dc
+RMD160 (ruby-2.5.3-rubygems.patch-20190311) = 25a070342fd16a653e2f0f0a7e5b125b508b7ff3
+SHA512 (ruby-2.5.3-rubygems.patch-20190311) = e1ac7fa9c51308d55612bfbb1bb9a01e4ec5602060667f1341654d58f8c40cb8b60332d1466cf9570c2dd59cdf3142ea18c3bcf4c4803cda2ea5326be8a80b98
+Size (ruby-2.5.3-rubygems.patch-20190311) = 12237 bytes
 SHA1 (ruby-2.5.3.tar.xz) = 5acbdea1ced1e36684268e1cb6f8a4e7669bce77
 RMD160 (ruby-2.5.3.tar.xz) = 3a95c15c33ef09c52d6baf427fd8fd82ecf388b5
 SHA512 (ruby-2.5.3.tar.xz) = 6dcae0e8d0bacdb2cbde636e2030596308b5af53f2eb85d3adccb67b02e6f8f9751e8117d12f8484829fdd9d995f6e327f701d9b433bcf94f1f59d13a1fd7518
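Review bot: the four new lines (SHA1, RMD160, SHA512 and Size for ruby-2.5.3-rubygems.patch-20190311) are the only integrity control on a patch that is fetched from ${MASTER_SITE_LOCAL} rather than from the upstream announcement, so they must have been generated from the exact file that was reviewed against the upstream diff; confirm they were produced with the package's distinfo target rather than copied by hand, and keep the Size entry, since it is what makes a truncated download fail early. Placing the patch entries before the ruby-2.5.3.tar.xz entries matches the existing ordering in the file.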


