CVS commit: pkgsrc/lang
Module Name: pkgsrc
Committed By: taca
Date: Sat Mar 23 14:28:48 UTC 2024
Modified Files:
pkgsrc/lang/ruby: rubyversion.mk
pkgsrc/lang/ruby31-base: Makefile distinfo
Added Files:
pkgsrc/lang/ruby31-base/patches: patch-ext_stringio_stringio.c
patch-lib_rdoc_store.rb patch-lib_rdoc_version.rb
patch-test_stringio_test__stringio.rb
Log Message:
lang/ruby31-base: fix CVE-2024-27280 and CVE-2024-27281
Update rdoc to 6.4.1.1 to fix CVE-2024-27281.
Update stringio to 3.0.1.2 to fix CVE-2024-27280.
Bump PKGREVISION.
To generate a diff of this commit:
cvs rdiff -u -r1.272 -r1.273 pkgsrc/lang/ruby/rubyversion.mk
cvs rdiff -u -r1.12 -r1.13 pkgsrc/lang/ruby31-base/Makefile
cvs rdiff -u -r1.11 -r1.12 pkgsrc/lang/ruby31-base/distinfo
cvs rdiff -u -r0 -r1.1 \
pkgsrc/lang/ruby31-base/patches/patch-ext_stringio_stringio.c \
pkgsrc/lang/ruby31-base/patches/patch-lib_rdoc_store.rb \
pkgsrc/lang/ruby31-base/patches/patch-lib_rdoc_version.rb \
pkgsrc/lang/ruby31-base/patches/patch-test_stringio_test__stringio.rb
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/lang/ruby/rubyversion.mk
diff -u pkgsrc/lang/ruby/rubyversion.mk:1.272 pkgsrc/lang/ruby/rubyversion.mk:1.273
--- pkgsrc/lang/ruby/rubyversion.mk:1.272 Sat Feb 10 14:41:47 2024
+++ pkgsrc/lang/ruby/rubyversion.mk Sat Mar 23 14:28:48 2024
@@ -1,4 +1,4 @@
-# $NetBSD: rubyversion.mk,v 1.272 2024/02/10 14:41:47 taca Exp $
+# $NetBSD: rubyversion.mk,v 1.273 2024/03/23 14:28:48 taca Exp $
#
# This file determines which Ruby version is used as a dependency for
@@ -318,7 +318,7 @@ RUBY_PRETTYPRINT_VER= 0.1.1
RUBY_PSTORE_VER= 0.1.1
RUBY_PSYCH_VER= 4.0.4
RUBY_RACC_VER= 1.6.0
-RUBY_RDOC_VER= 6.4.0
+RUBY_RDOC_VER= 6.4.1.1
RUBY_READLINE_VER= 0.0.3
RUBY_READLINE_EXT_VER= 0.1.4
RUBY_RELINE_VER= 0.3.1
@@ -331,7 +331,7 @@ RUBY_SECURERANDOM_VER= 0.2.0
RUBY_SET_VER= 1.0.2
RUBY_SHELLWORDS_VER= 0.1.0
RUBY_SINGLETON_VER= 0.1.1
-RUBY_STRINGIO_VER= 3.0.1
+RUBY_STRINGIO_VER= 3.0.1.2
RUBY_STRSCAN_VER= 3.0.1
RUBY_SYSLOG_VER= 0.1.0
RUBY_TEMPFILE_VER= 0.1.2
Index: pkgsrc/lang/ruby31-base/Makefile
diff -u pkgsrc/lang/ruby31-base/Makefile:1.12 pkgsrc/lang/ruby31-base/Makefile:1.13
--- pkgsrc/lang/ruby31-base/Makefile:1.12 Tue Jan 16 15:14:53 2024
+++ pkgsrc/lang/ruby31-base/Makefile Sat Mar 23 14:28:48 2024
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.12 2024/01/16 15:14:53 taca Exp $
+# $NetBSD: Makefile,v 1.13 2024/03/23 14:28:48 taca Exp $
DISTNAME= ${RUBY_DISTNAME}
PKGNAME= ${RUBY_PKGPREFIX}-base-${RUBY_VERSION}
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= lang ruby
MASTER_SITES= ${MASTER_SITE_RUBY}
Index: pkgsrc/lang/ruby31-base/distinfo
diff -u pkgsrc/lang/ruby31-base/distinfo:1.11 pkgsrc/lang/ruby31-base/distinfo:1.12
--- pkgsrc/lang/ruby31-base/distinfo:1.11 Thu Jun 29 15:39:12 2023
+++ pkgsrc/lang/ruby31-base/distinfo Sat Mar 23 14:28:48 2024
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.11 2023/06/29 15:39:12 taca Exp $
+$NetBSD: distinfo,v 1.12 2024/03/23 14:28:48 taca Exp $
BLAKE2s (ruby-3.1.4.tar.xz) = cefa8daefd26c8da56db3e114f27cb1b0af8c427d4ba9b650ef60034cb7b413c
SHA512 (ruby-3.1.4.tar.xz) = a627bb629a10750b8b2081ad451a41faea0fc85d95aa1e267e3d2a0f56a35bb58195d4a8d13bbdbd82f4197a96dae22b1cee1dfc83861ec33a67ece07aef5633
@@ -6,10 +6,13 @@ Size (ruby-3.1.4.tar.xz) = 15316604 byte
SHA1 (patch-common.mk) = c23eed58427b2fd4ba8fdb3692f609701a666c6d
SHA1 (patch-configure) = 7bce8e1de07e3ff81cc984faef9ba12518557b7a
SHA1 (patch-ext_openssl_openssl__missing.h) = 3f8d79736fd14806dfaf76e333eec63ff3ff5890
+SHA1 (patch-ext_stringio_stringio.c) = b771382484fdfc1b40b13b8dcb1a94e3f32a546e
SHA1 (patch-include_ruby_internal_static__assert.h) = 7d5c3ae7ff674b9b34639924fcf08237164de9f8
SHA1 (patch-lib_mkmf.rb) = 4a3cd18548dbdf43a13695d4e76f817c0347e335
SHA1 (patch-lib_rdoc_encoding.rb) = 0e82d2942d9bfcb67dc7c994889d7bc5ec2ae85a
SHA1 (patch-lib_rdoc_ri_driver.rb) = f4d3e59e35b608acd4edc17916142c7f033e6198
+SHA1 (patch-lib_rdoc_store.rb) = 890352671278d21c0040f1b3bac34a8ac76ee0dc
+SHA1 (patch-lib_rdoc_version.rb) = fd715eb2cf9d9bbeaaca4ed407c497040394eacd
SHA1 (patch-lib_rubygems.rb) = 060549c43b84f73c77432a72cdcf22941be4eb17
SHA1 (patch-lib_rubygems_commands_setup__command.rb) = 66c475a5308deb2ed5096b88cf65549732f87421
SHA1 (patch-lib_rubygems_dependency__installer.rb) = 1776508907f17547ffe93f637d6f18d335061d76
@@ -21,6 +24,7 @@ SHA1 (patch-lib_uri_rfc3986__parser.rb)
SHA1 (patch-lib_uri_version.rb) = 16ef6469b63b74032a91358cdc7fd70fb5bce87a
SHA1 (patch-template_Makefile.in) = a4b94293de165e87021b79a0a7f683ba76e168d9
SHA1 (patch-test_rubygems_test__gem.rb) = 32f7c7d7f8a024c045d78c2bce93944fc3113d04
+SHA1 (patch-test_stringio_test__stringio.rb) = 20ca6e512a99e176547d6599ac7dfc7b9db42c36
SHA1 (patch-thread__pthread.c) = 7c1231933a2d6ce9d56891ab512371841697fbca
SHA1 (patch-tool_ifchange) = 1814cd41f0b0a93b181799cb117bd1f57068cf33
SHA1 (patch-tool_runruby.rb) = 5dd8a3bea5e9776f7521f85955dddd2127e4c4d0
Added files:
Index: pkgsrc/lang/ruby31-base/patches/patch-ext_stringio_stringio.c
diff -u /dev/null pkgsrc/lang/ruby31-base/patches/patch-ext_stringio_stringio.c:1.1
--- /dev/null Sat Mar 23 14:28:48 2024
+++ pkgsrc/lang/ruby31-base/patches/patch-ext_stringio_stringio.c Sat Mar 23 14:28:48 2024
@@ -0,0 +1,24 @@
+$NetBSD: patch-ext_stringio_stringio.c,v 1.1 2024/03/23 14:28:48 taca Exp $
+
+Update stringio to 3.0.1.2 to fix for CVE-2024-27280.
+
+--- ext/stringio/stringio.c.orig 2023-03-30 10:53:51.000000000 +0000
++++ ext/stringio/stringio.c
+@@ -12,7 +12,7 @@
+
+ **********************************************************************/
+
+-#define STRINGIO_VERSION "3.0.1"
++#define STRINGIO_VERSION "3.0.1.2"
+
+ #include "ruby.h"
+ #include "ruby/io.h"
+@@ -984,7 +984,7 @@ strio_unget_bytes(struct StringIO *ptr,
+ len = RSTRING_LEN(str);
+ rest = pos - len;
+ if (cl > pos) {
+- long ex = (rest < 0 ? cl-pos : cl+rest);
++ long ex = cl - (rest < 0 ? pos : len);
+ rb_str_modify_expand(str, ex);
+ rb_str_set_len(str, len + ex);
+ s = RSTRING_PTR(str);
Index: pkgsrc/lang/ruby31-base/patches/patch-lib_rdoc_store.rb
diff -u /dev/null pkgsrc/lang/ruby31-base/patches/patch-lib_rdoc_store.rb:1.1
--- /dev/null Sat Mar 23 14:28:48 2024
+++ pkgsrc/lang/ruby31-base/patches/patch-lib_rdoc_store.rb Sat Mar 23 14:28:48 2024
@@ -0,0 +1,84 @@
+$NetBSD: patch-lib_rdoc_store.rb,v 1.1 2024/03/23 14:28:48 taca Exp $
+
+Update rdoc to 6.4.1.1 to fix for CVE-2024-27281.
+
+--- lib/rdoc/store.rb.orig 2023-03-30 10:53:51.000000000 +0000
++++ lib/rdoc/store.rb
+@@ -556,9 +556,7 @@ class RDoc::Store
+ def load_cache
+ #orig_enc = @encoding
+
+- File.open cache_path, 'rb' do |io|
+- @cache = Marshal.load io.read
+- end
++ @cache = marshal_load(cache_path)
+
+ load_enc = @cache[:encoding]
+
+@@ -615,9 +613,7 @@ class RDoc::Store
+ def load_class_data klass_name
+ file = class_file klass_name
+
+- File.open file, 'rb' do |io|
+- Marshal.load io.read
+- end
++ marshal_load(file)
+ rescue Errno::ENOENT => e
+ error = MissingFileError.new(self, file, klass_name)
+ error.set_backtrace e.backtrace
+@@ -630,14 +626,10 @@ class RDoc::Store
+ def load_method klass_name, method_name
+ file = method_file klass_name, method_name
+
+- File.open file, 'rb' do |io|
+- obj = Marshal.load io.read
+- obj.store = self
+- obj.parent =
+- find_class_or_module(klass_name) || load_class(klass_name) unless
+- obj.parent
+- obj
+- end
++ obj = marshal_load(file)
++ obj.store = self
++ obj.parent ||= find_class_or_module(klass_name) || load_class(klass_name)
++ obj
+ rescue Errno::ENOENT => e
+ error = MissingFileError.new(self, file, klass_name + method_name)
+ error.set_backtrace e.backtrace
+@@ -650,11 +642,9 @@ class RDoc::Store
+ def load_page page_name
+ file = page_file page_name
+
+- File.open file, 'rb' do |io|
+- obj = Marshal.load io.read
+- obj.store = self
+- obj
+- end
++ obj = marshal.load(file)
++ obj.store = self
++ obj
+ rescue Errno::ENOENT => e
+ error = MissingFileError.new(self, file, page_name)
+ error.set_backtrace e.backtrace
+@@ -976,4 +966,21 @@ class RDoc::Store
+ @unique_modules
+ end
+
++ private
++ def marshal_load(file)
++ File.open(file, 'rb') {|io| Marshal.load(io, MarshalFilter)}
++ end
++
++ MarshalFilter = proc do |obj|
++ case obj
++ when true, false, nil, Array, Class, Encoding, Hash, Integer, String, Symbol, RDoc::Text
++ else
++ unless obj.class.name.start_with?("RDoc::")
++ raise TypeError, "not permitted class: #{obj.class.name}"
++ end
++ end
++ obj
++ end
++ private_constant :MarshalFilter
++
+ end
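Review bot: `load_page` now reads `obj = marshal.load(file)`, but the helper introduced at the bottom of this patch is named `marshal_load` and nothing in the hunk defines a `marshal` method or local, so every call to `load_page` would raise NameError instead of loading the page. It should be `obj = marshal_load(file)`, matching the three other call sites rewritten in the same patch (`load_cache`, `load_class_data`, `load_method`). Because this is a vendored backport, the correction belongs in the pkgsrc patch file itself, with the corresponding `SHA1 (patch-lib_rdoc_store.rb)` line in distinfo regenerated.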
Index: pkgsrc/lang/ruby31-base/patches/patch-lib_rdoc_version.rb
diff -u /dev/null pkgsrc/lang/ruby31-base/patches/patch-lib_rdoc_version.rb:1.1
--- /dev/null Sat Mar 23 14:28:48 2024
+++ pkgsrc/lang/ruby31-base/patches/patch-lib_rdoc_version.rb Sat Mar 23 14:28:48 2024
@@ -0,0 +1,14 @@
+$NetBSD: patch-lib_rdoc_version.rb,v 1.1 2024/03/23 14:28:48 taca Exp $
+
+Update rdoc to 6.4.1.1 to fix for CVE-2024-27281.
+
+--- lib/rdoc/version.rb.orig 2023-03-30 10:53:51.000000000 +0000
++++ lib/rdoc/version.rb
+@@ -3,6 +3,6 @@ module RDoc
+ ##
+ # RDoc version you are using
+
+- VERSION = '6.4.0'
++ VERSION = '6.4.1.1'
+
+ end
Index: pkgsrc/lang/ruby31-base/patches/patch-test_stringio_test__stringio.rb
diff -u /dev/null pkgsrc/lang/ruby31-base/patches/patch-test_stringio_test__stringio.rb:1.1
--- /dev/null Sat Mar 23 14:28:48 2024
+++ pkgsrc/lang/ruby31-base/patches/patch-test_stringio_test__stringio.rb Sat Mar 23 14:28:48 2024
@@ -0,0 +1,60 @@
+$NetBSD: patch-test_stringio_test__stringio.rb,v 1.1 2024/03/23 14:28:48 taca Exp $
+
+Update stringio to 3.0.1.2 to fix for CVE-2024-27280.
+
+--- test/stringio/test_stringio.rb.orig 2023-03-30 10:53:51.000000000 +0000
++++ test/stringio/test_stringio.rb
+@@ -759,6 +759,15 @@ class TestStringIO < Test::Unit::TestCas
+ assert_equal("b""\0""a", s.string)
+ end
+
++ def test_ungetc_fill
++ count = 100
++ s = StringIO.new
++ s.print 'a' * count
++ s.ungetc('b' * (count * 5))
++ assert_equal((count * 5), s.string.size)
++ assert_match(/\Ab+\z/, s.string)
++ end
++
+ def test_ungetbyte_pos
+ b = '\\b00010001 \\B00010001 \\b1 \\B1 \\b000100011'
+ s = StringIO.new( b )
+@@ -784,6 +793,15 @@ class TestStringIO < Test::Unit::TestCas
+ assert_equal("b""\0""a", s.string)
+ end
+
++ def test_ungetbyte_fill
++ count = 100
++ s = StringIO.new
++ s.print 'a' * count
++ s.ungetbyte('b' * (count * 5))
++ assert_equal((count * 5), s.string.size)
++ assert_match(/\Ab+\z/, s.string)
++ end
++
+ def test_frozen
+ s = StringIO.new
+ s.freeze
+@@ -827,18 +845,17 @@ class TestStringIO < Test::Unit::TestCas
+ end
+
+ def test_overflow
+- omit if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"]
++ return if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"]
+ limit = RbConfig::LIMITS["INTPTR_MAX"] - 0x10
+ assert_separately(%w[-rstringio], "#{<<-"begin;"}\n#{<<-"end;"}")
+ begin;
+ limit = #{limit}
+ ary = []
+- while true
++ begin
+ x = "a"*0x100000
+ break if [x].pack("p").unpack("i!")[0] < 0
+ ary << x
+- omit if ary.size > 100
+- end
++ end while ary.size <= 100
+ s = StringIO.new(x)
+ s.gets("xxx", limit)
+ assert_equal(0x100000, s.pos)
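Review bot: The two added tests, `test_ungetc_fill` and `test_ungetbyte_fill`, only exercise the case where the position equals the buffer length (the `print` leaves `pos` at the end of the 100-byte string, i.e. `rest == 0` in `strio_unget_bytes`), yet the replaced expression in patch-ext_stringio_stringio.c also changes how much the buffer is expanded when the position is past the end (`rest > 0`, reachable by seeking beyond the string before ungetting). A variant that sets `s.pos` past the end before calling `ungetbyte`/`ungetc` and asserts the resulting `string.size` and contents would pin that branch as well. Separately, in `test_overflow` the `omit if ...` became `return if ...` and the `omit` inside the child loop became the loop's `end while ary.size <= 100` condition, so a platform that never yields a negative pointer now falls through to the assertions (a pass or failure) rather than reporting a skip; if this tree's test library provides `skip`, it would preserve the original intent.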