From 76119c738a16db4b0c4e3642f47f781b5649f0b5 Mon Sep 17 00:00:00 2001 From: Pavel Valena Date: Mon, 2 Oct 2017 13:54:11 +0200 Subject: [PATCH] Update to Ruby 2.3.5. Patch10, Patch11, Patch12 and Patch13 subsumed. --- ...-additional-preludes-by-configuratio.patch | 2 +- ...0-Enable-configuration-of-archlibdir.patch | 2 +- ...ed-paths-when-empty-version-string-i.patch | 2 +- ruby-2.1.0-always-use-i386.patch | 2 +- ruby-2.1.0-custom-rubygems-location.patch | 4 +- ruby-2.3.0-ruby_version.patch | 6 +- ...e-frozen-strings-in-serialized-specs.patch | 8 +- ruby-2.3.4-Fix-RubyGems-CVEs.patch | 355 ------------------ ...exposure-during-a-JSON.generate-call.patch | 93 ----- ...ve-the-encryption-key-initialization.patch | 170 --------- ruby-2.4.0-SMTP-injection-fix.patch | 122 ------ ruby.spec | 35 +- sources | 2 +- 13 files changed, 20 insertions(+), 783 deletions(-) delete mode 100644 ruby-2.3.4-Fix-RubyGems-CVEs.patch delete mode 100644 ruby-2.3.4-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch delete mode 100644 ruby-2.3.4-remove-the-encryption-key-initialization.patch delete mode 100644 ruby-2.4.0-SMTP-injection-fix.patch diff --git a/ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch b/ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch index fcd4767..6dd21d3 100644 --- a/ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch +++ b/ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch @@ -39,7 +39,7 @@ diff --git a/configure.in b/configure.in index 0e371e2..d4f1dcb 100644 --- a/configure.in +++ b/configure.in -@@ -4407,6 +4407,13 @@ AC_SUBST(rubyarchhdrdir)dnl +@@ -4402,6 +4402,13 @@ AC_SUBST(rubyarchhdrdir)dnl AC_SUBST(sitearchhdrdir)dnl AC_SUBST(vendorarchhdrdir)dnl diff --git a/ruby-2.1.0-Enable-configuration-of-archlibdir.patch b/ruby-2.1.0-Enable-configuration-of-archlibdir.patch index e9b6536..3d3b4fc 100644 --- a/ruby-2.1.0-Enable-configuration-of-archlibdir.patch +++ b/ruby-2.1.0-Enable-configuration-of-archlibdir.patch @@ -11,7 +11,7 @@ diff --git a/configure.in b/configure.in index 37d9a62..553d4d0 100644 --- a/configure.in +++ b/configure.in -@@ -3665,6 +3665,11 @@ if test ${multiarch+set}; then +@@ -3666,6 +3666,11 @@ if test ${multiarch+set}; then fi archlibdir='${libdir}/${arch}' diff --git a/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch b/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch index 06370d1..dd588ab 100644 --- a/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch +++ b/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch @@ -14,7 +14,7 @@ diff --git a/configure.in b/configure.in index db37cd6..ce8d149 100644 --- a/configure.in +++ b/configure.in -@@ -4261,7 +4261,8 @@ AS_CASE(["$ruby_version_dir_name"], +@@ -4256,7 +4256,8 @@ AS_CASE(["$ruby_version_dir_name"], ruby_version_dir=/'${ruby_version_dir_name}' if test -z "${ruby_version_dir_name}"; then diff --git a/ruby-2.1.0-always-use-i386.patch b/ruby-2.1.0-always-use-i386.patch index b19da44..58689fd 100644 --- a/ruby-2.1.0-always-use-i386.patch +++ b/ruby-2.1.0-always-use-i386.patch @@ -11,7 +11,7 @@ diff --git a/configure.in b/configure.in index 553d4d0..03a4152 100644 --- a/configure.in +++ b/configure.in -@@ -4325,6 +4325,8 @@ AC_SUBST(vendorarchdir)dnl +@@ -4320,6 +4320,8 @@ AC_SUBST(vendorarchdir)dnl AC_SUBST(CONFIGURE, "`echo $0 | sed 's|.*/||'`")dnl AC_SUBST(configure_args, "`echo "${ac_configure_args}" | sed 's/\\$/$$/g'`")dnl diff --git a/ruby-2.1.0-custom-rubygems-location.patch b/ruby-2.1.0-custom-rubygems-location.patch index 849bc19..5134e3e 100644 --- a/ruby-2.1.0-custom-rubygems-location.patch +++ b/ruby-2.1.0-custom-rubygems-location.patch @@ -15,7 +15,7 @@ diff --git a/configure.in b/configure.in index 03a4152..0e371e2 100644 --- a/configure.in +++ b/configure.in -@@ -4297,6 +4297,10 @@ AC_ARG_WITH(vendorarchdir, +@@ -4292,6 +4292,10 @@ AC_ARG_WITH(vendorarchdir, [vendorarchdir=$withval], [vendorarchdir=${multiarch+'${rubysitearchprefix}/vendor_ruby'${ruby_version_dir}}${multiarch-'${vendorlibdir}/${sitearch}'}]) @@ -26,7 +26,7 @@ index 03a4152..0e371e2 100644 if test "${LOAD_RELATIVE+set}"; then AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE) RUBY_EXEC_PREFIX='' -@@ -4321,6 +4325,7 @@ AC_SUBST(sitearchdir)dnl +@@ -4316,6 +4320,7 @@ AC_SUBST(sitearchdir)dnl AC_SUBST(vendordir)dnl AC_SUBST(vendorlibdir)dnl AC_SUBST(vendorarchdir)dnl diff --git a/ruby-2.3.0-ruby_version.patch b/ruby-2.3.0-ruby_version.patch index 8d79c50..019b542 100644 --- a/ruby-2.3.0-ruby_version.patch +++ b/ruby-2.3.0-ruby_version.patch @@ -20,7 +20,7 @@ diff --git a/configure.in b/configure.in index db37cd6..6e73fae 100644 --- a/configure.in +++ b/configure.in -@@ -4210,9 +4210,6 @@ AS_CASE(["$target_os"], +@@ -4205,9 +4205,6 @@ AS_CASE(["$target_os"], rubyw_install_name='$(RUBYW_INSTALL_NAME)' ]) @@ -30,7 +30,7 @@ index db37cd6..6e73fae 100644 rubyarchprefix=${multiarch+'${archlibdir}/${RUBY_BASE_NAME}'}${multiarch-'${rubylibprefix}/${arch}'} AC_ARG_WITH(rubyarchprefix, AS_HELP_STRING([--with-rubyarchprefix=DIR], -@@ -4235,58 +4232,64 @@ AC_ARG_WITH(ridir, +@@ -4230,58 +4227,64 @@ AC_ARG_WITH(ridir, AC_SUBST(ridir) AC_SUBST(RI_BASE_NAME) @@ -124,7 +124,7 @@ index db37cd6..6e73fae 100644 if test "${LOAD_RELATIVE+set}"; then AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE) -@@ -4303,6 +4306,7 @@ AC_SUBST(sitearchincludedir)dnl +@@ -4298,6 +4301,7 @@ AC_SUBST(sitearchincludedir)dnl AC_SUBST(arch)dnl AC_SUBST(sitearch)dnl AC_SUBST(ruby_version)dnl diff --git a/ruby-2.3.3-Revert-use-frozen-strings-in-serialized-specs.patch b/ruby-2.3.3-Revert-use-frozen-strings-in-serialized-specs.patch index 5647460..e9e5819 100644 --- a/ruby-2.3.3-Revert-use-frozen-strings-in-serialized-specs.patch +++ b/ruby-2.3.3-Revert-use-frozen-strings-in-serialized-specs.patch @@ -13,7 +13,7 @@ diff --git a/lib/rubygems/specification.rb b/lib/rubygems/specification.rb index 7128532..654996a 100644 --- a/lib/rubygems/specification.rb +++ b/lib/rubygems/specification.rb -@@ -2335,7 +2335,7 @@ class Gem::Specification < Gem::BasicSpecification +@@ -2337,7 +2337,7 @@ class Gem::Specification < Gem::BasicSpecification def ruby_code(obj) case obj @@ -22,7 +22,7 @@ index 7128532..654996a 100644 when Array then '[' + obj.map { |x| ruby_code x }.join(", ") + ']' when Hash then seg = obj.keys.sort.map { |k| "#{k.to_s.dump} => #{obj[k].to_s.dump}" } -@@ -2525,14 +2525,14 @@ class Gem::Specification < Gem::BasicSpecification +@@ -2527,14 +2527,14 @@ class Gem::Specification < Gem::BasicSpecification dependencies.each do |dep| req = dep.requirements_list.inspect dep.instance_variable_set :@type, :runtime if dep.type.nil? # HACK @@ -39,7 +39,7 @@ index 7128532..654996a 100644 end result << ' end' -@@ -2540,7 +2540,7 @@ class Gem::Specification < Gem::BasicSpecification +@@ -2542,7 +2542,7 @@ class Gem::Specification < Gem::BasicSpecification result << " else" dependencies.each do |dep| version_reqs_param = dep.requirements_list.inspect @@ -209,7 +209,7 @@ index dc7b134..204e100 100644 end end SPEC -@@ -3294,20 +3294,20 @@ Did you mean 'Ruby'? +@@ -3324,20 +3324,20 @@ Did you mean 'Ruby'? # stub: m 1 ruby lib Gem::Specification.new do |s| diff --git a/ruby-2.3.4-Fix-RubyGems-CVEs.patch b/ruby-2.3.4-Fix-RubyGems-CVEs.patch deleted file mode 100644 index 99f86de..0000000 --- a/ruby-2.3.4-Fix-RubyGems-CVEs.patch +++ /dev/null @@ -1,355 +0,0 @@ -diff --git lib/rubygems.rb lib/rubygems.rb -index 04031c765c..9c0219ce06 100644 ---- lib/rubygems.rb -+++ lib/rubygems.rb -@@ -10,7 +10,7 @@ - require 'thread' - - module Gem -- VERSION = '2.5.2' -+ VERSION = '2.5.2.1' - end - - # Must be first since it unloads the prelude from 1.9.2 -diff --git lib/rubygems/commands/query_command.rb lib/rubygems/commands/query_command.rb -index d6196b44ed..61e9808860 100644 ---- lib/rubygems/commands/query_command.rb -+++ lib/rubygems/commands/query_command.rb -@@ -226,7 +226,7 @@ def output_versions output, versions - end - end - -- output << make_entry(matching_tuples, platforms) -+ output << clean_text(make_entry(matching_tuples, platforms)) - end - end - -@@ -344,7 +344,8 @@ def spec_platforms entry, platforms - end - - def spec_summary entry, spec -- entry << "\n\n" << format_text(spec.summary, 68, 4) -+ summary = truncate_text(spec.summary, "the summary for #{spec.full_name}") -+ entry << "\n\n" << format_text(summary, 68, 4) - end - - end -diff --git lib/rubygems/installer.rb lib/rubygems/installer.rb -index 85358e0d1a..709b77d126 100644 ---- lib/rubygems/installer.rb -+++ lib/rubygems/installer.rb -@@ -693,6 +693,11 @@ def verify_gem_home(unpack = false) # :nodoc: - unpack or File.writable?(gem_home) - end - -+ def verify_spec_name -+ return if spec.name =~ Gem::Specification::VALID_NAME_PATTERN -+ raise Gem::InstallError, "#{spec} has an invalid name" -+ end -+ - ## - # Return the text for an application file. - -@@ -812,6 +817,8 @@ def pre_install_checks - - ensure_loadable_spec - -+ verify_spec_name -+ - if options[:install_as_default] - Gem.ensure_default_gem_subdirectories gem_home - else -diff --git lib/rubygems/remote_fetcher.rb lib/rubygems/remote_fetcher.rb -index fda1e067ef..254bebfadf 100644 ---- lib/rubygems/remote_fetcher.rb -+++ lib/rubygems/remote_fetcher.rb -@@ -104,7 +104,7 @@ def api_endpoint(uri) - else - target = res.target.to_s.strip - -- if /\.#{Regexp.quote(host)}\z/ =~ target -+ if URI("http://" + target).host.end_with?(".#{host}") - return URI.parse "#{uri.scheme}://#{target}#{uri.path}" - end - -diff --git lib/rubygems/specification.rb lib/rubygems/specification.rb -index 8e2557cdb2..dd4fde1776 100644 ---- lib/rubygems/specification.rb -+++ lib/rubygems/specification.rb -@@ -108,6 +108,8 @@ class Gem::Specification < Gem::BasicSpecification - - private_constant :LOAD_CACHE if defined? private_constant - -+ VALID_NAME_PATTERN = /\A[a-zA-Z0-9\.\-\_]+\z/ # :nodoc: -+ - # :startdoc: - - ## -@@ -2665,9 +2667,15 @@ def validate packaging = true - end - end - -- unless String === name then -+ if !name.is_a?(String) then - raise Gem::InvalidSpecificationException, -- "invalid value for attribute name: \"#{name.inspect}\"" -+ "invalid value for attribute name: \"#{name.inspect}\" must be a string" -+ elsif name !~ /[a-zA-Z]/ then -+ raise Gem::InvalidSpecificationException, -+ "invalid value for attribute name: #{name.dump} must include at least one letter" -+ elsif name !~ VALID_NAME_PATTERN then -+ raise Gem::InvalidSpecificationException, -+ "invalid value for attribute name: #{name.dump} can only include letters, numbers, dashes, and underscores" - end - - if raw_require_paths.empty? then -diff --git lib/rubygems/text.rb lib/rubygems/text.rb -index 732f1b99f2..b944b62c27 100644 ---- lib/rubygems/text.rb -+++ lib/rubygems/text.rb -@@ -6,13 +6,26 @@ - - module Gem::Text - -+ ## -+ # Remove any non-printable characters and make the text suitable for -+ # printing. -+ def clean_text(text) -+ text.gsub(/[\000-\b\v-\f\016-\037\177]/, ".".freeze) -+ end -+ -+ def truncate_text(text, description, max_length = 100_000) -+ raise ArgumentError, "max_length must be positive" unless max_length > 0 -+ return text if text.size <= max_length -+ "Truncating #{description} to #{max_length.to_s.reverse.gsub(/...(?=.)/,'\&,').reverse} characters:\n" + text[0, max_length] -+ end -+ - ## - # Wraps +text+ to +wrap+ characters and optionally indents by +indent+ - # characters - - def format_text(text, wrap, indent=0) - result = [] -- work = text.dup -+ work = clean_text(text) - - while work.length > wrap do - if work =~ /^(.{0,#{wrap}})[ \n]/ then -diff --git test/rubygems/test_gem_commands_query_command.rb test/rubygems/test_gem_commands_query_command.rb -index 78c15a1770..9ec715492f 100644 ---- test/rubygems/test_gem_commands_query_command.rb -+++ test/rubygems/test_gem_commands_query_command.rb -@@ -116,6 +116,86 @@ def test_execute_details - This is a lot of text. This is a lot of text. This is a lot of text. - This is a lot of text. - -+pl (1) -+ Platform: i386-linux -+ Author: A User -+ Homepage: http://example.com -+ -+ this is a summary -+ EOF -+ -+ assert_equal expected, @ui.output -+ assert_equal '', @ui.error -+ end -+ -+ def test_execute_details_cleans_text -+ spec_fetcher do |fetcher| -+ fetcher.spec 'a', 2 do |s| -+ s.summary = 'This is a lot of text. ' * 4 -+ s.authors = ["Abraham Lincoln \x01", "\x02 Hirohito"] -+ s.homepage = "http://a.example.com/\x03" -+ end -+ -+ fetcher.legacy_platform -+ end -+ -+ @cmd.handle_options %w[-r -d] -+ -+ use_ui @ui do -+ @cmd.execute -+ end -+ -+ expected = <<-EOF -+ -+*** REMOTE GEMS *** -+ -+a (2) -+ Authors: Abraham Lincoln ., . Hirohito -+ Homepage: http://a.example.com/. -+ -+ This is a lot of text. This is a lot of text. This is a lot of text. -+ This is a lot of text. -+ -+pl (1) -+ Platform: i386-linux -+ Author: A User -+ Homepage: http://example.com -+ -+ this is a summary -+ EOF -+ -+ assert_equal expected, @ui.output -+ assert_equal '', @ui.error -+ end -+ -+ def test_execute_details_truncates_summary -+ spec_fetcher do |fetcher| -+ fetcher.spec 'a', 2 do |s| -+ s.summary = 'This is a lot of text. ' * 10_000 -+ s.authors = ["Abraham Lincoln \x01", "\x02 Hirohito"] -+ s.homepage = "http://a.example.com/\x03" -+ end -+ -+ fetcher.legacy_platform -+ end -+ -+ @cmd.handle_options %w[-r -d] -+ -+ use_ui @ui do -+ @cmd.execute -+ end -+ -+ expected = <<-EOF -+ -+*** REMOTE GEMS *** -+ -+a (2) -+ Authors: Abraham Lincoln ., . Hirohito -+ Homepage: http://a.example.com/. -+ -+ Truncating the summary for a-2 to 100,000 characters: -+#{" This is a lot of text. This is a lot of text. This is a lot of text.\n" * 1449} This is a lot of te -+ - pl (1) - Platform: i386-linux - Author: A User -diff --git test/rubygems/test_gem_installer.rb test/rubygems/test_gem_installer.rb -index 5ec71d0a01..1092a0c68f 100644 ---- test/rubygems/test_gem_installer.rb -+++ test/rubygems/test_gem_installer.rb -@@ -1227,6 +1227,26 @@ def test_pre_install_checks_wrong_rubygems_version - end - end - -+ def test_pre_install_checks_malicious_name -+ spec = util_spec '../malicious', '1' -+ def spec.full_name # so the spec is buildable -+ "malicious-1" -+ end -+ def spec.validate; end -+ -+ util_build_gem spec -+ -+ gem = File.join(@gemhome, 'cache', spec.file_name) -+ -+ use_ui @ui do -+ @installer = Gem::Installer.at gem -+ e = assert_raises Gem::InstallError do -+ @installer.pre_install_checks -+ end -+ assert_equal '# has an invalid name', e.message -+ end -+ end -+ - def test_shebang - util_make_exec @spec, "#!/usr/bin/ruby" - -diff --git test/rubygems/test_gem_remote_fetcher.rb test/rubygems/test_gem_remote_fetcher.rb -index 49b6b6656c..a3919c8ef2 100644 ---- test/rubygems/test_gem_remote_fetcher.rb -+++ test/rubygems/test_gem_remote_fetcher.rb -@@ -253,6 +253,21 @@ def test_api_endpoint_ignores_trans_domain_values_that_end_with_original - dns.verify - end - -+ def test_api_endpoint_ignores_trans_domain_values_that_end_with_original_in_path -+ uri = URI.parse "http://example.com/foo" -+ target = MiniTest::Mock.new -+ target.expect :target, "evil.com/a.example.com" -+ -+ dns = MiniTest::Mock.new -+ dns.expect :getresource, target, [String, Object] -+ -+ fetch = Gem::RemoteFetcher.new nil, dns -+ assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri) -+ -+ target.verify -+ dns.verify -+ end -+ - def test_api_endpoint_timeout_warning - uri = URI.parse "http://gems.example.com/foo" - -diff --git test/rubygems/test_gem_specification.rb test/rubygems/test_gem_specification.rb -index bc1c8d2ca7..9a49bbbf59 100644 ---- test/rubygems/test_gem_specification.rb -+++ test/rubygems/test_gem_specification.rb -@@ -2974,7 +2974,37 @@ def test_validate_name - @a1.validate - end - -- assert_equal 'invalid value for attribute name: ":json"', e.message -+ assert_equal 'invalid value for attribute name: ":json" must be a string', e.message -+ -+ @a1.name = [] -+ e = assert_raises Gem::InvalidSpecificationException do -+ @a1.validate -+ end -+ assert_equal "invalid value for attribute name: \"[]\" must be a string", e.message -+ -+ @a1.name = "" -+ e = assert_raises Gem::InvalidSpecificationException do -+ @a1.validate -+ end -+ assert_equal "invalid value for attribute name: \"\" must include at least one letter", e.message -+ -+ @a1.name = "12345" -+ e = assert_raises Gem::InvalidSpecificationException do -+ @a1.validate -+ end -+ assert_equal "invalid value for attribute name: \"12345\" must include at least one letter", e.message -+ -+ @a1.name = "../malicious" -+ e = assert_raises Gem::InvalidSpecificationException do -+ @a1.validate -+ end -+ assert_equal "invalid value for attribute name: \"../malicious\" can only include letters, numbers, dashes, and underscores", e.message -+ -+ @a1.name = "\ba\t" -+ e = assert_raises Gem::InvalidSpecificationException do -+ @a1.validate -+ end -+ assert_equal "invalid value for attribute name: \"\\ba\\t\" can only include letters, numbers, dashes, and underscores", e.message - end - - def test_validate_non_nil -diff --git test/rubygems/test_gem_text.rb test/rubygems/test_gem_text.rb -index a6e22e04da..04f3f605e8 100644 ---- test/rubygems/test_gem_text.rb -+++ test/rubygems/test_gem_text.rb -@@ -36,6 +36,10 @@ def test_format_text_trailing # for two spaces after . - assert_equal expected, format_text(text, 78) - end - -+ def test_format_removes_nonprintable_characters -+ assert_equal "text with weird .. stuff .", format_text("text with weird \x1b\x02 stuff \x7f", 40) -+ end -+ - def test_min3 - assert_equal 1, min3(1, 1, 1) - assert_equal 1, min3(1, 1, 2) -@@ -74,4 +78,11 @@ def test_levenshtein_distance_replace - assert_equal 7, levenshtein_distance("xxxxxxx", "ZenTest") - assert_equal 7, levenshtein_distance("zentest", "xxxxxxx") - end -+ -+ def test_truncate_text -+ assert_equal "abc", truncate_text("abc", "desc") -+ assert_equal "Truncating desc to 2 characters:\nab", truncate_text("abc", "desc", 2) -+ s = "ab" * 500_001 -+ assert_equal "Truncating desc to 1,000,000 characters:\n#{s[0, 1_000_000]}", truncate_text(s, "desc", 1_000_000) -+ end - end diff --git a/ruby-2.3.4-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch b/ruby-2.3.4-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch deleted file mode 100644 index 7c9034d..0000000 --- a/ruby-2.3.4-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch +++ /dev/null @@ -1,93 +0,0 @@ -diff --git ext/json/generator/generator.c ext/json/generator/generator.c -index a135e28348..2cdca5685f 100644 ---- ext/json/generator/generator.c -+++ ext/json/generator/generator.c -@@ -301,7 +301,7 @@ static char *fstrndup(const char *ptr, unsigned long len) { - char *result; - if (len <= 0) return NULL; - result = ALLOC_N(char, len); -- memccpy(result, ptr, 0, len); -+ memcpy(result, ptr, len); - return result; - } - -@@ -1055,7 +1055,7 @@ static VALUE cState_indent_set(VALUE self, VALUE indent) - } - } else { - if (state->indent) ruby_xfree(state->indent); -- state->indent = strdup(RSTRING_PTR(indent)); -+ state->indent = fstrndup(RSTRING_PTR(indent), len); - state->indent_len = len; - } - return Qnil; -@@ -1093,7 +1093,7 @@ static VALUE cState_space_set(VALUE self, VALUE space) - } - } else { - if (state->space) ruby_xfree(state->space); -- state->space = strdup(RSTRING_PTR(space)); -+ state->space = fstrndup(RSTRING_PTR(space), len); - state->space_len = len; - } - return Qnil; -@@ -1129,7 +1129,7 @@ static VALUE cState_space_before_set(VALUE self, VALUE space_before) - } - } else { - if (state->space_before) ruby_xfree(state->space_before); -- state->space_before = strdup(RSTRING_PTR(space_before)); -+ state->space_before = fstrndup(RSTRING_PTR(space_before), len); - state->space_before_len = len; - } - return Qnil; -@@ -1166,7 +1166,7 @@ static VALUE cState_object_nl_set(VALUE self, VALUE object_nl) - } - } else { - if (state->object_nl) ruby_xfree(state->object_nl); -- state->object_nl = strdup(RSTRING_PTR(object_nl)); -+ state->object_nl = fstrndup(RSTRING_PTR(object_nl), len); - state->object_nl_len = len; - } - return Qnil; -@@ -1201,7 +1201,7 @@ static VALUE cState_array_nl_set(VALUE self, VALUE array_nl) - } - } else { - if (state->array_nl) ruby_xfree(state->array_nl); -- state->array_nl = strdup(RSTRING_PTR(array_nl)); -+ state->array_nl = fstrndup(RSTRING_PTR(array_nl), len); - state->array_nl_len = len; - } - return Qnil; -diff --git ext/json/generator/generator.h ext/json/generator/generator.h -index 298c0a4965..6bbf817b7d 100644 ---- ext/json/generator/generator.h -+++ ext/json/generator/generator.h -@@ -1,7 +1,6 @@ - #ifndef _GENERATOR_H_ - #define _GENERATOR_H_ - --#include - #include - #include - -diff --git ext/json/lib/json/version.rb ext/json/lib/json/version.rb -index b5748334b9..cd7ddf8777 100644 ---- ext/json/lib/json/version.rb -+++ ext/json/lib/json/version.rb -@@ -1,7 +1,7 @@ - # frozen_string_literal: false - module JSON - # JSON version -- VERSION = '1.8.3' -+ VERSION = '1.8.3.1' - VERSION_ARRAY = VERSION.split(/\./).map { |x| x.to_i } # :nodoc: - VERSION_MAJOR = VERSION_ARRAY[0] # :nodoc: - VERSION_MINOR = VERSION_ARRAY[1] # :nodoc: ---- ext/json/json.gemspec -+++ ext/json/json.gemspec -@@ -1,6 +1,6 @@ - Gem::Specification.new do |s| - s.name = "json" -- s.version = "1.8.3" -+ s.version = "1.8.3.1" - s.summary = "This json is bundled with Ruby" - s.executables = [] - s.files = ["json.rb", "json/add/bigdecimal.rb", "json/add/complex.rb", "json/add/core.rb", "json/add/date.rb", "json/add/date_time.rb", "json/add/exception.rb", "json/add/ostruct.rb", "json/add/range.rb", "json/add/rational.rb", "json/add/regexp.rb", "json/add/struct.rb", "json/add/symbol.rb", "json/add/time.rb", "json/common.rb", "json/ext.rb", "json/ext/generator.bundle", "json/ext/parser.bundle", "json/generic_object.rb", "json/version.rb"] diff --git a/ruby-2.3.4-remove-the-encryption-key-initialization.patch b/ruby-2.3.4-remove-the-encryption-key-initialization.patch deleted file mode 100644 index 99931e8..0000000 --- a/ruby-2.3.4-remove-the-encryption-key-initialization.patch +++ /dev/null @@ -1,170 +0,0 @@ -From 739782e37a6662fea379e7ef3ec89e851b04b46c Mon Sep 17 00:00:00 2001 -From: usa -Date: Wed, 5 Jul 2017 07:06:45 +0000 -Subject: [PATCH] * ext/openssl/ossl_cipher.c: remove the encryption key - initialization from Cipher#initialize. This is effectively a revert of - r32723 ("Avoid possible SEGV from AES encryption/decryption", 2011-07-28). - the patch is derived from - https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062, - written by Kazuki Yamaguchi. [Backport #8221] - -git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59267 b2dd03c8-39d4-4d8f-98ff-823fe69b080e ---- - ChangeLog | 9 +++++++++ - ext/openssl/ossl_cipher.c | 23 ++++++++++++++--------- - test/openssl/test_cipher.rb | 29 +++++++++++++++++++++++------ - version.h | 6 +++--- - 3 files changed, 46 insertions(+), 15 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index 33b9dbe79fef..ad89c9c4bd52 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,12 @@ -+Wed Jul 5 15:55:35 2017 NAKAMURA Usaku -+ -+ * ext/openssl/ossl_cipher.c: remove the encryption key initialization -+ from Cipher#initialize. This is effectively a revert of r32723 -+ ("Avoid possible SEGV from AES encryption/decryption", 2011-07-28). -+ the patch is derived from https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062, -+ written by Kazuki Yamaguchi. -+ [Backport #8221] -+ - Wed Mar 29 23:47:31 2017 CHIKANAGA Tomoyuki - - * hash.c (any_hash): fix CI failure on L32LLP64 architecture. -diff --git a/ext/openssl/ossl_cipher.c b/ext/openssl/ossl_cipher.c -index 09b021d9873a..24caba6e3721 100644 ---- a/ext/openssl/ossl_cipher.c -+++ b/ext/openssl/ossl_cipher.c -@@ -34,6 +34,7 @@ - */ - VALUE cCipher; - VALUE eCipherError; -+static ID id_key_set; - - static VALUE ossl_cipher_alloc(VALUE klass); - static void ossl_cipher_free(void *ptr); -@@ -114,7 +115,6 @@ ossl_cipher_initialize(VALUE self, VALUE str) - EVP_CIPHER_CTX *ctx; - const EVP_CIPHER *cipher; - char *name; -- unsigned char key[EVP_MAX_KEY_LENGTH]; - - name = StringValuePtr(str); - GetCipherInit(self, ctx); -@@ -126,14 +126,7 @@ ossl_cipher_initialize(VALUE self, VALUE str) - if (!(cipher = EVP_get_cipherbyname(name))) { - ossl_raise(rb_eRuntimeError, "unsupported cipher algorithm (%s)", name); - } -- /* -- * The EVP which has EVP_CIPH_RAND_KEY flag (such as DES3) allows -- * uninitialized key, but other EVPs (such as AES) does not allow it. -- * Calling EVP_CipherUpdate() without initializing key causes SEGV so we -- * set the data filled with "\0" as the key by default. -- */ -- memset(key, 0, EVP_MAX_KEY_LENGTH); -- if (EVP_CipherInit_ex(ctx, cipher, NULL, key, NULL, -1) != 1) -+ if (EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, -1) != 1) - ossl_raise(eCipherError, NULL); - - return self; -@@ -252,6 +245,9 @@ ossl_cipher_init(int argc, VALUE *argv, VALUE self, int mode) - ossl_raise(eCipherError, NULL); - } - -+ if (p_key) -+ rb_ivar_set(self, id_key_set, Qtrue); -+ - return self; - } - -@@ -338,6 +334,8 @@ ossl_cipher_pkcs5_keyivgen(int argc, VALUE *argv, VALUE self) - OPENSSL_cleanse(key, sizeof key); - OPENSSL_cleanse(iv, sizeof iv); - -+ rb_ivar_set(self, id_key_set, Qtrue); -+ - return Qnil; - } - -@@ -391,6 +389,9 @@ ossl_cipher_update(int argc, VALUE *argv, VALUE self) - - rb_scan_args(argc, argv, "11", &data, &str); - -+ if (!RTEST(rb_attr_get(self, id_key_set))) -+ ossl_raise(eCipherError, "key not set"); -+ - StringValue(data); - in = (unsigned char *)RSTRING_PTR(data); - if ((in_len = RSTRING_LEN(data)) == 0) -@@ -490,6 +491,8 @@ ossl_cipher_set_key(VALUE self, VALUE key) - if (EVP_CipherInit_ex(ctx, NULL, NULL, (unsigned char *)RSTRING_PTR(key), NULL, -1) != 1) - ossl_raise(eCipherError, NULL); - -+ rb_ivar_set(self, id_key_set, Qtrue); -+ - return key; - } - -@@ -1008,4 +1011,6 @@ Init_ossl_cipher(void) - rb_define_method(cCipher, "iv_len", ossl_cipher_iv_length, 0); - rb_define_method(cCipher, "block_size", ossl_cipher_block_size, 0); - rb_define_method(cCipher, "padding=", ossl_cipher_set_padding, 1); -+ -+ id_key_set = rb_intern_const("key_set"); - } -diff --git a/test/openssl/test_cipher.rb b/test/openssl/test_cipher.rb -index 89c176f4de41..95058b5f196b 100644 ---- a/test/openssl/test_cipher.rb -+++ b/test/openssl/test_cipher.rb -@@ -81,6 +81,7 @@ def test_reset - - def test_empty_data - @c1.encrypt -+ @c1.random_key - assert_raise(ArgumentError){ @c1.update("") } - end - -@@ -129,12 +130,10 @@ def test_AES - } - end - -- def test_AES_crush -- 500.times do -- assert_nothing_raised("[Bug #2768]") do -- # it caused OpenSSL SEGV by uninitialized key -- OpenSSL::Cipher::AES128.new("ECB").update "." * 17 -- end -+ def test_update_raise_if_key_not_set -+ assert_raise(OpenSSL::Cipher::CipherError) do -+ # it caused OpenSSL SEGV by uninitialized key [Bug #2768] -+ OpenSSL::Cipher::AES128.new("ECB").update "." * 17 - end - end - end -@@ -236,6 +235,24 @@ def test_aes_gcm_wrong_ciphertext - end - end - -+ def test_aes_gcm_key_iv_order_issue -+ pt = "[ruby/openssl#49]" -+ cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt -+ cipher.key = "x" * 16 -+ cipher.iv = "a" * 12 -+ ct1 = cipher.update(pt) << cipher.final -+ tag1 = cipher.auth_tag -+ -+ cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt -+ cipher.iv = "a" * 12 -+ cipher.key = "x" * 16 -+ ct2 = cipher.update(pt) << cipher.final -+ tag2 = cipher.auth_tag -+ -+ assert_equal ct1, ct2 -+ assert_equal tag1, tag2 -+ end if has_cipher?("aes-128-gcm") -+ - end - - private diff --git a/ruby-2.4.0-SMTP-injection-fix.patch b/ruby-2.4.0-SMTP-injection-fix.patch deleted file mode 100644 index 569c69b..0000000 --- a/ruby-2.4.0-SMTP-injection-fix.patch +++ /dev/null @@ -1,122 +0,0 @@ -From ea7b67981156f3eaee8420bb34c49605573387a5 Mon Sep 17 00:00:00 2001 -From: shugo -Date: Wed, 8 Jun 2016 07:06:57 +0000 -Subject: [PATCH] Security: backport SMTP injection fix - -* lib/net/smtp.rb (getok, get_response): raise an ArgumentError when -CR or LF is included in a line, because they are not allowed in -RFC5321. - -https://hackerone.com/reports/137631 ---- - ChangeLog | 6 ++++++ - lib/net/smtp.rb | 9 +++++++++ - test/net/smtp/test_smtp.rb | 47 ++++++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 62 insertions(+) - -diff --git a/ChangeLog b/ChangeLog -index ab9a6bf18281..5176d362881b 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,9 @@ -+Sun Jun 11 21:25:09 2017 Shugo Maeda -+ -+ * lib/net/smtp.rb (getok, get_response): raise an ArgumentError when -+ CR or LF is included in a line, because they are not allowed in -+ RFC5321. https://hackerone.com/reports/137631 [Backport 0827a7e] -+ - Wed Jul 5 15:55:35 2017 NAKAMURA Usaku - - * ext/openssl/ossl_cipher.c: remove the encryption key initialization -diff --git a/lib/net/smtp.rb b/lib/net/smtp.rb -index d634274c3ee8..78f2181d2a8b 100644 ---- a/lib/net/smtp.rb -+++ b/lib/net/smtp.rb -@@ -926,7 +926,15 @@ def quit - - private - -+ def validate_line(line) -+ # A bare CR or LF is not allowed in RFC5321. -+ if /[\r\n]/ =~ line -+ raise ArgumentError, "A line must not contain CR or LF" -+ end -+ end -+ - def getok(reqline) -+ validate_line reqline - res = critical { - @socket.writeline reqline - recv_response() -@@ -936,6 +944,7 @@ def getok(reqline) - end - - def get_response(reqline) -+ validate_line reqline - @socket.writeline reqline - recv_response() - end -diff --git a/test/net/smtp/test_smtp.rb b/test/net/smtp/test_smtp.rb -index 0edb3419d56e..3bcceb6fc5bb 100644 ---- a/test/net/smtp/test_smtp.rb -+++ b/test/net/smtp/test_smtp.rb -@@ -6,6 +6,8 @@ - module Net - class TestSMTP < Test::Unit::TestCase - class FakeSocket -+ attr_reader :write_io -+ - def initialize out = "250 OK\n" - @write_io = StringIO.new - @read_io = StringIO.new out -@@ -51,5 +53,50 @@ def test_rset - - assert smtp.rset - end -+ -+ def test_mailfrom -+ sock = FakeSocket.new -+ smtp = Net::SMTP.new 'localhost', 25 -+ smtp.instance_variable_set :@socket, sock -+ assert smtp.mailfrom("foo@example.com").success? -+ assert_equal "MAIL FROM:\r\n", sock.write_io.string -+ end -+ -+ def test_rcptto -+ sock = FakeSocket.new -+ smtp = Net::SMTP.new 'localhost', 25 -+ smtp.instance_variable_set :@socket, sock -+ assert smtp.rcptto("foo@example.com").success? -+ assert_equal "RCPT TO:\r\n", sock.write_io.string -+ end -+ -+ def test_auth_plain -+ sock = FakeSocket.new -+ smtp = Net::SMTP.new 'localhost', 25 -+ smtp.instance_variable_set :@socket, sock -+ assert smtp.auth_plain("foo", "bar").success? -+ assert_equal "AUTH PLAIN AGZvbwBiYXI=\r\n", sock.write_io.string -+ end -+ -+ def test_crlf_injection -+ smtp = Net::SMTP.new 'localhost', 25 -+ smtp.instance_variable_set :@socket, FakeSocket.new -+ -+ assert_raise(ArgumentError) do -+ smtp.mailfrom("foo\r\nbar") -+ end -+ -+ assert_raise(ArgumentError) do -+ smtp.mailfrom("foo\rbar") -+ end -+ -+ assert_raise(ArgumentError) do -+ smtp.mailfrom("foo\nbar") -+ end -+ -+ assert_raise(ArgumentError) do -+ smtp.rcptto("foo\r\nbar") -+ end -+ end - end - end diff --git a/ruby.spec b/ruby.spec index d3725f6..846f971 100644 --- a/ruby.spec +++ b/ruby.spec @@ -1,6 +1,6 @@ %global major_version 2 %global minor_version 3 -%global teeny_version 4 +%global teeny_version 5 %global major_minor_version %{major_version}.%{minor_version} %global ruby_version %{major_minor_version}.%{teeny_version} @@ -21,7 +21,7 @@ %endif -%global release 64 +%global release 65 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} # The RubyGems library has to stay out of Ruby directory three, since the @@ -42,7 +42,7 @@ %global json_version 1.8.3.1 %global minitest_version 5.8.5 %global power_assert_version 0.2.6 -%global psych_version 2.1.0 +%global psych_version 2.1.0.1 %global rake_version 10.4.2 %global rdoc_version 4.2.1 %global net_telnet_version 0.1.1 @@ -126,28 +126,6 @@ Patch7: ruby-2.2.3-Generate-preludes-using-miniruby.patch # hardening features of glibc (rhbz#1361037). # https://bugs.ruby-lang.org/issues/12666 Patch9: ruby-2.3.1-Rely-on-ldd-to-detect-glibc.patch -# Fix IV Reuse in GCM Mode (CVE-2016-7798). -# https://bugzilla.redhat.com/show_bug.cgi?id=1381527 -# https://github.com/ruby/ruby/commit/739782e37a6662fea379e7ef3ec89e851b04b46c -Patch10: ruby-2.3.4-remove-the-encryption-key-initialization.patch -# Fix SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM -# commands in Net::SMTP (CVE-2015-9096). -# https://bugzilla.redhat.com/show_bug.cgi?id=1461848 -# https://github.com/ruby/ruby/pull/1647 -Patch11: ruby-2.4.0-SMTP-injection-fix.patch -# Fix various RubyGems CVEs: -# an ANSI escape sequence vulnerability (CVE-2017-0899). -# a DoS vulnerability in the query command (CVE-2017-0900). -# a vulnerability in the gem installer that allowed a malicious gem -# to overwrite arbitrary files (CVE-2017-0901). -# a DNS request hijacking vulnerability (CVE-2017-0902). -# https://bugzilla.redhat.com/show_bug.cgi?id=1487591 -# https://bugs.ruby-lang.org/issues/13842 -Patch12: ruby-2.3.4-Fix-RubyGems-CVEs.patch -# Fix arbitrary heap exposure during a JSON.generate call (CVE-2017-14064). -# https://bugzilla.redhat.com/show_bug.cgi?id=1487553 -# https://bugs.ruby-lang.org/issues/13853 -Patch13: ruby-2.3.4-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch # Do not freeze strings in generated .gemspec. This causes regressions # and FTBFS in Fedora packages. This is revert of: # https://github.com/rubygems/rubygems/commit/8eda3272d28010c768a05620de776e5a8195c1ae @@ -501,10 +479,6 @@ rm -rf ext/fiddle/libffi* %patch6 -p1 %patch7 -p1 %patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -%patch13 %patch100 -p1 # Provide an example of usage of the tapset: @@ -995,6 +969,9 @@ make check TESTS="-v $DISABLE_TESTS" %{ruby_libdir}/tkextlib %changelog +* Mon Oct 02 2017 Pavel Valena - 2.3.5-65 +- Update to Ruby 2.3.5. + * Wed Sep 06 2017 Vít Ondruch - 2.3.4-64 - Fix ANSI escape sequence vulnerability (rhbz#1487590). - Fix DoS vulnerability in the query command (rhbz#1487588). diff --git a/sources b/sources index 976cfeb..b202e1f 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (ruby-2.3.4.tar.xz) = 9e3adc2de6703e50e75db37db2981006d4c69759929d61db6a0d63627cfe5977d0ad66d2c69d7161cfc0c0d1c2cb38e5181a06ccd2790df2f72ec25c2ad01e02 +SHA512 (ruby-2.3.5.tar.xz) = c55e3b71241f505b6bbad78b3bd40235064faae3443ca14b77b6356556caed6a0d055dc2e2cd7ebdb5290ab908e06d2b7d68f72469af5017eda4b29664b0d889