From 352f32d3d161062d6bf28571c5370769dbb170b2 Mon Sep 17 00:00:00 2001
From: Mamoru Tasaka
Date: Sat, 13 Oct 2012 14:53:07 +0900
Subject: [PATCH] Update to 1.9.3 p286 - Don't create files when NUL-containing path name is passed (bug 865940)
---
 .gitignore | 1 +
 ruby-1.9.3-backport-from-trunk-rev37068.patch | 103 ------------------
 ruby-1.9.3-p286-open-devtty-on-koji.patch | 14 +++
 ruby.spec | 22 +++-
 sources | 2 +-
 5 files changed, 32 insertions(+), 110 deletions(-)
 delete mode 100644 ruby-1.9.3-backport-from-trunk-rev37068.patch
 create mode 100644 ruby-1.9.3-p286-open-devtty-on-koji.patch
diff --git a/.gitignore b/.gitignore
index 08ebd24..b512d18 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,4 @@ ruby-rev415a3ef9ab82c65a7abc-ext_tk.tar.gz
 /ruby-1.9.3-p0.tar.gz
 /ruby-1.9.3-p125.tar.gz
 /ruby-1.9.3-p194.tar.gz
+/ruby-1.9.3-p286.tar.gz
diff --git a/ruby-1.9.3-backport-from-trunk-rev37068.patch b/ruby-1.9.3-backport-from-trunk-rev37068.patch
deleted file mode 100644
index 81b6b79..0000000
--- a/ruby-1.9.3-backport-from-trunk-rev37068.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-Patch from trunk for CVE-2012-4464, CVE-2012-4466
-Part for test/ruby/test_exception.rb was adjusted for ruby 1.9.3
-
-Mamoru Tasaka
-
-------------------------------------------------------------------------
-r37068 | shugo | 2012-10-03 02:25:10 +0900 (Wed, 03 Oct 2012) | 2 lines
-
-* error.c (exc_to_s, name_err_to_s, name_err_mesg_to_str): do not
- taint messages.
-------------------------------------------------------------------------
-Index: error.c
-===================================================================
---- error.c (revision 37067)
-+++ error.c (revision 37068)
-@@ -635,7 +635,6 @@
- 
- if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
- r = rb_String(mesg);
-- OBJ_INFECT(r, exc);
- return r;
- }
- 
-@@ -996,11 +995,7 @@
- 
- if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
- StringValue(str);
-- if (str != mesg) {
-- rb_iv_set(exc, "mesg", mesg = str);
-- }
-- OBJ_INFECT(mesg, exc);
-- return mesg;
-+ return str;
- }
- 
- /*
-@@ -1131,7 +1126,6 @@
- args[2] = d;
- mesg = rb_f_sprintf(NAME_ERR_MESG_COUNT, args);
- }
-- OBJ_INFECT(mesg, obj);
- return mesg;
- }
- 
-Index: test/ruby/test_exception.rb
-===================================================================
---- test/ruby/test_exception.rb (revision 37067)
-+++ test/ruby/test_exception.rb (modified)
-@@ -333,4 +333,54 @@
- load(t.path)
- end
- end
-+
-+ def test_to_s_taintness_propagation
-+ for exc in [Exception, NameError]
-+ m = "abcdefg"
-+ e = exc.new(m)
-+ e.taint
-+ s = e.to_s
-+ assert_equal(false, m.tainted?,
-+ "#{exc}#to_s should not propagate taintness")
-+ assert_equal(false, s.tainted?,
-+ "#{exc}#to_s should not propagate taintness")
-+ end
-+
-+ o = Object.new
-+ def o.to_str
-+ "foo"
-+ end
-+ o.taint
-+ e = NameError.new(o)
-+ s = e.to_s
-+ assert_equal(false, s.tainted?)
-+ end
-+
-+ def test_exception_to_s_should_not_propagate_untrustedness
-+ favorite_lang = "Ruby"
-+
-+ for exc in [Exception, NameError]
-+ assert_raise(SecurityError) do
-+ lambda {
-+ $SAFE = 4
-+ exc.new(favorite_lang).to_s
-+ favorite_lang.replace("Python")
-+ }.call
-+ end
-+ end
-+
-+ assert_raise(SecurityError) do
-+ lambda {
-+ $SAFE = 4
-+ o = Object.new
-+ o.singleton_class.send(:define_method, :to_str) {
-+ favorite_lang
-+ }
-+ NameError.new(o).to_s
-+ favorite_lang.replace("Python")
-+ }.call
-+ end
-+
-+ assert_equal("Ruby", favorite_lang)
-+ end
- end
diff --git a/ruby-1.9.3-p286-open-devtty-on-koji.patch b/ruby-1.9.3-p286-open-devtty-on-koji.patch
new file mode 100644
index 0000000..699895a
--- /dev/null
+++ b/ruby-1.9.3-p286-open-devtty-on-koji.patch
@@ -0,0 +1,14 @@
+--- ruby-1.9.3-p286/test/ruby/test_io.rb.devtty 2012-10-12 17:37:54.000000000 +0900
++++ ruby-1.9.3-p286/test/ruby/test_io.rb 2012-10-13 14:00:24.000000000 +0900
+@@ -2068,6 +2068,11 @@
+ return if /linux/ !~ RUBY_PLATFORM
+ return if /^i.?86|^x86_64/ !~ RUBY_PLATFORM
+ return unless File.exist?('/dev/tty')
++ begin
++ File.open('/dev/tty') {|f|}
++ rescue Errno::ENXIO
++ return
++ end
+ 
+ File.open('/dev/tty') { |f|
+ tiocgwinsz=0x5413
diff --git a/ruby.spec b/ruby.spec
index 7a1a7a4..4c85534 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -1,7 +1,7 @@
 %global major_version 1
 %global minor_version 9
 %global teeny_version 3
-%global patch_level 194
+%global patch_level 286
 
 %global major_minor_version %{major_version}.%{minor_version}
 
@@ -56,7 +56,7 @@ Version: %{ruby_version_patch_level}
 # we cannot reset the release number to 1 even when the main (ruby) version
 # is updated - because it may be that the versions of sub-components don't
 # change.
-Release: 18%{?dist}
+Release: 19%{?dist}
 Group: Development/Languages
 # Public Domain for example for: include/ruby/st.h, strftime.c, ...
 License: (Ruby or BSD) and Public Domain
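Review bot: The added `begin … rescue Errno::ENXIO` block in ruby-1.9.3-p286-open-devtty-on-koji.patch opens /dev/tty once purely as a probe and the test then re-opens it on the next unchanged line, so the probe and the real open are two separate syscalls and nothing guarantees the second behaves like the first; rescuing around the real `File.open('/dev/tty') { |f|` would avoid the double open, but that block continues past the end of the hunk, so the change would touch lines not shown here. The enclosing test method also starts before the hunk. At minimum the probe deserves a comment in the test itself, since the reason is recorded only in ruby.spec: `# On build hosts /dev/tty may exist but not be openable (ENXIO); skip rather than fail`. Whether other errnos can occur on such hosts I cannot tell from here; if they do, the rescue list is the place to widen.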
@@ -79,7 +79,8 @@ Patch4: ruby-1.9.3-fix-s390x-build.patch
 # when it exists outside of the GEM_HOME (already fixed in the upstream)
 Patch5: ruby-1.9.3-rubygems-1.8.11-uninstaller.patch
 # http://redmine.ruby-lang.org/issues/5135 - see comment 29
-Patch6: ruby-1.9.3-webrick-test-fix.patch
+# Fixed in ruby 1.9.3p286
+#Patch6: ruby-1.9.3-webrick-test-fix.patch
 # Already fixed upstream:
 # https://github.com/ruby/ruby/commit/f212df564a4e1025f9fb019ce727022a97bfff53
 Patch7: ruby-1.9.3-bignum-test-fix.patch
@@ -91,7 +92,11 @@ Patch8: ruby-1.9.3-custom-rubygems-location.patch
 Patch9: rubygems-1.8.11-binary-extensions.patch
 # Patch from trunk for CVE-4464, CVE-4466
 # http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068
-Patch10: ruby-1.9.3-backport-from-trunk-rev37068.patch
+# Fixed in ruby 1.9.3p286
+#Patch10: ruby-1.9.3-backport-from-trunk-rev37068.patch
+# Opening /dev/tty fails with ENXIO (ref: man 2 open) on koji.
+# Let's rescue this
+Patch10: ruby-1.9.3-p286-open-devtty-on-koji.patch
 # Make mkmf verbose by default
 Patch12: ruby-1.9.3-mkmf-verbose.patch
 
@@ -330,11 +335,11 @@ Tcl/Tk interface for the object-oriented scripting language Ruby.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
-%patch6 -p1
+#%%patch6 -p1
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
-%patch10 -p0
+%patch10 -p1
 %patch12 -p1
 
 %build
@@ -741,6 +746,11 @@ make check TESTS="-v $DISABLE_TESTS"
 %{ruby_libdir}/tkextlib
 
 %changelog
+* Sat Oct 13 2012 Mamoru TASAKA - 1.9.3.286-19
+- Update to 1.9.3 p286
+- Don't create files when NUL-containing path name is passed
+ (bug 865940)
+
 * Thu Oct 04 2012 Mamoru Tasaka - 1.9.3.194-18
 - Patch from trunk for CVE-2012-4464, CVE-2012-4466
 
diff --git a/sources b/sources
index 391168d..ff5d890 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-bc0c715c69da4d1d8bd57069c19f6c0e ruby-1.9.3-p194.tar.gz
+e2469b55c2a3d0d643097d47fe4984bb ruby-1.9.3-p286.tar.gz
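Review bot: The retained comment `# Patch from trunk for CVE-4464, CVE-4466` above the now-disabled Patch10 line in the `@@ -91,7 +92,11 @@` hunk of ruby.spec still carries truncated CVE identifiers; the same commit's %changelog entry spells them as CVE-2012-4464 and CVE-2012-4466, so the spec comment should match, e.g. `# Patch from trunk for CVE-2012-4464, CVE-2012-4466 (fixed upstream in 1.9.3p286)`, so that a search for the full identifier finds where the fix is recorded. Reusing the Patch10 slot for the unrelated /dev/tty test workaround is also confusing, because `%patch10 -p1` in the `@@ -330,11 +335,11 @@` hunk now applies a different file with a different strip level than the comment block directly above it describes; a fresh unused patch number would keep the history readable. The new `# Fixed in ruby 1.9.3p286` lines are consistent with the patch_level bump elsewhere in this commit, but a pointer to the upstream release announcement next to them would let a later maintainer verify the claim without re-reading the old patch.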