- New upstream release.

- ruby-r12567.patch: removed. - ruby-1.8.6-CVE-2007-5162.patch: security fix for Net::HTTP that is insufficient verification of SSL certificate.
2007-10-10 01:05:17 +00:00 · 2007-10-10 01:05:17 +00:00 · 0ce3eec117
commit 0ce3eec117
parent 443bb961d5
5 changed files with 111 additions and 34 deletions
--- a/.cvsignore
+++ b/.cvsignore
@ -14,3 +14,4 @@ ruby-1.8.5-p2.tar.gz
 ruby-1.8.5-p12.tar.gz
 ruby-1.8.6.tar.bz2
 ruby-1.8.6-p36.tar.bz2
+ruby-1.8.6-p110.tar.bz2
--- a/ruby-1.8.6-CVE-2007-5162.patch
+++ b/ruby-1.8.6-CVE-2007-5162.patch
@ -0,0 +1,99 @@
+diff -ruN ruby-1.8.6-p110.orig/ext/openssl/lib/openssl/ssl.rb ruby-1.8.6-p110/ext/openssl/lib/openssl/ssl.rb
+--- ruby-1.8.6-p110.orig/ext/openssl/lib/openssl/ssl.rb	2007-02-13 08:01:19.000000000 +0900
+++ ruby-1.8.6-p110/ext/openssl/lib/openssl/ssl.rb	2007-10-04 22:38:48.000000000 +0900
+@@ -88,7 +88,7 @@
+             end
+           }
+         end
+-        raise SSLError, "hostname not match"
+        raise SSLError, "hostname not match with the server certificate"
+       end
+     end
+ 
+diff -ruN ruby-1.8.6-p110.orig/lib/net/http.rb ruby-1.8.6-p110/lib/net/http.rb
+--- ruby-1.8.6-p110.orig/lib/net/http.rb	2007-02-13 08:01:19.000000000 +0900
+++ ruby-1.8.6-p110/lib/net/http.rb	2007-10-04 22:41:34.000000000 +0900
+@@ -470,6 +470,7 @@
+       @debug_output = nil
+       @use_ssl = false
+       @ssl_context = nil
+      @enable_post_connection_check = true
+     end
+ 
+     def inspect
+@@ -526,6 +527,9 @@
+       false   # redefined in net/https
+     end
+ 
+    # specify enabling SSL server certificate and hostname checking.
+    attr_accessor :enable_post_connection_check
+
+     # Opens TCP connection and HTTP session.
+     # 
+     # When this method is called with block, gives a HTTP object
+@@ -584,6 +588,14 @@
+           HTTPResponse.read_new(@socket).value
+         end
+         s.connect
+        if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
+          begin
+           s.post_connection_check(@address)
+          rescue OpenSSL::SSL::SSLError => ex
+           raise ex if @enable_post_connection_check
+           warn ex.message
+          end
+        end
+       end
+       on_connect
+     end
+diff -ruN ruby-1.8.6-p110.orig/lib/open-uri.rb ruby-1.8.6-p110/lib/open-uri.rb
+--- ruby-1.8.6-p110.orig/lib/open-uri.rb	2007-02-13 08:01:19.000000000 +0900
+++ ruby-1.8.6-p110/lib/open-uri.rb	2007-10-04 22:42:18.000000000 +0900
+@@ -229,6 +229,7 @@
+     if target.class == URI::HTTPS
+       require 'net/https'
+       http.use_ssl = true
+      http.enable_post_connection_check = true
+       http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+       store = OpenSSL::X509::Store.new
+       store.set_default_paths
+@@ -240,16 +241,6 @@
+ 
+     resp = nil
+     http.start {
+-      if target.class == URI::HTTPS
+-        # xxx: information hiding violation
+-        sock = http.instance_variable_get(:@socket)
+-        if sock.respond_to?(:io)
+-          sock = sock.io # 1.9
+-        else
+-          sock = sock.instance_variable_get(:@socket) # 1.8
+-        end
+-        sock.post_connection_check(target_host)
+-      end
+       req = Net::HTTP::Get.new(request_uri, header)
+       if options.include? :http_basic_authentication
+         user, pass = options[:http_basic_authentication]
+diff -ruN ruby-1.8.6-p110.orig/version.h ruby-1.8.6-p110/version.h
+--- ruby-1.8.6-p110.orig/version.h	2007-09-23 09:01:50.000000000 +0900
+++ ruby-1.8.6-p110/version.h	2007-10-04 22:42:37.000000000 +0900
+@@ -1,15 +1,15 @@
+ #define RUBY_VERSION "1.8.6"
+-#define RUBY_RELEASE_DATE "2007-09-23"
+#define RUBY_RELEASE_DATE "2007-09-24"
+ #define RUBY_VERSION_CODE 186
+-#define RUBY_RELEASE_CODE 20070923
+-#define RUBY_PATCHLEVEL 110
+#define RUBY_RELEASE_CODE 20070924
+#define RUBY_PATCHLEVEL 111
+ 
+ #define RUBY_VERSION_MAJOR 1
+ #define RUBY_VERSION_MINOR 8
+ #define RUBY_VERSION_TEENY 6
+ #define RUBY_RELEASE_YEAR 2007
+ #define RUBY_RELEASE_MONTH 9
+-#define RUBY_RELEASE_DAY 23
+#define RUBY_RELEASE_DAY 24
+ 
+ #ifdef RUBY_EXTERN
+ RUBY_EXTERN const char ruby_version[];
--- a/ruby-r12567.patch
+++ b/ruby-r12567.patch
@ -1,30 +0,0 @@
-Mon Jun 18 11:29:49 2007  Nobuyoshi Nakada  <nobu@ruby-lang.org>
-
-	* intern.h, ext/thread/thread.c: moved prototype of rb_thread_status()
-	  to get rid of error in C++.  [ruby-list:43615]
-
-Index: intern.h
-===================================================================
--- intern.h	(リビジョン 12566)
-+++ intern.h	(リビジョン 12567)
-@@ -204,7 +204,6 @@
- void rb_thread_polling _((void));
- void rb_thread_sleep _((int));
- void rb_thread_sleep_forever _((void));
-enum rb_thread_status rb_thread_status _((VALUE));
- VALUE rb_thread_stop _((void));
- VALUE rb_thread_wakeup _((VALUE));
- VALUE rb_thread_wakeup_alive _((VALUE));
-Index: ext/thread/thread.c
-===================================================================
--- ext/thread/thread.c	(リビジョン 12566)
-+++ ext/thread/thread.c	(リビジョン 12567)
-@@ -14,6 +14,8 @@
- #include <rubysig.h>
- #include <node.h>
- 
-+enum rb_thread_status rb_thread_status _((VALUE));
-+
- static VALUE rb_cMutex;
- static VALUE rb_cConditionVariable;
- static VALUE rb_cQueue;
--- a/ruby.spec
+++ b/ruby.spec
@ -1,7 +1,7 @@
 %define manver		1.4.6
 %define	rubyxver	1.8
 %define	rubyver		1.8.6
-%define _patchlevel	36
+%define _patchlevel	110
 %define dotpatchlevel	%{?_patchlevel:.%{_patchlevel}}
 %define patchlevel	%{?_patchlevel:-p%{_patchlevel}}
 %define	sitedir		%{_libdir}/ruby/site_ruby
@ -11,7 +11,7 @@

 Name:		ruby
 Version:	%{rubyver}%{?dotpatchlevel}
-Release:	4%{?dist}
+Release:	1%{?dist}
 License:	Ruby or GPL+
 URL:		http://www.ruby-lang.org/
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -36,7 +36,7 @@ Patch20:	ruby-rubyprefix.patch
 Patch21:	ruby-deprecated-sitelib-search-path.patch
 Patch22:	ruby-deprecated-search-path.patch
 Patch23:	ruby-multilib.patch
-Patch24:	ruby-r12567.patch
+Patch24:	ruby-1.8.6-CVE-2007-5162.patch

 Summary:	An interpreter of object-oriented scripting language
 Group:		Development/Languages
@ -153,7 +153,7 @@ pushd %{name}-%{rubyver}%{?patchlevel}
 %patch22 -p1
 %patch23 -p1
 %endif
-%patch24 -p0
+%patch24 -p1
 popd

 %build
@ -471,6 +471,12 @@ rm -rf tmp-ruby-docs
 %endif

 %changelog
+* Wed Oct 10 2007 Akira TAGOH <tagoh@redhat.com> - 1.8.6.110-1
+- New upstream release.
+  - ruby-r12567.patch: removed.
+- ruby-1.8.6-CVE-2007-5162.patch: security fix for Net::HTTP that is
+  insufficient verification of SSL certificate.
+
 * Thu Aug 23 2007 Akira TAGOH <tagoh@redhat.com> - 1.8.6.36-4
 - Rebuild

--- a/1
+++ b/1
@ -3,3 +3,4 @@ d65e3a216d6d345a2a6f1aa8758c2f75  ruby-refm-rdp-1.8.1-ja-html.tar.gz
 7f3e181c0be9a1579e43a5a8b26372d6  rubyfaq-990927.tar.bz2
 8aa2e2da327dc43ff6e46e634eb657b6  rubyfaq-jp-990927.tar.bz2
 eb7f25818cb6993839b38d1f21bd4ea1  ruby-1.8.6-p36.tar.bz2
+39cbf0cc610e636983cb3311bef3f2d0  ruby-1.8.6-p110.tar.bz2