From 9f5e44d23cf18e670b17da8080a69d8b6f054367 Mon Sep 17 00:00:00 2001 From: Akira TAGOH Date: Tue, 24 Jun 2008 03:32:31 +0000 Subject: [PATCH] - New upstream release. - Security fixes. (#452295) - CVE-2008-1891: WEBrick CGI source disclosure. - CVE-2008-2662: Integer overflow in rb_str_buf_append(). - CVE-2008-2663: Integer overflow in rb_ary_store(). - CVE-2008-2664: Unsafe use of alloca in rb_str_format(). - CVE-2008-2725: Integer overflow in rb_ary_splice(). - CVE-2008-2726: Integer overflow in rb_ary_splice(). - ruby-1.8.6.111-CVE-2007-5162.patch: removed. - Build ruby-mode package for all archtectures. --- .cvsignore | 1 + ruby-1.8.6.111-CVE-2007-5162.patch | 97 ------------------------------ ruby.spec | 26 ++++---- sources | 2 +- 4 files changed, 15 insertions(+), 111 deletions(-) delete mode 100644 ruby-1.8.6.111-CVE-2007-5162.patch diff --git a/.cvsignore b/.cvsignore index d31c9b8..2ecc1d3 100644 --- a/.cvsignore +++ b/.cvsignore @@ -21,3 +21,4 @@ ruby-1.8.6-p111.tar.bz2 rubyfaq-990927.tar.gz rubyfaq-jp-990927.tar.gz ruby-1.8.6-p114.tar.bz2 +ruby-1.8.6-p230.tar.bz2 diff --git a/ruby-1.8.6.111-CVE-2007-5162.patch b/ruby-1.8.6.111-CVE-2007-5162.patch deleted file mode 100644 index 5ed628d..0000000 --- a/ruby-1.8.6.111-CVE-2007-5162.patch +++ /dev/null @@ -1,97 +0,0 @@ -diff -pruN ruby-1.8.6-p111.orig/ext/openssl/lib/net/ftptls.rb ruby-1.8.6-p111/ext/openssl/lib/net/ftptls.rb ---- ruby-1.8.6-p111.orig/ext/openssl/lib/net/ftptls.rb 2007-02-13 08:01:19.000000000 +0900 -+++ ruby-1.8.6-p111/ext/openssl/lib/net/ftptls.rb 2007-10-29 21:10:24.000000000 +0900 -@@ -29,13 +29,23 @@ require 'net/ftp' - - module Net - class FTPTLS < FTP -+ def connect(host, port=FTP_PORT) -+ @hostname = host -+ super -+ end -+ - def login(user = "anonymous", passwd = nil, acct = nil) -+ store = OpenSSL::X509::Store.new -+ store.set_default_paths - ctx = OpenSSL::SSL::SSLContext.new('SSLv23') -+ ctx.cert_store = store -+ ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER - ctx.key = nil - ctx.cert = nil - voidcmd("AUTH TLS") - @sock = OpenSSL::SSL::SSLSocket.new(@sock, ctx) - @sock.connect -+ @sock.post_connection_check(@hostname) - super(user, passwd, acct) - voidcmd("PBSZ 0") - end -diff -pruN ruby-1.8.6-p111.orig/ext/openssl/lib/net/telnets.rb ruby-1.8.6-p111/ext/openssl/lib/net/telnets.rb ---- ruby-1.8.6-p111.orig/ext/openssl/lib/net/telnets.rb 2007-02-13 08:01:19.000000000 +0900 -+++ ruby-1.8.6-p111/ext/openssl/lib/net/telnets.rb 2007-10-29 21:13:03.000000000 +0900 -@@ -134,6 +134,9 @@ module Net - @sock.verify_callback = @options['VerifyCallback'] - @sock.verify_depth = @options['VerifyDepth'] - @sock.connect -+ if @options['VerifyMode'] != OpenSSL::SSL::VERIFY_NONE -+ @sock.post_connection_check(@options['Host']) -+ end - @ssl = true - end - '' -diff -pruN ruby-1.8.6-p111.orig/lib/net/http.rb ruby-1.8.6-p111/lib/net/http.rb ---- ruby-1.8.6-p111.orig/lib/net/http.rb 2007-09-24 17:12:24.000000000 +0900 -+++ ruby-1.8.6-p111/lib/net/http.rb 2007-10-29 21:12:12.000000000 +0900 -@@ -470,7 +470,6 @@ module Net #:nodoc: - @debug_output = nil - @use_ssl = false - @ssl_context = nil -- @enable_post_connection_check = false - end - - def inspect -@@ -527,9 +526,6 @@ module Net #:nodoc: - false # redefined in net/https - end - -- # specify enabling SSL server certificate and hostname checking. -- attr_accessor :enable_post_connection_check -- - # Opens TCP connection and HTTP session. - # - # When this method is called with block, gives a HTTP object -@@ -589,12 +585,7 @@ module Net #:nodoc: - end - s.connect - if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE -- begin -- s.post_connection_check(@address) -- rescue OpenSSL::SSL::SSLError => ex -- raise ex if @enable_post_connection_check -- warn ex.message -- end -+ s.post_connection_check(@address) - end - end - on_connect -diff -pruN ruby-1.8.6-p111.orig/lib/net/imap.rb ruby-1.8.6-p111/lib/net/imap.rb ---- ruby-1.8.6-p111.orig/lib/net/imap.rb 2007-08-22 08:28:09.000000000 +0900 -+++ ruby-1.8.6-p111/lib/net/imap.rb 2007-10-29 21:14:38.000000000 +0900 -@@ -900,6 +900,7 @@ module Net - end - @sock = SSLSocket.new(@sock, context) - @sock.connect # start ssl session. -+ @sock.post_connection_check(@host) if verify - else - @usessl = false - end -diff -pruN ruby-1.8.6-p111.orig/lib/open-uri.rb ruby-1.8.6-p111/lib/open-uri.rb ---- ruby-1.8.6-p111.orig/lib/open-uri.rb 2007-09-24 17:12:24.000000000 +0900 -+++ ruby-1.8.6-p111/lib/open-uri.rb 2007-10-29 21:16:03.000000000 +0900 -@@ -229,7 +229,6 @@ module OpenURI - if target.class == URI::HTTPS - require 'net/https' - http.use_ssl = true -- http.enable_post_connection_check = true - http.verify_mode = OpenSSL::SSL::VERIFY_PEER - store = OpenSSL::X509::Store.new - store.set_default_paths diff --git a/ruby.spec b/ruby.spec index 4d0e325..656c16b 100644 --- a/ruby.spec +++ b/ruby.spec @@ -1,6 +1,6 @@ %define rubyxver 1.8 %define rubyver 1.8.6 -%define _patchlevel 114 +%define _patchlevel 230 %define dotpatchlevel %{?_patchlevel:.%{_patchlevel}} %define patchlevel %{?_patchlevel:-p%{_patchlevel}} %define arcver %{rubyver}%{?patchlevel} @@ -17,9 +17,7 @@ License: Ruby or GPLv2 URL: http://www.ruby-lang.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: readline readline-devel ncurses ncurses-devel gdbm gdbm-devel glibc-devel tcl-devel tk-devel libX11-devel autoconf gcc unzip openssl-devel db4-devel byacc -%ifnarch ppc64 BuildRequires: emacs -%endif Source0: ftp://ftp.ruby-lang.org/pub/%{name}/%{rubyxver}/%{name}-%{arcver}.tar.bz2 ## Dead link @@ -35,7 +33,6 @@ Patch20: ruby-rubyprefix.patch Patch21: ruby-deprecated-sitelib-search-path.patch Patch22: ruby-deprecated-search-path.patch Patch23: ruby-multilib.patch -Patch24: ruby-1.8.6.111-CVE-2007-5162.patch Patch25: ruby-1.8.6.111-gcc43.patch Summary: An interpreter of object-oriented scripting language @@ -115,7 +112,6 @@ Group: Documentation Manuals and FAQs for the object-oriented scripting language Ruby. -%ifnarch ppc64 %package mode Summary: Emacs Lisp ruby-mode for the scripting language Ruby Group: Applications/Editors @@ -123,7 +119,6 @@ Requires: emacs-common %description mode Emacs Lisp ruby-mode for the object-oriented scripting language Ruby. -%endif %package ri @@ -156,7 +151,6 @@ pushd %{name}-%{arcver} %patch22 -p1 %patch23 -p1 %endif -%patch24 -p1 %patch25 -p1 popd @@ -203,10 +197,8 @@ popd %install rm -rf $RPM_BUILD_ROOT -%ifnarch ppc64 mkdir -p $RPM_BUILD_ROOT%{_datadir}/emacs/site-lisp/ruby-mode mkdir -p $RPM_BUILD_ROOT%{_datadir}/emacs/site-lisp/site-start.d -%endif # installing documents and exapmles... rm -rf tmp-ruby-docs @@ -310,7 +302,6 @@ mkdir -p $RPM_BUILD_ROOT%{sitedir}/%{rubyxver}/%{_normalized_cpu}-%{_target_os} # XXX: installing irb install -p -m 0644 %{SOURCE4} $RPM_BUILD_ROOT%{_mandir}/man1/ -%ifnarch ppc64 # installing ruby-mode cd %{name}-%{arcver} cp -p misc/*.el $RPM_BUILD_ROOT%{_datadir}/emacs/site-lisp/ruby-mode @@ -327,7 +318,6 @@ install -p -m 644 %{SOURCE10} \ $RPM_BUILD_ROOT%{_datadir}/emacs/site-lisp/site-start.d cd .. -%endif # remove shebang for i in $RPM_BUILD_ROOT%{_prefix}/lib/ruby/1.8/{abbrev,generator,irb/{cmd/subirb,ext/save-history},matrix,rdoc/{markup/sample/rdoc2latex,parsers/parse_rb},set,tsort}.rb; do @@ -500,7 +490,6 @@ rm -rf tmp-ruby-docs %doc tmp-ruby-docs/ruby-docs/* %doc tmp-ruby-docs/ruby-libs/* -%ifnarch ppc64 %files mode %defattr(-, root, root, -) %doc %{name}-%{arcver}/COPYING* @@ -511,9 +500,20 @@ rm -rf tmp-ruby-docs %doc %{name}-%{arcver}/misc/README %{_datadir}/emacs/site-lisp/ruby-mode %{_datadir}/emacs/site-lisp/site-start.d/ruby-mode-init.el -%endif %changelog +* Tue Jun 24 2008 Akira TAGOH - 1.8.6.230-1 +- New upstream release. +- Security fixes. (#452295) + - CVE-2008-1891: WEBrick CGI source disclosure. + - CVE-2008-2662: Integer overflow in rb_str_buf_append(). + - CVE-2008-2663: Integer overflow in rb_ary_store(). + - CVE-2008-2664: Unsafe use of alloca in rb_str_format(). + - CVE-2008-2725: Integer overflow in rb_ary_splice(). + - CVE-2008-2726: Integer overflow in rb_ary_splice(). +- ruby-1.8.6.111-CVE-2007-5162.patch: removed. +- Build ruby-mode package for all archtectures. + * Tue Mar 4 2008 Akira TAGOH - 1.8.6.114-1 - Security fix for CVE-2008-1145. - Improve a spec file. (#226381) diff --git a/sources b/sources index dff6ae6..33ddadd 100644 --- a/sources +++ b/sources @@ -2,4 +2,4 @@ d65e3a216d6d345a2a6f1aa8758c2f75 ruby-refm-rdp-1.8.1-ja-html.tar.gz 634c25b14e19925d10af3720d72e8741 rubyfaq-990927.tar.gz 4fcec898f51d8371cc42d0a013940469 rubyfaq-jp-990927.tar.gz -b4d0c74497f684814bcfbb41b7384a71 ruby-1.8.6-p114.tar.bz2 +3eceb42d4fc56398676c20a49ac7e044 ruby-1.8.6-p230.tar.bz2