- New upstream release.

- Security fixes. (#452295)
- CVE-2008-1891: WEBrick CGI source disclosure.
- CVE-2008-2662: Integer overflow in rb_str_buf_append().
- CVE-2008-2663: Integer overflow in rb_ary_store().
- CVE-2008-2664: Unsafe use of alloca in rb_str_format().
- CVE-2008-2725: Integer overflow in rb_ary_splice().
- CVE-2008-2726: Integer overflow in rb_ary_splice().
- ruby-1.8.6.111-CVE-2007-5162.patch: removed.
- Build ruby-mode package for all archtectures.
This commit is contained in:
Akira TAGOH 2008-06-24 03:32:31 +00:00
parent a4b170df84
commit 9f5e44d23c
4 changed files with 15 additions and 111 deletions

View File

@ -21,3 +21,4 @@ ruby-1.8.6-p111.tar.bz2
rubyfaq-990927.tar.gz
rubyfaq-jp-990927.tar.gz
ruby-1.8.6-p114.tar.bz2
ruby-1.8.6-p230.tar.bz2

View File

@ -1,97 +0,0 @@
diff -pruN ruby-1.8.6-p111.orig/ext/openssl/lib/net/ftptls.rb ruby-1.8.6-p111/ext/openssl/lib/net/ftptls.rb
--- ruby-1.8.6-p111.orig/ext/openssl/lib/net/ftptls.rb 2007-02-13 08:01:19.000000000 +0900
+++ ruby-1.8.6-p111/ext/openssl/lib/net/ftptls.rb 2007-10-29 21:10:24.000000000 +0900
@@ -29,13 +29,23 @@ require 'net/ftp'
module Net
class FTPTLS < FTP
+ def connect(host, port=FTP_PORT)
+ @hostname = host
+ super
+ end
+
def login(user = "anonymous", passwd = nil, acct = nil)
+ store = OpenSSL::X509::Store.new
+ store.set_default_paths
ctx = OpenSSL::SSL::SSLContext.new('SSLv23')
+ ctx.cert_store = store
+ ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
ctx.key = nil
ctx.cert = nil
voidcmd("AUTH TLS")
@sock = OpenSSL::SSL::SSLSocket.new(@sock, ctx)
@sock.connect
+ @sock.post_connection_check(@hostname)
super(user, passwd, acct)
voidcmd("PBSZ 0")
end
diff -pruN ruby-1.8.6-p111.orig/ext/openssl/lib/net/telnets.rb ruby-1.8.6-p111/ext/openssl/lib/net/telnets.rb
--- ruby-1.8.6-p111.orig/ext/openssl/lib/net/telnets.rb 2007-02-13 08:01:19.000000000 +0900
+++ ruby-1.8.6-p111/ext/openssl/lib/net/telnets.rb 2007-10-29 21:13:03.000000000 +0900
@@ -134,6 +134,9 @@ module Net
@sock.verify_callback = @options['VerifyCallback']
@sock.verify_depth = @options['VerifyDepth']
@sock.connect
+ if @options['VerifyMode'] != OpenSSL::SSL::VERIFY_NONE
+ @sock.post_connection_check(@options['Host'])
+ end
@ssl = true
end
''
diff -pruN ruby-1.8.6-p111.orig/lib/net/http.rb ruby-1.8.6-p111/lib/net/http.rb
--- ruby-1.8.6-p111.orig/lib/net/http.rb 2007-09-24 17:12:24.000000000 +0900
+++ ruby-1.8.6-p111/lib/net/http.rb 2007-10-29 21:12:12.000000000 +0900
@@ -470,7 +470,6 @@ module Net #:nodoc:
@debug_output = nil
@use_ssl = false
@ssl_context = nil
- @enable_post_connection_check = false
end
def inspect
@@ -527,9 +526,6 @@ module Net #:nodoc:
false # redefined in net/https
end
- # specify enabling SSL server certificate and hostname checking.
- attr_accessor :enable_post_connection_check
-
# Opens TCP connection and HTTP session.
#
# When this method is called with block, gives a HTTP object
@@ -589,12 +585,7 @@ module Net #:nodoc:
end
s.connect
if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
- begin
- s.post_connection_check(@address)
- rescue OpenSSL::SSL::SSLError => ex
- raise ex if @enable_post_connection_check
- warn ex.message
- end
+ s.post_connection_check(@address)
end
end
on_connect
diff -pruN ruby-1.8.6-p111.orig/lib/net/imap.rb ruby-1.8.6-p111/lib/net/imap.rb
--- ruby-1.8.6-p111.orig/lib/net/imap.rb 2007-08-22 08:28:09.000000000 +0900
+++ ruby-1.8.6-p111/lib/net/imap.rb 2007-10-29 21:14:38.000000000 +0900
@@ -900,6 +900,7 @@ module Net
end
@sock = SSLSocket.new(@sock, context)
@sock.connect # start ssl session.
+ @sock.post_connection_check(@host) if verify
else
@usessl = false
end
diff -pruN ruby-1.8.6-p111.orig/lib/open-uri.rb ruby-1.8.6-p111/lib/open-uri.rb
--- ruby-1.8.6-p111.orig/lib/open-uri.rb 2007-09-24 17:12:24.000000000 +0900
+++ ruby-1.8.6-p111/lib/open-uri.rb 2007-10-29 21:16:03.000000000 +0900
@@ -229,7 +229,6 @@ module OpenURI
if target.class == URI::HTTPS
require 'net/https'
http.use_ssl = true
- http.enable_post_connection_check = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
store = OpenSSL::X509::Store.new
store.set_default_paths

View File

@ -1,6 +1,6 @@
%define rubyxver 1.8
%define rubyver 1.8.6
%define _patchlevel 114
%define _patchlevel 230
%define dotpatchlevel %{?_patchlevel:.%{_patchlevel}}
%define patchlevel %{?_patchlevel:-p%{_patchlevel}}
%define arcver %{rubyver}%{?patchlevel}
@ -17,9 +17,7 @@ License: Ruby or GPLv2
URL: http://www.ruby-lang.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: readline readline-devel ncurses ncurses-devel gdbm gdbm-devel glibc-devel tcl-devel tk-devel libX11-devel autoconf gcc unzip openssl-devel db4-devel byacc
%ifnarch ppc64
BuildRequires: emacs
%endif
Source0: ftp://ftp.ruby-lang.org/pub/%{name}/%{rubyxver}/%{name}-%{arcver}.tar.bz2
## Dead link
@ -35,7 +33,6 @@ Patch20: ruby-rubyprefix.patch
Patch21: ruby-deprecated-sitelib-search-path.patch
Patch22: ruby-deprecated-search-path.patch
Patch23: ruby-multilib.patch
Patch24: ruby-1.8.6.111-CVE-2007-5162.patch
Patch25: ruby-1.8.6.111-gcc43.patch
Summary: An interpreter of object-oriented scripting language
@ -115,7 +112,6 @@ Group: Documentation
Manuals and FAQs for the object-oriented scripting language Ruby.
%ifnarch ppc64
%package mode
Summary: Emacs Lisp ruby-mode for the scripting language Ruby
Group: Applications/Editors
@ -123,7 +119,6 @@ Requires: emacs-common
%description mode
Emacs Lisp ruby-mode for the object-oriented scripting language Ruby.
%endif
%package ri
@ -156,7 +151,6 @@ pushd %{name}-%{arcver}
%patch22 -p1
%patch23 -p1
%endif
%patch24 -p1
%patch25 -p1
popd
@ -203,10 +197,8 @@ popd
%install
rm -rf $RPM_BUILD_ROOT
%ifnarch ppc64
mkdir -p $RPM_BUILD_ROOT%{_datadir}/emacs/site-lisp/ruby-mode
mkdir -p $RPM_BUILD_ROOT%{_datadir}/emacs/site-lisp/site-start.d
%endif
# installing documents and exapmles...
rm -rf tmp-ruby-docs
@ -310,7 +302,6 @@ mkdir -p $RPM_BUILD_ROOT%{sitedir}/%{rubyxver}/%{_normalized_cpu}-%{_target_os}
# XXX: installing irb
install -p -m 0644 %{SOURCE4} $RPM_BUILD_ROOT%{_mandir}/man1/
%ifnarch ppc64
# installing ruby-mode
cd %{name}-%{arcver}
cp -p misc/*.el $RPM_BUILD_ROOT%{_datadir}/emacs/site-lisp/ruby-mode
@ -327,7 +318,6 @@ install -p -m 644 %{SOURCE10} \
$RPM_BUILD_ROOT%{_datadir}/emacs/site-lisp/site-start.d
cd ..
%endif
# remove shebang
for i in $RPM_BUILD_ROOT%{_prefix}/lib/ruby/1.8/{abbrev,generator,irb/{cmd/subirb,ext/save-history},matrix,rdoc/{markup/sample/rdoc2latex,parsers/parse_rb},set,tsort}.rb; do
@ -500,7 +490,6 @@ rm -rf tmp-ruby-docs
%doc tmp-ruby-docs/ruby-docs/*
%doc tmp-ruby-docs/ruby-libs/*
%ifnarch ppc64
%files mode
%defattr(-, root, root, -)
%doc %{name}-%{arcver}/COPYING*
@ -511,9 +500,20 @@ rm -rf tmp-ruby-docs
%doc %{name}-%{arcver}/misc/README
%{_datadir}/emacs/site-lisp/ruby-mode
%{_datadir}/emacs/site-lisp/site-start.d/ruby-mode-init.el
%endif
%changelog
* Tue Jun 24 2008 Akira TAGOH <tagoh@redhat.com> - 1.8.6.230-1
- New upstream release.
- Security fixes. (#452295)
- CVE-2008-1891: WEBrick CGI source disclosure.
- CVE-2008-2662: Integer overflow in rb_str_buf_append().
- CVE-2008-2663: Integer overflow in rb_ary_store().
- CVE-2008-2664: Unsafe use of alloca in rb_str_format().
- CVE-2008-2725: Integer overflow in rb_ary_splice().
- CVE-2008-2726: Integer overflow in rb_ary_splice().
- ruby-1.8.6.111-CVE-2007-5162.patch: removed.
- Build ruby-mode package for all archtectures.
* Tue Mar 4 2008 Akira TAGOH <tagoh@redhat.com> - 1.8.6.114-1
- Security fix for CVE-2008-1145.
- Improve a spec file. (#226381)

View File

@ -2,4 +2,4 @@
d65e3a216d6d345a2a6f1aa8758c2f75 ruby-refm-rdp-1.8.1-ja-html.tar.gz
634c25b14e19925d10af3720d72e8741 rubyfaq-990927.tar.gz
4fcec898f51d8371cc42d0a013940469 rubyfaq-jp-990927.tar.gz
b4d0c74497f684814bcfbb41b7384a71 ruby-1.8.6-p114.tar.bz2
3eceb42d4fc56398676c20a49ac7e044 ruby-1.8.6-p230.tar.bz2