From e9a1e47fca12f0b28f7a7d9b74cf9707630f376a Mon Sep 17 00:00:00 2001 From: Jeroen van Meeuwen Date: Sun, 15 Mar 2009 05:56:18 +0000 Subject: [PATCH] 1.8.6.287-4 --- .cvsignore | 23 +--- import.log | 1 + ruby-1.8.6-ossl-rand-range.patch | 14 --- ruby-1.8.6-p287-CVE-2008-5189.patch | 14 +++ ruby-1.8.6-p287-remove-ssl-rand-range.patch | 113 ++++++++++++++++++++ ruby.spec | 45 ++++---- sources | 3 +- 7 files changed, 154 insertions(+), 59 deletions(-) create mode 100644 import.log delete mode 100644 ruby-1.8.6-ossl-rand-range.patch create mode 100644 ruby-1.8.6-p287-CVE-2008-5189.patch create mode 100644 ruby-1.8.6-p287-remove-ssl-rand-range.patch diff --git a/.cvsignore b/.cvsignore index 8b4ee53..ca8d1fe 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1,25 +1,4 @@ -ruby-1.8.1.tar.gz -ruby-man-1.4.6.tar.bz2 +ruby-1.8.6-p287.tar.bz2 ruby-refm-rdp-1.8.1-ja-html.tar.gz -rubyfaq-990927.tar.bz2 -rubyfaq-jp-990927.tar.bz2 -*.rpm -*.gz -*.bz2 -ruby-1.8.2.tar.gz -ruby-1.8.3.tar.gz -ruby-1.8.4-preview1.tar.gz -ruby-1.8.4-preview2.tar.gz -ruby-1.8.4.tar.gz -ruby-1.8.5.tar.gz -ruby-1.8.5-p2.tar.gz -ruby-1.8.5-p12.tar.gz -ruby-1.8.6.tar.bz2 -ruby-1.8.6-p36.tar.bz2 -ruby-1.8.6-p110.tar.bz2 -ruby-1.8.6-p111.tar.bz2 rubyfaq-990927.tar.gz rubyfaq-jp-990927.tar.gz -ruby-1.8.6-p114.tar.bz2 -ruby-1.8.6-p230.tar.bz2 -ruby-1.8.6-p287.tar.bz2 diff --git a/import.log b/import.log new file mode 100644 index 0000000..7da8d49 --- /dev/null +++ b/import.log @@ -0,0 +1 @@ +ruby-1_8_6_287-4_fc10:HEAD:ruby-1.8.6.287-4.fc10.src.rpm:1237096558 diff --git a/ruby-1.8.6-ossl-rand-range.patch b/ruby-1.8.6-ossl-rand-range.patch deleted file mode 100644 index 790a760..0000000 --- a/ruby-1.8.6-ossl-rand-range.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff -up ruby-1.8.6-p287/ext/openssl/openssl_missing.h.rand-range ruby-1.8.6-p287/ext/openssl/openssl_missing.h ---- ruby-1.8.6-p287/ext/openssl/openssl_missing.h.rand-range 2008-08-04 06:43:34.000000000 +0200 -+++ ruby-1.8.6-p287/ext/openssl/openssl_missing.h 2009-01-26 15:11:23.000000000 +0100 -@@ -120,8 +120,8 @@ int X509_CRL_add0_revoked(X509_CRL *crl, - int BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); - int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx); - int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx); --int BN_rand_range(BIGNUM *r, BIGNUM *range); --int BN_pseudo_rand_range(BIGNUM *r, BIGNUM *range); -+int BN_rand_range(BIGNUM *r, const BIGNUM *range); -+int BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range); - char *CONF_get1_default_config_file(void); - int PEM_def_callback(char *buf, int num, int w, void *key); - diff --git a/ruby-1.8.6-p287-CVE-2008-5189.patch b/ruby-1.8.6-p287-CVE-2008-5189.patch new file mode 100644 index 0000000..2854826 --- /dev/null +++ b/ruby-1.8.6-p287-CVE-2008-5189.patch @@ -0,0 +1,14 @@ +--- lib/cgi.rb (revision 19665) ++++ lib/cgi.rb (working copy) +@@ -546,6 +546,11 @@ + when Hash + options = options.dup + end ++ options.each_value do |value| ++ if /\n(?![ \t])/ === value ++ raise ArgumentError, "potential HTTP header injection detected" ++ end ++ end + + unless options.has_key?("type") + options["type"] = "text/html" diff --git a/ruby-1.8.6-p287-remove-ssl-rand-range.patch b/ruby-1.8.6-p287-remove-ssl-rand-range.patch new file mode 100644 index 0000000..75bef4e --- /dev/null +++ b/ruby-1.8.6-p287-remove-ssl-rand-range.patch @@ -0,0 +1,113 @@ +diff -ur ruby-1.8.6-p287.orig/ext/openssl/openssl_missing.c ruby-1.8.6-p287/ext/openssl/openssl_missing.c +--- ruby-1.8.6-p287.orig/ext/openssl/openssl_missing.c 2007-02-13 00:01:19.000000000 +0100 ++++ ruby-1.8.6-p287/ext/openssl/openssl_missing.c 2009-03-15 05:32:31.000000000 +0100 +@@ -43,7 +43,7 @@ + { + return CRYPTO_set_ex_data(&str->ex_data, idx, data); + } +- ++ + void *X509_STORE_get_ex_data(X509_STORE *str, int idx) + { + return CRYPTO_get_ex_data(&str->ex_data, idx); +@@ -113,7 +113,7 @@ + #endif + + #if !defined(HAVE_EVP_CIPHER_CTX_COPY) +-/* ++/* + * this function does not exist in OpenSSL yet... or ever?. + * a future version may break this function. + * tested on 0.9.7d. +@@ -182,12 +182,12 @@ + (ASN1_STRING *)(*a)->serialNumber, + (ASN1_STRING *)(*b)->serialNumber)); + } +- ++ + int + X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev) + { + X509_CRL_INFO *inf; +- ++ + inf = crl->crl; + if (!inf->revoked) + inf->revoked = sk_X509_REVOKED_new(OSSL_X509_REVOKED_cmp); +@@ -233,54 +233,6 @@ + } + #endif + +-#if !defined(HAVE_BN_RAND_RANGE) || !defined(HAVE_BN_PSEUDO_RAND_RANGE) +-static int +-bn_rand_range(int pseudo, BIGNUM *r, BIGNUM *range) +-{ +- int (*bn_rand)(BIGNUM *, int, int, int) = pseudo ? BN_pseudo_rand : BN_rand; +- int n; +- +- if (range->neg || BN_is_zero(range)) return 0; +- +- n = BN_num_bits(range); +- +- if (n == 1) { +- if (!BN_zero(r)) return 0; +- } else if (!BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3)) { +- do { +- if (!bn_rand(r, n + 1, -1, 0)) return 0; +- if (BN_cmp(r ,range) >= 0) { +- if (!BN_sub(r, r, range)) return 0; +- if (BN_cmp(r, range) >= 0) +- if (!BN_sub(r, r, range)) return 0; +- } +- } while (BN_cmp(r, range) >= 0); +- } else { +- do { +- if (!bn_rand(r, n, -1, 0)) return 0; +- } while (BN_cmp(r, range) >= 0); +- } +- +- return 1; +-} +-#endif +- +-#if !defined(HAVE_BN_RAND_RANGE) +-int +-BN_rand_range(BIGNUM *r, BIGNUM *range) +-{ +- return bn_rand_range(0, r, range); +-} +-#endif +- +-#if !defined(HAVE_BN_PSEUDO_RAND_RANGE) +-int +-BN_pseudo_rand_range(BIGNUM *r, BIGNUM *range) +-{ +- return bn_rand_range(1, r, range); +-} +-#endif +- + #if !defined(HAVE_CONF_GET1_DEFAULT_CONFIG_FILE) + #define OPENSSL_CONF "openssl.cnf" + char * +@@ -315,7 +267,7 @@ + { + int i,j; + const char *prompt; +- ++ + if (key) { + i = strlen(key); + i = (i > num) ? num : i; +diff -ur ruby-1.8.6-p287.orig/ext/openssl/openssl_missing.h ruby-1.8.6-p287/ext/openssl/openssl_missing.h +--- ruby-1.8.6-p287.orig/ext/openssl/openssl_missing.h 2008-08-04 06:43:34.000000000 +0200 ++++ ruby-1.8.6-p287/ext/openssl/openssl_missing.h 2009-03-15 05:33:56.000000000 +0100 +@@ -120,8 +120,6 @@ + int BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); + int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx); + int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx); +-int BN_rand_range(BIGNUM *r, BIGNUM *range); +-int BN_pseudo_rand_range(BIGNUM *r, BIGNUM *range); + char *CONF_get1_default_config_file(void); + int PEM_def_callback(char *buf, int num, int w, void *key); + +Only in ruby-1.8.6-p287/ext/openssl: .openssl_missing.h.swp diff --git a/ruby.spec b/ruby.spec index d046d7f..1b9c9de 100644 --- a/ruby.spec +++ b/ruby.spec @@ -34,8 +34,9 @@ Patch21: ruby-deprecated-sitelib-search-path.patch Patch22: ruby-deprecated-search-path.patch Patch23: ruby-multilib.patch Patch25: ruby-1.8.6.111-gcc43.patch -Patch26: ruby-1.8.6-rexml-CVE-2008-3790.patch -Patch27: ruby-1.8.6-ossl-rand-range.patch +Patch26: ruby-1.8.6-rexml-CVE-2008-3790.patch +Patch27: ruby-1.8.6-p287-CVE-2008-5189.patch +Patch28: ruby-1.8.6-p287-remove-ssl-rand-range.patch Summary: An interpreter of object-oriented scripting language Group: Development/Languages @@ -155,7 +156,8 @@ pushd %{name}-%{arcver} %endif %patch25 -p1 %patch26 -p1 -%patch27 -p1 +%patch27 -p0 +%patch28 -p1 popd %build @@ -167,7 +169,7 @@ autoconf rb_cv_func_strtod=no export rb_cv_func_strtod -CFLAGS="$RPM_OPT_FLAGS -Wall" +CFLAGS="$RPM_OPT_FLAGS -Wall -O0 -fno-strict-aliasing" export CFLAGS %configure \ --with-sitedir='%{sitedir}' \ @@ -281,11 +283,11 @@ done find -type f | xargs chmod 0644 # convert to utf-8 -for i in `find -type f`; do - iconv -f utf-8 -t utf-8 $i > /dev/null 2>&1 || (iconv -f euc-jp -t utf-8 $i > $i.new && mv $i.new $i || exit 1) - if [ $? != 0 ]; then - iconv -f iso8859-1 -t utf-8 $i > $.new && mv $i.new $i || exit 1 - fi +for i in `find -type f ! -name "*.gif"`; do + sh -c "iconv -f utf-8 -t utf-8 $i > /dev/null 2>&1 || (iconv -f euc-jp -t utf-8 $i > $i.new && mv $i.new $i || exit 1) + if [ $? != 0 ]; then + iconv -f iso8859-1 -t utf-8 $i > $.new && mv $i.new $i || exit 1 + fi" done # done @@ -328,6 +330,8 @@ for i in $RPM_BUILD_ROOT%{_prefix}/lib/ruby/1.8/{abbrev,generator,irb/{cmd/subir sed -i -e '/^#!.*/,1D' $i done +find $RPM_BUILD_ROOT/ -name "*.so" -exec chmod 755 {} \; + %clean rm -rf $RPM_BUILD_ROOT rm -rf tmp-ruby-docs @@ -343,10 +347,10 @@ rm -rf tmp-ruby-docs %doc %{name}-%{arcver}/GPL %doc %{name}-%{arcver}/LEGAL %doc %{name}-%{arcver}/LGPL -%doc %{name}-%{arcver}/NEWS +%doc %{name}-%{arcver}/NEWS %doc %{name}-%{arcver}/README %lang(ja) %doc %{name}-%{arcver}/README.ja -%doc %{name}-%{arcver}/ToDo +%doc %{name}-%{arcver}/ToDo %doc %{name}-%{arcver}/doc/ChangeLog-1.8.0 %doc %{name}-%{arcver}/doc/NEWS-1.8.0 %doc tmp-ruby-docs/ruby/* @@ -506,12 +510,11 @@ rm -rf tmp-ruby-docs %{_datadir}/emacs/site-lisp/site-start.d/ruby-mode-init.el %changelog -* Wed Feb 25 2009 Fedora Release Engineering - 1.8.6.287-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild +* Thu Mar 05 2009 Jeroen van Meeuwen - 1.8.6.287-4 +- Rebuild for gcc4.4 -* Mon Jan 26 2009 Tomas Mraz - 1.8.6.287-3 -- rebuild with new openssl -- BN_rand_range functions are now constified +* Fri Feb 27 2009 Jeroen van Meeuwen - 1.8.6.287-3 +- CVE-2008-5189: CGI header injection. * Wed Oct 8 2008 Akira TAGOH - 1.8.6.287-2 - CVE-2008-3790: DoS vulnerability in the REXML module. @@ -891,8 +894,8 @@ rm -rf tmp-ruby-docs * Mon Dec 16 2002 Elliot Lee 1.6.7-13 - Remove ExcludeArch: x86_64 -- Fix x86_64 ruby with long2int.patch (ruby was assuming that sizeof(long) - == sizeof(int). The patch does not fix the source of the problem, just +- Fix x86_64 ruby with long2int.patch (ruby was assuming that sizeof(long) + == sizeof(int). The patch does not fix the source of the problem, just makes it a non-issue.) - _smp_mflags @@ -949,7 +952,7 @@ rm -rf tmp-ruby-docs removed. - ruby-1.6.7-100.patch: applied a bug fix patch. (ruby-dev#16274: patch for 'wm state') - (PR#206ja: SEGV handle EXIT) + (PR#206ja: SEGV handle EXIT) - ruby-1.6.7-101.patch: applied a bug fix patch. (ruby-list#34313: singleton should not be Marshal.dump'ed) (ruby-dev#16411: block local var) @@ -1050,7 +1053,7 @@ rm -rf tmp-ruby-docs * Thu Dec 14 2000 akira yamada - Removed ruby_cvs.2000101901.patch, added ruby_cvs.2000121413.patch (upgraded ruby to latest cvs version). -- Removed ruby-dev.11262.patch, ruby-dev.11265.patch, +- Removed ruby-dev.11262.patch, ruby-dev.11265.patch, and ruby-dev.11268.patch (included into above patch). * Sun Nov 12 2000 MACHINO, Satoshi 1.6.1-0vl9 @@ -1064,7 +1067,7 @@ rm -rf tmp-ruby-docs (upgraded ruby to latest cvs version). - Added ruby-dev.11262.patch. - Added ruby-dev.11265.patch. - + * Wed Oct 11 2000 akira yamada - Removed ruby_cvs.2000100313.patch and added ruby_cvs.2000101117.patch (upgraded ruby to latest cvs version). diff --git a/sources b/sources index 6e9470f..6c9de9d 100644 --- a/sources +++ b/sources @@ -1,5 +1,4 @@ -8336b859400795ec51d05878c1a658b7 ruby-man-1.4.6.tar.bz2 +80b5f3db12531d36e6c81fac6d05dda9 ruby-1.8.6-p287.tar.bz2 d65e3a216d6d345a2a6f1aa8758c2f75 ruby-refm-rdp-1.8.1-ja-html.tar.gz 634c25b14e19925d10af3720d72e8741 rubyfaq-990927.tar.gz 4fcec898f51d8371cc42d0a013940469 rubyfaq-jp-990927.tar.gz -80b5f3db12531d36e6c81fac6d05dda9 ruby-1.8.6-p287.tar.bz2