authorSergey Matveychuk <sem@FreeBSD.org>2005-10-27 19:40:25 +0000
committerSergey Matveychuk <sem@FreeBSD.org>2005-10-27 19:40:25 +0000
commit705fca86db25e33096fa9baaa430c86e9ad25b22 (patch)
treecff00e9fa08f6273eab8508651faef0dcb8c497c
parent- Remove some patches and use REINPLACE_CMD, *_ARGS and *_ENV instead (diff)
- Fix a ruby vulnerability in the safe level settings.
Based on: ports/87816 Submitted by: Phil Oleson <oz@nixil.net> Security: http://vuxml.FreeBSD.org/1daea60a-4719-11da-b5c6-0004614cc33d.html
Notes
Notes: svn path=/head/; revision=146505
-rw-r--r--Mk/bsd.ruby.mk8
-rw-r--r--lang/ruby16/Makefile7
-rw-r--r--lang/ruby16/distinfo2
-rw-r--r--lang/ruby18/Makefile7
-rw-r--r--lang/ruby18/distinfo2
-rw-r--r--lang/ruby18/files/patch-lib_xmlrpc_utils.rb11
-rw-r--r--security/vuxml/vuln.xml36
7 files changed, 56 insertions, 17 deletions
diff --git a/Mk/bsd.ruby.mk b/Mk/bsd.ruby.mk
index c63e436de039..5ea32f078c89 100644
--- a/Mk/bsd.ruby.mk
+++ b/Mk/bsd.ruby.mk
@@ -139,6 +139,10 @@ RUBY?= ${LOCALBASE}/bin/${RUBY_NAME}
RUBY_VERSION?= 1.8.2
#RUBY_DISTVERSION?= ${RUBY_VERSION}
#RUBY_PATCHFILES?= ruby-${RUBY_DISTVERSION}-yyyy.mm.dd.diff.bz2
+
+# Security patch
+RUBY_PATCHFILES?= ${RUBY_VERSION}-patch1.gz
+
#RUBY_PORTVERSION?= ${RUBY_VERSION}
RUBY_WRKSRC= ${WRKDIR}/ruby-${RUBY_VERSION}
#MASTER_SITE_SUBDIR_RUBY= snapshots
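Review bot: The new `RUBY_PATCHFILES?= ${RUBY_VERSION}-patch1.gz` is a conditional assignment, so any RUBY_PATCHFILES already set in the environment or in make.conf wins and the security patch is silently not applied; an unconditional `RUBY_PATCHFILES= ${RUBY_VERSION}-patch1.gz` (or a comment stating that the variable is deliberately overridable) would make the intent explicit. The same applies to the 1.6 block in the next hunk of this file. The `# Security patch` comment also does not say which issue the patch addresses, so a reader of the mk file has to find this commit to learn it; `# Security patch: safe-level bypass, CAN-2005-2337 (vuxml 1daea60a-4719-11da-b5c6-0004614cc33d)` would carry that with the file. Note as well that the file name is derived from RUBY_VERSION, which is itself `?=`, so an overridden RUBY_VERSION presumably yields a patch name that does not exist on the patch site; whether the framework then fails loudly is not visible here.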
@@ -148,6 +152,10 @@ BROKEN= "Ruby 1.7 is obsolete; set RUBY_VER to 1.8 instead."
RUBY_VERSION?= 1.6.8
RUBY_DISTVERSION?= ${RUBY_VERSION}-2004.07.28
#RUBY_PATCHFILES?= ruby-${RUBY_DISTVERSION}-${RUBY_PORTVERSION}.diff.bz2
+
+# Security patch
+RUBY_PATCHFILES?= ${RUBY_VERSION}-patch1.gz
+
RUBY_PORTVERSION?= ${RUBY_VERSION}.2004.07.28
#RUBY_WRKSRC= ${WRKDIR}/ruby-${RUBY_VERSION}
MASTER_SITE_SUBDIR_RUBY= snapshots
diff --git a/lang/ruby16/Makefile b/lang/ruby16/Makefile
index 7212c8bb08ba..627f276d9531 100644
--- a/lang/ruby16/Makefile
+++ b/lang/ruby16/Makefile
@@ -7,7 +7,7 @@
PORTNAME= ruby
PORTVERSION= ${RUBY_PORTVERSION}
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= lang ruby ipv6
MASTER_SITES= ${MASTER_SITE_RUBY}
MASTER_SITE_SUBDIR= ${MASTER_SITE_SUBDIR_RUBY}
@@ -15,9 +15,10 @@ DISTFILES= ${RUBY_DISTNAME}${EXTRACT_SUFX}
DIST_SUBDIR= ruby
PATCH_SITES= ${MASTER_SITE_RUBY}
-PATCH_SITE_SUBDIR= snapshots
+#PATCH_SITE_SUBDIR= snapshots
+PATCH_SITE_SUBDIR= 1.6
PATCHFILES= ${RUBY_PATCHFILES}
-PATCH_DIST_STRIP= -p1
+#PATCH_DIST_STRIP= -p1
MAINTAINER= knu@FreeBSD.org
COMMENT= An object-oriented interpreted scripting language
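Review bot: The hunk keeps the superseded settings as dead lines (`#PATCH_SITE_SUBDIR= snapshots`, `#PATCH_DIST_STRIP= -p1`) rather than deleting them; the old values are recoverable from version control, and commented-out assignments next to live ones invite someone to re-enable the wrong pair. I would drop both commented lines and keep only `PATCH_SITE_SUBDIR= 1.6`. Removing PATCH_DIST_STRIP also changes the strip level the distributed patch is applied with, which has to match the paths inside 1.6.8-patch1.gz; that cannot be checked from the page, so a short comment stating that the upstream patch is rooted at the source tree would document the dependency. The same pattern appears in the lang/ruby18/Makefile hunk.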
diff --git a/lang/ruby16/distinfo b/lang/ruby16/distinfo
index dd77998b6eeb..fb6206a3971e 100644
--- a/lang/ruby16/distinfo
+++ b/lang/ruby16/distinfo
@@ -1,2 +1,4 @@
MD5 (ruby/ruby-1.6.8-2004.07.28.tar.bz2) = dfaffe53746f58d357e577b56ff0013d
SIZE (ruby/ruby-1.6.8-2004.07.28.tar.bz2) = 905405
+MD5 (ruby/1.6.8-patch1.gz) = 7a97381d61576e68aec94d60bc4cbbab
+SIZE (ruby/1.6.8-patch1.gz) = 1178
diff --git a/lang/ruby18/Makefile b/lang/ruby18/Makefile
index 8bc1874f16f0..5d4d5a376c8c 100644
--- a/lang/ruby18/Makefile
+++ b/lang/ruby18/Makefile
@@ -7,7 +7,7 @@
PORTNAME= ruby
PORTVERSION= ${RUBY_PORTVERSION}
-PORTREVISION= 4
+PORTREVISION= 5
CATEGORIES= lang ruby ipv6
MASTER_SITES= ${MASTER_SITE_RUBY}
MASTER_SITE_SUBDIR= ${MASTER_SITE_SUBDIR_RUBY}
@@ -15,9 +15,10 @@ DISTFILES= ${RUBY_DISTNAME}${EXTRACT_SUFX}
DIST_SUBDIR= ruby
PATCH_SITES= ${MASTER_SITE_RUBY}
-PATCH_SITE_SUBDIR= snapshots
+#PATCH_SITE_SUBDIR= snapshots
+PATCH_SITE_SUBDIR= 1.8
PATCHFILES= ${RUBY_PATCHFILES}
-PATCH_DIST_STRIP= -p1
+#PATCH_DIST_STRIP= -p1
MAINTAINER= knu@FreeBSD.org
COMMENT= An object-oriented interpreted scripting language
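Review bot: Nothing in this hunk records that the fetched `1.8.2-patch1.gz` now also stands in for the local files/patch-lib_xmlrpc_utils.rb that this commit deletes (the `public_instance_methods(false)` fix in xmlrpc/utils.rb); whether the upstream patch contains that change cannot be verified from the page, and if it does not, the earlier fix regresses silently with this revision. A comment on the `PATCHFILES= ${RUBY_PATCHFILES}` line, e.g. `# upstream patch1 supersedes the former local xmlrpc/utils.rb patch`, would tie the two changes together for the next maintainer, and the commit message could state the same. If the upstream patch was not checked for that hunk, keeping the local patch alongside it until confirmed would be the safer ordering.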
diff --git a/lang/ruby18/distinfo b/lang/ruby18/distinfo
index e150ecddcca3..28bf85101043 100644
--- a/lang/ruby18/distinfo
+++ b/lang/ruby18/distinfo
@@ -1,2 +1,4 @@
MD5 (ruby/ruby-1.8.2.tar.gz) = 8ffc79d96f336b80f2690a17601dea9b
SIZE (ruby/ruby-1.8.2.tar.gz) = 3627349
+MD5 (ruby/1.8.2-patch1.gz) = 4f32bae4546421a20a9211253da103d3
+SIZE (ruby/1.8.2-patch1.gz) = 1347
diff --git a/lang/ruby18/files/patch-lib_xmlrpc_utils.rb b/lang/ruby18/files/patch-lib_xmlrpc_utils.rb
deleted file mode 100644
index bdf98e240ba7..000000000000
--- a/lang/ruby18/files/patch-lib_xmlrpc_utils.rb
+++ /dev/null
@@ -1,11 +0,0 @@
---- lib/xmlrpc/utils.rb.orig Fri Jul 1 07:38:00 2005
-+++ lib/xmlrpc/utils.rb Fri Jul 1 07:38:55 2005
-@@ -138,7 +138,7 @@
-
- def get_methods(obj, delim=".")
- prefix = @prefix + delim
-- obj.class.public_instance_methods.collect { |name|
-+ obj.class.public_instance_methods(false).collect { |name|
- [prefix + name, obj.method(name).to_proc, nil, nil]
- }
- end
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index d7f5a76b18ee..02fec9b55a77 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -34,6 +34,42 @@ Note: Please add new entries to the beginning of this file.
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="1daea60a-4719-11da-b5c6-0004614cc33d">
+ <topic>ruby -- vulnerability in the safe level settings</topic>
+ <affects>
+ <package>
+ <name>ruby</name>
+ <name>ruby_static</name>
+ <range><gt>1.6.*</gt><lt>1.6.8.2004.07.28_2</lt></range>
+ <range><gt>1.8.*</gt><lt>1.8.2_5</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Ruby home page reports:</p>
+ <blockquote cite="http://www.ruby-lang.org/en/20051003.html">
+ <p>The Object Oriented Scripting Language Ruby supports
+ safely executing an untrusted code with two mechanisms:
+ safe level and taint flag on objects.</p>
+ <p>A vulnerability has been found that allows bypassing
+ these mechanisms.</p>
+ <p>By using the vulnerability, arbitrary code can be executed
+ beyond the restrictions specified in each safe level.
+ Therefore, Ruby has to be updated on all systems that use
+ safe level to execute untrusted code.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CAN-2005-2337</cvename>
+ <url>http://www.ruby-lang.org/en/20051003.html</url>
+ </references>
+ <dates>
+ <discovery>2005-10-02</discovery>
+ <entry>2005-10-27</entry>
+ </dates>
+ </vuln>
+
<vuln vid="2f0cb4bb-416d-11da-99fe-000854d03344">
<topic>xloadimage -- buffer overflows in NIFF image title handling</topic>
<affects>