author | Sergey Matveychuk <sem@FreeBSD.org> | 2005-10-27 19:40:25 +0000 |
---|---|---|
committer | Sergey Matveychuk <sem@FreeBSD.org> | 2005-10-27 19:40:25 +0000 |
commit | 705fca86db25e33096fa9baaa430c86e9ad25b22 (patch) | |
tree | cff00e9fa08f6273eab8508651faef0dcb8c497c | |
parent | - Remove some patches and use REINPLACE_CMD, *_ARGS and *_ENV instead (diff) |
- Fix a ruby vulnerability in the safe level settings.
Based on: ports/87816
Submitted by: Phil Oleson <oz@nixil.net>
Security: http://vuxml.FreeBSD.org/1daea60a-4719-11da-b5c6-0004614cc33d.html
Notes
Notes:
svn path=/head/; revision=146505
-rw-r--r-- | Mk/bsd.ruby.mk | 8 | ||||
-rw-r--r-- | lang/ruby16/Makefile | 7 | ||||
-rw-r--r-- | lang/ruby16/distinfo | 2 | ||||
-rw-r--r-- | lang/ruby18/Makefile | 7 | ||||
-rw-r--r-- | lang/ruby18/distinfo | 2 | ||||
-rw-r--r-- | lang/ruby18/files/patch-lib_xmlrpc_utils.rb | 11 | ||||
-rw-r--r-- | security/vuxml/vuln.xml | 36 |
7 files changed, 56 insertions, 17 deletions
diff --git a/Mk/bsd.ruby.mk b/Mk/bsd.ruby.mk
index c63e436de039..5ea32f078c89 100644
--- a/Mk/bsd.ruby.mk
+++ b/Mk/bsd.ruby.mk
@@ -139,6 +139,10 @@ RUBY?= ${LOCALBASE}/bin/${RUBY_NAME}
 RUBY_VERSION?= 1.8.2
 #RUBY_DISTVERSION?= ${RUBY_VERSION}
 #RUBY_PATCHFILES?= ruby-${RUBY_DISTVERSION}-yyyy.mm.dd.diff.bz2
+
+# Security patch
+RUBY_PATCHFILES?= ${RUBY_VERSION}-patch1.gz
+
 #RUBY_PORTVERSION?= ${RUBY_VERSION}
 RUBY_WRKSRC= ${WRKDIR}/ruby-${RUBY_VERSION}
 #MASTER_SITE_SUBDIR_RUBY= snapshots
@@ -148,6 +152,10 @@ BROKEN= "Ruby 1.7 is obsolete; set RUBY_VER to 1.8 instead."
 RUBY_VERSION?= 1.6.8
 RUBY_DISTVERSION?= ${RUBY_VERSION}-2004.07.28
 #RUBY_PATCHFILES?= ruby-${RUBY_DISTVERSION}-${RUBY_PORTVERSION}.diff.bz2
+
+# Security patch
+RUBY_PATCHFILES?= ${RUBY_VERSION}-patch1.gz
+
 RUBY_PORTVERSION?= ${RUBY_VERSION}.2004.07.28
 #RUBY_WRKSRC= ${WRKDIR}/ruby-${RUBY_VERSION}
 MASTER_SITE_SUBDIR_RUBY= snapshots
diff --git a/lang/ruby16/Makefile b/lang/ruby16/Makefile
index 7212c8bb08ba..627f276d9531 100644
--- a/lang/ruby16/Makefile
+++ b/lang/ruby16/Makefile
@@ -7,7 +7,7 @@
 PORTNAME= ruby
 PORTVERSION= ${RUBY_PORTVERSION}
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= lang ruby ipv6
 MASTER_SITES= ${MASTER_SITE_RUBY}
 MASTER_SITE_SUBDIR= ${MASTER_SITE_SUBDIR_RUBY}
@@ -15,9 +15,10 @@ DISTFILES= ${RUBY_DISTNAME}${EXTRACT_SUFX}
 DIST_SUBDIR= ruby
 PATCH_SITES= ${MASTER_SITE_RUBY}
-PATCH_SITE_SUBDIR= snapshots
+#PATCH_SITE_SUBDIR= snapshots
+PATCH_SITE_SUBDIR= 1.6
 PATCHFILES= ${RUBY_PATCHFILES}
-PATCH_DIST_STRIP= -p1
+#PATCH_DIST_STRIP= -p1
 MAINTAINER= knu@FreeBSD.org
 COMMENT= An object-oriented interpreted scripting language
diff --git a/lang/ruby16/distinfo b/lang/ruby16/distinfo
index dd77998b6eeb..fb6206a3971e 100644
--- a/lang/ruby16/distinfo
+++ b/lang/ruby16/distinfo
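Review bot: The new `# Security patch` comment in the first hunk of Mk/bsd.ruby.mk (and the identical one in the second hunk) does not say which issue the patch fixes, so a future maintainer bumping RUBY_VERSION has no way to tell when `RUBY_PATCHFILES?= ${RUBY_VERSION}-patch1.gz` can be dropped or must be replaced. Suggest `# Security patch: safe-level bypass, CAN-2005-2337 (vuxml 1daea60a-4719-11da-b5c6-0004614cc33d)` in both places. Note also that `?=` lets any earlier definition of RUBY_PATCHFILES silently replace the security patch; that follows the convention of the surrounding variables, but since this one carries a security fix, a plain `=`, or a comment stating that overriding it drops the fix, would be safer.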
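Review bot: In the second hunk of lang/ruby16/Makefile, `#PATCH_SITE_SUBDIR= snapshots` and `#PATCH_DIST_STRIP= -p1` are left as commented-out code rather than removed, and nothing records why the strip level changed; the matching hunk in lang/ruby18/Makefile has the same issue. Dropping the two dead lines and putting the reason on the live setting, e.g. `PATCH_SITE_SUBDIR= 1.6	# upstream ${RUBY_PATCHFILES}; no -p1 needed`, would keep the next reader from re-adding `-p1` if the snapshot patch scheme is restored. That the upstream patch applies at the default strip level is only inferred here from the removal of PATCH_DIST_STRIP and is worth stating explicitly in the commit message.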
@@ -1,2 +1,4 @@
 MD5 (ruby/ruby-1.6.8-2004.07.28.tar.bz2) = dfaffe53746f58d357e577b56ff0013d
 SIZE (ruby/ruby-1.6.8-2004.07.28.tar.bz2) = 905405
+MD5 (ruby/1.6.8-patch1.gz) = 7a97381d61576e68aec94d60bc4cbbab
+SIZE (ruby/1.6.8-patch1.gz) = 1178
diff --git a/lang/ruby18/Makefile b/lang/ruby18/Makefile
index 8bc1874f16f0..5d4d5a376c8c 100644
--- a/lang/ruby18/Makefile
+++ b/lang/ruby18/Makefile
@@ -7,7 +7,7 @@
 PORTNAME= ruby
 PORTVERSION= ${RUBY_PORTVERSION}
-PORTREVISION= 4
+PORTREVISION= 5
 CATEGORIES= lang ruby ipv6
 MASTER_SITES= ${MASTER_SITE_RUBY}
 MASTER_SITE_SUBDIR= ${MASTER_SITE_SUBDIR_RUBY}
@@ -15,9 +15,10 @@ DISTFILES= ${RUBY_DISTNAME}${EXTRACT_SUFX}
 DIST_SUBDIR= ruby
 PATCH_SITES= ${MASTER_SITE_RUBY}
-PATCH_SITE_SUBDIR= snapshots
+#PATCH_SITE_SUBDIR= snapshots
+PATCH_SITE_SUBDIR= 1.8
 PATCHFILES= ${RUBY_PATCHFILES}
-PATCH_DIST_STRIP= -p1
+#PATCH_DIST_STRIP= -p1
 MAINTAINER= knu@FreeBSD.org
 COMMENT= An object-oriented interpreted scripting language
diff --git a/lang/ruby18/distinfo b/lang/ruby18/distinfo
index e150ecddcca3..28bf85101043 100644
--- a/lang/ruby18/distinfo
+++ b/lang/ruby18/distinfo
@@ -1,2 +1,4 @@
 MD5 (ruby/ruby-1.8.2.tar.gz) = 8ffc79d96f336b80f2690a17601dea9b
 SIZE (ruby/ruby-1.8.2.tar.gz) = 3627349
+MD5 (ruby/1.8.2-patch1.gz) = 4f32bae4546421a20a9211253da103d3
+SIZE (ruby/1.8.2-patch1.gz) = 1347
diff --git a/lang/ruby18/files/patch-lib_xmlrpc_utils.rb b/lang/ruby18/files/patch-lib_xmlrpc_utils.rb
deleted file mode 100644
index bdf98e240ba7..000000000000
--- a/lang/ruby18/files/patch-lib_xmlrpc_utils.rb
+++ /dev/null
@@ -1,11 +0,0 @@
---- lib/xmlrpc/utils.rb.orig Fri Jul 1 07:38:00 2005
-+++ lib/xmlrpc/utils.rb Fri Jul 1 07:38:55 2005
-@@ -138,7 +138,7 @@
-
- def get_methods(obj, delim=".")
- prefix = @prefix + delim
-- obj.class.public_instance_methods.collect { |name|
-+ obj.class.public_instance_methods(false).collect { |name|
- [prefix + name, obj.method(name).to_proc, nil, nil]
- }
- end
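Review bot: The lang/ruby18/Makefile hunks switch PATCHFILES to the upstream 1.8.2-patch1.gz while the same commit deletes files/patch-lib_xmlrpc_utils.rb, but neither the Makefile nor the commit message states that the upstream patch carries that xmlrpc fix (the `public_instance_methods(false)` change in get_methods). If it does not, this PORTREVISION bump silently reintroduces an already-fixed issue. A one-line comment next to PATCHFILES, e.g. `# ${RUBY_PATCHFILES} supersedes the former files/patch-lib_xmlrpc_utils.rb`, or a sentence in the log would make the replacement verifiable; that the two changes are related is inferred only from their landing together, so if the local patch was dropped for another reason, that reason should be stated instead.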
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index d7f5a76b18ee..02fec9b55a77 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -34,6 +34,42 @@ Note: Please add new entries to the beginning of this file.
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="1daea60a-4719-11da-b5c6-0004614cc33d">
+ <topic>ruby -- vulnerability in the safe level settings</topic>
+ <affects>
+ <package>
+ <name>ruby</name>
+ <name>ruby_static</name>
+ <range><gt>1.6.*</gt><lt>1.6.8.2004.07.28_2</lt></range>
+ <range><gt>1.8.*</gt><lt>1.8.2_5</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Ruby home page reports:</p>
+ <blockquote cite="http://www.ruby-lang.org/en/20051003.html">
+ <p>The Object Oriented Scripting Language Ruby supports
+ safely executing an untrusted code with two mechanisms:
+ safe level and taint flag on objects.</p>
+ <p>A vulnerability has been found that allows bypassing
+ these mechanisms.</p>
+ <p>By using the vulnerability, arbitrary code can be executed
+ beyond the restrictions specified in each safe level.
+ Therefore, Ruby has to be updated on all systems that use
+ safe level to execute untrusted code.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CAN-2005-2337</cvename>
+ <url>http://www.ruby-lang.org/en/20051003.html</url>
+ </references>
+ <dates>
+ <discovery>2005-10-02</discovery>
+ <entry>2005-10-27</entry>
+ </dates>
+ </vuln>
+
 <vuln vid="2f0cb4bb-416d-11da-99fe-000854d03344">
 <topic>xloadimage -- buffer overflows in NIFF image title handling</topic>
 <affects> |