authortron <tron@pkgsrc.org>2008-09-17 10:41:37 +0000
committertron <tron@pkgsrc.org>2008-09-17 10:41:37 +0000
commitdd62649d25bb1b97c75475d6185db4d434b33b64 (patch)
tree4d8d81e98de58873fb0ba47980f5ff0ab3c8c2ea
parent60c5f494298bb075109eebb306f9b8a5f48df0a2 (diff)
Pullup ticket #2528 - requested by taca
ruby18-base: security patch Revisions pulled up: - lang/ruby18-base/Makefile 1.47 - lang/ruby18-base/distinfo 1.34 - lang/ruby18-base/patches/patch-dg 1.5 - lang/ruby18-base/patches/patch-dh 1.3 --- Module Name: pkgsrc Committed By: taca Date: Sun Sep 14 05:17:18 UTC 2008 Modified Files: pkgsrc/lang/ruby18-base: Makefile distinfo Added Files: pkgsrc/lang/ruby18-base/patches: patch-dg patch-dh Log Message: Add fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3790 (http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/) from ruby_1_8 branch. Bump PKGREVISION.
-rw-r--r--lang/ruby18-base/Makefile3
-rw-r--r--lang/ruby18-base/distinfo4
-rw-r--r--lang/ruby18-base/patches/patch-dg43
-rw-r--r--lang/ruby18-base/patches/patch-dh15
4 files changed, 63 insertions, 2 deletions
diff --git a/lang/ruby18-base/Makefile b/lang/ruby18-base/Makefile
index 1a2a2c2add4..e1f64efec57 100644
--- a/lang/ruby18-base/Makefile
+++ b/lang/ruby18-base/Makefile
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.45.4.1 2008/08/08 14:37:50 ghen Exp $
+# $NetBSD: Makefile,v 1.45.4.2 2008/09/17 10:41:37 tron Exp $
#
DISTNAME= ${RUBY_DISTNAME}
PKGNAME= ${RUBY_PKGPREFIX}-base-${RUBY_VERSION_SUFFIX}
+PKGREVISION= 1
CATEGORIES= lang ruby
MASTER_SITES= ${MASTER_SITE_RUBY}
#PKGREVISION=
diff --git a/lang/ruby18-base/distinfo b/lang/ruby18-base/distinfo
index f68cd6278c9..e5efbe065ad 100644
--- a/lang/ruby18-base/distinfo
+++ b/lang/ruby18-base/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.31.4.2 2008/08/12 11:22:11 rtr Exp $
+$NetBSD: distinfo,v 1.31.4.3 2008/09/17 10:41:38 tron Exp $
SHA1 (ruby-1.8.7-p72.tar.bz2) = 462e990a724580e4dfeeac5a271b93f6cfcbf5c7
RMD160 (ruby-1.8.7-p72.tar.bz2) = 07bf0d6987ba111aed988093c569fb66ba54891b
@@ -6,3 +6,5 @@ Size (ruby-1.8.7-p72.tar.bz2) = 4127450 bytes
SHA1 (patch-aa) = 59f4462dada7e7b00c7a773c8a95454f3dc4f994
SHA1 (patch-ab) = 239872c5faf95c05d2a94fe5f40af5b8541423c7
SHA1 (patch-ac) = eb4dd068729ba2a2c7d4d659f6bcdb1410227f3b
+SHA1 (patch-dg) = 6c92da2111af7dd09d9cc28d1d82612ead14283e
+SHA1 (patch-dh) = ac637345ee171892b551f34d0deb65f238060c7c
diff --git a/lang/ruby18-base/patches/patch-dg b/lang/ruby18-base/patches/patch-dg
new file mode 100644
index 00000000000..843e041ec45
--- /dev/null
+++ b/lang/ruby18-base/patches/patch-dg
@@ -0,0 +1,43 @@
+$NetBSD: patch-dg,v 1.4.2.1 2008/09/17 10:41:38 tron Exp $
+
+Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3790.
+(http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/)
+
+--- lib/rexml/document.rb.orig 2008-06-06 17:05:24.000000000 +0900
++++ lib/rexml/document.rb
+@@ -32,6 +32,7 @@ module REXML
+ # @param context if supplied, contains the context of the document;
+ # this should be a Hash.
+ def initialize( source = nil, context = {} )
++ @entity_expansion_count = 0
+ super()
+ @context = context
+ return if source.nil?
+@@ -200,6 +201,27 @@ module REXML
+ Parsers::StreamParser.new( source, listener ).parse
+ end
+
++ @@entity_expansion_limit = 10_000
++
++ # Set the entity expansion limit. By default the limit is set to 10000.
++ def Document::entity_expansion_limit=( val )
++ @@entity_expansion_limit = val
++ end
++
++ # Get the entity expansion limit. By default the limit is set to 10000.
++ def Document::entity_expansion_limit
++ return @@entity_expansion_limit
++ end
++
++ attr_reader :entity_expansion_count
++
++ def record_entity_expansion
++ @entity_expansion_count += 1
++ if @entity_expansion_count > @@entity_expansion_limit
++ raise "number of entity expansions exceeded, processing aborted."
++ end
++ end
++
+ private
+ def build( source )
+ Parsers::TreeParser.new( source, self ).parse
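Review bot: `Document::entity_expansion_limit=` on the new side stores `val` without any validation, so a nil or string limit is only detected later inside `record_entity_expansion`, where `@entity_expansion_count > @@entity_expansion_limit` fails with a comparison error in the middle of parsing instead of at configuration time; a guard such as `raise ArgumentError, "entity expansion limit must be an Integer" unless val.is_a?(Integer)` in the setter would surface the mistake where it is made. `record_entity_expansion` also carries no comment; I would add `# Called by Entity#unnormalized on each expansion; raises once this document's count exceeds the class-wide limit.` above its `def`. Note that the limit bounds the number of expansions per document, not the size of each replacement text, so the effective memory bound also depends on how large individual entity values are allowed to be. The Document class begins and ends outside this hunk.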
diff --git a/lang/ruby18-base/patches/patch-dh b/lang/ruby18-base/patches/patch-dh
new file mode 100644
index 00000000000..8f9f57b062f
--- /dev/null
+++ b/lang/ruby18-base/patches/patch-dh
@@ -0,0 +1,15 @@
+$NetBSD: patch-dh,v 1.2.8.1 2008/09/17 10:41:38 tron Exp $
+
+Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3790.
+(http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/)
+
+--- lib/rexml/entity.rb.orig 2008-04-18 16:22:13.000000000 +0900
++++ lib/rexml/entity.rb
+@@ -73,6 +73,7 @@ module REXML
+ # all entities -- both %ent; and &ent; entities. This differs from
+ # +value()+ in that +value+ only replaces %ent; entities.
+ def unnormalized
++ document.record_entity_expansion
+ v = value()
+ return nil if v.nil?
+ @unnormalized = Text::unnormalize(v, parent)
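Review bot: The added `document.record_entity_expansion` call assumes every Entity reaching `unnormalized` is attached to a Document; if the `document` accessor can return nil for a detached entity (not visible in this hunk), the call becomes a NoMethodError during parsing rather than an uncounted expansion, so `document.record_entity_expansion if document` would be worth considering once the accessor's nil behaviour is confirmed. The comment preserved just above the method says `value()` replaces %ent; entities on its own, and that path is not instrumented by this patch, so parameter-entity expansion through `value` appears to fall outside the new count — worth confirming against the rest of entity.rb. `unnormalized` continues past the end of the hunk.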