diff options
author | tron <tron@pkgsrc.org> | 2008-09-17 10:41:37 +0000 |
---|---|---|
committer | tron <tron@pkgsrc.org> | 2008-09-17 10:41:37 +0000 |
commit | dd62649d25bb1b97c75475d6185db4d434b33b64 (patch) | |
tree | 4d8d81e98de58873fb0ba47980f5ff0ab3c8c2ea | |
parent | 60c5f494298bb075109eebb306f9b8a5f48df0a2 (diff) | |
download | pkgsrc-dd62649d25bb1b97c75475d6185db4d434b33b64.tar.gz |
Pullup ticket #2528 - requested by taca
ruby18-base: security patch
Revisions pulled up:
- lang/ruby18-base/Makefile 1.47
- lang/ruby18-base/distinfo 1.34
- lang/ruby18-base/patches/patch-dg 1.5
- lang/ruby18-base/patches/patch-dh 1.3
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Sep 14 05:17:18 UTC 2008
Modified Files:
pkgsrc/lang/ruby18-base: Makefile distinfo
Added Files:
pkgsrc/lang/ruby18-base/patches: patch-dg patch-dh
Log Message:
Add fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3790
(http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/)
from ruby_1_8 branch.
Bump PKGREVISION.
-rw-r--r-- | lang/ruby18-base/Makefile | 3 | ||||
-rw-r--r-- | lang/ruby18-base/distinfo | 4 | ||||
-rw-r--r-- | lang/ruby18-base/patches/patch-dg | 43 | ||||
-rw-r--r-- | lang/ruby18-base/patches/patch-dh | 15 |
4 files changed, 63 insertions, 2 deletions
diff --git a/lang/ruby18-base/Makefile b/lang/ruby18-base/Makefile index 1a2a2c2add4..e1f64efec57 100644 --- a/lang/ruby18-base/Makefile +++ b/lang/ruby18-base/Makefile @@ -1,8 +1,9 @@ -# $NetBSD: Makefile,v 1.45.4.1 2008/08/08 14:37:50 ghen Exp $ +# $NetBSD: Makefile,v 1.45.4.2 2008/09/17 10:41:37 tron Exp $ # DISTNAME= ${RUBY_DISTNAME} PKGNAME= ${RUBY_PKGPREFIX}-base-${RUBY_VERSION_SUFFIX} +PKGREVISION= 1 CATEGORIES= lang ruby MASTER_SITES= ${MASTER_SITE_RUBY} #PKGREVISION= diff --git a/lang/ruby18-base/distinfo b/lang/ruby18-base/distinfo index f68cd6278c9..e5efbe065ad 100644 --- a/lang/ruby18-base/distinfo +++ b/lang/ruby18-base/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.31.4.2 2008/08/12 11:22:11 rtr Exp $ +$NetBSD: distinfo,v 1.31.4.3 2008/09/17 10:41:38 tron Exp $ SHA1 (ruby-1.8.7-p72.tar.bz2) = 462e990a724580e4dfeeac5a271b93f6cfcbf5c7 RMD160 (ruby-1.8.7-p72.tar.bz2) = 07bf0d6987ba111aed988093c569fb66ba54891b @@ -6,3 +6,5 @@ Size (ruby-1.8.7-p72.tar.bz2) = 4127450 bytes SHA1 (patch-aa) = 59f4462dada7e7b00c7a773c8a95454f3dc4f994 SHA1 (patch-ab) = 239872c5faf95c05d2a94fe5f40af5b8541423c7 SHA1 (patch-ac) = eb4dd068729ba2a2c7d4d659f6bcdb1410227f3b +SHA1 (patch-dg) = 6c92da2111af7dd09d9cc28d1d82612ead14283e +SHA1 (patch-dh) = ac637345ee171892b551f34d0deb65f238060c7c diff --git a/lang/ruby18-base/patches/patch-dg b/lang/ruby18-base/patches/patch-dg new file mode 100644 index 00000000000..843e041ec45 --- /dev/null +++ b/lang/ruby18-base/patches/patch-dg @@ -0,0 +1,43 @@ +$NetBSD: patch-dg,v 1.4.2.1 2008/09/17 10:41:38 tron Exp $ + +Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3790. +(http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/) + +--- lib/rexml/document.rb.orig 2008-06-06 17:05:24.000000000 +0900 ++++ lib/rexml/document.rb +@@ -32,6 +32,7 @@ module REXML + # @param context if supplied, contains the context of the document; + # this should be a Hash. + def initialize( source = nil, context = {} ) ++ @entity_expansion_count = 0 + super() + @context = context + return if source.nil? +@@ -200,6 +201,27 @@ module REXML + Parsers::StreamParser.new( source, listener ).parse + end + ++ @@entity_expansion_limit = 10_000 ++ ++ # Set the entity expansion limit. By default the limit is set to 10000. ++ def Document::entity_expansion_limit=( val ) ++ @@entity_expansion_limit = val ++ end ++ ++ # Get the entity expansion limit. By default the limit is set to 10000. ++ def Document::entity_expansion_limit ++ return @@entity_expansion_limit ++ end ++ ++ attr_reader :entity_expansion_count ++ ++ def record_entity_expansion ++ @entity_expansion_count += 1 ++ if @entity_expansion_count > @@entity_expansion_limit ++ raise "number of entity expansions exceeded, processing aborted." ++ end ++ end ++ + private + def build( source ) + Parsers::TreeParser.new( source, self ).parse diff --git a/lang/ruby18-base/patches/patch-dh b/lang/ruby18-base/patches/patch-dh new file mode 100644 index 00000000000..8f9f57b062f --- /dev/null +++ b/lang/ruby18-base/patches/patch-dh @@ -0,0 +1,15 @@ +$NetBSD: patch-dh,v 1.2.8.1 2008/09/17 10:41:38 tron Exp $ + +Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3790. +(http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/) + +--- lib/rexml/entity.rb.orig 2008-04-18 16:22:13.000000000 +0900 ++++ lib/rexml/entity.rb +@@ -73,6 +73,7 @@ module REXML + # all entities -- both %ent; and &ent; entities. This differs from + # +value()+ in that +value+ only replaces %ent; entities. + def unnormalized ++ document.record_entity_expansion + v = value() + return nil if v.nil? + @unnormalized = Text::unnormalize(v, parent) |