author | tron <tron@pkgsrc.org> | 2012-03-05 23:28:39 +0000 |
---|---|---|
committer | tron <tron@pkgsrc.org> | 2012-03-05 23:28:39 +0000 |
commit | 13e42d24ee5ca3cce200a2c8a3cf2a864dcd211b (patch) | |
tree | 444d3ec101257a1b2f67b48c6899f55b43ad9571 | |
parent | 016ffc781417c578264e476f0dcf9b7eeaeae7a8 (diff) | |
download | pkgsrc-13e42d24ee5ca3cce200a2c8a3cf2a864dcd211b.tar.gz |
Pullup ticket #3693 - requested by taca
devel/ruby-activesupport3: security patch
devel/ruby-activesupport31: security patch
www/ruby-actionpack3: security patch
www/ruby-actionpack31: security patch
Revisions pulled up:
- devel/ruby-activesupport3/Makefile 1.6
- devel/ruby-activesupport3/distinfo 1.11
- devel/ruby-activesupport3/patches/patch-lib_active__support_core__ext_string_output__safety.rb 1.1
- devel/ruby-activesupport31/Makefile 1.3
- devel/ruby-activesupport31/distinfo 1.2
- devel/ruby-activesupport31/patches/patch-lib_active__support_core__ext_string_output__safety.rb 1.1
- www/ruby-actionpack3/Makefile 1.11
- www/ruby-actionpack3/distinfo 1.11
- www/ruby-actionpack3/patches/patch-lib_action__view_helpers_capture__helper.rb 1.1
- www/ruby-actionpack31/Makefile 1.2
- www/ruby-actionpack31/distinfo 1.2
- www/ruby-actionpack31/patches/patch-lib_action__view_helpers_capture__helper.rb 1.1
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Mar 3 04:47:15 UTC 2012
Modified Files:
pkgsrc/devel/ruby-activesupport3: Makefile distinfo
pkgsrc/devel/ruby-activesupport31: Makefile distinfo
pkgsrc/www/ruby-actionpack3: Makefile distinfo
pkgsrc/www/ruby-actionpack31: Makefile distinfo
Added Files:
pkgsrc/devel/ruby-activesupport3/patches:
patch-lib_active__support_core__ext_string_output__safety.rb
pkgsrc/devel/ruby-activesupport31/patches:
patch-lib_active__support_core__ext_string_output__safety.rb
pkgsrc/www/ruby-actionpack3/patches:
patch-lib_action__view_helpers_capture__helper.rb
pkgsrc/www/ruby-actionpack31/patches:
patch-lib_action__view_helpers_capture__helper.rb
Log Message:
Add fix for CVE-2012-1098 to:
devel/ruby-activesupport3
devel/ruby-activesupport31
www/ruby-actionpack3
www/ruby-actionpack31
And bump each PKGREVISION.
12 files changed, 232 insertions, 10 deletions
diff --git a/devel/ruby-activesupport3/Makefile b/devel/ruby-activesupport3/Makefile
index b3a95d37968..13328097af4 100644
--- a/devel/ruby-activesupport3/Makefile
+++ b/devel/ruby-activesupport3/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.5 2011/12/13 15:53:37 taca Exp $
+# $NetBSD: Makefile,v 1.5.2.1 2012/03/05 23:28:39 tron Exp $
 DISTNAME= activesupport-${RUBY_RAILS_VERSION}
+PKGREVISION= 1
 CATEGORIES= devel
 MAINTAINER= pkgsrc-users@NetBSD.org
diff --git a/devel/ruby-activesupport3/distinfo b/devel/ruby-activesupport3/distinfo
index a44a799eb6a..59c3926e265 100644
--- a/devel/ruby-activesupport3/distinfo
+++ b/devel/ruby-activesupport3/distinfo
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.10 2011/11/19 15:32:34 taca Exp $
+$NetBSD: distinfo,v 1.10.2.1 2012/03/05 23:28:39 tron Exp $
 SHA1 (activesupport-3.0.11.gem) = 45fd29d5663d4bf90c8695d04aaead2023525789
 RMD160 (activesupport-3.0.11.gem) = cb66549165f8b6d57e8cf3883559c6884d92bf7d
 Size (activesupport-3.0.11.gem) = 304640 bytes
+SHA1 (patch-lib_active__support_core__ext_string_output__safety.rb) = 655215cb063e589d922d0efdb48d5884dafe396a
diff --git a/devel/ruby-activesupport3/patches/patch-lib_active__support_core__ext_string_output__safety.rb b/devel/ruby-activesupport3/patches/patch-lib_active__support_core__ext_string_output__safety.rb
new file mode 100644
index 00000000000..8a0392a8802
--- /dev/null
+++ b/devel/ruby-activesupport3/patches/patch-lib_active__support_core__ext_string_output__safety.rb
@@ -0,0 +1,93 @@
+$NetBSD: patch-lib_active__support_core__ext_string_output__safety.rb,v 1.1.2.2 2012/03/05 23:28:40 tron Exp $
+
+Fix for CVE-2012-1099.
+
+--- lib/active_support/core_ext/string/output_safety.rb.orig 2012-03-03 03:54:59.000000000 +0000
++++ lib/active_support/core_ext/string/output_safety.rb
+@@ -85,23 +85,41 @@ module ActiveSupport #:nodoc:
+ end
+ end
+
++ def [](*args)
++ return super if args.size < 2
++
++ if html_safe?
++ new_safe_buffer = super
++ new_safe_buffer.instance_eval { @html_safe = true }
++ new_safe_buffer
++ else
++ to_str[*args]
++ end
++ end
++
+ def safe_concat(value)
+- raise SafeConcatError if dirty?
++ raise SafeConcatError unless html_safe?
+ original_concat(value)
+ end
+
+ def initialize(*)
+- @dirty = false
++ @html_safe = true
+ super
+ end
+
+ def initialize_copy(other)
+ super
+- @dirty = other.dirty?
++ @html_safe = other.html_safe?
++ end
++
++ def clone_empty
++ new_safe_buffer = self[0, 0]
++ new_safe_buffer.instance_variable_set(:@dirty, @dirty)
++ new_safe_buffer
+ end
+
+ def concat(value)
+- if dirty? || value.html_safe?
++ if !html_safe? || value.html_safe?
+ super(value)
+ else
+ super(ERB::Util.h(value))
+@@ -114,7 +132,7 @@ module ActiveSupport #:nodoc:
+ end
+
+ def html_safe?
+- !dirty?
++ defined?(@html_safe) && @html_safe
+ end
+
+ def to_s
+@@ -132,23 +150,17 @@ module ActiveSupport #:nodoc:
+ for unsafe_method in UNSAFE_STRING_METHODS
+ if 'String'.respond_to?(unsafe_method)
+ class_eval <<-EOT, __FILE__, __LINE__ + 1
+- def #{unsafe_method}(*args)
+- super.to_str
+- end
+-
+- def #{unsafe_method}!(*args)
+- @dirty = true
+- super
+- end
++ def #{unsafe_method}(*args, &block) # def capitalize(*args, &block)
++ to_str.#{unsafe_method}(*args, &block) # to_str.capitalize(*args, &block)
++ end # end
++
++ def #{unsafe_method}!(*args) # def capitalize!(*args)
++ @html_safe = false # @html_safe = false
++ super # super
++ end # end
+ EOT
+ end
+ end
+-
+- protected
+-
+- def dirty?
+- @dirty
+- end
+ end
+ end
+
diff --git a/devel/ruby-activesupport31/Makefile b/devel/ruby-activesupport31/Makefile
index 9ed714b07d7..9a10763b891 100644
--- a/devel/ruby-activesupport31/Makefile
+++ b/devel/ruby-activesupport31/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.2 2011/12/17 17:48:10 taca Exp $
+# $NetBSD: Makefile,v 1.2.2.1 2012/03/05 23:28:40 tron Exp $
 DISTNAME= activesupport-${RUBY_RAILS_VERSION}
-PKGREVISION= 1
+PKGREVISION= 2
 CATEGORIES= devel
 MAINTAINER= pkgsrc-users@NetBSD.org
diff --git a/devel/ruby-activesupport31/distinfo b/devel/ruby-activesupport31/distinfo
index 19a667ed4d4..326151c3d1e 100644
--- a/devel/ruby-activesupport31/distinfo
+++ b/devel/ruby-activesupport31/distinfo
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.1.1.1 2011/12/16 12:15:16 taca Exp $
+$NetBSD: distinfo,v 1.1.1.1.2.1 2012/03/05 23:28:40 tron Exp $
 SHA1 (activesupport-3.1.3.gem) = a36dddf8a1cda7b1b7e601ab3645628db705e518
 RMD160 (activesupport-3.1.3.gem) = a55b5f3b4d304dca257cf5ac302a1621cd14a091
 Size (activesupport-3.1.3.gem) = 309760 bytes
+SHA1 (patch-lib_active__support_core__ext_string_output__safety.rb) = fb870b00210f8403691eee216331452ade8d7110
diff --git a/devel/ruby-activesupport31/patches/patch-lib_active__support_core__ext_string_output__safety.rb b/devel/ruby-activesupport31/patches/patch-lib_active__support_core__ext_string_output__safety.rb
new file mode 100644
index 00000000000..a2523d6c4fd
--- /dev/null
+++ b/devel/ruby-activesupport31/patches/patch-lib_active__support_core__ext_string_output__safety.rb
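Review bot: `clone_empty` in the added output_safety.rb patch still copies `@dirty`, although every other method in this patch has moved to `@html_safe` and the `dirty?` reader is removed, so `new_safe_buffer.instance_variable_set(:@dirty, @dirty)` carries over an instance variable that nothing visible here sets or reads any more. The safety state of the emptied buffer therefore comes only from `self[0, 0]`, which hands back a plain string through `to_str[*args]` once the buffer is no longer html_safe. If the intent is to carry the flag across, the line should read `new_safe_buffer.instance_variable_set(:@html_safe, @html_safe)`; otherwise drop it and note in a comment that `[]` decides the result. The devel/ruby-activesupport31 copy of this patch has the same line, and the class these methods belong to begins and ends outside the inner hunks.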
@@ -0,0 +1,93 @@
+$NetBSD: patch-lib_active__support_core__ext_string_output__safety.rb,v 1.1.2.2 2012/03/05 23:28:40 tron Exp $
+
+Fix for CVE-2012-1099.
+
+--- lib/active_support/core_ext/string/output_safety.rb.orig 2012-03-03 03:59:36.000000000 +0000
++++ lib/active_support/core_ext/string/output_safety.rb
+@@ -86,23 +86,41 @@ module ActiveSupport #:nodoc:
+ end
+ end
+
++ def [](*args)
++ return super if args.size < 2
++
++ if html_safe?
++ new_safe_buffer = super
++ new_safe_buffer.instance_eval { @html_safe = true }
++ new_safe_buffer
++ else
++ to_str[*args]
++ end
++ end
++
+ def safe_concat(value)
+- raise SafeConcatError if dirty?
++ raise SafeConcatError unless html_safe?
+ original_concat(value)
+ end
+
+ def initialize(*)
+- @dirty = false
++ @html_safe = true
+ super
+ end
+
+ def initialize_copy(other)
+ super
+- @dirty = other.dirty?
++ @html_safe = other.html_safe?
++ end
++
++ def clone_empty
++ new_safe_buffer = self[0, 0]
++ new_safe_buffer.instance_variable_set(:@dirty, @dirty)
++ new_safe_buffer
+ end
+
+ def concat(value)
+- if dirty? || value.html_safe?
++ if !html_safe? || value.html_safe?
+ super(value)
+ else
+ super(ERB::Util.h(value))
+@@ -115,7 +133,7 @@ module ActiveSupport #:nodoc:
+ end
+
+ def html_safe?
+- !dirty?
++ defined?(@html_safe) && @html_safe
+ end
+
+ def to_s
+@@ -138,23 +156,17 @@ module ActiveSupport #:nodoc:
+ for unsafe_method in UNSAFE_STRING_METHODS
+ if 'String'.respond_to?(unsafe_method)
+ class_eval <<-EOT, __FILE__, __LINE__ + 1
+- def #{unsafe_method}(*args)
+- super.to_str
+- end
+-
+- def #{unsafe_method}!(*args)
+- @dirty = true
+- super
+- end
++ def #{unsafe_method}(*args, &block) # def capitalize(*args, &block)
++ to_str.#{unsafe_method}(*args, &block) # to_str.capitalize(*args, &block)
++ end # end
++
++ def #{unsafe_method}!(*args) # def capitalize!(*args)
++ @html_safe = false # @html_safe = false
++ super # super
++ end # end
+ EOT
+ end
+ end
+-
+- protected
+-
+- def dirty?
+- @dirty
+- end
+ end
+ end
+
diff --git a/www/ruby-actionpack3/Makefile b/www/ruby-actionpack3/Makefile
index 51847f19bcc..40bcf6ba59b 100644
--- a/www/ruby-actionpack3/Makefile
+++ b/www/ruby-actionpack3/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.10 2011/12/15 14:39:10 taca Exp $
+# $NetBSD: Makefile,v 1.10.2.1 2012/03/05 23:28:40 tron Exp $
 DISTNAME= actionpack-${RUBY_RAILS3_VERSION}
-PKGREVISION= 2
+PKGREVISION= 3
 CATEGORIES= www
 MAINTAINER= pkgsrc-users@NetBSD.org
diff --git a/www/ruby-actionpack3/distinfo b/www/ruby-actionpack3/distinfo
index e7991cbe852..c4df6392172 100644
--- a/www/ruby-actionpack3/distinfo
+++ b/www/ruby-actionpack3/distinfo
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.10 2011/11/19 15:34:37 taca Exp $
+$NetBSD: distinfo,v 1.10.2.1 2012/03/05 23:28:40 tron Exp $
 SHA1 (actionpack-3.0.11.gem) = 2161526f06ead521d0473b2bbad7e4db4a20fd5a
 RMD160 (actionpack-3.0.11.gem) = e21ccd58f0051e053a2dea3f3a7b2d97b6483012
 Size (actionpack-3.0.11.gem) = 358912 bytes
+SHA1 (patch-lib_action__view_helpers_capture__helper.rb) = bfbb8431086bc97e0e8b98e6cc29cf6705ed5070
diff --git a/www/ruby-actionpack3/patches/patch-lib_action__view_helpers_capture__helper.rb b/www/ruby-actionpack3/patches/patch-lib_action__view_helpers_capture__helper.rb
new file mode 100644
index 00000000000..886dd8dd59f
--- /dev/null
+++ b/www/ruby-actionpack3/patches/patch-lib_action__view_helpers_capture__helper.rb
@@ -0,0 +1,15 @@
+$NetBSD: patch-lib_action__view_helpers_capture__helper.rb,v 1.1.2.2 2012/03/05 23:28:40 tron Exp $
+
+Fix for CVE-2012-1099.
+
+--- lib/action_view/helpers/capture_helper.rb.orig 2012-03-03 04:21:54.000000000 +0000
++++ lib/action_view/helpers/capture_helper.rb
+@@ -179,7 +179,7 @@ module ActionView
+ def flush_output_buffer #:nodoc:
+ if output_buffer && !output_buffer.empty?
+ response.body_parts << output_buffer
+- self.output_buffer = output_buffer[0,0]
++ self.output_buffer = output_buffer.respond_to?(:clone_empty) ? output_buffer.clone_empty : output_buffer[0, 0]
+ nil
+ end
+ end
diff --git a/www/ruby-actionpack31/Makefile b/www/ruby-actionpack31/Makefile
index 8e7a7fbcc18..70c850c8cf5 100644
--- a/www/ruby-actionpack31/Makefile
+++ b/www/ruby-actionpack31/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.1.1.1 2011/12/16 12:26:29 taca Exp $
+# $NetBSD: Makefile,v 1.1.1.1.2.1 2012/03/05 23:28:40 tron Exp $
 DISTNAME= actionpack-${RUBY_RAILS_VERSION}
+PKGREVISION= 1
 CATEGORIES= www
 MAINTAINER= pkgsrc-users@NetBSD.org
diff --git a/www/ruby-actionpack31/distinfo b/www/ruby-actionpack31/distinfo
index d8900230c68..de41df3e44c 100644
--- a/www/ruby-actionpack31/distinfo
+++ b/www/ruby-actionpack31/distinfo
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.1.1.1 2011/12/16 12:26:29 taca Exp $
+$NetBSD: distinfo,v 1.1.1.1.2.1 2012/03/05 23:28:40 tron Exp $
 SHA1 (actionpack-3.1.3.gem) = 3869fcc993a4b4cdbed14bb0b03d12d2beeb6802
 RMD160 (actionpack-3.1.3.gem) = b9d474a97e3f64535c094d133bd337329d888acd
 Size (actionpack-3.1.3.gem) = 369664 bytes
+SHA1 (patch-lib_action__view_helpers_capture__helper.rb) = b1cbedccc782ac4c669c9360e003a1e38fc0baf2
diff --git a/www/ruby-actionpack31/patches/patch-lib_action__view_helpers_capture__helper.rb b/www/ruby-actionpack31/patches/patch-lib_action__view_helpers_capture__helper.rb
new file mode 100644
index 00000000000..d01826e09f0
--- /dev/null
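Review bot: The header comment of the added capture_helper.rb patch reads `Fix for CVE-2012-1099.`, while the commit's log message says the fix is for CVE-2012-1098, and the two identifiers cannot both name the same change. The patch header is what a later audit reads when deciding whether an installed package still needs the fix, so the header and the log should agree. The log's identifier looks like the one that matches the SafeBuffer change, but confirm against the upstream advisory before editing. The same header line appears in the three other patch files added by this commit: both output_safety.rb patches and the www/ruby-actionpack31 capture_helper.rb patch.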
+++ b/www/ruby-actionpack31/patches/patch-lib_action__view_helpers_capture__helper.rb
@@ -0,0 +1,15 @@
+$NetBSD: patch-lib_action__view_helpers_capture__helper.rb,v 1.1.2.2 2012/03/05 23:28:41 tron Exp $
+
+Fix for CVE-2012-1099.
+
+--- lib/action_view/helpers/capture_helper.rb.orig 2012-03-03 04:18:29.000000000 +0000
++++ lib/action_view/helpers/capture_helper.rb
+@@ -194,7 +194,7 @@ module ActionView
+ def flush_output_buffer #:nodoc:
+ if output_buffer && !output_buffer.empty?
+ response.body_parts << output_buffer
+- self.output_buffer = output_buffer[0,0]
++ self.output_buffer = output_buffer.respond_to?(:clone_empty) ? output_buffer.clone_empty : output_buffer[0, 0]
+ nil
+ end
+ end |