author | taca <taca@pkgsrc.org> | 2008-09-14 05:17:18 +0000 |
---|---|---|
committer | taca <taca@pkgsrc.org> | 2008-09-14 05:17:18 +0000 |
commit | 214e38e04123ed8922fe6484b703ccc6f7fa114f (patch) | |
tree | fa871bdd4e509f28eb9438fd285b61675efd9068 /lang/ruby18-base | |
parent | 7c1d610b01ed09110df7541bafb981fefaaf37a7 (diff) | |
download | pkgsrc-214e38e04123ed8922fe6484b703ccc6f7fa114f.tar.gz |
Add fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3790
(http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/)
from ruby_1_8 branch.
Bump PKGREVISION.
Diffstat (limited to 'lang/ruby18-base')
-rw-r--r-- | lang/ruby18-base/Makefile | 3 | ||||
-rw-r--r-- | lang/ruby18-base/distinfo | 4 | ||||
-rw-r--r-- | lang/ruby18-base/patches/patch-dg | 43 | ||||
-rw-r--r-- | lang/ruby18-base/patches/patch-dh | 15 |
4 files changed, 63 insertions, 2 deletions
diff --git a/lang/ruby18-base/Makefile b/lang/ruby18-base/Makefile index 11d01f01158..596431fd8c4 100644 --- a/lang/ruby18-base/Makefile +++ b/lang/ruby18-base/Makefile @@ -1,8 +1,9 @@ -# $NetBSD: Makefile,v 1.46 2008/08/08 12:42:44 taca Exp $ +# $NetBSD: Makefile,v 1.47 2008/09/14 05:17:18 taca Exp $ # DISTNAME= ${RUBY_DISTNAME} PKGNAME= ${RUBY_PKGPREFIX}-base-${RUBY_VERSION_SUFFIX} +PKGREVISION= 1 CATEGORIES= lang ruby MASTER_SITES= ${MASTER_SITE_RUBY} #PKGREVISION= diff --git a/lang/ruby18-base/distinfo b/lang/ruby18-base/distinfo index 68023a37c3a..74ff8c4247a 100644 --- a/lang/ruby18-base/distinfo +++ b/lang/ruby18-base/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.33 2008/08/11 06:58:33 taca Exp $ +$NetBSD: distinfo,v 1.34 2008/09/14 05:17:18 taca Exp $ SHA1 (ruby-1.8.7-p72.tar.bz2) = 462e990a724580e4dfeeac5a271b93f6cfcbf5c7 RMD160 (ruby-1.8.7-p72.tar.bz2) = 07bf0d6987ba111aed988093c569fb66ba54891b @@ -6,3 +6,5 @@ Size (ruby-1.8.7-p72.tar.bz2) = 4127450 bytes SHA1 (patch-aa) = 59f4462dada7e7b00c7a773c8a95454f3dc4f994 SHA1 (patch-ab) = 239872c5faf95c05d2a94fe5f40af5b8541423c7 SHA1 (patch-ac) = eb4dd068729ba2a2c7d4d659f6bcdb1410227f3b +SHA1 (patch-dg) = 6c92da2111af7dd09d9cc28d1d82612ead14283e +SHA1 (patch-dh) = ac637345ee171892b551f34d0deb65f238060c7c diff --git a/lang/ruby18-base/patches/patch-dg b/lang/ruby18-base/patches/patch-dg new file mode 100644 index 00000000000..c056818b5f2 --- /dev/null +++ b/lang/ruby18-base/patches/patch-dg 
@@ -0,0 +1,43 @@
+$NetBSD: patch-dg,v 1.5 2008/09/14 05:17:18 taca Exp $
+
+Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3790.
+(http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/)
+
+--- lib/rexml/document.rb.orig 2008-06-06 17:05:24.000000000 +0900
++++ lib/rexml/document.rb
+@@ -32,6 +32,7 @@ module REXML
+ # @param context if supplied, contains the context of the document;
+ # this should be a Hash.
+ def initialize( source = nil, context = {} )
++ @entity_expansion_count = 0
+ super()
+ @context = context
+ return if source.nil?
+@@ -200,6 +201,27 @@ module REXML
+ Parsers::StreamParser.new( source, listener ).parse
+ end
+
++ @@entity_expansion_limit = 10_000
++
++ # Set the entity expansion limit. By default the limit is set to 10000.
++ def Document::entity_expansion_limit=( val )
++ @@entity_expansion_limit = val
++ end
++
++ # Get the entity expansion limit. By default the limit is set to 10000.
++ def Document::entity_expansion_limit
++ return @@entity_expansion_limit
++ end
++
++ attr_reader :entity_expansion_count
++
++ def record_entity_expansion
++ @entity_expansion_count += 1
++ if @entity_expansion_count > @@entity_expansion_limit
++ raise "number of entity expansions exceeded, processing aborted."
++ end
++ end
++
+ private
+ def build( source )
+ Parsers::TreeParser.new( source, self ).parse
diff --git a/lang/ruby18-base/patches/patch-dh
new file mode 100644
index 00000000000..9db6472587f
--- /dev/null
+++ b/lang/ruby18-base/patches/patch-dh
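Review bot: `record_entity_expansion` in the patch-dg hunk raises a bare `RuntimeError` built from a string, so a caller that wants to treat an over-limit document differently from any other parse failure (reject the input, log it, count it) can only do so with a blanket rescue that also catches unrelated errors. A dedicated class under the REXML namespace keeps the message and makes the condition rescuable on its own, e.g. `class EntityExpansionLimitError < StandardError; end` followed by `raise EntityExpansionLimitError, "number of entity expansions exceeded, processing aborted."` (constructed name). Two smaller points: `Document::entity_expansion_limit=` stores `val` unchecked, so a non-Integer value is only discovered later at the `>` comparison inside `record_entity_expansion`; and `@entity_expansion_count` is only ever incremented, never reset, so the limit appears to apply to the cumulative number of expansions over the document's lifetime rather than per parse — worth a comment on the `attr_reader` if that is intended. The limit bounds how many times entities are expanded, not how much text each expansion yields, so a size-based bound is the natural follow-up for the same class of issue. The enclosing `Document` class starts and ends outside the hunk.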
@@ -0,0 +1,15 @@
+$NetBSD: patch-dh,v 1.3 2008/09/14 05:17:18 taca Exp $
+
+Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3790.
+(http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/)
+
+--- lib/rexml/entity.rb.orig 2008-04-18 16:22:13.000000000 +0900
++++ lib/rexml/entity.rb
+@@ -73,6 +73,7 @@ module REXML
+ # all entities -- both %ent; and &ent; entities. This differs from
+ # +value()+ in that +value+ only replaces %ent; entities.
+ def unnormalized
++ document.record_entity_expansion
+ v = value()
+ return nil if v.nil?
+ @unnormalized = Text::unnormalize(v, parent) |
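Review bot: The added `document.record_entity_expansion` in the patch-dh hunk is unguarded; if `Entity#document` can return nil here (an entity built without an enclosing Document, which the hunk does not rule out), `unnormalized` now raises `NoMethodError` where it previously expanded the value. `document.record_entity_expansion unless document.nil?` keeps the counter for entities reached through a parsed document, which is the path the CVE-2008-3790 fix is for, while leaving detached entities behaving as before. The guarded form does mean a detached entity is not counted at all; whether that is acceptable depends on whether such entities can carry untrusted content, which is not visible here, so a short comment stating the assumption would help the next reader. The rest of `unnormalized` continues outside the hunk.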