Add security fix for rubygems, CVE-2015-3900.

Bump PKGREVISION.
author: taca <taca@pkgsrc.org> 2015-06-23 14:03:02 +0000
committer: taca <taca@pkgsrc.org> 2015-06-23 14:03:02 +0000
commit: 4523642b13d9ecf2247e6265268f98915a92555b (patch)
tree: a1e34b5114f065684a6851828bf66e1575d3a4d3 /lang/ruby200-base
parent: 1d18598b9885aacf57add59014b465bd342b71bc (diff)
download: pkgsrc-4523642b13d9ecf2247e6265268f98915a92555b.tar.gz
3 files changed, 25 insertions, 2 deletions
diff --git a/lang/ruby200-base/Makefile b/lang/ruby200-base/Makefile
index 59d5c2f248e..627cae969dd 100644
--- a/lang/ruby200-base/Makefile
+++ b/lang/ruby200-base/Makefile
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.18 2015/06/21 14:58:06 jperkin Exp $
+# $NetBSD: Makefile,v 1.19 2015/06/23 14:03:02 taca Exp $
 #
 
 DISTNAME=	${RUBY_DISTNAME}
 PKGNAME=	${RUBY_PKGPREFIX}-base-${RUBY_VERSION_FULL}
+PKGREVISION=	1
 CATEGORIES=	lang ruby
 MASTER_SITES=	${MASTER_SITE_RUBY}
 
diff --git a/lang/ruby200-base/distinfo b/lang/ruby200-base/distinfo
index 9e0f3e15298..4816124ab9b 100644
--- a/lang/ruby200-base/distinfo
+++ b/lang/ruby200-base/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.25 2015/04/30 03:34:31 taca Exp $
+$NetBSD: distinfo,v 1.26 2015/06/23 14:03:02 taca Exp $
 
 SHA1 (ruby-2.0.0-p645.tar.bz2) = e724dd0e4a1e820a368be307aa0863a8ecf4b694
 RMD160 (ruby-2.0.0-p645.tar.bz2) = cbfd9ca2a5fe5d6ea1d89da9fd934c864bf339ab
@@ -26,6 +26,7 @@ SHA1 (patch-lib_rubygems_dependency__installer.rb) = f4e40727d231b336c1d4c2303ac
 SHA1 (patch-lib_rubygems_install__update__options.rb) = 22cfafe090db72211253b8528937e5be0e677ebf
 SHA1 (patch-lib_rubygems_installer.rb) = 7ce68eaa5893c83780f7b4e1af44a88ae63a39cf
 SHA1 (patch-lib_rubygems_platform.rb) = 135f2e9d6c0c529da9ffcea4b96507675cdf1f16
+SHA1 (patch-lib_rubygems_remote__fetcher.rb) = e6acc25febd819ca835cd4306f863d76aa67b106
 SHA1 (patch-lib_rubygems_specification.rb) = 2a283cb7854580616df2b35357281c0a881cedf1
 SHA1 (patch-man_erb.1) = 1fe6ce4f4fe6418bfabb5e132a63596562030116
 SHA1 (patch-man_irb.1) = 2bf807b4c1b1c68d1f518caa054cfd900e0fedb7
diff --git a/lang/ruby200-base/patches/patch-lib_rubygems_remote__fetcher.rb b/lang/ruby200-base/patches/patch-lib_rubygems_remote__fetcher.rb
new file mode 100644
index 00000000000..c4144cc9942
--- /dev/null
+++ b/lang/ruby200-base/patches/patch-lib_rubygems_remote__fetcher.rb
@@ -0,0 +1,21 @@
+$NetBSD: patch-lib_rubygems_remote__fetcher.rb,v 1.1 2015/06/23 14:03:02 taca Exp $
+
+Fix for CVE-2015-3900.
+
+--- lib/rubygems/remote_fetcher.rb.orig	2013-10-24 14:31:17.000000000 +0000
++++ lib/rubygems/remote_fetcher.rb
+@@ -103,7 +103,13 @@ class Gem::RemoteFetcher
+     rescue Resolv::ResolvError
+       uri
+     else
+-      URI.parse "#{res.target}#{uri.path}"
++      target = res.target.to_s.strip
++
++      if /\.#{Regexp.quote(host)}\z/ =~ target
++        return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
++      end
++
++      uri
+     end
+   end
+
author	taca <taca@pkgsrc.org>	2015-06-23 14:03:02 +0000
committer	taca <taca@pkgsrc.org>	2015-06-23 14:03:02 +0000
commit	4523642b13d9ecf2247e6265268f98915a92555b (patch)
tree	a1e34b5114f065684a6851828bf66e1575d3a4d3 /lang/ruby200-base
parent	1d18598b9885aacf57add59014b465bd342b71bc (diff)
download	pkgsrc-4523642b13d9ecf2247e6265268f98915a92555b.tar.gz