authortaca <taca@pkgsrc.org>2015-06-23 14:03:02 +0000
committertaca <taca@pkgsrc.org>2015-06-23 14:03:02 +0000
commit4523642b13d9ecf2247e6265268f98915a92555b (patch)
treea1e34b5114f065684a6851828bf66e1575d3a4d3 /lang
parent1d18598b9885aacf57add59014b465bd342b71bc (diff)
downloadpkgsrc-4523642b13d9ecf2247e6265268f98915a92555b.tar.gz
Add security fix for rubygems, CVE-2015-3900.
Bump PKGREVISION.
Diffstat (limited to 'lang')
-rw-r--r--lang/ruby200-base/Makefile3
-rw-r--r--lang/ruby200-base/distinfo3
-rw-r--r--lang/ruby200-base/patches/patch-lib_rubygems_remote__fetcher.rb21
-rw-r--r--lang/ruby21-base/Makefile4
-rw-r--r--lang/ruby21-base/distinfo3
-rw-r--r--lang/ruby21-base/patches/patch-lib_rubygems_remote__fetcher.rb21
-rw-r--r--lang/ruby22-base/Makefile4
-rw-r--r--lang/ruby22-base/distinfo3
-rw-r--r--lang/ruby22-base/patches/patch-lib_rubygems_remote__fetcher.rb21
9 files changed, 75 insertions, 8 deletions
diff --git a/lang/ruby200-base/Makefile b/lang/ruby200-base/Makefile
index 59d5c2f248e..627cae969dd 100644
--- a/lang/ruby200-base/Makefile
+++ b/lang/ruby200-base/Makefile
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.18 2015/06/21 14:58:06 jperkin Exp $
+# $NetBSD: Makefile,v 1.19 2015/06/23 14:03:02 taca Exp $
#
DISTNAME= ${RUBY_DISTNAME}
PKGNAME= ${RUBY_PKGPREFIX}-base-${RUBY_VERSION_FULL}
+PKGREVISION= 1
CATEGORIES= lang ruby
MASTER_SITES= ${MASTER_SITE_RUBY}
diff --git a/lang/ruby200-base/distinfo b/lang/ruby200-base/distinfo
index 9e0f3e15298..4816124ab9b 100644
--- a/lang/ruby200-base/distinfo
+++ b/lang/ruby200-base/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.25 2015/04/30 03:34:31 taca Exp $
+$NetBSD: distinfo,v 1.26 2015/06/23 14:03:02 taca Exp $
SHA1 (ruby-2.0.0-p645.tar.bz2) = e724dd0e4a1e820a368be307aa0863a8ecf4b694
RMD160 (ruby-2.0.0-p645.tar.bz2) = cbfd9ca2a5fe5d6ea1d89da9fd934c864bf339ab
@@ -26,6 +26,7 @@ SHA1 (patch-lib_rubygems_dependency__installer.rb) = f4e40727d231b336c1d4c2303ac
SHA1 (patch-lib_rubygems_install__update__options.rb) = 22cfafe090db72211253b8528937e5be0e677ebf
SHA1 (patch-lib_rubygems_installer.rb) = 7ce68eaa5893c83780f7b4e1af44a88ae63a39cf
SHA1 (patch-lib_rubygems_platform.rb) = 135f2e9d6c0c529da9ffcea4b96507675cdf1f16
+SHA1 (patch-lib_rubygems_remote__fetcher.rb) = e6acc25febd819ca835cd4306f863d76aa67b106
SHA1 (patch-lib_rubygems_specification.rb) = 2a283cb7854580616df2b35357281c0a881cedf1
SHA1 (patch-man_erb.1) = 1fe6ce4f4fe6418bfabb5e132a63596562030116
SHA1 (patch-man_irb.1) = 2bf807b4c1b1c68d1f518caa054cfd900e0fedb7
diff --git a/lang/ruby200-base/patches/patch-lib_rubygems_remote__fetcher.rb b/lang/ruby200-base/patches/patch-lib_rubygems_remote__fetcher.rb
new file mode 100644
index 00000000000..c4144cc9942
--- /dev/null
+++ b/lang/ruby200-base/patches/patch-lib_rubygems_remote__fetcher.rb
@@ -0,0 +1,21 @@
+$NetBSD: patch-lib_rubygems_remote__fetcher.rb,v 1.1 2015/06/23 14:03:02 taca Exp $
+
+Fix for CVE-2015-3900.
+
+--- lib/rubygems/remote_fetcher.rb.orig 2013-10-24 14:31:17.000000000 +0000
++++ lib/rubygems/remote_fetcher.rb
+@@ -103,7 +103,13 @@ class Gem::RemoteFetcher
+ rescue Resolv::ResolvError
+ uri
+ else
+- URI.parse "#{res.target}#{uri.path}"
++ target = res.target.to_s.strip
++
++ if /\.#{Regexp.quote(host)}\z/ =~ target
++ return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
++ end
++
++ uri
+ end
+ end
+
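Review bot: The new guard `if /\.#{Regexp.quote(host)}\z/ =~ target` checks the raw SRV target string, not the host that `URI.parse` later derives from `"#{uri.scheme}://#{target}#{uri.path}"`. If the DNS answer is not a bare hostname, the string can end in `.<host>` while the parsed URI's host is a different name. Validate the parsed component instead, for example `candidate = URI.parse "#{uri.scheme}://#{target}#{uri.path}"` followed by `return candidate if candidate.host.to_s.end_with?(".#{host}")`, and fall through to `uri` otherwise. A short comment such as `# Only follow the SRV target when it is a subdomain of the host we asked about` would also record why the fallback exists. The same lines are added in the ruby21-base and ruby22-base patches; `host` is assigned outside the hunk, and the enclosing method begins above it.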
diff --git a/lang/ruby21-base/Makefile b/lang/ruby21-base/Makefile
index bf917d1cb64..3c08e3e5794 100644
--- a/lang/ruby21-base/Makefile
+++ b/lang/ruby21-base/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.13 2015/06/21 15:10:17 jperkin Exp $
+# $NetBSD: Makefile,v 1.14 2015/06/23 14:04:03 taca Exp $
#
DISTNAME= ${RUBY_DISTNAME}
PKGNAME= ${RUBY_PKGPREFIX}-base-${RUBY_VERSION_FULL}
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= lang ruby
MASTER_SITES= ${MASTER_SITE_RUBY}
diff --git a/lang/ruby21-base/distinfo b/lang/ruby21-base/distinfo
index 1e9114bc580..05322409015 100644
--- a/lang/ruby21-base/distinfo
+++ b/lang/ruby21-base/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.17 2015/04/30 03:27:20 taca Exp $
+$NetBSD: distinfo,v 1.18 2015/06/23 14:04:03 taca Exp $
SHA1 (ruby-2.1.6.tar.bz2) = 380c3a5fa508fdaa2b227dbc00c56f703fd271d4
RMD160 (ruby-2.1.6.tar.bz2) = fa473e794ee0df4cd30aebfa70af16840a618c43
@@ -27,6 +27,7 @@ SHA1 (patch-lib_rubygems_dependency__installer.rb) = d88441fe44de8ee61a5548dfbe0
SHA1 (patch-lib_rubygems_install__update__options.rb) = 9a15d509928aa0440691bef8ad43bbfd2688542f
SHA1 (patch-lib_rubygems_installer.rb) = e3c077156f135b9a8a368ea39e2728a60e6f4378
SHA1 (patch-lib_rubygems_platform.rb) = 965a916814127ef78f43b89b7af5e06d5d83b24f
+SHA1 (patch-lib_rubygems_remote__fetcher.rb) = 860f82ea7de78150a35130942eaf719c9c622c87
SHA1 (patch-lib_rubygems_specification.rb) = 0b30e2da8b5621ffc0f91fadc94f06ba30f47d41
SHA1 (patch-lib_rubygems_uninstaller.rb) = 87fdddc435440aab57a6d44aba64abd0b2de6907
SHA1 (patch-man_erb.1) = 1fe6ce4f4fe6418bfabb5e132a63596562030116
diff --git a/lang/ruby21-base/patches/patch-lib_rubygems_remote__fetcher.rb b/lang/ruby21-base/patches/patch-lib_rubygems_remote__fetcher.rb
new file mode 100644
index 00000000000..8511d602784
--- /dev/null
+++ b/lang/ruby21-base/patches/patch-lib_rubygems_remote__fetcher.rb
@@ -0,0 +1,21 @@
+$NetBSD: patch-lib_rubygems_remote__fetcher.rb,v 1.1 2015/06/23 14:04:03 taca Exp $
+
+Fix for CVE-2015-3900.
+
+--- lib/rubygems/remote_fetcher.rb.orig 2014-02-06 02:59:36.000000000 +0000
++++ lib/rubygems/remote_fetcher.rb
+@@ -90,7 +90,13 @@ class Gem::RemoteFetcher
+ rescue Resolv::ResolvError
+ uri
+ else
+- URI.parse "#{uri.scheme}://#{res.target}#{uri.path}"
++ target = res.target.to_s.strip
++
++ if /\.#{Regexp.quote(host)}\z/ =~ target
++ return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
++ end
++
++ uri
+ end
+ end
+
diff --git a/lang/ruby22-base/Makefile b/lang/ruby22-base/Makefile
index a5956dc720d..f9e719a5b00 100644
--- a/lang/ruby22-base/Makefile
+++ b/lang/ruby22-base/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.2 2015/04/30 03:27:52 taca Exp $
+# $NetBSD: Makefile,v 1.3 2015/06/23 14:04:40 taca Exp $
#
DISTNAME= ${RUBY_DISTNAME}
PKGNAME= ${RUBY_PKGPREFIX}-base-${RUBY_VERSION_FULL}
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= lang ruby
MASTER_SITES= ${MASTER_SITE_RUBY}
diff --git a/lang/ruby22-base/distinfo b/lang/ruby22-base/distinfo
index a140b64ae66..6b6dcff6e3a 100644
--- a/lang/ruby22-base/distinfo
+++ b/lang/ruby22-base/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.4 2015/04/30 03:27:52 taca Exp $
+$NetBSD: distinfo,v 1.5 2015/06/23 14:04:40 taca Exp $
SHA1 (ruby-2.2.2.tar.bz2) = de97ec6132ac76bb7c0f92b5ca4682138093af1b
RMD160 (ruby-2.2.2.tar.bz2) = af9f1c4de12fc25c0d6e20bf339cc13e7d89df2d
@@ -15,6 +15,7 @@ SHA1 (patch-lib_rubygems_dependency__installer.rb) = 33279f961cc4c530f0d81c8b415
SHA1 (patch-lib_rubygems_install__update__options.rb) = 8ec3a2387f3a83e19d76b7a900ebf3b37bdcc043
SHA1 (patch-lib_rubygems_installer.rb) = 864f3f8fe2949aedd85f730e447d8495f58d3b25
SHA1 (patch-lib_rubygems_platform.rb) = 2bddd029a2678de5a5d016af33f629caa712fbce
+SHA1 (patch-lib_rubygems_remote__fetcher.rb) = 02c149b7b29e457dad909ebec38691440e192816
SHA1 (patch-man_erb.1) = 1fe6ce4f4fe6418bfabb5e132a63596562030116
SHA1 (patch-man_irb.1) = 2bf807b4c1b1c68d1f518caa054cfd900e0fedb7
SHA1 (patch-man_ri.1) = b07be05375977cfac0f88765a95e85db4f858885
diff --git a/lang/ruby22-base/patches/patch-lib_rubygems_remote__fetcher.rb b/lang/ruby22-base/patches/patch-lib_rubygems_remote__fetcher.rb
new file mode 100644
index 00000000000..66ffba2fd3d
--- /dev/null
+++ b/lang/ruby22-base/patches/patch-lib_rubygems_remote__fetcher.rb
@@ -0,0 +1,21 @@
+$NetBSD: patch-lib_rubygems_remote__fetcher.rb,v 1.1 2015/06/23 14:04:40 taca Exp $
+
+Fix for CVE-2015-3900.
+
+--- lib/rubygems/remote_fetcher.rb.orig 2014-11-17 03:55:02.000000000 +0000
++++ lib/rubygems/remote_fetcher.rb
+@@ -94,7 +94,13 @@ class Gem::RemoteFetcher
+ rescue Resolv::ResolvError
+ uri
+ else
+- URI.parse "#{uri.scheme}://#{res.target}#{uri.path}"
++ target = res.target.to_s.strip
++
++ if /\.#{Regexp.quote(host)}\z/ =~ target
++ return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
++ end
++
++ uri
+ end
+ end
+