From a6a08fef90e544be9ffa0e06a5de99a9b62cb92e Mon Sep 17 00:00:00 2001
From: tron
Date: Fri, 20 Feb 2015 20:18:59 +0000
Subject: Pullup ticket #4620 - requested by taca lang/ruby18-base: security patch
Revisions pulled up:
- lang/ruby18-base/Makefile 1.83
- lang/ruby18-base/distinfo 1.61
- lang/ruby18-base/patches/patch-lib_rexml_entity.rb 1.1
---
Module Name: pkgsrc
Committed By: taca
Date: Mon Feb 16 14:03:32 UTC 2015
Modified Files:
pkgsrc/lang/ruby18-base: Makefile distinfo
Added Files:
pkgsrc/lang/ruby18-base/patches: patch-lib_rexml_entity.rb
Log Message:
Add fix for CVE-2015-1426.
Bump PKGREVISION.
---
 lang/ruby18-base/Makefile | 4 ++--
 lang/ruby18-base/distinfo | 3 ++-
 lang/ruby18-base/patches/patch-lib_rexml_entity.rb | 22 ++++++++++++++++++++++
 3 files changed, 26 insertions(+), 3 deletions(-)
 create mode 100644 lang/ruby18-base/patches/patch-lib_rexml_entity.rb
diff --git a/lang/ruby18-base/Makefile b/lang/ruby18-base/Makefile
index a07726f54c9..3c9a4b3cba4 100644
--- a/lang/ruby18-base/Makefile
+++ b/lang/ruby18-base/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.82 2014/06/26 15:59:31 jperkin Exp $
+# $NetBSD: Makefile,v 1.82.6.1 2015/02/20 20:18:59 tron Exp $
 #
 DISTNAME= ${RUBY_DISTNAME}
 PKGNAME= ${RUBY_PKGPREFIX}-base-${RUBY_VERSION_FULL}
-PKGREVISION= 1
+PKGREVISION= 2
 CATEGORIES= lang ruby
 MASTER_SITES= ${MASTER_SITE_RUBY}
diff --git a/lang/ruby18-base/distinfo b/lang/ruby18-base/distinfo
index 93790f832e7..5adba4b328e 100644
--- a/lang/ruby18-base/distinfo
+++ b/lang/ruby18-base/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.60 2013/11/24 15:26:30 taca Exp $
+$NetBSD: distinfo,v 1.60.10.1 2015/02/20 20:18:59 tron Exp $
 SHA1 (ruby-1.8.7-p374.tar.bz2) = cf82b6cbeed8e389705aa6b66c2a8141626705c3
 RMD160 (ruby-1.8.7-p374.tar.bz2) = 314efaa961c80c9294202c6e40dec0e38865ed94
@@ -50,3 +50,4 @@ SHA1 (patch-ga) = 73f50504baf74ee77d00dcfb5a9446bbaf122726
 SHA1 (patch-gb) = 345ad3e5df6fd9febe7b398f091662fd7c300dc4
 SHA1 (patch-lib_rdoc_options.rb) = 0f14417733ad6fc6fbc93af1c8463ecd59abce7c
 SHA1 (patch-lib_rdoc_rdoc.rb) = bef895245cc06ca84fd1e5d506c3c65932921b3a
+SHA1 (patch-lib_rexml_entity.rb) = 5038826abfa6a56406fe369dfc74c9fe096665f6
diff --git a/lang/ruby18-base/patches/patch-lib_rexml_entity.rb b/lang/ruby18-base/patches/patch-lib_rexml_entity.rb
new file mode 100644
index 00000000000..6745547f49c
--- /dev/null
+++ b/lang/ruby18-base/patches/patch-lib_rexml_entity.rb
@@ -0,0 +1,22 @@
+$NetBSD: patch-lib_rexml_entity.rb,v 1.1.2.2 2015/02/20 20:18:59 tron Exp $
+
+Fix for CVE-2015-1426.
+
+--- lib/rexml/entity.rb.orig 2009-02-05 00:03:56.000000000 +0000
++++ lib/rexml/entity.rb
+@@ -138,8 +138,15 @@ module REXML
+ matches = @value.scan(PEREFERENCE_RE)
+ rv = @value.clone
+ if @parent
++ sum = 0
+ matches.each do |entity_reference|
+ entity_value = @parent.entity( entity_reference[0] )
++ if sum + entity_value.bytesize > Document.entity_expansion_text_limit
++ raise "entity expansion has grown too large"
++ else
++ sum += entity_value.bytesize
++ end
++
+ rv.gsub!( /%#{entity_reference};/um, entity_value )
+ end
+ end
--
cgit v1.2.3
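Review bot: The added size check dereferences `entity_value.bytesize` before anything confirms that `@parent.entity( entity_reference[0] )` found a declaration, so if that lookup can return nil for an undeclared parameter entity (its definition is outside this hunk) the failure mode shifts from the TypeError the existing `gsub!` would raise on a nil replacement to a NoMethodError on nil; worth confirming against `DocType#entity`, or guarding with `raise "undeclared parameter entity #{entity_reference[0]}" unless entity_value` ahead of the check. The limit is reported with a bare `raise`, i.e. a RuntimeError rather than a `REXML::ParseException`, so callers that only rescue parse errors will not see it, and the check presupposes that `Document.entity_expansion_text_limit` already exists in the 1.8.7-p374 tree being patched — neither is visible here and both should be confirmed. The `else` after `raise` is redundant (`sum += entity_value.bytesize` could simply follow the guard), but keeping the hunk byte-for-byte with upstream eases future merges, so I would leave it as is. The patch header `Fix for CVE-2015-1426.` should also name where the hunk was taken from, e.g. `Fix for CVE-2015-1426 (backport of upstream Ruby change <UPSTREAM-REVISION>).`. The enclosing `unnormalized` method starts and ends outside the hunk.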