Hello community, here is the log from the commit of package ruby2.5 for openSUSE:Leap:15.2 checked in at 2020-03-23 17:26:30 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/ruby2.5 (Old) and /work/SRC/openSUSE:Leap:15.2/.ruby2.5.new.3160 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ruby2.5" Mon Mar 23 17:26:30 2020 rev:43 rq:787296 version:2.5.7 Changes: --------
--- /work/SRC/openSUSE:Leap:15.2/ruby2.5/ruby2.5.changes 2020-01-15 15:58:18.747763028 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.ruby2.5.new.3160/ruby2.5.changes 2020-03-23 17:26:33.858155945 +0100
@@ -1,0 +2,37 @@
+Fri Mar 6 14:40:34 UTC 2020 - Marcus Rueckert <mrueck...@suse.de>
+
+- Fix CVE-2020-8130 (boo# 1164804) for the intree copy of rake:
+ - add CVE-2020-8130.patch and rake-12.3.0.gem
+
+-------------------------------------------------------------------
+Thu Feb 6 12:35:53 UTC 2020 - Marcus Rueckert <mrueck...@suse.de>
+
+- remove test files which are not needed at runtime (boo#1162396)
+ - adds remove-unneeded-files.patch and did_you_mean-1.2.0.gem
+
+-------------------------------------------------------------------
+Tue Oct 8 09:40:27 UTC 2019 - Marcus Rueckert <mrueck...@suse.de>
+
+- update to 2.5.7
+ - https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-5-7-released/
+ - CVE-2019-16255: A code injection vulnerability of Shell#[]
+ and Shell#test (boo#1152990)
+ - CVE-2019-16254: HTTP response splitting in WEBrick
+ (Additional fix) (boo#1152992)
+ - CVE-2019-15845: A NUL injection vulnerability of File.fnmatch
+ and File.fnmatch? (boo#1152994)
+ - CVE-2019-16201: Regular Expression Denial of Service
+ vulnerability of WEBrickâs Digest access authentication
+ (boo#1152995)
+ - https://www.ruby-lang.org/en/news/2019/08/28/ruby-2-5-6-released/
+ - Multiple jQuery vulnerabilities in RDoc (CVE-2012-6708
+ CVE-2015-9251)
+
+-------------------------------------------------------------------
+Tue Jul 9 14:16:36 UTC 2019 - Marcus Rueckert <mrueck...@suse.de>
+
+- fix running tests (boo#1140844)
+ just passing the DISABLED_TESTS variable is wrong. probably a
+ relict from calling the test scripts directly. use TESTOPTS now.
+
+-------------------------------------------------------------------
Old: ---- ruby-2.5.5.tar.xz New: ---- CVE-2020-8130.patch did_you_mean-1.2.0.gem rake-12.3.0.gem remove-unneeded-files.patch ruby-2.5.7.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ruby2.5.spec ++++++
--- /var/tmp/diff_new_pack.sSPXmG/_old 2020-03-23 17:26:35.294157076 +0100
+++ /var/tmp/diff_new_pack.sSPXmG/_new 2020-03-23 17:26:35.298157079 +0100
@@ -25,7 +25,7 @@
 ####
 %define patch_level p0
-Version: 2.5.5
+Version: 2.5.7
 Release: 0
 %define pkg_version %{version}
 # make the exported API version explicit
@@ -125,6 +125,9 @@
 #
 Url: https://www.ruby-lang.org/
 Source: https://cache.ruby-lang.org/pub/ruby/2.5/ruby-%{pkg_version}.tar.xz
+# the file was created by applying all patches and then running gem build in the gems/did_you_mean-1.2.0 directory
+Source1: did_you_mean-1.2.0.gem
+Source2: rake-12.3.0.gem
 #
 Source3: %{name}.macros
 Source4: %{name}-default.macros
@@ -138,6 +141,10 @@
 Patch05: 0005-Include-the-alternative-malloc-header-instead-of-mal.patch
 Patch06: 0006-Use-PIE-for-the-binaries.patch
 Patch07: 0007-date-support-for-Reiwa-new-Japanese-era.patch
+# this can not be in our backports git as the files are not there yet
+Patch08: remove-unneeded-files.patch
+Patch09: CVE-2020-8130.patch
+
 #
 Summary: An Interpreted Object-Oriented Scripting Language
 License: BSD-2-Clause OR Ruby
@@ -294,11 +301,15 @@
 %patch05 -p1
 %patch06 -p1
 %patch07 -p1
+%patch08 -p1
+%patch09 -p1
 find sample -type f -print0 | xargs -r0 chmod a-x
 grep -Erl '^#! */' benchmark bootstraptest ext lib sample test \
 | xargs -r perl -p -i -e 's|^#!\s*\S+(\s+.*)?$|#!/usr/bin/ruby%{rb_binary_suffix} $1|'
 %build
+rm -rv gems/did_you_mean-1.2.0/evaluation
+cp %{SOURCE1} %{SOURCE2} gems/
 # iseq.c needs -fno-strict-aliasing
 export LANG="en_US.UTF-8"
 export LC_ALL="en_US.UTF-8"
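Review bot: The provenance comment above `Source1` explains only how did_you_mean-1.2.0.gem was produced; `Source2: rake-12.3.0.gem` is a prebuilt archive with no such note, and judging by the `cp %{SOURCE1} %{SOURCE2} gems/` step added in %build it replaces the bundled gem that ends up installed, so it only carries the CVE-2020-8130 fix if it was rebuilt from the tree after `CVE-2020-8130.patch` was applied. Nothing in the spec makes that coupling visible or checks it, so a future refresh of the patch without regenerating the .gem would leave the installed rake unfixed while the build still succeeds. I would extend the comment to `# both .gem files were rebuilt (gem build) from the patched gems/<name>-<version> trees; regenerate rake-12.3.0.gem whenever CVE-2020-8130.patch changes`, and consider running gem build inside %build instead of shipping the archives as sources so they cannot drift from the patches. The %build section continues outside the hunk.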
@@ -388,7 +399,7 @@
 %if %{with run_tests}
 %check
-DISABLE_TESTS="-x resolv/test_mdns.rb"
+DISABLE_TESTS=""
 %ifarch armv7l armv7hl armv7hnl
 # test_call_double(DL::TestDL) fails on ARM HardFP
 # http://bugs.ruby-lang.org/issues/6592
@@ -403,7 +414,7 @@
 export OPENSSL_ENABLE_MD5_VERIFY=1
 export LD_LIBRARY_PATH="$PWD"
 # we know some tests will fail when they do not find a /usr/bin/ruby
-make check V=1 $DISABLE_TESTS ||:
+make check V=1 TESTOPTS="$DISABLE_TESTS" ||:
 %endif
 %post -n %{libname} -p /sbin/ldconfig
++++++ CVE-2020-8130.patch ++++++
Index: ruby-2.5.7/gems/rake-12.3.0/lib/rake/file_list.rb
===================================================================
--- ruby-2.5.7.orig/gems/rake-12.3.0/lib/rake/file_list.rb
+++ ruby-2.5.7/gems/rake-12.3.0/lib/rake/file_list.rb
@@ -294,7 +294,7 @@ module Rake
 matched = 0
 each do |fn|
 begin
- open(fn, "r", *options) do |inf|
+ File.open(fn, "r", *options) do |inf|
 count = 0
 inf.each do |line|
 count += 1
++++++ remove-unneeded-files.patch ++++++
Index: ruby-2.5.7/gems/did_you_mean-1.2.0/did_you_mean.gemspec
===================================================================
--- ruby-2.5.7.orig/gems/did_you_mean-1.2.0/did_you_mean.gemspec
+++ ruby-2.5.7/gems/did_you_mean-1.2.0/did_you_mean.gemspec
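Review bot: `DISABLE_TESTS=""` drops the `-x resolv/test_mdns.rb` exclusion without any explanation, and the changelog entry only justifies the switch to TESTOPTS, not why that test no longer needs skipping; if it was previously never skipped only because the variable was passed to make instead of the runner, it may now start running and failing. Because the `make check V=1 TESTOPTS="$DISABLE_TESTS" ||:` in the hunk at line 414 masks every failure, such a regression would not show up as a build error. I would either keep the exclusion, `DISABLE_TESTS="-x resolv/test_mdns.rb"`, with a comment stating why that test is skipped, or add `# TESTOPTS is handed to the test runner; list tests to skip here as "-x <path>"` above the assignment. The %ifarch block that presumably appends to DISABLE_TESTS continues outside the hunk.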
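Review bot: The change to `File.open` is the correct fix, but nothing in the hunk records why `Kernel#open` had to go, so a later tidy-up could reintroduce it unnoticed; I would add, above the call, `# File.open, not Kernel#open: a path beginning with "|" would otherwise be run as a command (CVE-2020-8130)`. The `*options` splat is still forwarded unchanged, and whether its contents can be caller-controlled is not visible here. The `begin`/`rescue` around the call and the enclosing method start and end outside the hunk.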
@@ -11,7 +11,7 @@ Gem::Specification.new do |s| s.date = "2017-12-13" s.description = "The gem that has been saving people from typos since 2014.".freeze s.email = ["m...@yukinishijima.net".freeze] - s.files = [".gitignore".freeze, ".ruby-version".freeze, ".travis.yml".freeze, "CHANGELOG.md".freeze, "Gemfile".freeze, "LICENSE.txt".freeze, "README.md".freeze, "Rakefile".freeze, "benchmark/jaro_winkler/memory_usage.rb".freeze, "benchmark/jaro_winkler/speed.rb".freeze, "benchmark/levenshtein/memory_usage.rb".freeze, "benchmark/levenshtein/speed.rb".freeze, "benchmark/memory_usage.rb".freeze, "did_you_mean.gemspec".freeze, "doc/CHANGELOG.md.erb".freeze, "doc/changelog_generator.rb".freeze, "evaluation/calculator.rb".freeze, "evaluation/dictionary_generator.rb".freeze, "evaluation/incorrect_words.yaml".freeze, "lib/did_you_mean.rb".freeze, "lib/did_you_mean/core_ext/name_error.rb".freeze, "lib/did_you_mean/experimental.rb".freeze, "lib/did_you_mean/experimental/initializer_name_correction.rb".freeze, "lib/did_you_mean/experimental/ivar_name_correction.rb".freeze, "lib/did_you_mean/formatters/plain_formatter.rb".freeze, "lib/did_you_mean/formatters/verbose_formatter.rb".freeze, "lib/did_you_mean/jaro_winkler.rb".freeze, "lib/did_you_mean/levenshtein.rb".freeze, "lib/did_you_mean/spell_checker.rb".freeze, "lib/did_you_mean/spell_checkers/key_error_checker.rb".freeze, "lib/did_you_mean/spell_checkers/method_name_checker.rb".freeze, "lib/did_you_mean/spell_checkers/name_error_checkers.rb".freeze, "lib/did_you_mean/spell_checkers/name_error_checkers/class_name_checker.rb".freeze, "lib/did_you_mean/spell_checkers/name_error_checkers/variable_name_checker.rb".freeze, "lib/did_you_mean/spell_checkers/null_checker.rb".freeze, "lib/did_you_mean/verbose.rb".freeze, "lib/did_you_mean/verbose_formatter.rb".freeze, "lib/did_you_mean/version.rb".freeze, "test/core_ext/name_error_extension_test.rb".freeze, "test/edit_distance/jaro_winkler_test.rb".freeze, 
"test/experimental/initializer_name_correction_test.rb".freeze, "test/experimental/method_name_checker_test.rb".freeze, "test/spell_checker_test.rb".freeze, "test/spell_checking/class_name_check_test.rb".freeze, "test/spell_checking/key_name_check_test.rb".freeze, "test/spell_checking/method_name_check_test.rb".freeze, "test/spell_checking/uncorrectable_name_check_test.rb".freeze, "test/spell_checking/variable_name_check_test.rb".freeze, "test/test_helper.rb".freeze, "test/verbose_formatter_test.rb".freeze] + s.files = [".gitignore".freeze, ".ruby-version".freeze, ".travis.yml".freeze, "CHANGELOG.md".freeze, "Gemfile".freeze, "LICENSE.txt".freeze, "README.md".freeze, "Rakefile".freeze, "benchmark/jaro_winkler/memory_usage.rb".freeze, "benchmark/jaro_winkler/speed.rb".freeze, "benchmark/levenshtein/memory_usage.rb".freeze, "benchmark/levenshtein/speed.rb".freeze, "benchmark/memory_usage.rb".freeze, "did_you_mean.gemspec".freeze, "doc/CHANGELOG.md.erb".freeze, "doc/changelog_generator.rb".freeze, "evaluation/calculator.rb".freeze, "evaluation/dictionary_generator.rb".freeze, "evaluation/incorrect_words.yaml".freeze, "lib/did_you_mean.rb".freeze, "lib/did_you_mean/core_ext/name_error.rb".freeze, "lib/did_you_mean/experimental.rb".freeze, "lib/did_you_mean/experimental/initializer_name_correction.rb".freeze, "lib/did_you_mean/experimental/ivar_name_correction.rb".freeze, "lib/did_you_mean/formatters/plain_formatter.rb".freeze, "lib/did_you_mean/formatters/verbose_formatter.rb".freeze, "lib/did_you_mean/jaro_winkler.rb".freeze, "lib/did_you_mean/levenshtein.rb".freeze, "lib/did_you_mean/spell_checker.rb".freeze, "lib/did_you_mean/spell_checkers/key_error_checker.rb".freeze, "lib/did_you_mean/spell_checkers/method_name_checker.rb".freeze, "lib/did_you_mean/spell_checkers/name_error_checkers.rb".freeze, "lib/did_you_mean/spell_checkers/name_error_checkers/class_name_checker.rb".freeze, "lib/did_you_mean/spell_checkers/name_error_checkers/variable_name_checker.rb".freeze, 
"lib/did_you_mean/spell_checkers/null_checker.rb".freeze, "lib/did_you_mean/verbose.rb".freeze, "lib/did_you_mean/verbose_formatter.rb".freeze, "lib/did_you_mean/version.rb".freeze, "test/core_ext/name_error_extension_test.rb".freeze, "test/edit_distance/jaro_winkler_test.rb".freeze, "test/experimental/initializer_name_correction_test.rb".freeze, "test/experimental/method_name_checker_test.rb".freeze, "test/spell_checker_test.rb".freeze, "test/spell_checking/class_name_check_test.rb".freeze, "test/spell_checking/key_name_check_test.rb".freeze, "test/spell_checking/method_name_check_test.rb".freeze, "test/spell_checking/uncorrectable_name_check_test.rb".freeze, "test/spell_checking/variable_name_check_test.rb".freeze, "test/test_helper.rb".freeze, "test/verbose_formatter_test.rb".freeze].reject{|path| path.start_with?('evaluation/') } s.homepage = "https://github.com/yuki24/did_you_mean".freeze s.licenses = ["MIT".freeze] s.required_ruby_version = Gem::Requirement.new(">= 2.5.0dev".freeze) ++++++ ruby-2.5.5.tar.xz -> ruby-2.5.7.tar.xz ++++++ /work/SRC/openSUSE:Leap:15.2/ruby2.5/ruby-2.5.5.tar.xz /work/SRC/openSUSE:Leap:15.2/.ruby2.5.new.3160/ruby-2.5.7.tar.xz differ: char 26, line 1