This fixes CVE-2013-4287 and CVE-2013-4363, both denial-of-service vulnerabilities caused by algorithmic complexity (catastrophic regex backtracking) in Gem::Version parsing:
https://github.com/rubygems/rubygems/blob/master/CVE-2013-4287.txt
https://github.com/rubygems/rubygems/blob/master/CVE-2013-4363.txt

This is a patch for devel/rubygems (for ruby 1.8) and lang/ruby/1.9. lang/ruby/2.0 doesn't need the patch as it was included in the last upstream patch level release. The lang/ruby/1.9 patch has already been applied upstream.

I plan on committing this tomorrow unless I hear objections.

Thanks,
Jeremy

Index: lang/ruby/1.9/Makefile
===================================================================
RCS file: /cvs/ports/lang/ruby/1.9/Makefile,v
retrieving revision 1.41
diff -u -p -r1.41 Makefile
--- lang/ruby/1.9/Makefile	25 Nov 2013 14:16:23 -0000	1.41
+++ lang/ruby/1.9/Makefile	1 Dec 2013 23:46:24 -0000
@@ -23,6 +23,8 @@ PKGNAME-ri_docs = ruby-ri_docs-${VERSION
 PKG_ARCH-ri_docs = *
 WANTLIB-ri_docs = # empty
 
+REVISION-main = 0
+
 PKGSPEC-main = ruby->=1.9,<1.10
 
 CONFIGURE_ARGS = --program-suffix=19 \
Index: lang/ruby/1.9/patches/patch-lib_rubygems_version_rb
===================================================================
RCS file: lang/ruby/1.9/patches/patch-lib_rubygems_version_rb
diff -N lang/ruby/1.9/patches/patch-lib_rubygems_version_rb
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ lang/ruby/1.9/patches/patch-lib_rubygems_version_rb	1 Dec 2013 23:42:43 -0000
@@ -0,0 +1,17 @@
+$OpenBSD$
+
+Backport fix for CVE-2013-4287 and CVE-2013-4363.
+
+--- lib/rubygems/version.rb.orig	Sun Dec  1 15:40:49 2013
++++ lib/rubygems/version.rb	Sun Dec  1 15:40:51 2013
+@@ -145,8 +145,8 @@ class Gem::Version
+ 
+   include Comparable
+ 
+-  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*' # :nodoc:
+-  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
++  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:
++  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
+ 
+   ##
+   # A string representation of this Version.
Index: devel/ruby-gems/Makefile
===================================================================
RCS file: /cvs/ports/devel/ruby-gems/Makefile,v
retrieving revision 1.29
diff -u -p -r1.29 Makefile
--- devel/ruby-gems/Makefile	20 Mar 2013 19:13:50 -0000	1.29
+++ devel/ruby-gems/Makefile	1 Dec 2013 23:41:57 -0000
@@ -5,7 +5,7 @@ COMMENT= package management framework fo
 V= 1.8.23
 DISTNAME= rubygems-$V
 PKGNAME= ruby-gems-$V
-REVISION= 0
+REVISION= 1
 CATEGORIES= devel
 
 HOMEPAGE= http://docs.rubygems.org/
Index: devel/ruby-gems/patches/patch-lib_rubygems_version_rb
===================================================================
RCS file: devel/ruby-gems/patches/patch-lib_rubygems_version_rb
diff -N devel/ruby-gems/patches/patch-lib_rubygems_version_rb
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ devel/ruby-gems/patches/patch-lib_rubygems_version_rb	1 Dec 2013 23:41:39 -0000
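Review bot: The patch header says only "Backport fix for CVE-2013-4287 and CVE-2013-4363" and does not record why these two regex edits are sufficient, which the next person bumping this port will need to judge whether the patch can be dropped; I'd extend the header comment with: `The (?>...) atomic group stops the engine backtracking into the dotted components, and the outer group in ANCHORED_VERSION_PATTERN is now optional (?) rather than repeated (*), so there is no longer a nested quantifier over [0-9]+ that explodes on inputs like "1." repeated many times followed by a non-matching character.` VERSION_PATTERN is a plain string, and upstream interpolates it into other regexes as well (Gem::Requirement's pattern, as far as I recall), so fixing the string rather than only ANCHORED_VERSION_PATTERN is what protects those callers too — worth confirming lib/rubygems/requirement.rb in the 1.9.3 tree uses the same constant. Before commit I'd sanity-check that `Gem::Version.correct?("1.2.3.pre")` is still true and that `Gem::Version.correct?(("1." * 50) + "x")` returns immediately under the patched lib; note that empty and whitespace-only strings still match ANCHORED_VERSION_PATTERN exactly as before, which is intentional here.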
@@ -0,0 +1,17 @@
+$OpenBSD$
+
+Backport fix for CVE-2013-4287 and CVE-2013-4363.
+
+--- lib/rubygems/version.rb.orig	Sun Dec  1 15:40:49 2013
++++ lib/rubygems/version.rb	Sun Dec  1 15:40:51 2013
+@@ -145,8 +145,8 @@ class Gem::Version
+ 
+   include Comparable
+ 
+-  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*' # :nodoc:
+-  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
++  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:
++  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
+ 
+   ##
+   # A string representation of this Version.
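Review bot: This devel/ruby-gems patch is byte-identical to the lang/ruby/1.9 one, and it introduces an `(?>...)` atomic group into a file that will be executed by ruby 1.8's regexp engine rather than 1.9's Oniguruma; ruby 1.8 does support atomic grouping, but since nothing in this diff exercises it, I'd load the patched lib under ruby18 and check `Gem::Version.correct?("1.2.3")` and `Gem::Version.new("1.2.3") < Gem::Version.new("1.10")` still behave before commit. It would also help to say in the patch header that this is the same backport as lang/ruby/1.9/patches/patch-lib_rubygems_version_rb (rubygems 1.8.23 is what ruby 1.9.3 bundles, hence the identical -145 offset), so a future update to either port remembers to touch both.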