commit ruby for openSUSE:11.3
Hello community,
here is the log from the commit of package ruby for openSUSE:11.3
checked in at Mon Jan 16 01:18:38 CET 2012.
--- old-versions/11.3/UPDATES/all/ruby/ruby.changes 2011-05-12
18:36:28.0 +0200
+++ 11.3/ruby/ruby.changes 2012-01-12 16:53:17.0 +0100
@@ -1,0 +2,59 @@
+Thu Jan 12 15:46:36 UTC 2012 - mrueck...@suse.de
+
+- update to 1.8.7.p357 (bnc#739122)
+ - randomize hash to avoid algorithmic complexity attacks.
+CVE-2011-4815
+ - initialization of hash_seed to be at the beginning of the
+process.
+ - initialize random seed at first.
+ - call OpenSSL::Random.seed at the SecureRandom.random_bytes
+call. insert separators for array join. patch by Masahiro
+Tomita. [ruby-dev:44270]
+ - mkconfig.rb: fix for continued lines. based on a patch from
+Marcus Rueckert at [ruby-core:20420].
+ - Infinity is greater than any bignum number. [ruby-dev:38672]
+ - initialize store->ex_data.sk. [ruby-core:28907]
+[ruby-core:23971] [ruby-core:18121]
+
+---
+Wed Dec 21 16:51:11 UTC 2011 - mrueck...@suse.de
+
+- update to 1.8.7.p352 (Fate #312657) (bnc#704409)
+ - support for openssl compiled without SSLv2
+ - multilib support for tk build
+ - some IPv6 related fixes
+ - zlib fixes
+ - reinitialize PRNG when forking children
+(CVE-2011-2686/CVE-2011-3009)
+ - securerandom fixes (CVE-2011-2705)
+ - uri route_to fixes
+ - fix race condition with variables and autoload
+- drop 1887f60a8540f64f5c7bb14d57c0be70506941b8.patch
+ included upstream
+- drop ruby-1.8.7.p22_tcltk-multilib.patch
+ solved differently upstream
+- switched rb_arch macro to use RUBY_PLATFORM
+- dropped patches:
+ ruby_1.8.6.p36_date_remove_privat.patch
+ ruby-1.8.6.p36_socket_ipv6.patch
+ ruby-1.8.7.p22_lib64.patch
+ ruby-1.8.7.p22_tcltk-multilib.patch
+ ruby-1.8.x_bigdecimal_memory_corruption.patch
+ ruby-1.8.x_exception_tainted_message.patch
+ ruby-1.8.x_fileutils_symlink_race.patch
+ ruby-1.8.x_net_http_close_in_rescue.patch
+ ruby-1.8.x_openssl-1.0.patch
+ ruby-1.8.x_openssl-1.0-tests.patch
+ ruby-1.8.x_webrick_charset_issue.patch
+ ruby-pedantic-headers.diff
+- new patches
+ ruby-1.8.7.p299_lib64.patch
+ ruby-1.8.7.p299_date_remove_privat.patch
+ ruby-1.8.7.p299_pedantic-headers.patch
+ ruby-1.8.x_digest_non_void_return.patch
+ ruby-1.8.x_openssl_branch_update.patch
+ ruby-1.8.x_yaml2byte.patch
+ ruby-1.8.7.p334_remove_zlib_test_params_test.patch
+ ruby-1.8.x_rubylibdir.patch
+
+---
calling whatdependson for 11.3-i586
Old:
ruby-1.8.6.p36_socket_ipv6.patch
ruby-1.8.7-p249.tar.bz2
ruby-1.8.7-p72_topdir.patch
ruby-1.8.7-p72_vendor_specific.patch
ruby-1.8.7.p22_lib64.patch
ruby-1.8.7.p22_tcltk-multilib.patch
ruby-1.8.x_bigdecimal_memory_corruption.patch
ruby-1.8.x_exception_tainted_message.patch
ruby-1.8.x_fileutils_symlink_race.patch
ruby-1.8.x_net_http_close_in_rescue.patch
ruby-1.8.x_openssl-1.0-tests.patch
ruby-1.8.x_openssl-1.0.patch
ruby-1.8.x_webrick_charset_issue.patch
ruby-pedantic-headers.diff
ruby_1.8.6.p36_date_remove_privat.patch
New:
ruby-1.8.7-p357.tar.bz2
ruby-1.8.7.p299_date_remove_privat.patch
ruby-1.8.7.p299_lib64.patch
ruby-1.8.7.p299_pedantic-headers.patch
ruby-1.8.7.p334_remove_zlib_test_params_test.patch
ruby-1.8.7.p72_topdir.patch
ruby-1.8.7.p72_vendor_specific.patch
ruby-1.8.x_openssl_branch_update.patch
ruby-1.8.x_rubylibdir.patch
Other differences:
--
++ ruby.spec ++
--- /var/tmp/diff_new_pack.icJ3Mi/_old 2012-01-16 01:18:18.0 +0100
+++ /var/tmp/diff_new_pack.icJ3Mi/_new 2012-01-16 01:18:18.0 +0100
@@ -1,7 +1,7 @@
#
# spec file for package ruby
#
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -19,11 +19,11 @@
Name: ruby
-Version:1.8.7.p249
-Release:8.
+Version:1.8.7.p357
+Release:0.
#
%define pkg_version 1.8.7
-%define patch_level p249
+%define patch_level p357
%define rb_arch %(echo %{_target_cpu}-linux | sed -e "s/i686/i586/" -e
"s/hppa2.0/hppa/" -e "s/ppc/powerpc/")
%define rb_ver %(echo %{pkg_version} | sed -e 's/\\\.[0-9]\\\+$//')
#
@@ -32,6 +32,8 @@
#
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: bison gdbm-devel gperf graphviz libjpeg-devel openssl-devel
readline-devel tk-devel
+# for openssl testsuite
+BuildRequires: openssl
#define with_bleak_house 1
%if 0%{suse_version} >= 1030
%define use_fdupes 1
@@ -56,23 +58,17 @@
Source:
ftp://ftp.ruby-lang.org/pub/ruby/ruby-
commit ruby for openSUSE:11.3
Hello community,
here is the log from the commit of package ruby for openSUSE:11.3
checked in at Tue May 17 18:53:06 CEST 2011.
--- old-versions/11.3/UPDATES/all/ruby/ruby.changes 2011-03-04
17:29:32.0 +0100
+++ 11.3/ruby/ruby.changes 2011-05-12 18:36:28.0 +0200
@@ -1,0 +2,7 @@
+Thu May 12 16:23:56 UTC 2011 - mrueck...@suse.de
+
+- added ruby-1.8.x_bigdecimal_memory_corruption.patch:
+ dont cast parameter to unsigned int in the alloc and later memset
+ the original value. (bnc#682287) CVE-2011-0188
+
+---
calling whatdependson for 11.3-i586
New:
ruby-1.8.x_bigdecimal_memory_corruption.patch
Other differences:
--
++ ruby.spec ++
--- /var/tmp/diff_new_pack.UCgcWK/_old 2011-05-17 18:51:47.0 +0200
+++ /var/tmp/diff_new_pack.UCgcWK/_new 2011-05-17 18:51:47.0 +0200
@@ -20,7 +20,7 @@
Name: ruby
Version:1.8.7.p249
-Release:8.
+Release:8.
#
%define pkg_version 1.8.7
%define patch_level p249
@@ -72,6 +72,7 @@
Patch14:ruby-1.8.x_webrick_charset_issue.patch
Patch15:ruby-1.8.x_fileutils_symlink_race.patch
Patch16:ruby-1.8.x_net_http_close_in_rescue.patch
+Patch17:ruby-1.8.x_bigdecimal_memory_corruption.patch
# vendor ruby files taken from:
# http://svn.macports.org/repository/macports/trunk/dports/lang/ruby/
Source3:site-specific.rb
@@ -261,6 +262,7 @@
%patch14
%patch15
%patch16
+%patch17
%if 0%{?with_bleak_house}
for patch in valgrind configure gc ; do
patch -p0 < bleak_house-%{bleak_house_version}/ruby/${patch}.patch
++ ruby-1.8.x_bigdecimal_memory_corruption.patch ++
Index: ext/bigdecimal/bigdecimal.c
===
--- ext/bigdecimal/bigdecimal.c.orig2011-05-10 14:14:48.0 +0200
+++ ext/bigdecimal/bigdecimal.c 2011-05-10 14:18:53.602468960 +0200
@@ -2026,11 +2026,11 @@ static int gnAlloc=0; /* Memory allocati
VP_EXPORT void *
VpMemAlloc(U_LONG mb)
{
-void *p = xmalloc((unsigned int)mb);
+void *p = xmalloc(mb);
if(!p) {
VpException(VP_EXCEPTION_MEMORY,"failed to allocate memory",1);
}
-memset(p,0,mb);
+memset(p, 0, mb);
#ifdef _DEBUG
gnAlloc++; /* Count allocation call */
#endif /* _DEBUG */
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit ruby for openSUSE:11.3
Hello community,
here is the log from the commit of package ruby for openSUSE:11.3
checked in at Fri Mar 4 17:49:45 CET 2011.
--- old-versions/11.3/all/ruby/ruby.changes 2010-07-02 11:50:18.0
+0200
+++ 11.3/ruby/ruby.changes 2011-03-04 17:29:32.0 +0100
@@ -1,0 +2,22 @@
+Fri Mar 4 16:07:00 UTC 2011 - mrueck...@suse.de
+
+- added ruby-1.8.x_net_http_close_in_rescue.patch
+ Dont call close on nil in case of on exception. (bnc#655136)
+
+---
+Thu Mar 3 17:14:51 UTC 2011 - mrueck...@suse.de
+
+- added ruby-1.8.x_exception_tainted_message.patch:
+ Exception#to_s method can be used to trick $SAFE check, which
+ makes a untrusted codes to modify arbitrary strings. (bnc#673750)
+ CVE-2011-1005
+- added ruby-1.8.x_fileutils_symlink_race.patch:
+ A symlink race condition vulnerability was found in
+ FileUtils.remove_entry_secure. The vulnerability allows local
+ users to delete arbitrary files and directories. (bnc#673740)
+ CVE-2011-1004
+- added patch ruby-1.8.x_webrick_charset_issue.patch:
+ fix cross site scripting bug in webrick (bnc#600752)
+ CVE-2010-0541
+
+---
Package does not exist at destination yet. Using Fallback
old-versions/11.3/all/ruby
Destination is old-versions/11.3/UPDATES/all/ruby
calling whatdependson for 11.3-i586
New:
ruby-1.8.x_exception_tainted_message.patch
ruby-1.8.x_fileutils_symlink_race.patch
ruby-1.8.x_net_http_close_in_rescue.patch
ruby-1.8.x_webrick_charset_issue.patch
Other differences:
--
++ ruby.spec ++
--- /var/tmp/diff_new_pack.Fqhemq/_old 2011-03-04 17:49:19.0 +0100
+++ /var/tmp/diff_new_pack.Fqhemq/_new 2011-03-04 17:49:19.0 +0100
@@ -1,7 +1,7 @@
#
-# spec file for package ruby (Version 1.8.7.p249)
+# spec file for package ruby
#
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@
Name: ruby
Version:1.8.7.p249
-Release:5
+Release:8.
#
%define pkg_version 1.8.7
%define patch_level p249
@@ -68,6 +68,10 @@
Patch10:ruby-1.8.x_openssl-1.0.patch
Patch11:ruby-1.8.x_openssl-1.0-tests.patch
Patch12:ruby-1.8.x_yaml2byte.patch
+Patch13:ruby-1.8.x_exception_tainted_message.patch
+Patch14:ruby-1.8.x_webrick_charset_issue.patch
+Patch15:ruby-1.8.x_fileutils_symlink_race.patch
+Patch16:ruby-1.8.x_net_http_close_in_rescue.patch
# vendor ruby files taken from:
# http://svn.macports.org/repository/macports/trunk/dports/lang/ruby/
Source3:site-specific.rb
@@ -253,6 +257,10 @@
%patch10
%patch11
%patch12
+%patch13
+%patch14
+%patch15
+%patch16
%if 0%{?with_bleak_house}
for patch in valgrind configure gc ; do
patch -p0 < bleak_house-%{bleak_house_version}/ruby/${patch}.patch
++ ruby-1.8.x_exception_tainted_message.patch ++
r30903 | shyouhei | 2011-02-18 12:05:02 +0100 (Fri, 18 Feb 2011) | 9 lines
* error.c (exc_to_s): untainted strings can be tainted via
Exception#to_s, which enables attackers to overwrite sane strings.
Reported by: Yusuke Endoh .
* error.c (name_err_to_s): ditto.
* test/ruby/test_exception.rb (TestException::test_to_s_taintness_propagation):
Test for it.
Index: error.c
===
--- error.c (revision 30902)
+++ error.c (revision 30903)
@@ -403,7 +403,6 @@
VALUE mesg = rb_attr_get(exc, rb_intern("mesg"));
if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
-if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
return mesg;
}
@@ -667,10 +666,9 @@
if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
StringValue(str);
if (str != mesg) {
- rb_iv_set(exc, "mesg", mesg = str);
+ OBJ_INFECT(str, mesg);
}
-if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
-return mesg;
+return str;
}
/*
Index: test/ruby/test_exception.rb
===
--- test/ruby/test_exception.rb (revision 30902)
+++ test/ruby/test_exception.rb (revision 30903)
@@ -184,4 +184,26 @@
assert(false)
end
end
+
+ def test_to_s_taintness_propagation
+for exc in [Exception, NameError]
+ m = "abcdefg"
+ e = exc.new(m)
+ e.taint
+ s = e.to_s
+ assert_equal(false, m.tainted?,
+ "#{exc}#to_s should not propagate taintness")
+ assert_equal(false, s.tainted?,
+ "#{exc}#to_s should not propagate taintness")
+end
+
+o = Object.new
+def o.to_str
+ "foo"
+end
+
