commit ruby for openSUSE:11.3
Hello community, here is the log from the commit of package ruby for openSUSE:11.3 checked in at Mon Jan 16 01:18:38 CET 2012.
--- old-versions/11.3/UPDATES/all/ruby/ruby.changes 2011-05-12 18:36:28.0 +0200
+++ 11.3/ruby/ruby.changes 2012-01-12 16:53:17.0 +0100
@@ -1,0 +2,59 @@
+Thu Jan 12 15:46:36 UTC 2012 - mrueck...@suse.de
+
+- update to 1.8.7.p357 (bnc#739122)
+ - randomize hash to avoid algorithmic complexity attacks.
+CVE-2011-4815
+ - initialization of hash_seed to be at the beginning of the
+process.
+ - initialize random seed at first.
+ - call OpenSSL::Random.seed at the SecureRandom.random_bytes
+call. insert separators for array join. patch by Masahiro
+Tomita. [ruby-dev:44270]
+ - mkconfig.rb: fix for continued lines. based on a patch from
+Marcus Rueckert at [ruby-core:20420].
+ - Infinity is greater than any bignum number. [ruby-dev:38672]
+ - initialize store->ex_data.sk. [ruby-core:28907]
+[ruby-core:23971] [ruby-core:18121]
+
+---
+Wed Dec 21 16:51:11 UTC 2011 - mrueck...@suse.de
+
+- update to 1.8.7.p352 (Fate #312657) (bnc#704409)
+ - support for openssl compiled without SSLv2
+ - multilib support for tk build
+ - some IPv6 related fixes
+ - zlib fixes
+ - reinitialize PRNG when forking children
+(CVE-2011-2686/CVE-2011-3009)
+ - securerandom fixes (CVE-2011-2705)
+ - uri route_to fixes
+ - fix race condition with variables and autoload
+- drop 1887f60a8540f64f5c7bb14d57c0be70506941b8.patch
+ included upstream
+- drop ruby-1.8.7.p22_tcltk-multilib.patch
+ solved differently upstream
+- switched rb_arch macro to use RUBY_PLATFORM
+- dropped patches:
+ ruby_1.8.6.p36_date_remove_privat.patch
+ ruby-1.8.6.p36_socket_ipv6.patch
+ ruby-1.8.7.p22_lib64.patch
+ ruby-1.8.7.p22_tcltk-multilib.patch
+ ruby-1.8.x_bigdecimal_memory_corruption.patch
+ ruby-1.8.x_exception_tainted_message.patch
+ ruby-1.8.x_fileutils_symlink_race.patch
+ ruby-1.8.x_net_http_close_in_rescue.patch
+ ruby-1.8.x_openssl-1.0.patch
+ ruby-1.8.x_openssl-1.0-tests.patch
+ ruby-1.8.x_webrick_charset_issue.patch
+ ruby-pedantic-headers.diff
+- new patches
+ ruby-1.8.7.p299_lib64.patch
+ ruby-1.8.7.p299_date_remove_privat.patch
+ ruby-1.8.7.p299_pedantic-headers.patch
+ ruby-1.8.x_digest_non_void_return.patch
+ ruby-1.8.x_openssl_branch_update.patch
+ ruby-1.8.x_yaml2byte.patch
+ ruby-1.8.7.p334_remove_zlib_test_params_test.patch
+ ruby-1.8.x_rubylibdir.patch
+
+---
calling whatdependson for 11.3-i586 Old: ruby-1.8.6.p36_socket_ipv6.patch ruby-1.8.7-p249.tar.bz2 ruby-1.8.7-p72_topdir.patch ruby-1.8.7-p72_vendor_specific.patch ruby-1.8.7.p22_lib64.patch ruby-1.8.7.p22_tcltk-multilib.patch ruby-1.8.x_bigdecimal_memory_corruption.patch ruby-1.8.x_exception_tainted_message.patch ruby-1.8.x_fileutils_symlink_race.patch ruby-1.8.x_net_http_close_in_rescue.patch ruby-1.8.x_openssl-1.0-tests.patch ruby-1.8.x_openssl-1.0.patch ruby-1.8.x_webrick_charset_issue.patch ruby-pedantic-headers.diff ruby_1.8.6.p36_date_remove_privat.patch New: ruby-1.8.7-p357.tar.bz2 ruby-1.8.7.p299_date_remove_privat.patch ruby-1.8.7.p299_lib64.patch ruby-1.8.7.p299_pedantic-headers.patch ruby-1.8.7.p334_remove_zlib_test_params_test.patch ruby-1.8.7.p72_topdir.patch ruby-1.8.7.p72_vendor_specific.patch ruby-1.8.x_openssl_branch_update.patch ruby-1.8.x_rubylibdir.patch Other differences: -- ++ ruby.spec ++
--- /var/tmp/diff_new_pack.icJ3Mi/_old 2012-01-16 01:18:18.0 +0100
+++ /var/tmp/diff_new_pack.icJ3Mi/_new 2012-01-16 01:18:18.0 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package ruby
 #
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,11 +19,11 @@
 Name: ruby
-Version:1.8.7.p249
-Release:8.
+Version:1.8.7.p357
+Release:0.
 #
 %define pkg_version 1.8.7
-%define patch_level p249
+%define patch_level p357
 %define rb_arch %(echo %{_target_cpu}-linux | sed -e "s/i686/i586/" -e "s/hppa2.0/hppa/" -e "s/ppc/powerpc/")
 %define rb_ver %(echo %{pkg_version} | sed -e 's/\\\.[0-9]\\\+$//')
 #
@@ -32,6 +32,8 @@
 #
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: bison gdbm-devel gperf graphviz libjpeg-devel openssl-devel readline-devel tk-devel
+# for openssl testsuite
+BuildRequires: openssl
 #define with_bleak_house 1
 %if 0%{suse_version} >= 1030
 %define use_fdupes 1
@@ -56,23 +58,17 @@
 Source: ftp://ftp.ruby-lang.org/pub/ruby/ruby-
commit ruby for openSUSE:11.3
Hello community, here is the log from the commit of package ruby for openSUSE:11.3 checked in at Tue May 17 18:53:06 CEST 2011.
--- old-versions/11.3/UPDATES/all/ruby/ruby.changes 2011-03-04 17:29:32.0 +0100
+++ 11.3/ruby/ruby.changes 2011-05-12 18:36:28.0 +0200
@@ -1,0 +2,7 @@
+Thu May 12 16:23:56 UTC 2011 - mrueck...@suse.de
+
+- added ruby-1.8.x_bigdecimal_memory_corruption.patch:
+ dont cast parameter to unsigned int in the alloc and later memset
+ the original value. (bnc#682287) CVE-2011-0188
+
+---
calling whatdependson for 11.3-i586 New: ruby-1.8.x_bigdecimal_memory_corruption.patch Other differences: -- ++ ruby.spec ++
--- /var/tmp/diff_new_pack.UCgcWK/_old 2011-05-17 18:51:47.0 +0200
+++ /var/tmp/diff_new_pack.UCgcWK/_new 2011-05-17 18:51:47.0 +0200
@@ -20,7 +20,7 @@
 Name: ruby
 Version:1.8.7.p249
-Release:8.
+Release:8.
 #
 %define pkg_version 1.8.7
 %define patch_level p249
@@ -72,6 +72,7 @@
 Patch14:ruby-1.8.x_webrick_charset_issue.patch
 Patch15:ruby-1.8.x_fileutils_symlink_race.patch
 Patch16:ruby-1.8.x_net_http_close_in_rescue.patch
+Patch17:ruby-1.8.x_bigdecimal_memory_corruption.patch
 # vendor ruby files taken from:
 # http://svn.macports.org/repository/macports/trunk/dports/lang/ruby/
 Source3:site-specific.rb
@@ -261,6 +262,7 @@
 %patch14
 %patch15
 %patch16
+%patch17
 %if 0%{?with_bleak_house}
 for patch in valgrind configure gc ; do
 patch -p0 < bleak_house-%{bleak_house_version}/ruby/${patch}.patch
++ ruby-1.8.x_bigdecimal_memory_corruption.patch ++ Index: ext/bigdecimal/bigdecimal.c ===
--- ext/bigdecimal/bigdecimal.c.orig2011-05-10 14:14:48.0 +0200
+++ ext/bigdecimal/bigdecimal.c 2011-05-10 14:18:53.602468960 +0200
@@ -2026,11 +2026,11 @@ static int gnAlloc=0; /* Memory allocati
 VP_EXPORT void *
 VpMemAlloc(U_LONG mb)
 {
-void *p = xmalloc((unsigned int)mb);
+void *p = xmalloc(mb);
 if(!p) {
 VpException(VP_EXCEPTION_MEMORY,"failed to allocate memory",1);
 }
-memset(p,0,mb);
+memset(p, 0, mb);
 #ifdef _DEBUG
 gnAlloc++; /* Count allocation call */
 #endif /* _DEBUG */
Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
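Review bot: Dropping the `(unsigned int)` cast on the `xmalloc` call is the whole fix — with a 64-bit `U_LONG mb` the old code could allocate a narrowed size and then `memset` the full `mb`, which is the overflow described as CVE-2011-0188 in the changes entry — but nothing in the hunk records that, so a later cleanup could reintroduce the cast unnoticed. Suggest a comment on the `xmalloc` line: `/* do not narrow mb: xmalloc and memset must see the same size (CVE-2011-0188) */`. The retained `if(!p)` branch appears unreachable, since as far as I know Ruby's xmalloc raises on allocation failure rather than returning NULL, so the remaining risk is in callers that compute `mb`, which are outside this hunk. VpMemAlloc's body continues past the hunk; the return is not shown.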
commit ruby for openSUSE:11.3
Hello community, here is the log from the commit of package ruby for openSUSE:11.3 checked in at Fri Mar 4 17:49:45 CET 2011.
--- old-versions/11.3/all/ruby/ruby.changes 2010-07-02 11:50:18.0 +0200
+++ 11.3/ruby/ruby.changes 2011-03-04 17:29:32.0 +0100
@@ -1,0 +2,22 @@
+Fri Mar 4 16:07:00 UTC 2011 - mrueck...@suse.de
+
+- added ruby-1.8.x_net_http_close_in_rescue.patch
+ Dont call close on nil in case of on exception. (bnc#655136)
+
+---
+Thu Mar 3 17:14:51 UTC 2011 - mrueck...@suse.de
+
+- added ruby-1.8.x_exception_tainted_message.patch:
+ Exception#to_s method can be used to trick $SAFE check, which
+ makes a untrusted codes to modify arbitrary strings. (bnc#673750)
+ CVE-2011-1005
+- added ruby-1.8.x_fileutils_symlink_race.patch:
+ A symlink race condition vulnerability was found in
+ FileUtils.remove_entry_secure. The vulnerability allows local
+ users to delete arbitrary files and directories. (bnc#673740)
+ CVE-2011-1004
+- added patch ruby-1.8.x_webrick_charset_issue.patch:
+ fix cross site scripting bug in webrick (bnc#600752)
+ CVE-2010-0541
+
+---
Package does not exist at destination yet. Using Fallback old-versions/11.3/all/ruby Destination is old-versions/11.3/UPDATES/all/ruby calling whatdependson for 11.3-i586 New: ruby-1.8.x_exception_tainted_message.patch ruby-1.8.x_fileutils_symlink_race.patch ruby-1.8.x_net_http_close_in_rescue.patch ruby-1.8.x_webrick_charset_issue.patch Other differences: -- ++ ruby.spec ++
--- /var/tmp/diff_new_pack.Fqhemq/_old 2011-03-04 17:49:19.0 +0100
+++ /var/tmp/diff_new_pack.Fqhemq/_new 2011-03-04 17:49:19.0 +0100
@@ -1,7 +1,7 @@
 #
-# spec file for package ruby (Version 1.8.7.p249)
+# spec file for package ruby
 #
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@
 Name: ruby
 Version:1.8.7.p249
-Release:5
+Release:8.
 #
 %define pkg_version 1.8.7
 %define patch_level p249
@@ -68,6 +68,10 @@
 Patch10:ruby-1.8.x_openssl-1.0.patch
 Patch11:ruby-1.8.x_openssl-1.0-tests.patch
 Patch12:ruby-1.8.x_yaml2byte.patch
+Patch13:ruby-1.8.x_exception_tainted_message.patch
+Patch14:ruby-1.8.x_webrick_charset_issue.patch
+Patch15:ruby-1.8.x_fileutils_symlink_race.patch
+Patch16:ruby-1.8.x_net_http_close_in_rescue.patch
 # vendor ruby files taken from:
 # http://svn.macports.org/repository/macports/trunk/dports/lang/ruby/
 Source3:site-specific.rb
@@ -253,6 +257,10 @@
 %patch10
 %patch11
 %patch12
+%patch13
+%patch14
+%patch15
+%patch16
 %if 0%{?with_bleak_house}
 for patch in valgrind configure gc ; do
 patch -p0 < bleak_house-%{bleak_house_version}/ruby/${patch}.patch
++ ruby-1.8.x_exception_tainted_message.patch ++ r30903 | shyouhei | 2011-02-18 12:05:02 +0100 (Fri, 18 Feb 2011) | 9 lines * error.c (exc_to_s): untainted strings can be tainted via Exception#to_s, which enables attackers to overwrite sane strings. Reported by: Yusuke Endoh . * error.c (name_err_to_s): ditto. * test/ruby/test_exception.rb (TestException::test_to_s_taintness_propagation): Test for it. Index: error.c ===
--- error.c (revision 30902)
+++ error.c (revision 30903)
@@ -403,7 +403,6 @@
 VALUE mesg = rb_attr_get(exc, rb_intern("mesg"));
 if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
-if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
 return mesg;
 }
@@ -667,10 +666,9 @@
 if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
 StringValue(str);
 if (str != mesg) {
- rb_iv_set(exc, "mesg", mesg = str);
+ OBJ_INFECT(str, mesg);
 }
-if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
-return mesg;
+return str;
 }
 /*
Index: test/ruby/test_exception.rb ===
--- test/ruby/test_exception.rb (revision 30902)
+++ test/ruby/test_exception.rb (revision 30903)
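Review bot: The contract change in the two error.c hunks — a tainted exception no longer taints the string returned from `to_s`, and in `name_err_to_s` taint now flows only from the stored message into the converted `str` via `OBJ_INFECT` — is not documented in the code, so a later reader is likely to read the missing `OBJ_TAINT` as an omission and put it back. Suggest a comment above the `if (NIL_P(mesg))` line in `exc_to_s`: `/* never taint mesg from exc: the message may be a caller's string and tainting it let untrusted code modify it (CVE-2011-1005) */`, with a one-line cross-reference at the `OBJ_INFECT` call in the second hunk. The new `return str;` also drops the `rb_iv_set` that cached the `to_str` result back into the exception, so the conversion now runs on every call; that looks intentional, since it avoids handing a caller-owned string to the exception, but it deserves a word in the same comment. Both functions begin before their hunks, so the declaration of `str` and any earlier handling are not visible here.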
@@ -184,4 +184,26 @@
 assert(false)
 end
 end
+
+ def test_to_s_taintness_propagation
+for exc in [Exception, NameError]
+ m = "abcdefg"
+ e = exc.new(m)
+ e.taint
+ s = e.to_s
+ assert_equal(false, m.tainted?,
+ "#{exc}#to_s should not propagate taintness")
+ assert_equal(false, s.tainted?,
+ "#{exc}#to_s should not propagate taintness")
+end
+
+o = Object.new
+def o.to_str
+ "foo"
+end
+