Date: Wednesday, September 30, 2020 @ 22:12:49 Author: anatolik Revision: 397016
FS#68051: Patch for CVE-2020-25613
Added: ruby/trunk/webrick.patch
Modified: ruby/trunk/PKGBUILD
---------------+
 PKGBUILD | 10 +++++++---
 webrick.patch | 40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 3 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2020-09-30 20:59:15 UTC (rev 397015)
+++ PKGBUILD 2020-09-30 22:12:49 UTC (rev 397016)
@@ -5,7 +5,7 @@
 pkgname=(ruby ruby-docs)
 pkgver=2.7.1
-pkgrel=3
+pkgrel=4
 arch=(x86_64)
 url='https://www.ruby-lang.org/en/'
 license=(BSD custom)
@@ -12,13 +12,17 @@
 depends=(libxcrypt)
 makedepends=(gdbm openssl libffi doxygen graphviz libyaml ttf-dejavu tk)
 options=(!emptydirs)
-source=(https://cache.ruby-lang.org/pub/ruby/${pkgver:0:3}/ruby-${pkgver}.tar.xz)
-sha512sums=('79f98b1ea98e0b10ec79da1883e8fc84d48ffe5c09ae945cbebde94365e35a589d919aac965f74d70ca7e21370ecee631ac5a8f9c4eac61d62f5aa629f27bf31')
+source=(https://cache.ruby-lang.org/pub/ruby/${pkgver:0:3}/ruby-${pkgver}.tar.xz
+ webrick.patch) # simplified upstream patch https://github.com/ruby/ruby/commit/828c34e58b63d64558ec0f2d1d7ae401c5e6b21f
+sha512sums=('79f98b1ea98e0b10ec79da1883e8fc84d48ffe5c09ae945cbebde94365e35a589d919aac965f74d70ca7e21370ecee631ac5a8f9c4eac61d62f5aa629f27bf31'
+ '60688c02bdbed087dc41613e335abd5602964f13e0cdf900ed2f7a830eb4d10a93396e8ef6e87a5c17aa6c50f63098199aa729302c8e6cf44505eecec2aed9e2')
 prepare() {
 cd ruby-${pkgver}
 # remove bundled gems, we are going to ship them as separate packages
 rm -rf gems/
+
+ patch -p1 < ../webrick.patch # FS#68051 CVE-2020-25613
 }
 build() {
Added: webrick.patch
===================================================================
--- webrick.patch (rev 0)
+++ webrick.patch 2020-09-30 22:12:49 UTC (rev 397016)
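Review bot: The new `patch -p1 < ../webrick.patch` line in prepare() is not idempotent: re-running prepare() on a tree that already carries the change makes patch stop on a reversed/previously-applied detection instead of skipping it, whereas the usual `patch -Np1 -i ../webrick.patch # FS#68051 CVE-2020-25613` form (`-N`/`--forward` ignores already-applied hunks) handles that case. The `# simplified upstream patch` comment on the new source entry would also be more useful if it said what was simplified; from the added file's own header that appears to be the upstream version.h patchlevel bump, so something like `# upstream fix without its version.h bump: https://github.com/ruby/ruby/commit/828c34e58b63d64558ec0f2d1d7ae401c5e6b21f` tells the next maintainer why the installed ruby still reports the pre-fix patchlevel. The prepare() body is shown in full within the hunk.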
@@ -0,0 +1,40 @@
+From 828c34e58b63d64558ec0f2d1d7ae401c5e6b21f Mon Sep 17 00:00:00 2001
+From: nagachika <[email protected]>
+Date: Tue, 29 Sep 2020 22:46:14 +0900
+Subject: [PATCH] merge revision(s) d23d2f3f6fbb5d787b0dd80675c489a692be23e2:
+
+ [ruby/webrick] Make it more strict to interpret some headers
+
+ Some regexps were too tolerant.
+
+ https://github.com/ruby/webrick/commit/8946bb38b4
+---
+ lib/webrick/httprequest.rb | 6 +++---
+ version.h | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/lib/webrick/httprequest.rb b/lib/webrick/httprequest.rb
+index 87dc879175c0..6af0cee97dbf 100644
+--- a/lib/webrick/httprequest.rb
++++ b/lib/webrick/httprequest.rb
+@@ -226,9 +226,9 @@ def parse(socket=nil)
+ raise HTTPStatus::BadRequest, "bad URI `#{@unparsed_uri}'."
+ end
+
+- if /close/io =~ self["connection"]
++ if /\Aclose\z/io =~ self["connection"]
+ @keep_alive = false
+- elsif /keep-alive/io =~ self["connection"]
++ elsif /\Akeep-alive\z/io =~ self["connection"]
+ @keep_alive = true
+ elsif @http_version < "1.1"
+ @keep_alive = false
+@@ -503,7 +503,7 @@ def read_body(socket, block)
+ return unless socket
+ if tc = self['transfer-encoding']
+ case tc
+- when /chunked/io then read_chunked(socket, block)
++ when /\Achunked\z/io then read_chunked(socket, block)
+ else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}."
+ end
+ elsif self['content-length'] || @remaining_size
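Review bot: The preamble of the added webrick.patch still carries the upstream diffstat (`lib/webrick/httprequest.rb | 6 +++---`, `version.h | 2 +-`, `2 files changed, 4 insertions(+), 4 deletions(-)`) while the body below it holds only the two httprequest.rb hunks, which amount to 3 insertions and 3 deletions and no version.h change. patch ignores the preamble, so the file applies as intended, but the header now misdescribes its contents and gives a reader no way to tell whether the missing version.h hunk was dropped on purpose. I would either regenerate the stat for the trimmed patch or replace those three lines with a one-line remark such as `version.h hunk (patchlevel bump) dropped for packaging; only the header-parsing hardening is carried`. The two Ruby hunks themselves are the complete upstream change for that file as far as the hunk headers show, so nothing else needs to move.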
