commit:     68c3ec9a086ae4167307043910a45300c0ae9f2e
Author:     Hans de Graaff <hans <AT> degraaff <DOT> org>
AuthorDate: Sun Jul 23 08:57:10 2017 +0000
Commit:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Sun Jul 23 08:57:10 2017 +0000
URL:        https://gitweb.gentoo.org/proj/ruby-scripts.git/commit/?id=68c3ec9a

Patch set for 2.3.4-r3

Add patches for net smtp validation and openssl weak dh.

 patchsets/patches-2.3.4-r3/001_ia64.patch          | 62 ++++++++++++++
 patchsets/patches-2.3.4-r3/004_gfbsd7.patch        | 37 +++++++++
 .../patches-2.3.4-r3/005_no-undefined-ext.patch    | 11 +++
 .../patches-2.3.4-r3/007-openssl-weakdh.patch      | 37 +++++++++
 .../patches-2.3.4-r3/008-net-smtp-validation.patch | 39 +++++++++
 patchsets/patches-2.3.4-r3/009_no-gems.patch       | 95 ++++++++++++++++++++++
 6 files changed, 281 insertions(+)

diff --git a/patchsets/patches-2.3.4-r3/001_ia64.patch 
b/patchsets/patches-2.3.4-r3/001_ia64.patch
new file mode 100644
index 0000000..e1e9c89
--- /dev/null
+++ b/patchsets/patches-2.3.4-r3/001_ia64.patch
@@ -0,0 +1,62 @@
+Bug: https://bugs.gentoo.org/show_bug.cgi?id=561780
+
+fix crash on register stack mark/sweep pass
+
+The crash looks like
+
+  Program received signal SIGSEGV, Segmentation fault.
+  mark_locations_array (objspace=0x6000000000045db0, x=0x0, 
n=864692227966763116) at gc.c:3297
+  3297            v = *x;
+  (gdb) bt
+  #0  mark_locations_array (objspace=0x6000000000045db0, x=0x0, 
n=864692227966763116) at gc.c:3297
+  #1  0x400000000014a040 in gc_mark_locations (objspace=0x6000000000045db0, 
start=0x0, end=0x6000080000000368) at gc.c:3310
+  #2  0x400000000014b3a0 in mark_current_machine_context 
(objspace=0x6000000000045db0, th=0x60000000000455b0) at gc.c:3500
+  #3  0x400000000014dfe0 in gc_mark_roots (objspace=0x6000000000045db0, 
full_mark=0, categoryp=0x0) at gc.c:4105
+  #4  0x400000000014e6b0 in gc_marks_body (objspace=0x6000000000045db0, 
full_mark=0) at gc.c:4164
+  #5  0x400000000014f260 in gc_marks (objspace=0x6000000000045db0, 
full_mark=0) at gc.c:4526
+  #6  0x40000000001525c0 in garbage_collect_body (objspace=0x6000000000045db0, 
full_mark=0, immediate_sweep=0, reason=256) at gc.c:5024
+  #7  0x400000000013c010 in heap_prepare_freepage 
(objspace=0x6000000000045db0, heap=0x6000000000045dc0) at gc.c:1219
+  #8  0x400000000013c140 in heap_get_freeobj_from_next_freepage 
(objspace=0x6000000000045db0, heap=0x6000000000045dc0) at gc.c:1237
+  #9  0x400000000013c360 in heap_get_freeobj (objspace=0x6000000000045db0, 
heap=0x6000000000045dc0) at gc.c:1259
+  #10 0x400000000013c950 in newobj_of (klass=0, flags=40, v1=0, v2=0, v3=0) at 
gc.c:1303
+  #11 0x400000000013ccc0 in rb_newobj_of (klass=0, flags=40) at gc.c:1356
+  #12 0x4000000000163740 in hash_alloc (klass=0) at hash.c:289
+  #13 0x4000000000163860 in rb_hash_new () at hash.c:309
+  #14 0x400000000050e420 in Init_BareVM () at vm.c:2822
+  #15 0x40000000000f6b60 in ruby_setup () at eval.c:54
+  #16 0x40000000000f6f50 in ruby_init () at eval.c:75
+  #17 0x400000000001b010 in main (argc=9, argv=0x60000fffffffb1d8) at main.c:35
+
+The problem here is in call
+    gc_mark_locations (objspace=0x6000000000045db0, start=0x0, 
end=0x6000080000000368) at gc.c:3310
+where 'start' (native_main_thread.register_stack_start)
+is supposed to be stack start but it's not initialized.
+
+The initialization of 'native_main_thread.register_stack_start'
+is supposed to be done in 'ruby_init_stack()'.
+
+But code under 'MAINSTACKADDR_AVAILABLE' exits early.
+The fix is to move 'register_stack_start' earlier.
+
+diff --git a/thread_pthread.c b/thread_pthread.c
+index c8a7a16..9ad448b 100644
+--- a/thread_pthread.c
++++ b/thread_pthread.c
+@@ -722,2 +722,8 @@ ruby_init_stack(volatile VALUE *addr
+     native_main_thread.id = pthread_self();
++#ifdef __ia64
++    if (!native_main_thread.register_stack_start ||
++        (VALUE*)bsp < native_main_thread.register_stack_start) {
++        native_main_thread.register_stack_start = (VALUE*)bsp;
++    }
++#endif
+ #if MAINSTACKADDR_AVAILABLE
+@@ -745,8 +751,2 @@ ruby_init_stack(volatile VALUE *addr
+ #endif
+-#ifdef __ia64
+-    if (!native_main_thread.register_stack_start ||
+-        (VALUE*)bsp < native_main_thread.register_stack_start) {
+-        native_main_thread.register_stack_start = (VALUE*)bsp;
+-    }
+-#endif
+     {
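Review bot: The relocated `#ifdef __ia64` block in the inner thread_pthread.c hunk carries no comment saying why it must sit ahead of `#if MAINSTACKADDR_AVAILABLE`, so a later rebase could move it back and reintroduce the uninitialised `register_stack_start` that the patch header describes. I would add `/* keep before the MAINSTACKADDR_AVAILABLE block: that path exits early and would leave register_stack_start unset */` directly above the `#ifdef __ia64` line. The inner hunks have only two context lines and the body of ruby_init_stack runs outside them, so the early exit is taken from the header text rather than from visible code.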

diff --git a/patchsets/patches-2.3.4-r3/004_gfbsd7.patch 
b/patchsets/patches-2.3.4-r3/004_gfbsd7.patch
new file mode 100644
index 0000000..fa561b6
--- /dev/null
+++ b/patchsets/patches-2.3.4-r3/004_gfbsd7.patch
@@ -0,0 +1,37 @@
+--- configure.in.orig  2013-05-05 19:36:02.800254192 +0200
++++ configure.in       2013-05-05 19:37:56.573346196 +0200
+@@ -2156,7 +2156,7 @@
+ fi
+ 
+ AS_CASE(["$target_os"],
+-[linux* | gnu* | k*bsd*-gnu | bsdi* | kopensolaris*-gnu | nacl], [
++[linux* | gnu* | k*bsd*-gnu | bsdi* | kopensolaris*-gnu | nacl | freebsd* | 
dragonfly*], [
+     if test "$rb_cv_binary_elf" = no; then
+       with_dln_a_out=yes
+     else
+@@ -2249,7 +2249,7 @@
+       [bsdi3*], [     AS_CASE(["$CC"],
+                       [*shlicc*], [   : ${LDSHARED='$(CC) -r'}
+                                       rb_cv_dlopen=yes])],
+-      [linux* | gnu* | k*bsd*-gnu | netbsd* | bsdi* | kopensolaris*-gnu | 
haiku*], [
++      [linux* | gnu* | k*bsd*-gnu | netbsd* | bsdi* | kopensolaris*-gnu | 
haiku* | freebsd7*], [
+                       : ${LDSHARED='$(CC) -shared'}
+                       if test "$rb_cv_binary_elf" = yes; then
+                           LDFLAGS="$LDFLAGS -Wl,-export-dynamic"
+@@ -2262,7 +2262,6 @@
+       [freebsd*|dragonfly*], [
+                       : ${LDSHARED='$(CC) -shared'}
+                       if test "$rb_cv_binary_elf" = yes; then
+-                          LDFLAGS="$LDFLAGS -rdynamic"
+                           DLDFLAGS="$DLDFLAGS "'-Wl,-soname,$@'
+                       else
+                         test "$GCC" = yes && test "$rb_cv_prog_gnu_ld" = yes 
|| LDSHARED='$(LD) -Bshareable'
+@@ -2638,7 +2637,7 @@
+     [sunos4*], [
+       LIBRUBY_ALIASES='lib$(RUBY_SO_NAME).so.$(MAJOR).$(MINOR) 
lib$(RUBY_SO_NAME).so'
+       ],
+-    [linux* | gnu* | k*bsd*-gnu | atheos* | kopensolaris*-gnu | haiku*], [
++    [linux* | gnu* | k*bsd*-gnu | atheos* | kopensolaris*-gnu | haiku* | 
freebsd7*], [
+       LIBRUBY_DLDFLAGS='-Wl,-soname,lib$(RUBY_SO_NAME).so.$(MAJOR).$(MINOR)'" 
$LDFLAGS_OPTDIR"
+       LIBRUBY_ALIASES='lib$(RUBY_SO_NAME).so.$(MAJOR).$(MINOR) 
lib$(RUBY_SO_NAME).so'
+       if test "$load_relative" = yes; then
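Review bot: The third inner hunk drops `LDFLAGS="$LDFLAGS -rdynamic"` from the `[freebsd*|dragonfly*]` branch, which changes the link flags for every FreeBSD and DragonFly target. The other two `freebsd7*` additions only reroute FreeBSD 7 to the branches that set `-Wl,-export-dynamic`. If that is the intent, later FreeBSD releases appear to lose symbol export on the interpreter with nothing replacing it, which should be confirmed against an extension build. The patch also has no header at all, unlike 001_ia64.patch. A short description plus a `Bug:` line naming the tracker entry would let a reader judge whether the wider scope is deliberate.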

diff --git a/patchsets/patches-2.3.4-r3/005_no-undefined-ext.patch 
b/patchsets/patches-2.3.4-r3/005_no-undefined-ext.patch
new file mode 100644
index 0000000..f279932
--- /dev/null
+++ b/patchsets/patches-2.3.4-r3/005_no-undefined-ext.patch
@@ -0,0 +1,11 @@
+--- ruby-1.9.3-preview1.orig/configure.in
++++ ruby-1.9.3-preview1/configure.in
+@@ -2038,7 +2038,7 @@ if test "$with_dln_a_out" != yes; then
+       [linux* | gnu* | k*bsd*-gnu | netbsd* | bsdi* | kopensolaris*-gnu], [
+                       : ${LDSHARED='$(CC) -shared'}
+                       if test "$rb_cv_binary_elf" = yes; then
+-                          LDFLAGS="$LDFLAGS -Wl,-export-dynamic"
++                          LDFLAGS="$LDFLAGS -Wl,-export-dynamic 
-Wl,--no-undefined"
+                       fi
+                       rb_cv_dlopen=yes],
+       [interix*], [   : ${LDSHARED='$(CC) -shared'}
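Review bot: The first context line of this inner hunk, `[linux* | gnu* | k*bsd*-gnu | netbsd* | bsdi* | kopensolaris*-gnu], [`, does not match what 004_gfbsd7.patch leaves in configure.in, where the same case label ends in `| haiku* | freebsd7*], [`. The `ruby-1.9.3-preview1` paths and the 2038 line offset also show it was cut against a much older tree. Assuming the patches apply in numeric order, this one can only go in with fuzz and an offset. That is fragile for a change that adds `-Wl,--no-undefined` to LDFLAGS, because a fuzzy match could land on a neighbouring case branch after a future configure.in change. Regenerating the patch against the 2.3.4 tree with 004 already applied would make it apply exactly.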

diff --git a/patchsets/patches-2.3.4-r3/007-openssl-weakdh.patch 
b/patchsets/patches-2.3.4-r3/007-openssl-weakdh.patch
new file mode 100644
index 0000000..ca41065
--- /dev/null
+++ b/patchsets/patches-2.3.4-r3/007-openssl-weakdh.patch
@@ -0,0 +1,37 @@
+From 6dee08d14f7a8a51691b799592774e805d6f8707 Mon Sep 17 00:00:00 2001
+From: Tony Arcieri <[email protected]>
+Date: Thu, 7 Jan 2016 11:02:31 -0800
+Subject: [PATCH] Remove 512-bit DH group
+
+512-bit DH keys are severely weak and have been implicated in recent attacks:
+
+https://weakdh.org/
+---
+ lib/openssl/pkey.rb  |  8 --------
+
+diff --git a/lib/openssl/pkey.rb b/lib/openssl/pkey.rb
+index 3f65adad..89563b65 100644
+--- a/ext/openssl/lib/openssl/pkey.rb
++++ b/ext/openssl/lib/openssl/pkey.rb
+@@ -4,13 +4,6 @@ module PKey
+     if defined?(OpenSSL::PKey::DH)
+ 
+     class DH
+-      DEFAULT_512 = new <<-_end_of_pem_
+------BEGIN DH PARAMETERS-----
+-MEYCQQD0zXHljRg/mJ9PYLACLv58Cd8VxBxxY7oEuCeURMiTqEhMym16rhhKgZG2
+-zk2O9uUIBIxSj+NKMURHGaFKyIvLAgEC
+------END DH PARAMETERS-----
+-      _end_of_pem_
+-
+       DEFAULT_1024 = new <<-_end_of_pem_
+ -----BEGIN DH PARAMETERS-----
+ MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ
+@@ -23,7 +16,6 @@ class DH
+     DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen|
+       warn "using default DH parameters." if $VERBOSE
+       case keylen
+-      when 512  then OpenSSL::PKey::DH::DEFAULT_512
+       when 1024 then OpenSSL::PKey::DH::DEFAULT_1024
+       else
+         nil
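Review bot: The callback still serves the 1024-bit group through `when 1024 then OpenSSL::PKey::DH::DEFAULT_1024`. The weakdh.org material cited as the rationale also treats 1024-bit groups as at risk, so this narrows the exposure rather than closing it. A 512-bit request now falls through to `else nil`, and any external reference to `OpenSSL::PKey::DH::DEFAULT_512` becomes a NameError. I would state both facts in the patch header, for example `DEFAULT_1024 is kept; set tmp_dh_callback explicitly if stronger parameters are required`, so users of the patchset do not read it as a complete fix. The body of class DH and the callback continue outside the hunk.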

diff --git a/patchsets/patches-2.3.4-r3/008-net-smtp-validation.patch 
b/patchsets/patches-2.3.4-r3/008-net-smtp-validation.patch
new file mode 100644
index 0000000..0b30c99
--- /dev/null
+++ b/patchsets/patches-2.3.4-r3/008-net-smtp-validation.patch
@@ -0,0 +1,39 @@
+From 0827a7e52ba3d957a634b063bf5a391239b9ffee Mon Sep 17 00:00:00 2001
+From: shugo <shugo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
+Date: Wed, 8 Jun 2016 07:06:57 +0000
+Subject: [PATCH] * lib/net/smtp.rb (getok, get_response): raise an
+ ArgumentError when CR or LF is included in a line, because they are not
+ allowed in RFC5321.
+
+git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55324 
b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+---
+ lib/net/smtp.rb            |  9 +++++++++
+
+diff --git a/lib/net/smtp.rb b/lib/net/smtp.rb
+index 250293bdbe21..a7130a593b40 100644
+--- a/lib/net/smtp.rb
++++ b/lib/net/smtp.rb
+@@ -926,7 +926,15 @@ def quit
+ 
+     private
+ 
++    def validate_line(line)
++      # A bare CR or LF is not allowed in RFC5321.
++      if /[\r\n]/ =~ line
++        raise ArgumentError, "A line must not contain CR or LF"
++      end
++    end
++
+     def getok(reqline)
++      validate_line reqline
+       res = critical {
+         @socket.writeline reqline
+         recv_response()
+@@ -936,6 +944,7 @@ def getok(reqline)
+     end
+ 
+     def get_response(reqline)
++      validate_line reqline
+       @socket.writeline reqline
+       recv_response()
+     end
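Review bot: `validate_line` is called from `getok` and `get_response` only, and the hunk does not show whether every other path that writes a caller-supplied string to `@socket` passes through one of those two. The CR/LF check should therefore be confirmed against the remaining writers in smtp.rb before it is relied on as the single guard. The trimmed diffstat lists only lib/net/smtp.rb, so presumably no regression test comes with the patchset. The in-code comment says "bare CR or LF" while `/[\r\n]/` rejects any CR or LF, including a CRLF pair, so `# CR and LF are not allowed inside a command line (RFC 5321).` would describe it accurately. The patch header should also name the risk, that a caller-controlled address could otherwise append extra SMTP commands, and carry a `Bug:` line as 001_ia64.patch does.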

diff --git a/patchsets/patches-2.3.4-r3/009_no-gems.patch 
b/patchsets/patches-2.3.4-r3/009_no-gems.patch
new file mode 100644
index 0000000..2da6b7d
--- /dev/null
+++ b/patchsets/patches-2.3.4-r3/009_no-gems.patch
@@ -0,0 +1,95 @@
+--- tool/rbinstall.rb.~1~      2017-03-27 17:18:38.000000000 +0200
++++ tool/rbinstall.rb  2017-03-30 07:38:53.437332083 +0200
+@@ -696,90 +696,11 @@
+ # :startdoc:
+ 
+ install?(:ext, :comm, :gem) do
+-  gem_dir = Gem.default_dir
+-  directories = Gem.ensure_gem_subdirectories(gem_dir, :mode => $dir_mode)
+-  prepare "default gems", gem_dir, directories
+-
+-  spec_dir = File.join(gem_dir, directories.grep(/^spec/)[0])
+-  default_spec_dir = "#{spec_dir}/default"
+-  makedirs(default_spec_dir)
+-
+-  gems = {}
+-
+-  Dir.glob(srcdir+"/{lib,ext}/**/*.gemspec").each do |src|
+-    specgen   = RbInstall::Specs::Reader.new(src)
+-    gems[specgen.gemspec.name] ||= specgen
+-  end
+-
+-  gems.sort.each do |name, specgen|
+-    gemspec   = specgen.gemspec
+-    full_name = "#{gemspec.name}-#{gemspec.version}"
+-
+-    puts "#{" "*30}#{gemspec.name} #{gemspec.version}"
+-    gemspec_path = File.join(default_spec_dir, "#{full_name}.gemspec")
+-    open_for_install(gemspec_path, $data_mode) do
+-      specgen.spec_source
+-    end
+-
+-    unless gemspec.executables.empty? then
+-      bin_dir = File.join(gem_dir, 'gems', full_name, 'bin')
+-      makedirs(bin_dir)
+-
+-      execs = gemspec.executables.map {|exec| File.join(srcdir, 'bin', exec)}
+-      install(execs, bin_dir, :mode => $script_mode)
+-    end
+-  end
++  # gems are unbundled in Gentoo
+ end
+ 
+ install?(:ext, :comm, :gem) do
+-  gem_dir = Gem.default_dir
+-  directories = Gem.ensure_gem_subdirectories(gem_dir, :mode => $dir_mode)
+-  prepare "bundle gems", gem_dir, directories
+-  install_dir = with_destdir(gem_dir)
+-  installed_gems = {}
+-  options = {
+-    :install_dir => install_dir,
+-    :bin_dir => with_destdir(bindir),
+-    :domain => :local,
+-    :ignore_dependencies => true,
+-    :dir_mode => $dir_mode,
+-    :data_mode => $data_mode,
+-    :prog_mode => $prog_mode,
+-    :wrappers => true,
+-    :format_executable => true,
+-  }
+-  Gem::Specification.each_spec([srcdir+'/gems/*']) do |spec|
+-    ins = RbInstall::UnpackedInstaller.new(spec, options)
+-    puts "#{" "*30}#{spec.name} #{spec.version}"
+-    ins.install
+-    File.chmod($data_mode, File.join(install_dir, "specifications", 
"#{spec.full_name}.gemspec"))
+-    installed_gems[spec.full_name] = true
+-  end
+-  installed_gems, gems = Dir.glob(srcdir+'/gems/*.gem').partition {|gem| 
installed_gems.key?(File.basename(gem, '.gem'))}
+-  unless installed_gems.empty?
+-    install installed_gems, gem_dir+"/cache"
+-  end
+-  next if gems.empty?
+-  if defined?(Zlib)
+-    Gem.instance_variable_set(:@ruby, with_destdir(File.join(bindir, 
ruby_install_name)))
+-    gems.each do |gem|
+-      begin
+-        File.umask(022)
+-        Gem.install(gem, Gem::Requirement.default, options)
+-      ensure
+-        File.umask(0222)
+-      end
+-      gemname = File.basename(gem)
+-      puts "#{" "*30}#{gemname}"
+-    end
+-    # fix directory permissions
+-    # TODO: Gem.install should accept :dir_mode option or something
+-    File.chmod($dir_mode, *Dir.glob(install_dir+"/**/"))
+-    # fix .gemspec permissions
+-    File.chmod($data_mode, *Dir.glob(install_dir+"/specifications/*.gemspec"))
+-  else
+-    puts "skip installing bundle gems because of lacking zlib"
+-  end
++  # gems are unbundled in Gentoo
+ end
+ 
+ parse_args()
