Hello community,

here is the log from the commit of package ruby20.3338 for openSUSE:13.1:Update 
checked in at 2015-01-02 09:32:41
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/ruby20.3338 (Old)
 and      /work/SRC/openSUSE:13.1:Update/.ruby20.3338.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "ruby20.3338"

Changes:
--------
New Changes file:

--- /dev/null   2014-12-25 22:38:16.200041506 +0100
+++ /work/SRC/openSUSE:13.1:Update/.ruby20.3338.new/ruby20.changes      
2015-01-02 09:32:43.000000000 +0100
@@ -0,0 +1,154 @@
+-------------------------------------------------------------------
+Thu Dec 18 17:34:24 UTC 2014 - [email protected]
+
+- fix CVE-2014-8090:  ruby: Another Denial Of Service XML Expansion
+  (bnc#905326)
+
+  CVE-2014-8090.patch: contains the patch
+
+- fix CVE-2014-8080: ruby: ruby19: Denial Of Service XML Expansion
+  (bnc#902851)
+
+  CVE-2014-8080.patch: contains the patch
+
+- Enable tests to run during the build. This way we can compare
+  the results on different builds.
+
+-------------------------------------------------------------------
+Thu Mar 27 09:24:05 UTC 2014 - [email protected]
+
+- pkg_config: Do not replace $LDFLAGS with $libs (bnc#870546)
+  * fixes building of gems with native extensions such as Nokogiri
+  * pkg_config_ldflags_fix.patch
+
+-------------------------------------------------------------------
+Fri Jan 10 09:50:26 UTC 2014 - [email protected]
+
+- RubyGems: fix build info file location (bnc#858100)
+  * makes "bundle install" work
+  * rubygems_fix_build_info_location.patch
+
+-------------------------------------------------------------------
+Sat Nov 23 18:48:02 UTC 2013 - [email protected]
+
+- fix CVE-2013-4164:  heap overflow in float point parsing (bnc#851803)
+  The file CVE-2013-4164.patch contains the patch 
+
+-------------------------------------------------------------------
+Mon Oct 21 15:14:27 UTC 2013 - [email protected]
+
+- fix CVE-2013-4287 CVE-2013-4363: ruby19: Algorithmic complexity 
vulnerability  (bnc#837457)
+  The file CVE-2013-4287-4363.patch contains the patch
+
+-------------------------------------------------------------------
+Thu Jul 18 08:43:59 UTC 2013 - [email protected]
+
+- adding vm_debug.h to the extra header list (needed for perftools.rb)
+
+-------------------------------------------------------------------
+Sat Jun 29 04:26:18 UTC 2013 - [email protected]
+
+- update to p247
+  * This release includes a security fix about bundled OpenSSL.
+     Hostname check bypassing vulnerability in SSL client (CVE-2013-4073)
+
+  * Updated to rubygems 2.0.3.  See
+    
http://rubygems.rubyforge.org/rubygems-update/History_txt.html#label-2.0.3+%2F+2012-03-1
+    for release notes.
+
+  #8040 change priority between keyword arguments and mandatory arguments.
+  #8416 super does not forward either named or anonymous **
+  #8463 Proc auto-splat bug with named arguments
+  #8424 fix infinite loop when stack overflow with TH_PUSH_TAG()
+  #8436 __dir__ not working in eval with binding
+  #8489 Tracepoint API: B_RETURN_EVENT not triggered when “next” used
+  #8341 block_given? (and the actual block) persist between calls to a proc 
created from a method (using method().to_proc()).
+  #8531 block_given? (and the actual block) persist between calls to a proc 
created by Symbol#to_proc.
+
+-------------------------------------------------------------------
+Fri Jun 14 14:40:43 UTC 2013 - [email protected]
+
+- remove vim and ca-certificates from buildrequires again, were removed
+  from ruby19 already before 12.3 and came back 
+
+-------------------------------------------------------------------
+Tue Jun  4 05:51:46 UTC 2013 - [email protected]
+
+- update to p195
+  Core - prepend
+
+  #7841 Module#prepend now detect cyclic prepend.
+  #7843 removing prepended methods causes exceptions.
+  #8357 Module#prepend breaks Module's comparison operators.
+  #7983 Module#prepend can't override Fixnum's operator methods.
+  #8005 methods made private/protected after definition become uncallable on 
prepended class.
+  #8025 Module#included_modules include classes when prepended.
+
+  Core - keyword arguments
+
+  #7922 unnamed keyword rest argument cause SyntaxError.
+  #7942 support define method only receive keyword arguments without paren.
+  #8008 fix a bug in super with keyword arguments.
+  #8236 fix a treatment of rest arguments and keyword arguments through 
`super'.
+  #8260 non-symbol key should not treated as keyword arguments.
+
+  Core - refinements
+
+  #7925 fix a bug of refinements with a method call super in a block.
+ 
+  Core - GC
+
+  #8092 improve accuracy of GC.stat[:heap_live_num]
+  #8146 avoid unnecessary heap growth.
+  #8145  fix unlimited memory growth with large values of RUBY_FREE_MIN.
+
+  Core - Regexp
+
+  #7972 Regexp POSIX space class is location sensitive.
+  #7974 Regexp case-insensitive group doesn't work.
+  #8023 Regexp lookbehind assertion fails with /m mode enabled
+  #8001 Regexp \Z matches where it shouldn't
+ 
+  Core - other
+
+  #8063 fix a potential memory violation and avoid abort on the environment 
_FORTIFY_SOURCE=2 (ex. Ubuntu).
+  #8175 ARGF#skip doesn't work as documented.
+  #8069 File.expand_path('something', '~') now support home path on Windows.
+  #8220 fix a Segmentation fault when defined? ().
+  #8367 fix a regression in defined?(super).
+  #8283 Dir.glob doesn't recurse hidden directories.
+  #8165 fix a bug of multiple require with non-ascii file path.
+  #8290 fix an incompatible String#inspect behavior with NUL character.
+  #8360 fix a Segmentation fault of Thread#join(Float::INFINITY) on some 
platforms.
+
+  RubyGems
+
+  Bundled RubyGems version is updated to 2.0.2+
+  #7698 fix an rubygems' incompatibility about installation of extension 
libraries.
+  #8019 fix a bug of gem list --remote doesn't work.
+
+  Libraries
+
+  #7911 File.fnmatch with US-ASCII pattern and UTF-8 path raise an exception.
+  #8240 fix a bug about OpenSSL::SSL::SSLSocket breaks other connections or 
files on GC.
+  #8183 CGI.unescapeHTML can't decode Numeric Character References with 
uppercase (&#Xnnnn).
+
+  Build/Platform specific
+
+  #7830 fix build failure with compiler warning.
+  #7950 fix a build failure on mswin/VC with --with-static-linked-ext.
+
+Removed thread_pthread.c-ruby_init_stack-ignore-STACK_END_ADDRESS.patch, which 
is from upstream
+Removed ruby-sort-rdoc-output.patch which was never useful
+
+-------------------------------------------------------------------
+Sat Apr 27 17:02:22 UTC 2013 - [email protected]
+
+- refresh buildroot patch
+
+-------------------------------------------------------------------
+Tue Mar  5 00:14:14 CET 2013 - [email protected]
+
+- new package forked from ruby19 - update to 2.0.0 p0
+ - patches disabled for now
+
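Review bot: the CVE-2014-8080 entry labels the component "ruby: ruby19:" although this changes file belongs to the ruby20 package, while the CVE-2014-8090 entry just above it says "ruby"; use one component name for both. The "Enable tests to run during the build" entry also reads as if test results gate the build, but the spec's %check runs `make check V=1 ||:`, so the suite only produces a log for comparison and a regression cannot fail the build; say that in the entry so nobody assumes the tests are enforced.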

New:
----
  CVE-2013-4164.patch
  CVE-2013-4287-4363.patch
  CVE-2014-8080.patch
  CVE-2014-8090.patch
  pkg_config_ldflags_fix.patch
  ruby-1.9.2p290_tcl_no_stupid_rpaths.patch
  ruby-2.0.0-p247.tar.bz2
  ruby19-export_init_prelude.patch
  ruby20-rpmlintrc
  ruby20.changes
  ruby20.macros
  ruby20.spec
  rubygems-1.5.0_buildroot.patch
  rubygems_fix_build_info_location.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ ruby20.spec ++++++
#
# spec file for package ruby20
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           ruby20
%define patch_level p247
Version:        2.0.0.%{patch_level}
Release:        0
#
%define pkg_version 2.0.0
# keep in sync with macro file!
%define rb_binary_suffix 2.0
%define rb_ver  2.0.0
%define rb_arch %(echo %{_target_cpu}-linux | sed -e "s/ppc/powerpc/")
%define rb_libdir                         %{_libdir}/ruby/%{rb_ver}/
%define rb_archdir                        %{_libdir}/ruby/%{rb_ver}/%{rb_arch}
# keep in sync with macro file!
#
# from valgrind.spec
%ifarch %ix86 x86_64 ppc ppc64
%define use_valgrind 1
%endif
%define run_tests 1
#
#
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  gdbm-devel
BuildRequires:  libffi-devel
BuildRequires:  libyaml-devel
BuildRequires:  ncurses-devel
BuildRequires:  openssl-devel
BuildRequires:  pkg-config
BuildRequires:  readline-devel
BuildRequires:  tk-devel
BuildRequires:  zlib-devel
# this BuildRequires is needed because distros older than 11.3 have a buildignore on freetype2; without it the detection of the tk extension fails
BuildRequires:  freetype2-devel
%if 0%{?suse_version} > 1010
BuildRequires:  xorg-x11-libX11-devel
%else
BuildRequires:  xorg-x11-devel
%endif
%if 0%{?use_valgrind}
%if 0%{?suse_version} > 1020
BuildRequires:  valgrind-devel
%else
BuildRequires:  valgrind
%endif
%endif
Provides:       rubygem-rake = 0.9.2.2
Provides:       ruby(abi) = %{rb_ver}
#
Url:            http://www.ruby-lang.org/
Source:         ftp://ftp.ruby-lang.org/pub/ruby/2.0/ruby-%{pkg_version}-%{patch_level}.tar.bz2
Source6:        ruby20.macros
Patch0:         rubygems-1.5.0_buildroot.patch
Patch1:         ruby-1.9.2p290_tcl_no_stupid_rpaths.patch
Patch2:         CVE-2013-4287-4363.patch 
Patch3:         CVE-2013-4164.patch
Patch4:         rubygems_fix_build_info_location.patch
Patch5:         pkg_config_ldflags_fix.patch
Patch6:         CVE-2014-8080.patch
Patch7:         CVE-2014-8090.patch
#
Summary:        An Interpreted Object-Oriented Scripting Language
License:        BSD-2-Clause or Ruby
Group:          Development/Languages/Ruby

%description
Ruby is an interpreted scripting language for quick and easy
object-oriented programming.  It has many features for processing text
files and performing system management tasks (as in Perl).  It is
simple, straight-forward, and extensible.

* Ruby features:

- Simple Syntax

- *Normal* Object-Oriented features (class, method calls, for
   example)

- *Advanced* Object-Oriented features(Mix-in, Singleton-method, for
   example)

- Operator Overloading

- Exception Handling

- Iterators and Closures

- Garbage Collection

- Dynamic Loading of Object Files (on some architectures)

- Highly Portable (works on many UNIX machines; DOS, Windows, Mac,
BeOS, and more)


%package devel
Summary:        Development files to link against Ruby
Group:          Development/Languages/Ruby
Requires:       %{name} = %{version}
Provides:       rubygems20 = 1.3.7
Provides:       rubygems20_with_buildroot_patch
Requires:       ruby-common

%description devel
Development files to link against Ruby.

%package devel-extra
Summary:        Special development files of ruby, normally not installed
Group:          Development/Languages/Ruby
Requires:       %{name}-devel = %{version}

%description devel-extra
Development files to link against Ruby.

%package tk
Summary:        TCL/TK bindings for Ruby
Group:          Development/Languages/Ruby
Requires:       %{name} = %{version}

%description tk
TCL/TK bindings for Ruby

%package doc-ri
Summary:        Ruby Interactive Documentation
Group:          Development/Languages/Ruby
Requires:       %{name} = %{version}
%if 0%{?suse_version} >= 1120
BuildArch:      noarch
%endif

%description doc-ri
This package contains the RI docs for ruby

%package doc-html
Summary:        This package contains the HTML docs for ruby
Group:          Development/Languages/Ruby
Requires:       %{name} = %{version}
%if 0%{?suse_version} >= 1120
BuildArch:      noarch
%endif

%description doc-html
This package contains the HTML docs for ruby

%package examples
Summary:        Example scripts for ruby
Group:          Development/Languages/Ruby
Requires:       %{name} = %{version}
%if 0%{?suse_version} >= 1120
BuildArch:      noarch
%endif

%description examples
Example scripts for ruby

%package test-suite
Requires:       %{name} = %{version}
Summary:        An Interpreted Object-Oriented Scripting Language
Group:          Development/Languages/Ruby
%if 0%{?suse_version} >= 1120
BuildArch:      noarch
%endif

%description test-suite
Ruby is an interpreted scripting language for quick and easy
object-oriented programming.  It has many features for processing text
files and performing system management tasks (as in Perl).  It is
simple, straight-forward, and extensible.

* Ruby features:

- Simple Syntax

- *Normal* Object-Oriented features (class, method calls, for
   example)

- *Advanced* Object-Oriented features(Mix-in, Singleton-method, for
   example)

- Operator Overloading

- Exception Handling

- Iterators and Closures

- Garbage Collection

- Dynamic Loading of Object Files (on some architectures)

- Highly Portable (works on many UNIX machines; DOS, Windows, Mac,
BeOS, and more)

%prep
%setup -q -n ruby-%{pkg_version}-%{patch_level}
%patch0
%patch1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
find sample -type f -print0 | xargs -r0 chmod a-x
grep -Erl '^#! */' benchmark bootstraptest ext lib sample test \
  | xargs -r perl -p -i -e 's|^#!\s*\S+(\s+.*)?$|#!/usr/bin/ruby2.0$1|'

%build
%configure \
  --program-suffix=%{rb_binary_suffix}  \
  --with-soname=ruby%{rb_binary_suffix} \
  --target=%{_target_platform} \
  %if 0%{?use_valgrind}
  --with-valgrind \
  %endif
  --with-mantype=man \
  --enable-shared \
  --disable-static \
  --disable-rpath
%{__make} all V=1

%install
%makeinstall V=1
%{__install} -D -m 0644 %{S:6} %{buildroot}/etc/rpm/macros.ruby20
echo "%defattr(-,root,root,-)" > devel-extra-excludes
echo "%defattr(-,root,root,-)" > devel-extra-list
for i in iseq.h insns.inc insns_info.inc revision.h version.h thread_pthread.h \
  ruby_atomic.h method.h id.h vm_core.h vm_opts.h node.h eval_intern.h vm_debug.h; do
  install -m 644 $i %{buildroot}%{_includedir}/ruby-%{rb_ver}/
  echo "%exclude %{_includedir}/ruby-%{rb_ver}/$i" >> devel-extra-excludes  
  echo "%{_includedir}/ruby-%{rb_ver}/$i" >> devel-extra-list
done

%if 0%{?run_tests}

%check
export LD_LIBRARY_PATH="$PWD"
# we know some tests will fail when they do not find a /usr/bin/ruby
make check V=1 ||:
%endif

%post   -p /sbin/ldconfig

%postun -p /sbin/ldconfig

%files
%defattr(-,root,root,-)
%config(noreplace) /etc/rpm/macros.ruby20
%{_bindir}/erb%{rb_binary_suffix}
%{_bindir}/gem%{rb_binary_suffix}
%{_bindir}/irb%{rb_binary_suffix}
%{_bindir}/rake%{rb_binary_suffix}
%{_bindir}/rdoc%{rb_binary_suffix}
%{_bindir}/ri%{rb_binary_suffix}
%{_bindir}/ruby%{rb_binary_suffix}
%{_bindir}/testrb%{rb_binary_suffix}
%{_libdir}/libruby%{rb_binary_suffix}.so.2.0*
%{_libdir}/ruby/
%exclude %{rb_libdir}/multi-tk.rb
%exclude %{rb_libdir}/remote-tk.rb
%exclude %{rb_libdir}/tcltk.rb
%exclude %{rb_libdir}/tk*.rb
%exclude %{rb_libdir}/tk/
%exclude %{rb_libdir}/tkextlib/
%exclude %{rb_archdir}/tcltklib.so
%exclude %{rb_archdir}/tkutil.so
%{_mandir}/man1/ri%{rb_binary_suffix}.1*
%{_mandir}/man1/irb%{rb_binary_suffix}.1*
%{_mandir}/man1/erb%{rb_binary_suffix}.1*
%{_mandir}/man1/rake%{rb_binary_suffix}.1*
%{_mandir}/man1/ruby%{rb_binary_suffix}.1*
%doc ChangeLog  COPYING  COPYING.ja  GPL  KNOWNBUGS.rb  LEGAL  NEWS  README README.EXT  README.EXT.ja  README.ja  doc/* sample/

%files devel -f devel-extra-excludes
%defattr(-,root,root,-)
%{_includedir}/ruby-%{rb_ver}
%{_libdir}/libruby%{rb_binary_suffix}.so
%{_libdir}/libruby%{rb_binary_suffix}-static.a
%{_libdir}/pkgconfig/ruby-2.0.pc

%files devel-extra -f devel-extra-list

%files tk
%defattr(-,root,root,-)
%{rb_libdir}/multi-tk.rb
%{rb_libdir}/remote-tk.rb
%{rb_libdir}/tcltk.rb
%{rb_libdir}/tk*.rb
%{rb_libdir}/tk/
%{rb_libdir}/tkextlib/
%{rb_archdir}/tcltklib.so
%{rb_archdir}/tkutil.so

%files doc-ri
%defattr(-,root,root,-)
%dir %{_datadir}/ri/
%{_datadir}/ri/%{rb_ver}/

%changelog
++++++ CVE-2013-4164.patch ++++++
diff -Naur a/ChangeLog b/ChangeLog
--- a/ChangeLog 2013-06-27 13:11:11.000000000 +0200
+++ b/ChangeLog 2013-11-23 19:43:53.298338061 +0100
@@ -1,3 +1,8 @@
+Fri Nov 22 12:46:08 2013  Nobuyoshi Nakada  <[email protected]>
+
+ * util.c (ruby_strtod): ignore too long fraction part, which does not
+   affect the result.
+
 Thu Jun 27 20:10:56 2013  CHIKANAGA Tomoyuki  <[email protected]>
 
        * ext/openssl/lib/openssl/ssl.rb (verify_certificate_identity): fix
diff -Naur a/test/ruby/test_float.rb b/test/ruby/test_float.rb
--- a/test/ruby/test_float.rb   2012-11-07 08:03:53.000000000 +0100
+++ b/test/ruby/test_float.rb   2013-11-23 19:43:53.298338061 +0100
@@ -613,4 +613,10 @@
     # always not flonum
     assert_raise(TypeError) { a = Float::INFINITY; def a.foo; end }
   end
+
+  def test_long_string
+    assert_separately([], <<-'end;')
+    assert_in_epsilon(10.0, ("1."+"1"*300000).to_f*9)
+    end;
+  end
 end
diff -Naur a/util.c b/util.c
--- a/util.c    2012-05-17 04:48:59.000000000 +0200
+++ b/util.c    2013-11-23 19:43:53.299338061 +0100
@@ -715,6 +715,11 @@
 #else
 #define MALLOC malloc
 #endif
+#ifdef FREE
+extern void FREE(void*);
+#else
+#define FREE free
+#endif
 
 #ifndef Omit_Private_Memory
 #ifndef PRIVATE_MEM
@@ -1005,7 +1010,7 @@
 #endif
 
     ACQUIRE_DTOA_LOCK(0);
-    if ((rv = freelist[k]) != 0) {
+    if (k <= Kmax && (rv = freelist[k]) != 0) {
         freelist[k] = rv->next;
     }
     else {
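Review bot: the new `k <= Kmax &&` guard is the actual fix and deserves a one-line comment at the condition: `freelist` is indexed by `k`, and a fraction long enough to need a Bigint with `k > Kmax` previously read `freelist[k]` past the end of the array (and Bfree later wrote there). Without a comment, a future cleanup could "simplify" the condition back to `(rv = freelist[k]) != 0`.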
@@ -1015,7 +1020,7 @@
 #else
         len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1)
                 /sizeof(double);
-        if (pmem_next - private_mem + len <= PRIVATE_mem) {
+        if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) {
             rv = (Bigint*)pmem_next;
             pmem_next += len;
         }
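Review bot: this guard keeps oversized Bigints out of `private_mem`, so together with the previous hunk every `k > Kmax` allocation now falls through to `MALLOC`. That invariant is exactly what the Bfree change below relies on when it hands `v->k > Kmax` blocks to `FREE`; state it in a comment next to the condition so the two sites stay in sync.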
@@ -1034,6 +1039,10 @@
 Bfree(Bigint *v)
 {
     if (v) {
+        if (v->k > Kmax) {
+            FREE(v);
+            return;
+        }
         ACQUIRE_DTOA_LOCK(0);
         v->next = freelist[v->k];
         freelist[v->k] = v;
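Review bot: the early `FREE(v); return;` is only correct if every Bigint with `v->k > Kmax` was obtained from `MALLOC`, which the two Balloc hunks above now guarantee; add a comment saying so, because releasing a `private_mem` block through `FREE` here would corrupt the arena. The `MALLOC` path that sets `rv->k` for the oversize case is not visible in this diff, so confirm `k` is still recorded on that path, otherwise this comparison reads garbage.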
@@ -2097,6 +2106,7 @@
         for (; c >= '0' && c <= '9'; c = *++s) {
 have_dig:
             nz++;
+            if (nf > DBL_DIG * 4) continue;
             if (c -= '0') {
                 nf += nz;
                 for (i = 1; i < nz; i++)
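Review bot: `continue` sits after `nz++`, so `nz` keeps growing for every skipped digit while `nf` is frozen at `DBL_DIG * 4 + 1`; nothing in this hunk consumes `nz` afterwards, but check that the code after the digit loop (exponent handling) does not use `nz` to decide whether digits were seen. The cutoff also deserves a comment explaining why digits beyond `DBL_DIG * 4` cannot change the rounded result, which is the claim the ChangeLog entry makes.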
++++++ CVE-2013-4287-4363.patch ++++++
diff -Naur a/lib/rubygems/version.rb b/lib/rubygems/version.rb
--- a/lib/rubygems/version.rb   2013-10-21 16:53:11.442939806 +0200
+++ b/lib/rubygems/version.rb   2013-10-21 17:20:41.741034852 +0200
@@ -148,7 +148,7 @@
   # FIX: These are only used once, in .correct?. Do they deserve to be
   # constants?
   VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*' # :nodoc:
-  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
+  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
 
   ##
   # A string representation of this Version.
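Review bot: the change from `*` to `?` is the entire fix for CVE-2013-4287/4363 and should be explained in a comment rather than left as a one-character diff: with the outer `*`, the inner `[0-9]+(\.[0-9a-zA-Z]+)*` could be partitioned in exponentially many ways against an input that fails near the end (a long version string followed by an invalid character), and the backtracking engine explores all of them. `?` keeps the intended grammar, an empty or whitespace-only string is still accepted, without the nested repetition that made the match superlinear.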
diff -Naur a/test/rubygems/test_gem_requirement.rb 
b/test/rubygems/test_gem_requirement.rb
--- a/test/rubygems/test_gem_requirement.rb     2013-10-21 16:53:11.412939804 
+0200
+++ b/test/rubygems/test_gem_requirement.rb     2013-10-21 17:21:57.796039232 
+0200
@@ -47,18 +47,23 @@
   end
 
   def test_parse_bad
-    e = assert_raises Gem::Requirement::BadRequirementError do
-      Gem::Requirement.parse nil
+    [
+      nil,
+      '',
+      '! 1',
+      '= junk',
+      '1..2',
+    ].each do |bad|
+      e = assert_raises Gem::Requirement::BadRequirementError do
+        Gem::Requirement.parse bad
+      end
+      assert_equal 'Illformed requirement [""]', e.message
     end
 
-    assert_equal 'Illformed requirement [nil]', e.message
-
     e = assert_raises Gem::Requirement::BadRequirementError do
       Gem::Requirement.parse ""
     end
 
-    assert_equal 'Illformed requirement [""]', e.message
-
     assert_equal Gem::Requirement::BadRequirementError.superclass, 
ArgumentError
   end
 
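Review bot: the assertion inside the loop is wrong for four of the five inputs: `Gem::Requirement.parse nil` reports `Illformed requirement [nil]` (the message this hunk deletes at the old `assert_equal 'Illformed requirement [nil]', e.message` line), and `'! 1'`, `'= junk'` and `'1..2'` are each quoted with their own value, so only the `''` entry can satisfy the hardcoded `'Illformed requirement [""]'`. Use `assert_equal "Illformed requirement [#{bad.inspect}]", e.message`. The `Gem::Requirement.parse ""` block kept below the loop then duplicates the `''` entry and no longer asserts anything about its message; drop it.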
diff -Naur a/test/rubygems/test_gem_version.rb 
b/test/rubygems/test_gem_version.rb
--- a/test/rubygems/test_gem_version.rb 2013-10-21 16:53:11.412939804 +0200
+++ b/test/rubygems/test_gem_version.rb 2013-10-21 17:20:41.741034852 +0200
@@ -67,12 +67,17 @@
   end
 
   def test_initialize_bad
-    ["junk", "1.0\n2.0"].each do |bad|
-      e = assert_raises ArgumentError do
+    %W[
+      junk
+      1.0\n2.0
+      1..2
+      1.2\ 3.4
+    ].each do |bad|
+      e = assert_raises ArgumentError, bad do
         Gem::Version.new bad
       end
 
-      assert_equal "Malformed version number string #{bad}", e.message
+      assert_equal "Malformed version number string #{bad}", e.message, bad
     end
   end
 
++++++ CVE-2014-8080.patch ++++++
diff -Naur a/lib/rexml/entity.rb b/lib/rexml/entity.rb
--- a/lib/rexml/entity.rb       2010-03-20 04:30:59.000000000 +0100
+++ b/lib/rexml/entity.rb       2014-12-18 18:17:52.905688800 +0100
@@ -138,8 +138,14 @@
         matches = @value.scan(PEREFERENCE_RE)
         rv = @value.clone
         if @parent
+          sum = 0
           matches.each do |entity_reference|
             entity_value = @parent.entity( entity_reference[0] )
+            if sum + entity_value.bytesize > 
Document.entity_expansion_text_limit
+              raise "entity expansion has grown too large"
+            else
+              sum += entity_value.bytesize
+            end
             rv.gsub!( /%#{entity_reference.join};/um, entity_value )
           end
         end
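Review bot: `@parent.entity( entity_reference[0] )` returns nil for an undefined parameter entity, and the new `entity_value.bytesize` then fails with NoMethodError before the existing `gsub!` would have; handle nil explicitly (skip the reference or raise a parse error) so an unknown reference is reported as such. The bare `raise "entity expansion has grown too large"` is a RuntimeError, while the tests added below expect `REXML::ParseException`; that works only if the DTD parser wraps the exception, which should be stated in a comment or done here directly.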
diff -Naur a/test/rexml/test_document.rb b/test/rexml/test_document.rb
--- a/test/rexml/test_document.rb       2012-11-03 06:42:40.000000000 +0100
+++ b/test/rexml/test_document.rb       2014-12-18 18:17:52.905688800 +0100
@@ -47,6 +47,20 @@
 </member>
 EOF
 
+    XML_WITH_NESTED_PARAMETER_ENTITY = <<EOF
+<!DOCTYPE root [
+  <!ENTITY % a "BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.">
+  <!ENTITY % b "%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;">
+  <!ENTITY % c "%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;">
+  <!ENTITY % d "%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;">
+  <!ENTITY % e "%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;">
+  <!ENTITY % f "%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;">
+  <!ENTITY % g "%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;">
+ <!ENTITY test "test %g;">
++]>
+<cd></cd>
+EOF
+
   XML_WITH_4_ENTITY_EXPANSION = <<EOF
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE member [
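Review bot: the heredoc line `++]>` is a `+` hunk line whose content is `+]>`, so the fixture's internal subset closes with a stray `+` and is malformed XML; `REXML::Document.new` raises `REXML::ParseException` for that reason alone, which lets `test_entity_expansion_limit_for_parameter_entity` pass whether or not the new size check works. CVE-2014-8090.patch corrects the line later; fix it here so this patch is valid on its own.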
@@ -83,6 +97,19 @@
     end
   ensure
     REXML::Document.entity_expansion_limit = 10000
+  end
+
+  def test_entity_expansion_limit_for_parameter_entity
+    assert_raise(REXML::ParseException) do
+      REXML::Document.new(XML_WITH_NESTED_PARAMETER_ENTITY)
+    end
+    REXML::Document.entity_expansion_limit = 100
+    assert_equal(100, REXML::Document.entity_expansion_limit)
+    assert_raise(REXML::ParseException) do
+      REXML::Document.new(XML_WITH_NESTED_PARAMETER_ENTITY)
+    end
+  ensure
+    REXML::Document.entity_expansion_limit = 10000
   end
 
   def test_tag_in_cdata_with_not_ascii_only_but_ascii8bit_encoding_source
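Review bot: the test adjusts `entity_expansion_limit` (the expansion count), but the code added in lib/rexml/entity.rb enforces `entity_expansion_text_limit` (bytes); the assertions never show which limit fired, and with `%a;` at 45 bytes and each level multiplying by 15 the fixture blows through the default text limit (which test_entity.rb pins between 10k and 15k) at `%d;` regardless of the count. Either set `entity_expansion_text_limit` explicitly in the test or assert on the exception message so the test proves the intended check.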
diff -Naur a/test/rexml/test_entity.rb b/test/rexml/test_entity.rb
--- a/test/rexml/test_entity.rb 2013-02-22 11:22:20.000000000 +0100
+++ b/test/rexml/test_entity.rb 2014-12-18 18:17:52.906688800 +0100
@@ -122,6 +122,22 @@
     end
   end
 
+  def test_entity_string_limit_for_parameter_entity
+    template = '<!DOCTYPE bomb [ <!ENTITY % a "^" > <!ENTITY bomb "$" > 
]><root/>'
+    len      = 5120 # 5k per entity
+    template.sub!(/\^/, "B" * len)
+
+    # 10k is OK
+    entities = '%a;' * 2 # 5k entity * 2 = 10k
+    REXML::Document.new(template.sub(/\$/, entities))
+
+    # above 10k explodes
+    entities = '%a;' * 3 # 5k entity * 2 = 15k
+    assert_raises(REXML::ParseException) do
+      REXML::Document.new(template.sub(/\$/, entities))
+    end
+  end
+
   def test_raw
     source = '<!DOCTYPE foo [
 <!ENTITY ent "replace">
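Review bot: the comment on the third `entities` line says `5k entity * 2 = 15k` but the code is `'%a;' * 3`; fix the comment. The test also depends on the default `entity_expansion_text_limit` without setting it; assign it at the top and restore it in an `ensure`, as the other tests do for `entity_expansion_limit`, so a leftover from another test cannot change the outcome.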
++++++ CVE-2014-8090.patch ++++++
diff -Naur a/lib/rexml/document.rb b/lib/rexml/document.rb
--- a/lib/rexml/document.rb     2013-03-26 18:54:43.000000000 +0100
+++ b/lib/rexml/document.rb     2014-12-18 18:18:34.365691188 +0100
@@ -278,6 +278,10 @@
       end
     end
 
+    def document
+      self
+    end
+
     private
     def build( source )
       Parsers::TreeParser.new( source, self ).parse
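Review bot: `document` is added above `private`, so it becomes public API on Document; give it an RDoc comment (it returns self so that Document and its child nodes answer `document` uniformly). The CAUTION added in entity.rb says the EntityConst entities have neither parent nor document, so whatever now reaches the document through the parent chain must tolerate nil; say where that is handled.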
diff -Naur a/lib/rexml/entity.rb b/lib/rexml/entity.rb
--- a/lib/rexml/entity.rb       2014-12-18 18:18:23.830690581 +0100
+++ b/lib/rexml/entity.rb       2014-12-18 18:18:34.365691188 +0100
@@ -157,6 +157,7 @@
 
   # This is a set of entity constants -- the ones defined in the XML
   # specification.  These are +gt+, +lt+, +amp+, +quot+ and +apos+.
+  # CAUTION: these entities does not have parent and document
   module EntityConst
     # +>+
     GT = Entity.new( 'gt', '>' )
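Review bot: grammar in the added comment: "these entities do not have a parent or a document". It would also help to state the consequence for callers (code that walks `parent` to reach the document must nil-check first), otherwise the CAUTION gives no hint about what goes wrong.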
diff -Naur a/test/rexml/test_document.rb b/test/rexml/test_document.rb
--- a/test/rexml/test_document.rb       2014-12-18 18:18:23.830690581 +0100
+++ b/test/rexml/test_document.rb       2014-12-18 18:19:16.391693608 +0100
@@ -47,6 +47,22 @@
 </member>
 EOF
 
+    XML_WITH_NESTED_EMPTY_ENTITY = <<EOF
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE member [
+  <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
+  <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
+  <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
+  <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
+  <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
+  <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
+  <!ENTITY g "">
+]>
+<member>
+&a;
+</member>
+EOF
+
     XML_WITH_NESTED_PARAMETER_ENTITY = <<EOF
 <!DOCTYPE root [
   <!ENTITY % a "BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.">
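Review bot: this fixture is the one that matters for CVE-2014-8090: every level expands to the empty string, so the byte-size check from CVE-2014-8080.patch can never trigger and only the expansion count can catch it. A comment above the constant saying so would explain why both `XML_WITH_NESTED_EMPTY_ENTITY` and the parameter-entity variant below exist next to the non-empty fixtures.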
@@ -57,7 +73,21 @@
   <!ENTITY % f "%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;">
   <!ENTITY % g "%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;">
  <!ENTITY test "test %g;">
-+]>
+]>
+<cd></cd>
+EOF
+
+    XML_WITH_NESTED_EMPTY_PARAMETER_ENTITY = <<EOF
+<!DOCTYPE root [
+  <!ENTITY % a "">
+  <!ENTITY % b "%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;">
+  <!ENTITY % c "%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;">
+  <!ENTITY % d "%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;">
+  <!ENTITY % e "%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;">
+  <!ENTITY % f "%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;">
+  <!ENTITY % g "%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;">
+  <!ENTITY test "test %g;">
+]>
 <cd></cd>
 EOF
 
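Review bot: the `-+]>` / `+]>` pair repairs the malformed fixture that CVE-2014-8080.patch introduced; only from this point on does `test_entity_expansion_limit_for_parameter_entity` exercise the limit rather than a syntax error. Either fold this correction into the earlier patch or note in the changes file that the two patches are only meaningful when applied together.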
@@ -87,6 +117,18 @@
     end
     assert_equal(101, doc.entity_expansion_count)
 
+    doc = REXML::Document.new(XML_WITH_NESTED_EMPTY_ENTITY)
+    assert_raise(RuntimeError) do
+      doc.root.children.first.value
+    end
+    REXML::Document.entity_expansion_limit = 100
+    assert_equal(100, REXML::Document.entity_expansion_limit)
+    doc = REXML::Document.new(XML_WITH_NESTED_EMPTY_ENTITY)
+    assert_raise(RuntimeError) do
+      doc.root.children.first.value
+    end
+    assert_equal(101, doc.entity_expansion_count)
+
     REXML::Document.entity_expansion_limit = 4
     doc = REXML::Document.new(XML_WITH_4_ENTITY_EXPANSION)
     assert_equal("\na\na a\n<\n", doc.root.children.first.value)
@@ -95,6 +137,15 @@
     assert_raise(RuntimeError) do
       doc.root.children.first.value
     end
+
+    assert_raise(REXML::ParseException) do
+      REXML::Document.new(XML_WITH_NESTED_EMPTY_PARAMETER_ENTITY)
+    end
+    REXML::Document.entity_expansion_limit = 100
+    assert_equal(100, REXML::Document.entity_expansion_limit)
+    assert_raise(REXML::ParseException) do
+      REXML::Document.new(XML_WITH_NESTED_EMPTY_PARAMETER_ENTITY)
+    end
   ensure
     REXML::Document.entity_expansion_limit = 10000
   end
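Review bot: the visible diff contains no library change that makes parameter-entity expansion count toward `entity_expansion_limit`; the only non-test changes are `Document#document` and a comment, so it is not visible how the new `assert_raise(REXML::ParseException)` on `XML_WITH_NESTED_EMPTY_PARAMETER_ENTITY` is satisfied. Confirm the patch is complete against the upstream fix, and add a ChangeLog entry (as CVE-2013-4164.patch does) that explains how `Document#document` closes the gap.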
++++++ pkg_config_ldflags_fix.patch ++++++
From: David Majda <[email protected]>
Date: Wed, 27 Mar 2014 10:16:13 +0100
References: bnc#870546
Upstream: merged
Subject: pkg_config: Do not replace $LDFLAGS with $libs

This is a backport of upstream patch:

  https://bugs.ruby-lang.org/attachments/download/3769/b.patch

See the upstream bug report for more details:

  https://bugs.ruby-lang.org/issues/8595

The patch is needed because the bug broke correct building of gems with
native extensions such as Nokogiri in openSUSE 13.1. It is fixed in the
latest Ruby 2.0.0 (p451) and 2.1.1.

diff --git a/lib/mkmf.rb b/lib/mkmf.rb
index 146225d..8179974 100644
--- a/lib/mkmf.rb
+++ b/lib/mkmf.rb
@@ -1709,12 +1709,13 @@
       # default to package specific config command, as a last resort.
       get = proc {|opt| `#{pkgconfig} --#{opt}`.strip}
     end
+    orig_ldflags = $LDFLAGS
     if get and try_ldflags(ldflags = get['libs'])
       cflags = get['cflags']
       libs = get['libs-only-l']
       ldflags = (Shellwords.shellwords(ldflags) - 
Shellwords.shellwords(libs)).quote.join(" ")
       $CFLAGS += " " << cflags
-      $LDFLAGS += " " << ldflags
+      $LDFLAGS = [orig_ldflags, ldflags].join(' ')
       $libs += " " << libs
       Logging::message "package configuration for %s\n", pkg
       Logging::message "cflags: %s\nldflags: %s\nlibs: %s\n\n",
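Review bot: the snapshot `orig_ldflags = $LDFLAGS` is taken before `try_ldflags`, which per the referenced bug report is where `$LDFLAGS` gets replaced by the library list; the assignment at the end rebuilds it from that snapshot. That intent should be in a comment, otherwise `$LDFLAGS = [orig_ldflags, ldflags].join(' ')` reads as an odd spelling of `+=`. If `try_ldflags` also leaves `$LDFLAGS` changed when it returns false, the snapshot should be restored on that branch too.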
++++++ ruby-1.9.2p290_tcl_no_stupid_rpaths.patch ++++++
Index: ext/tk/extconf.rb
===================================================================
--- ext/tk/extconf.rb.orig
+++ ext/tk/extconf.rb
@@ -215,9 +215,7 @@ def get_shlib_path_head
 
   else
     [
-      '/opt', '/pkg', '/share',
-      '/usr/local/opt', '/usr/local/pkg', '/usr/local/share', '/usr/local',
-      '/usr/opt', '/usr/pkg', '/usr/share', '/usr/contrib', '/usr'
+      '/usr'
     ].each{|dir|
       next unless File.directory?(dir)
 
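Review bot: trimming the Tcl/Tk search list to `/usr` is reasonable hardening for a distribution build (nothing from /usr/local or /opt gets linked in or baked into the extension's rpath), but the reason belongs in a patch header, and the file name still says 1.9.2p290 while it is applied to 2.0.0-p247; refresh it with From/Subject/Upstream lines as pkg_config_ldflags_fix.patch has.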
++++++ ruby19-export_init_prelude.patch ++++++
Index: ruby-1.9.3-p194/include/ruby/ruby.h
===================================================================
--- ruby-1.9.3-p194.orig/include/ruby/ruby.h
+++ ruby-1.9.3-p194/include/ruby/ruby.h
@@ -1225,6 +1225,7 @@ void ruby_init_stack(volatile VALUE*);
     VALUE variable_in_this_stack_frame; \
     ruby_init_stack(&variable_in_this_stack_frame);
 void ruby_init(void);
+void ruby_init_prelude(void);
 void *ruby_options(int, char**);
 int ruby_run_node(void *);
 int ruby_exec_node(void *);
Index: ruby-1.9.3-p194/ruby.c
===================================================================
--- ruby-1.9.3-p194.orig/ruby.c
+++ ruby-1.9.3-p194/ruby.c
@@ -1091,7 +1091,7 @@ proc_options(long argc, char **argv, str
     return argc0 - argc;
 }
 
-static void
+void
 ruby_init_prelude(void)
 {
     Init_prelude();
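Review bot: this patch is in the New file list but no `PatchN:` line in ruby20.spec references it, and its paths still name ruby-1.9.3-p194; either wire it into the spec and refresh it against ruby-2.0.0-p247 or drop it from the package sources. Exporting `ruby_init_prelude` also widens the embedding API, which should be justified in a header.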
++++++ ruby20-rpmlintrc ++++++
addFilter("files-duplicate /usr/share/ri/.*")
addFilter("unexpanded-macro /usr/share/ri/.*")
++++++ ruby20.macros ++++++
%rb20_binary                         /usr/bin/ruby2.0
%rb20_arch                           %(%{rb20_binary} -e 'print RUBY_PLATFORM')
%rb20_ver                            %(%{rb20_binary} -r rbconfig -e 'print RbConfig::CONFIG["ruby_version"]')
#
#rb20_dir                            %{_libdir}/ruby/
#rb20_libdir                         %{_libdir}/ruby/%{rb20_ver}/
#rb20_archdir                        %{_libdir}/ruby/%{rb20_ver}/%{rb20_arch}
#
#rb20_sitedir                        %{_libdir}/ruby/site_ruby
#rb20_sitelib                        %{rb20_sitedir}/%{rb20_ver}
#rb20_sitearch                       %{rb20_sitedir}/%{rb20_ver}/%{rb20_arch}
#
#rb20_vendordir                      %{_libdir}/ruby/vendor_ruby
#rb20_vendorlib                      %{rb20_vendordir}/%{rb20_ver}
#rb20_vendorarch                     %{rb20_vendordir}/%{rb20_ver}/%{rb20_arch}


## Base
# "rubylibprefix"=>"/usr/lib64/ruby",
%rb20_dir           %(%{rb20_binary} -rrbconfig -e 'puts RbConfig::CONFIG["rubylibprefix"]' )
# "rubylibdir"    =>"/usr/lib64/ruby/2.0.0",
%rb20_libdir        %(%{rb20_binary} -rrbconfig -e 'puts RbConfig::CONFIG["rubylibdir"]' )
# "archdir"       =>"/usr/lib64/ruby/2.0.0/x86_64-linux",
%rb20_archdir       %(%{rb20_binary} -rrbconfig -e 'puts RbConfig::CONFIG["archdir"]' )

## Site
# "sitedir"       =>"/usr/lib64/ruby/site_ruby",
%rb20_sitedir       %(%{rb20_binary} -rrbconfig -e 'puts RbConfig::CONFIG["sitedir"]' )
# "sitelibdir"    =>"/usr/lib64/ruby/site_ruby/2.0.0",
%rb20_sitelibdir    %(%{rb20_binary} -rrbconfig -e 'puts RbConfig::CONFIG["sitelibdir"]' )
# "sitearchdir"   =>"/usr/lib64/ruby/site_ruby/2.0.0/x86_64-linux",
%rb20_sitearchdir   %(%{rb20_binary} -rrbconfig -e 'puts RbConfig::CONFIG["sitearchdir"]' )

## Vendor
# "vendordir"     =>"/usr/lib64/ruby/vendor_ruby",
%rb20_vendordir     %(%{rb20_binary} -rrbconfig -e 'puts RbConfig::CONFIG["vendordir"]' )
# "vendorlibdir"  =>"/usr/lib64/ruby/vendor_ruby/2.0.0",
%rb20_vendorlibdir  %(%{rb20_binary} -rrbconfig -e 'puts RbConfig::CONFIG["vendorlibdir"]' )
# "vendorarchdir" =>"/usr/lib64/ruby/vendor_ruby/2.0.0/x86_64-linux",
%rb20_vendorarchdir %(%{rb20_binary} -rrbconfig -e 'puts RbConfig::CONFIG["vendorarchdir"]' )


%gem20_install                       /usr/lib/rpm/gem_install_wrapper.sh 
%gem20_cleanup                       /usr/bin/gem_build_cleanup 
%{buildroot}%{_libdir}/ruby/gems/%{rb20_ver}/gems/%{mod_name}-%{version}/
%rubygems19_requires() \
%if 0%{?suse_version} > 1100 \
%{requires_ge ruby20}      \
%else                        \
%{requires_eq ruby20}      \
%endif

++++++ rubygems-1.5.0_buildroot.patch ++++++
Index: lib/rubygems/dependency_installer.rb
===================================================================
--- lib/rubygems/dependency_installer.rb.orig
+++ lib/rubygems/dependency_installer.rb
@@ -58,6 +58,7 @@ class Gem::DependencyInstaller
 
   def initialize(options = {})
     @install_dir = options[:install_dir] || Gem.dir
+    @build_root = options[:build_root]
 
     if options[:install_dir] then
       # HACK shouldn't change the global settings, needed for -i behavior
@@ -353,6 +354,7 @@ class Gem::DependencyInstaller
                                 :format_executable   => @format_executable,
                                 :ignore_dependencies => @ignore_dependencies,
                                 :install_dir         => @install_dir,
+                                :build_root          => @build_root,
                                 :security_policy     => @security_policy,
                                 :user_install        => @user_install,
                                 :wrappers            => @wrappers,
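Review bot: the :build_root value is stored raw in `initialize` (first hunk) and only forwarded here, while `--build-root` and Gem::Installer each expand it themselves; that is consistent, but the new option is undocumented on Gem::DependencyInstaller, whose `# HACK shouldn't change the global settings` comment already flags that :install_dir has side effects. Document :build_root next to :install_dir in the initialize comments and state that it is a pure pass-through to Gem::Installer, so callers do not expect DependencyInstaller itself to relocate anything.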
Index: lib/rubygems/installer.rb
===================================================================
--- lib/rubygems/installer.rb.orig
+++ lib/rubygems/installer.rb
@@ -555,8 +555,17 @@ class Gem::Installer
     # (or use) a new bin dir under the gem_home.
     @bin_dir             = options[:bin_dir] || Gem.bindir(gem_home)
     @development         = options[:development]
+    @build_root          = options[:build_root]
 
     @build_args          = options[:build_args] || Gem::Command.build_args
+
+    unless @build_root.nil?
+      require 'pathname'
+      @build_root = Pathname.new(@build_root).expand_path
+      @bin_dir = File.join(@build_root, options[:bin_dir] || 
Gem.bindir(@gem_home))
+      @gem_home = File.join(@build_root,@gem_home)
+      alert_warning "You build with buildroot.\n  Build root: #{@build_root}\n 
 Bin dir: #{@bin_dir}\n  Gem home: #{@gem_home}"
+    end
   end
 
   # DOC: Missing docs or :nodoc:.
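Review bot: `@bin_dir` is computed twice: the line `@bin_dir = options[:bin_dir] || Gem.bindir(gem_home)` just above already holds exactly the value the new block re-derives, so `@bin_dir = File.join(@build_root, @bin_dir)` is equivalent and drops the duplicated expression. Two smaller points: `unless @build_root.nil?` lets an empty string through, and `Pathname.new('').expand_path` resolves to the current directory, so `--build-root ''` would silently relocate gem_home under the working directory; use `unless @build_root.nil? || @build_root.empty?`. The relocation also relies on File.join collapsing the leading slash of an absolute `gem_home`/`bin_dir` (`File.join('/build', '/usr/bin')` gives `/build/usr/bin`), which is fine, but a relative `options[:bin_dir]` ends up relative to the build root rather than to the working directory, so expand it before joining. Style: move `require 'pathname'` to the top of the file, add the missing space in `File.join(@build_root,@gem_home)`, and reword the warning to "Building with a build root" rather than "You build with buildroot".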
Index: lib/rubygems/install_update_options.rb
===================================================================
--- lib/rubygems/install_update_options.rb.orig
+++ lib/rubygems/install_update_options.rb
@@ -56,6 +56,12 @@ module Gem::InstallUpdateOptions
                            end
     end
 
+    add_option(:"Install/Update", '--build-root DIR',
+               'Temporary installation root. Useful for building',
+               'packages. Do not use this when installing remote gems.') do 
|value, options|
+        options[:build_root] = File.expand_path(value)
+    end
+
     add_option(:"Install/Update", '-N', '--no-document',
                'Disable documentation generation') do |value, options|
       options[:document] = []
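Review bot: the help text says "Do not use this when installing remote gems" but nothing in the patch enforces it; the option body only stores `File.expand_path(value)`. If relocating a remote install is actually unsafe, reject the combination (or at least alert_warning) at the point where the gem source is resolved instead of relying on the help text. Also, this `File.expand_path` and the `Pathname#expand_path` in Gem::Installer do the same work; one is enough, and doing it here means every consumer already sees a canonical absolute path.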
++++++ rubygems_fix_build_info_location.patch ++++++
From: David Majda <[email protected]>
Date: Fri, 10 Jan 2014 09:35:17 +0100
References: bnc#858100
Upstream: merged
Subject: RubyGems: Fix build info file location

Gem::Specification#build_info_file didn't respect the :install_dir
option and saved the build info file into a wrong location during gem
installation. This caused permission problems when installing gems using
Bundler, making it pretty much useless.

This fix is a backport from upstream:

  https://github.com/rubygems/rubygems/commit/26f8ed4aa7f1ac965aec8f5721ec97e84eca6043

The upstream fix is already included in RubyGems 2.0.4.

diff --git a/lib/rubygems/installer.rb b/lib/rubygems/installer.rb
index 4a41891..25438f9 100644
--- a/lib/rubygems/installer.rb
+++ b/lib/rubygems/installer.rb
@@ -773,7 +773,13 @@ def pre_install_checks
   def write_build_info_file
     return if @build_args.empty?
 
-    open spec.build_info_file, 'w' do |io|
+    build_info_dir = File.join gem_home, 'build_info'
+
+    FileUtils.mkdir_p build_info_dir
+
+    build_info_file = File.join build_info_dir, "#{spec.full_name}.info"
+
+    open build_info_file, 'w' do |io|
       @build_args.each do |arg|
         io.puts arg
       end
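Review bot: the writer now builds the path from `gem_home` while Gem::Specification#build_info_file (the old call, and what the accompanying test still checks with `refute_path_exists`) derives it from the spec, so the two can disagree whenever :install_dir is set; confirm that whatever reads the .info file back resolves it from the same `gem_home`, otherwise the build args are written but never found. Separately, `open build_info_file, 'w'` is Kernel#open, which interprets a leading `|` in its argument as a command to spawn; the name is assembled from `spec.full_name`, i.e. data taken from the gemspec, so `File.open build_info_file, 'w'` is the safer call and costs nothing.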
diff --git a/test/rubygems/test_gem_installer.rb b/test/rubygems/test_gem_installer.rb
index 0f9bfef..4778b8e 100644
--- a/test/rubygems/test_gem_installer.rb
+++ b/test/rubygems/test_gem_installer.rb
@@ -1364,6 +1364,20 @@ def test_write_build_args_empty
     refute_path_exists @spec.build_info_file
   end
 
+  def test_write_build_info_file_install_dir
+    installer = Gem::Installer.new @gem, :install_dir => "#{@gemhome}2"
+
+    installer.build_args = %w[
+      --with-libyaml-dir /usr/local/Cellar/libyaml/0.1.4
+    ]
+
+    installer.write_build_info_file
+
+    refute_path_exists @spec.build_info_file
+    assert_path_exists \
+      File.join("#{@gemhome}2", 'build_info', "#{@spec.full_name}.info")
+  end
+
   def test_write_cache_file
     cache_file = File.join @gemhome, 'cache', @spec.file_name
     gem = File.join @gemhome, @spec.file_name
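Review bot: the new test only asserts that the file exists; it never reads it back, so a regression that writes an empty or mangled file still passes. Since `build_args` is the two-element array `--with-libyaml-dir` and `/usr/local/Cellar/libyaml/0.1.4` and `write_build_info_file` emits one `puts` per element, add `assert_equal "--with-libyaml-dir\n/usr/local/Cellar/libyaml/0.1.4\n", File.read(File.join("#{@gemhome}2", 'build_info', "#{@spec.full_name}.info"))`. The `#{@gemhome}2` directory should also be removed in teardown if the test helper does not already clean it up.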