This updates ruby 1.9, 2.0, and 2.1 to the current version, fixing CVE 2014-8080: Denial of Service XML Expansion
https://www.ruby-lang.org/en/news/2014/10/27/rexml-dos-cve-2014-8080/

Release announcements:
https://www.ruby-lang.org/en/news/2014/10/27/ruby-2-1-4-released/
https://www.ruby-lang.org/en/news/2014/10/27/ruby-2-0-0-p594-is-released/
https://www.ruby-lang.org/en/news/2014/10/27/ruby-1-9-3-p550-is-released/

Also, the openssl extension default options/ciphers have been updated:
https://www.ruby-lang.org/en/news/2014/10/27/changing-default-settings-of-ext-openssl/

I'm not sure how much the openssl extension default changes affect OpenBSD, considering that we already disabled or removed many of the vulnerable defaults.

As ruby 1.8 is no longer supported upstream, there is no release for it. However, the 1.9 REXML patch backports simply to 1.8 and I've tested to confirm it fixes the issue. I do not plan to backport the openssl extension default changes to 1.8.

Unfortunately, for ruby 2.0 and 2.1, this is a major library bump as they added a member to a struct.

Tested on amd64 and partially on i386. I'll try to do a bulk of the ruby ports before I commit this to ensure no breakage. Unless I hear otherwise, I plan to commit this patch this weekend.

Thanks,
Jeremy

Index: 1.8/Makefile =================================================================== RCS file: /cvs/ports/lang/ruby/1.8/Makefile,v retrieving revision 1.31 diff -u -p -r1.31 Makefile --- 1.8/Makefile 15 Oct 2014 02:06:35 -0000 1.31 +++ 1.8/Makefile 29 Oct 2014 00:49:16 -0000 @@ -20,7 +20,7 @@ PKGNAME-ri_docs= ruby-ri_docs-${VERSION} PKG_ARCH-ri_docs= * PKGSPEC-main= ruby->=1.8,<1.9 -REVISION-main= 1 +REVISION-main= 2 CONFIGURE_ARGS= --program-suffix=18 \ --enable-ipv6 \ Index: 1.8/patches/patch-lib_rexml_entity_rb =================================================================== RCS file: 1.8/patches/patch-lib_rexml_entity_rb diff -N 1.8/patches/patch-lib_rexml_entity_rb --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ 1.8/patches/patch-lib_rexml_entity_rb 29 Oct 2014 00:50:09 -0000
@@ -0,0 +1,21 @@ +$OpenBSD$ + +Backport security fix for CVE-2014-8080: Denial of Service XML Expansion. + +--- lib/rexml/entity.rb.orig Wed Feb 4 16:03:56 2009 ++++ lib/rexml/entity.rb Tue Oct 28 17:48:54 2014 +@@ -138,8 +138,14 @@ module REXML + matches = @value.scan(PEREFERENCE_RE) + rv = @value.clone + if @parent ++ sum = 0 + matches.each do |entity_reference| + entity_value = @parent.entity( entity_reference[0] ) ++ if sum + entity_value.bytesize > Document.entity_expansion_text_limit ++ raise "entity expansion has grown too large" ++ else ++ sum += entity_value.bytesize ++ end + rv.gsub!( /%#{entity_reference};/um, entity_value ) + end + end Index: 1.9/Makefile =================================================================== RCS file: /cvs/ports/lang/ruby/1.9/Makefile,v retrieving revision 1.46 diff -u -p -r1.46 Makefile --- 1.9/Makefile 15 Oct 2014 02:06:35 -0000 1.46 +++ 1.9/Makefile 27 Oct 2014 15:23:00 -0000 @@ -9,7 +9,7 @@ COMMENT-tk = tk interface for ruby COMMENT-ri_docs = ri documentation files for ruby VERSION = 1.9.3 -PATCHLEVEL = 545 +PATCHLEVEL = 550 RUBYLIBREV = 1.9.1 SHARED_LIBS = ruby19 1.1 @@ -18,7 +18,6 @@ PKGNAME-gdbm = ruby-gdbm-${VERSION}.${P PKGNAME-dbm = ruby-dbm-${VERSION}.${PATCHLEVEL} PKGNAME-tk = ruby-tk-${VERSION}.${PATCHLEVEL} PKGNAME-ri_docs = ruby-ri_docs-${VERSION}.${PATCHLEVEL} -REVISION-main = 1 PKG_ARCH-ri_docs = * WANTLIB-ri_docs = # empty Index: 1.9/distinfo =================================================================== RCS file: /cvs/ports/lang/ruby/1.9/distinfo,v retrieving revision 1.16 diff -u -p -r1.16 distinfo --- 1.9/distinfo 11 Mar 2014 20:07:07 -0000 1.16 +++ 1.9/distinfo 27 Oct 2014 15:23:12 -0000 
@@ -1,2 +1,2 @@ -SHA256 (ruby-1.9.3-p545.tar.gz) = BfsA69N074AEdetAtx68QswYwfYfSIXBFzfzENPSMRE= -SIZE (ruby-1.9.3-p545.tar.gz) = 12582277 +SHA256 (ruby-1.9.3-p550.tar.gz) = 1s8AjZ86mu7S7wRCjxnWbiiu2KcUVvftumhifTMCzWs= +SIZE (ruby-1.9.3-p550.tar.gz) = 12605180 Index: 2.0/Makefile =================================================================== RCS file: /cvs/ports/lang/ruby/2.0/Makefile,v retrieving revision 1.15 diff -u -p -r1.15 Makefile --- 2.0/Makefile 15 Oct 2014 02:06:35 -0000 1.15 +++ 2.0/Makefile 27 Oct 2014 15:36:13 -0000 @@ -6,16 +6,15 @@ COMMENT-tk = tk interface for ruby COMMENT-ri_docs = ri documentation files for ruby VERSION = 2.0.0 -PATCHLEVEL = 576 +PATCHLEVEL = 594 RUBYLIBREV = 2.0 DISTNAME = ruby-${VERSION}-p${PATCHLEVEL} -SHARED_LIBS = ruby20 0.1 +SHARED_LIBS = ruby20 1.0 PKGNAME-main = ruby-${VERSION}.${PATCHLEVEL} PKGNAME-gdbm = ruby20-gdbm-${VERSION}.${PATCHLEVEL} PKGNAME-tk = ruby20-tk-${VERSION}.${PATCHLEVEL} PKGNAME-ri_docs = ruby20-ri_docs-${VERSION}.${PATCHLEVEL} -REVISION-main = 0 PKG_ARCH-ri_docs = * WANTLIB-ri_docs = # empty Index: 2.0/distinfo =================================================================== RCS file: /cvs/ports/lang/ruby/2.0/distinfo,v retrieving revision 1.7 diff -u -p -r1.7 distinfo --- 2.0/distinfo 22 Sep 2014 15:14:48 -0000 1.7 +++ 2.0/distinfo 27 Oct 2014 15:25:54 -0000 @@ -1,2 +1,2 @@ -SHA256 (ruby-2.0.0-p576.tar.gz) = n1pZPYF2jIVhVb5rLS41e5YbXEPgS6VMHuURmH+sK2Y= -SIZE (ruby-2.0.0-p576.tar.gz) = 13610215 +SHA256 (ruby-2.0.0-p594.tar.gz) = 7lFd17F828EGOWzUMvVmK7C1r8BQREaRdZFKq2Xzxuc= +SIZE (ruby-2.0.0-p594.tar.gz) = 13606970 Index: 2.0/patches/patch-compile_c =================================================================== RCS file: /cvs/ports/lang/ruby/2.0/patches/patch-compile_c,v retrieving revision 1.1 diff -u -p -r1.1 patch-compile_c --- 2.0/patches/patch-compile_c 12 Feb 2014 22:41:43 -0000 1.1 +++ 2.0/patches/patch-compile_c 28 Oct 2014 03:08:46 -0000 
@@ -2,9 +2,9 @@ $OpenBSD: patch-compile_c,v 1.1 2014/02/ Disable peephole optimizer on sparc64, since it occasionally segfaults. ---- compile.c.orig Fri Jan 11 09:13:17 2013 -+++ compile.c Thu Jan 9 22:31:36 2014 -@@ -1706,6 +1706,9 @@ static int +--- compile.c.orig Sun Aug 31 00:55:32 2014 ++++ compile.c Mon Oct 27 20:08:11 2014 +@@ -1770,6 +1770,9 @@ static int iseq_peephole_optimize(rb_iseq_t *iseq, LINK_ELEMENT *list, const int do_tailcallopt) { INSN *iobj = (INSN *)list; Index: 2.0/patches/patch-configure =================================================================== RCS file: /cvs/ports/lang/ruby/2.0/patches/patch-configure,v retrieving revision 1.3 diff -u -p -r1.3 patch-configure --- 2.0/patches/patch-configure 21 Jan 2014 10:06:07 -0000 1.3 +++ 2.0/patches/patch-configure 28 Oct 2014 03:08:46 -0000 @@ -5,9 +5,9 @@ Fix so name, checking for DOT and DOXYGE Override the arch setting to remove OpenBSD version from it, so ports don't have to be bumped when OpenBSD version changes. ---- configure.orig Fri Nov 22 05:23:39 2013 -+++ configure Tue Jan 21 09:54:37 2014 -@@ -17000,13 +17000,13 @@ fi +--- configure.orig Mon Oct 27 04:31:14 2014 ++++ configure Mon Oct 27 20:08:11 2014 +@@ -17178,13 +17178,13 @@ fi if test x"$enable_pthread" = xyes; then for pthread_lib in thr pthread pthreads c c_r root; do as_ac_Lib=`$as_echo "ac_cv_lib_$pthread_lib''_pthread_kill" | $as_tr_sh` @@ -24,7 +24,7 @@ so ports don't have to be bumped when Op cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -@@ -18290,7 +18290,7 @@ esac +@@ -18468,7 +18468,7 @@ esac openbsd*) : SOLIBS='$(LIBS)' 
@@ -33,7 +33,7 @@ so ports don't have to be bumped when Op ;; #( solaris*) : -@@ -19521,7 +19521,10 @@ _ACEOF +@@ -19699,7 +19699,10 @@ _ACEOF _ACEOF else Index: 2.0/patches/patch-test_rexml_test_document_rb =================================================================== RCS file: 2.0/patches/patch-test_rexml_test_document_rb diff -N 2.0/patches/patch-test_rexml_test_document_rb --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ 2.0/patches/patch-test_rexml_test_document_rb 28 Oct 2014 03:09:08 -0000 @@ -0,0 +1,15 @@ +$OpenBSD$ + +Fix error in backported patch. + +--- test/rexml/test_document.rb.orig Mon Oct 27 20:08:32 2014 ++++ test/rexml/test_document.rb Mon Oct 27 20:08:41 2014 +@@ -57,7 +57,7 @@ EOF + <!ENTITY % f "%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;"> + <!ENTITY % g "%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;"> + <!ENTITY test "test %g;"> +-+]> ++]> + <cd></cd> + EOF + Index: 2.1/Makefile =================================================================== RCS file: /cvs/ports/lang/ruby/2.1/Makefile,v retrieving revision 1.9 diff -u -p -r1.9 Makefile --- 2.1/Makefile 15 Oct 2014 02:06:36 -0000 1.9 +++ 2.1/Makefile 27 Oct 2014 16:04:40 -0000 @@ -9,16 +9,15 @@ COMMENT-gdbm = gdbm interface for ruby COMMENT-tk = tk interface for ruby COMMENT-ri_docs = ri documentation files for ruby -VERSION = 2.1.3 +VERSION = 2.1.4 RUBYLIBREV = 2.1 DISTNAME = ruby-${VERSION} -SHARED_LIBS = ruby21 0.0 +SHARED_LIBS = ruby21 1.0 PKGNAME-main = ruby-${VERSION} PKGNAME-gdbm = ruby21-gdbm-${VERSION} PKGNAME-tk = ruby21-tk-${VERSION} PKGNAME-ri_docs = ruby21-ri_docs-${VERSION} -REVISION-main = 0 PKG_ARCH-ri_docs = * WANTLIB-ri_docs = # empty 
@@ -87,7 +86,7 @@ ALL_TARGET += rdoc INSTALL_TARGET += install-doc .endif -SUBST_VARS += RUBYLIBREV +SUBST_VARS += VERSION RUBYLIBREV TEST_DEPENDS = ${FULLPKGNAME-main}:${BUILD_PKGPATH} Index: 2.1/distinfo =================================================================== RCS file: /cvs/ports/lang/ruby/2.1/distinfo,v retrieving revision 1.4 diff -u -p -r1.4 distinfo --- 2.1/distinfo 22 Sep 2014 15:15:41 -0000 1.4 +++ 2.1/distinfo 27 Oct 2014 15:33:17 -0000 @@ -1,2 +1,2 @@ -SHA256 (ruby-2.1.3.tar.gz) = CBi+t7EM6aBYzSHYXP4dzSM+mLc0LTLppdS+vpg0fwE= -SIZE (ruby-2.1.3.tar.gz) = 15129183 +SHA256 (ruby-2.1.4.tar.gz) = v5lSzes6DGpaJ3Rcm0wOXiZOkrZpsrCO+zY/UVZUkgQ= +SIZE (ruby-2.1.4.tar.gz) = 15127418 Index: 2.1/patches/patch-configure =================================================================== RCS file: /cvs/ports/lang/ruby/2.1/patches/patch-configure,v retrieving revision 1.2 diff -u -p -r1.2 patch-configure --- 2.1/patches/patch-configure 22 Sep 2014 15:15:41 -0000 1.2 +++ 2.1/patches/patch-configure 27 Oct 2014 15:37:48 -0000 @@ -5,8 +5,6 @@ Fix so name, checking for DOT and DOXYGE Override the arch setting to remove OpenBSD version from it, so ports don't have to be bumped when OpenBSD version changes. -Remove invalid shell syntax, fixed upstream in r45715. - --- configure.orig Thu Sep 18 10:04:39 2014 +++ configure Fri Sep 19 09:12:21 2014 @@ -21056,7 +21056,7 @@ esac 
@@ -18,17 +16,6 @@ Remove invalid shell syntax, fixed upstr ;; #( solaris*) : -@@ -21538,8 +21538,8 @@ if test x$setjmp_prefix = xsig; then - else - unset setjmp_sigmask - fi --{ $as_echo "$as_me:${as_lineno-$LINENO}: result: ${setjmp_prefix}setjmp${setjmp_suffix}${setjmp_cast:+($setjmp_cast)}" >&5 --$as_echo "${setjmp_prefix}setjmp${setjmp_suffix}${setjmp_cast:+($setjmp_cast)}" >&6; } -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: ${setjmp_prefix}setjmp${setjmp_suffix}" >&5 -+$as_echo "${setjmp_prefix}setjmp${setjmp_suffix}" >&6; } - cat >>confdefs.h <<_ACEOF - #define RUBY_SETJMP(env) ${setjmp_prefix}setjmp${setjmp_suffix}($setjmp_cast(env)${setjmp_sigmask+,0}) - _ACEOF @@ -22300,7 +22300,10 @@ _ACEOF _ACEOF Index: 2.1/pkg/PLIST-main =================================================================== RCS file: /cvs/ports/lang/ruby/2.1/pkg/PLIST-main,v retrieving revision 1.4 diff -u -p -r1.4 PLIST-main --- 2.1/pkg/PLIST-main 22 Sep 2014 15:15:41 -0000 1.4 +++ 2.1/pkg/PLIST-main 27 Oct 2014 16:05:01 -0000 @@ -1039,9 +1039,9 @@ lib/ruby/gems/${RUBYLIBREV}/gems/rdoc-4. lib/ruby/gems/${RUBYLIBREV}/gems/rdoc-4.1.0/bin/ lib/ruby/gems/${RUBYLIBREV}/gems/rdoc-4.1.0/bin/rdoc lib/ruby/gems/${RUBYLIBREV}/gems/rdoc-4.1.0/bin/ri -lib/ruby/gems/${RUBYLIBREV}/gems/test-unit-${RUBYLIBREV}.3.0/ -lib/ruby/gems/${RUBYLIBREV}/gems/test-unit-${RUBYLIBREV}.3.0/bin/ -lib/ruby/gems/${RUBYLIBREV}/gems/test-unit-${RUBYLIBREV}.3.0/bin/testrb +lib/ruby/gems/${RUBYLIBREV}/gems/test-unit-${VERSION}.0/ +lib/ruby/gems/${RUBYLIBREV}/gems/test-unit-${VERSION}.0/bin/ +lib/ruby/gems/${RUBYLIBREV}/gems/test-unit-${VERSION}.0/bin/testrb lib/ruby/gems/${RUBYLIBREV}/specifications/ lib/ruby/gems/${RUBYLIBREV}/specifications/default/ lib/ruby/gems/${RUBYLIBREV}/specifications/default/bigdecimal-1.2.4.gemspec 
@@ -1051,7 +1051,7 @@ lib/ruby/gems/${RUBYLIBREV}/specificatio lib/ruby/gems/${RUBYLIBREV}/specifications/default/psych-2.0.5.gemspec lib/ruby/gems/${RUBYLIBREV}/specifications/default/rake-10.1.0.gemspec lib/ruby/gems/${RUBYLIBREV}/specifications/default/rdoc-4.1.0.gemspec -lib/ruby/gems/${RUBYLIBREV}/specifications/default/test-unit-${RUBYLIBREV}.3.0.gemspec +lib/ruby/gems/${RUBYLIBREV}/specifications/default/test-unit-${VERSION}.0.gemspec lib/ruby/site_ruby/ lib/ruby/site_ruby/${RUBYLIBREV}/ lib/ruby/site_ruby/${RUBYLIBREV}/${SUB}/
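Review bot: in 1.8/patches/patch-lib_rexml_entity_rb the added guard depends on Document.entity_expansion_text_limit and String#bytesize both existing in the 1.8 REXML this port builds (bytesize is in 1.8.7; the limit accessor arrived with the earlier REXML entity-expansion limit fix), otherwise the guard itself dies with NoMethodError the first time an entity reference with a parent is resolved. Since this was backported by hand from 1.9, it is worth confirming the reproduction test run against the 1.8 build fails with the intended "entity expansion has grown too large" RuntimeError and not a NoMethodError. Raising a bare RuntimeError matches upstream's 1.9 change, so callers that rescue REXML::ParseException will not catch it; keeping parity with upstream seems right, but the $OpenBSD$ header could name the upstream change it mirrors.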
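Review bot: the SHARED_LIBS changes in 2.0/Makefile (ruby20 0.1 -> 1.0) and 2.1/Makefile (ruby21 0.0 -> 1.0) are major bumps, consistent with the struct change described in the mail, but the diff carries no REVISION bumps for the ports that WANTLIB ruby20 or ruby21; their existing packages will not be satisfied by the new library version, so the dependent-port bumps should go in the same commit as the bulk that verifies them. Dropping REVISION-main in both Makefiles is correct since PATCHLEVEL and VERSION changed.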
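Review bot: the $OpenBSD$ header of 2.0/patches/patch-test_rexml_test_document_rb says only "Fix error in backported patch." while the hunk shows the concrete defect, a stray diff marker that left `+]>` closing the DOCTYPE in test/rexml/test_document.rb; stating that in the header (and that it corrects the file as shipped in the new tarball, so the patch can be dropped once upstream fixes it) saves the next updater from re-deriving it. The change is confined to test/, so it affects the test suite only, not installed files.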
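Review bot: in 2.1/Makefile and 2.1/pkg/PLIST-main, replacing test-unit-${RUBYLIBREV}.3.0 with test-unit-${VERSION}.0 (and adding VERSION to SUBST_VARS) ties the PLIST to a bundled gem version that tracks the ruby version exactly, which fits 2.1.4.0. Two checks before commit: that no other PLIST-main entry now receives a ${VERSION} substitution it should not, and, because RUBYLIBREV (2.1) is a prefix of VERSION (2.1.4), that a later `make update-plist` reverse-substitutes these paths into the intended ${VERSION} token rather than back into `${RUBYLIBREV}.4.0`.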
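Review bot: 2.1/patches/patch-configure removes the setjmp hunk as fixed upstream in r45715 but keeps the September `--- configure.orig` / `+++ configure` header timestamps, whereas 2.0's patch-configure was regenerated against the new tarball; running `make update-patches` for 2.1 would refresh the header and the offsets of the remaining `@@ -21056` and `@@ -22300` hunks against 2.1.4's configure and make it evident that they still apply cleanly.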
