Three new ruby releases today to fix CVE-2015-7551: Unsafe tainted
string usage in Fiddle and DL. Details at
https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/
Ruby 2.0.0 is out of general support, so the only patch included is the
security patch. There are a few other improvements to Ruby 2.1 and 2.2
that have been backported from trunk. Both Ruby 2.1.8 and 2.2.4 include
a new non-static function in the shared lib, so I'm bumping the lib
minor on both to be safe. Both Ruby 2.1 and 2.2 include one of our local
patches, so a couple patch files can be dropped for each.
I've backported a fix for DL to ruby 1.8, and manually tested it to make
sure it works. Fiddle wasn't added to ruby until 1.9, so we don't need
to worry about that.
This vulnerability is not likely to affect many projects. It's a rare ruby
project that uses taint checking/$SAFE >= 0, and DL/Fiddle use is not
that common either, so I'm guessing the combination is quite rare.
Tested on amd64, compiles on i386. Will be committing in a couple days
unless I hear objections.
Thanks,
Jeremy
Index: 1.8/Makefile
===================================================================
RCS file: /cvs/ports/lang/ruby/1.8/Makefile,v
retrieving revision 1.36
diff -u -p -r1.36 Makefile
--- 1.8/Makefile 15 Apr 2015 21:58:16 -0000 1.36
+++ 1.8/Makefile 16 Dec 2015 17:13:04 -0000
@@ -20,7 +20,7 @@ PKGNAME-ri_docs= ruby-ri_docs-${VERSION}
PKG_ARCH-ri_docs= *
PKGSPEC-main= ruby->=1.8,<1.9
-REVISION-main= 4
+REVISION-main= 5
REVISION-ri_docs= 0
CONFIGURE_ARGS= --program-suffix=18 \
Index: 1.8/patches/patch-ext_dl_handle_c
===================================================================
RCS file: 1.8/patches/patch-ext_dl_handle_c
diff -N 1.8/patches/patch-ext_dl_handle_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ 1.8/patches/patch-ext_dl_handle_c 16 Dec 2015 17:12:54 -0000
@@ -0,0 +1,29 @@
+$OpenBSD$
+
+Backport fix for CVE-2009-5147 and CVE-2015-7551 from r23405.
+
+--- ext/dl/handle.c.orig Wed Dec 16 09:07:34 2015
++++ ext/dl/handle.c Wed Dec 16 09:11:33 2015
+@@ -5,6 +5,8 @@
+ #include <ruby.h>
+ #include "dl.h"
+
++#define SafeStringValuePtr(v) (rb_string_value(&v), rb_check_safe_obj(v),
RSTRING_PTR(v))
++
+ VALUE rb_cDLHandle;
+
+ void
+@@ -52,11 +54,11 @@ rb_dlhandle_initialize(int argc, VALUE argv[], VALUE s
+
+ switch (rb_scan_args(argc, argv, "11", &lib, &flag)) {
+ case 1:
+- clib = NIL_P(lib) ? NULL : StringValuePtr(lib);
++ clib = NIL_P(lib) ? NULL : SafeStringValuePtr(lib);
+ cflag = RTLD_LAZY | RTLD_GLOBAL;
+ break;
+ case 2:
+- clib = NIL_P(lib) ? NULL : StringValuePtr(lib);
++ clib = NIL_P(lib) ? NULL : SafeStringValuePtr(lib);
+ cflag = NUM2INT(flag);
+ break;
+ default:
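Review bot: The new `SafeStringValuePtr` macro expands `v` three times and takes `&v` without parentheses, so it is only correct for a plain, side-effect-free lvalue such as `lib`; writing it as `#define SafeStringValuePtr(v) (rb_string_value(&(v)), rb_check_safe_obj(v), RSTRING_PTR(v))` with a one-line comment stating that restriction would make this explicit. The taint check is applied only to the two `clib` assignments in `rb_dlhandle_initialize`, whose body starts and ends outside this hunk, so it is worth confirming that the other places in ext/dl that pass a Ruby string to the dynamic loader (symbol lookup, for instance) already reject tainted strings. Because the macro returns `RSTRING_PTR`, a library name containing an embedded NUL byte would presumably still reach the C side truncated, which may be acceptable for this backport but deserves a comment. The `#define` line is also wrapped in this mail, leaving `RSTRING_PTR(v))` on a line with no `+` marker, so that line has to be rejoined before the patch file will apply.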
Index: 2.0/Makefile
===================================================================
RCS file: /cvs/ports/lang/ruby/2.0/Makefile,v
retrieving revision 1.23
diff -u -p -r1.23 Makefile
--- 2.0/Makefile 22 Aug 2015 15:13:05 -0000 1.23
+++ 2.0/Makefile 16 Dec 2015 16:37:19 -0000
@@ -6,7 +6,7 @@ COMMENT-tk = tk interface for ruby
COMMENT-ri_docs = ri documentation files for ruby
VERSION = 2.0.0
-PATCHLEVEL = 647
+PATCHLEVEL = 648
RUBYLIBREV = 2.0
DISTNAME = ruby-${VERSION}-p${PATCHLEVEL}
Index: 2.0/distinfo
===================================================================
RCS file: /cvs/ports/lang/ruby/2.0/distinfo,v
retrieving revision 1.12
diff -u -p -r1.12 distinfo
--- 2.0/distinfo 22 Aug 2015 15:13:05 -0000 1.12
+++ 2.0/distinfo 16 Dec 2015 16:38:28 -0000
@@ -1,2 +1,2 @@
-SHA256 (ruby-2.0.0-p647.tar.gz) = yIqvW07HLiy30pD/hU8E0TWTn2E09RcAKp1l1fxeW+w=
-SIZE (ruby-2.0.0-p647.tar.gz) = 13621258
+SHA256 (ruby-2.0.0-p648.tar.gz) = hpC9a0lJwzOzkZdVxOSIhdv+1v0FX+nviZML3g0jdvg=
+SIZE (ruby-2.0.0-p648.tar.gz) = 13622628
Index: 2.1/Makefile
===================================================================
RCS file: /cvs/ports/lang/ruby/2.1/Makefile,v
retrieving revision 1.16
diff -u -p -r1.16 Makefile
--- 2.1/Makefile 22 Aug 2015 15:13:41 -0000 1.16
+++ 2.1/Makefile 16 Dec 2015 16:45:52 -0000
@@ -7,11 +7,11 @@ COMMENT-gdbm = gdbm interface for ruby
COMMENT-tk = tk interface for ruby
COMMENT-ri_docs = ri documentation files for ruby
-VERSION = 2.1.7
+VERSION = 2.1.8
RUBYLIBREV = 2.1
DISTNAME = ruby-${VERSION}
-SHARED_LIBS = ruby21 1.1
+SHARED_LIBS = ruby21 1.2
PKGNAME-main = ruby-${VERSION}
PKGNAME-gdbm = ruby21-gdbm-${VERSION}
PKGNAME-tk = ruby21-tk-${VERSION}
Index: 2.1/distinfo
===================================================================
RCS file: /cvs/ports/lang/ruby/2.1/distinfo,v
retrieving revision 1.8
diff -u -p -r1.8 distinfo
--- 2.1/distinfo 22 Aug 2015 15:13:41 -0000 1.8
+++ 2.1/distinfo 16 Dec 2015 16:46:52 -0000
@@ -1,2 +1,2 @@
-SHA256 (ruby-2.1.7.tar.gz) = 9ZwVlqw5zH5gEm59NpjBn0gvBAYGdP3+ASThdSum3YE=
-SIZE (ruby-2.1.7.tar.gz) = 15151458
+SHA256 (ruby-2.1.8.tar.gz) = r9gyuNXssuPhR37GqUCP35iY7nPkxd8XorLLNr0cNV0=
+SIZE (ruby-2.1.8.tar.gz) = 15154017
Index: 2.1/patches/patch-ext_openssl_extconf_rb
===================================================================
RCS file: 2.1/patches/patch-ext_openssl_extconf_rb
diff -N 2.1/patches/patch-ext_openssl_extconf_rb
--- 2.1/patches/patch-ext_openssl_extconf_rb 27 Aug 2015 15:55:04 -0000
1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,13 +0,0 @@
-$OpenBSD: patch-ext_openssl_extconf_rb,v 1.1 2015/08/27 15:55:04 kili Exp $
---- ext/openssl/extconf.rb.orig Mon Oct 28 07:32:24 2013
-+++ ext/openssl/extconf.rb Thu Aug 27 17:21:59 2015
-@@ -103,6 +103,9 @@ have_func("OPENSSL_cleanse")
- have_func("SSLv2_method")
- have_func("SSLv2_server_method")
- have_func("SSLv2_client_method")
-+have_func("SSLv3_method")
-+have_func("SSLv3_server_method")
-+have_func("SSLv3_client_method")
- have_func("TLSv1_1_method")
- have_func("TLSv1_1_server_method")
- have_func("TLSv1_1_client_method")
Index: 2.1/patches/patch-ext_openssl_ossl_ssl_c
===================================================================
RCS file: 2.1/patches/patch-ext_openssl_ossl_ssl_c
diff -N 2.1/patches/patch-ext_openssl_ossl_ssl_c
--- 2.1/patches/patch-ext_openssl_ossl_ssl_c 27 Aug 2015 15:55:04 -0000
1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,16 +0,0 @@
-$OpenBSD: patch-ext_openssl_ossl_ssl_c,v 1.1 2015/08/27 15:55:04 kili Exp $
---- ext/openssl/ossl_ssl.c.orig Mon Jan 27 08:47:11 2014
-+++ ext/openssl/ossl_ssl.c Thu Aug 27 17:22:10 2015
-@@ -134,9 +134,12 @@ struct {
- OSSL_SSL_METHOD_ENTRY(SSLv2_server),
- OSSL_SSL_METHOD_ENTRY(SSLv2_client),
- #endif
-+#if defined(HAVE_SSLV3_METHOD) && defined(HAVE_SSLV3_SERVER_METHOD) && \
-+ defined(HAVE_SSLV3_CLIENT_METHOD)
- OSSL_SSL_METHOD_ENTRY(SSLv3),
- OSSL_SSL_METHOD_ENTRY(SSLv3_server),
- OSSL_SSL_METHOD_ENTRY(SSLv3_client),
-+#endif
- OSSL_SSL_METHOD_ENTRY(SSLv23),
- OSSL_SSL_METHOD_ENTRY(SSLv23_server),
- OSSL_SSL_METHOD_ENTRY(SSLv23_client),
Index: 2.2/Makefile
===================================================================
RCS file: /cvs/ports/lang/ruby/2.2/Makefile,v
retrieving revision 1.7
diff -u -p -r1.7 Makefile
--- 2.2/Makefile 4 Dec 2015 20:47:53 -0000 1.7
+++ 2.2/Makefile 16 Dec 2015 17:28:53 -0000
@@ -8,11 +8,11 @@ COMMENT-gdbm = gdbm interface for ruby
COMMENT-tk = tk interface for ruby
COMMENT-ri_docs = ri documentation files for ruby
-VERSION = 2.2.3
+VERSION = 2.2.4
RUBYLIBREV = 2.2
DISTNAME = ruby-${VERSION}
-SHARED_LIBS = ruby22 1.0
+SHARED_LIBS = ruby22 1.1
PKGNAME-main = ruby-${VERSION}
PKGNAME-gdbm = ruby22-gdbm-${VERSION}
PKGNAME-tk = ruby22-tk-${VERSION}
Index: 2.2/distinfo
===================================================================
RCS file: /cvs/ports/lang/ruby/2.2/distinfo,v
retrieving revision 1.4
diff -u -p -r1.4 distinfo
--- 2.2/distinfo 22 Aug 2015 15:14:14 -0000 1.4
+++ 2.2/distinfo 16 Dec 2015 16:57:21 -0000
@@ -1,2 +1,2 @@
-SHA256 (ruby-2.2.3.tar.gz) = 33lfL5mGB0WkFgkqQASwFsz3fouC3slWsSDxi9xx7c4=
-SIZE (ruby-2.2.3.tar.gz) = 16626772
+SHA256 (ruby-2.2.4.tar.gz) = tu/1aLSOD9p25aNjMxdd8EmyBOkSF6oyplFTzAzct2E=
+SIZE (ruby-2.2.4.tar.gz) = 16638151
Index: 2.2/patches/patch-ext_openssl_extconf_rb
===================================================================
RCS file: 2.2/patches/patch-ext_openssl_extconf_rb
diff -N 2.2/patches/patch-ext_openssl_extconf_rb
--- 2.2/patches/patch-ext_openssl_extconf_rb 27 Aug 2015 15:55:04 -0000
1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,13 +0,0 @@
-$OpenBSD: patch-ext_openssl_extconf_rb,v 1.1 2015/08/27 15:55:04 kili Exp $
---- ext/openssl/extconf.rb.orig Mon Oct 28 07:32:24 2013
-+++ ext/openssl/extconf.rb Thu Aug 27 15:41:31 2015
-@@ -103,6 +103,9 @@ have_func("OPENSSL_cleanse")
- have_func("SSLv2_method")
- have_func("SSLv2_server_method")
- have_func("SSLv2_client_method")
-+have_func("SSLv3_method")
-+have_func("SSLv3_server_method")
-+have_func("SSLv3_client_method")
- have_func("TLSv1_1_method")
- have_func("TLSv1_1_server_method")
- have_func("TLSv1_1_client_method")
Index: 2.2/patches/patch-ext_openssl_ossl_ssl_c
===================================================================
RCS file: 2.2/patches/patch-ext_openssl_ossl_ssl_c
diff -N 2.2/patches/patch-ext_openssl_ossl_ssl_c
--- 2.2/patches/patch-ext_openssl_ossl_ssl_c 27 Aug 2015 15:55:04 -0000
1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,16 +0,0 @@
-$OpenBSD: patch-ext_openssl_ossl_ssl_c,v 1.1 2015/08/27 15:55:04 kili Exp $
---- ext/openssl/ossl_ssl.c.orig Fri Dec 12 22:58:34 2014
-+++ ext/openssl/ossl_ssl.c Thu Aug 27 15:42:58 2015
-@@ -138,9 +138,12 @@ static const struct {
- OSSL_SSL_METHOD_ENTRY(SSLv2_server),
- OSSL_SSL_METHOD_ENTRY(SSLv2_client),
- #endif
-+#if defined(HAVE_SSLV3_METHOD) && defined(HAVE_SSLV3_SERVER_METHOD) && \
-+ defined(HAVE_SSLV3_CLIENT_METHOD)
- OSSL_SSL_METHOD_ENTRY(SSLv3),
- OSSL_SSL_METHOD_ENTRY(SSLv3_server),
- OSSL_SSL_METHOD_ENTRY(SSLv3_client),
-+#endif
- OSSL_SSL_METHOD_ENTRY(SSLv23),
- OSSL_SSL_METHOD_ENTRY(SSLv23_server),
- OSSL_SSL_METHOD_ENTRY(SSLv23_client),