Three new ruby releases today to fix CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL. Details at https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/
Ruby 2.0.0 is out of general support, so the only patch included is the security patch. There are a few other improvements to Ruby 2.1 and 2.2 that have been backported from trunk. Both Ruby 2.1.8 and 2.2.4 include a new non-static function in the shared lib, so I'm bumping the lib minor on both to be safe. Both Ruby 2.1 and 2.2 include one of our local patches, so a couple patch files can be dropped for each. I've backported a fix for DL to ruby 1.8, and manually tested it to make sure it works. Fiddle wasn't added to ruby until 1.9, so we don't need to worry about that. This vulnerability is not likely to affect many projects. It's a rare ruby project that uses taint checking/$SAFE >= 0, and DL/Fiddle use is not that common either, so I'm guessing the combination is quite rare. Tested on amd64, compiles on i386. Will be committing in a couple days unless I hear objections. Thanks, Jeremy Index: 1.8/Makefile =================================================================== RCS file: /cvs/ports/lang/ruby/1.8/Makefile,v retrieving revision 1.36 diff -u -p -r1.36 Makefile --- 1.8/Makefile 15 Apr 2015 21:58:16 -0000 1.36 +++ 1.8/Makefile 16 Dec 2015 17:13:04 -0000 @@ -20,7 +20,7 @@ PKGNAME-ri_docs= ruby-ri_docs-${VERSION} PKG_ARCH-ri_docs= * PKGSPEC-main= ruby->=1.8,<1.9 -REVISION-main= 4 +REVISION-main= 5 REVISION-ri_docs= 0 CONFIGURE_ARGS= --program-suffix=18 \ Index: 1.8/patches/patch-ext_dl_handle_c =================================================================== RCS file: 1.8/patches/patch-ext_dl_handle_c diff -N 1.8/patches/patch-ext_dl_handle_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ 1.8/patches/patch-ext_dl_handle_c 16 Dec 2015 17:12:54 -0000 @@ -0,0 +1,29 @@ +$OpenBSD$ + +Backport fix for CVE-2009-5147 and CVE-2015-7551 from r23405. + +--- ext/dl/handle.c.orig Wed Dec 16 09:07:34 2015 ++++ ext/dl/handle.c Wed Dec 16 09:11:33 2015 +@@ -5,6 +5,8 @@ + #include <ruby.h> + #include "dl.h" + ++#define SafeStringValuePtr(v) (rb_string_value(&v), rb_check_safe_obj(v), RSTRING_PTR(v)) ++ + VALUE rb_cDLHandle; + + void +@@ -52,11 +54,11 @@ rb_dlhandle_initialize(int argc, VALUE argv[], VALUE s + + switch (rb_scan_args(argc, argv, "11", &lib, &flag)) { + case 1: +- clib = NIL_P(lib) ? NULL : StringValuePtr(lib); ++ clib = NIL_P(lib) ? NULL : SafeStringValuePtr(lib); + cflag = RTLD_LAZY | RTLD_GLOBAL; + break; + case 2: +- clib = NIL_P(lib) ? NULL : StringValuePtr(lib); ++ clib = NIL_P(lib) ? NULL : SafeStringValuePtr(lib); + cflag = NUM2INT(flag); + break; + default: Index: 2.0/Makefile =================================================================== RCS file: /cvs/ports/lang/ruby/2.0/Makefile,v retrieving revision 1.23 diff -u -p -r1.23 Makefile --- 2.0/Makefile 22 Aug 2015 15:13:05 -0000 1.23 +++ 2.0/Makefile 16 Dec 2015 16:37:19 -0000 @@ -6,7 +6,7 @@ COMMENT-tk = tk interface for ruby COMMENT-ri_docs = ri documentation files for ruby VERSION = 2.0.0 -PATCHLEVEL = 647 +PATCHLEVEL = 648 RUBYLIBREV = 2.0 DISTNAME = ruby-${VERSION}-p${PATCHLEVEL} Index: 2.0/distinfo =================================================================== RCS file: /cvs/ports/lang/ruby/2.0/distinfo,v retrieving revision 1.12 diff -u -p -r1.12 distinfo --- 2.0/distinfo 22 Aug 2015 15:13:05 -0000 1.12 +++ 2.0/distinfo 16 Dec 2015 16:38:28 -0000 @@ -1,2 +1,2 @@ -SHA256 (ruby-2.0.0-p647.tar.gz) = yIqvW07HLiy30pD/hU8E0TWTn2E09RcAKp1l1fxeW+w= -SIZE (ruby-2.0.0-p647.tar.gz) = 13621258 +SHA256 (ruby-2.0.0-p648.tar.gz) = hpC9a0lJwzOzkZdVxOSIhdv+1v0FX+nviZML3g0jdvg= +SIZE (ruby-2.0.0-p648.tar.gz) = 13622628 Index: 2.1/Makefile =================================================================== RCS file: /cvs/ports/lang/ruby/2.1/Makefile,v retrieving revision 1.16 diff -u -p -r1.16 Makefile --- 2.1/Makefile 22 Aug 2015 15:13:41 -0000 1.16 +++ 2.1/Makefile 16 Dec 2015 16:45:52 -0000 @@ -7,11 +7,11 @@ COMMENT-gdbm = gdbm interface for ruby COMMENT-tk = tk interface for ruby COMMENT-ri_docs = ri documentation files for ruby -VERSION = 2.1.7 +VERSION = 2.1.8 RUBYLIBREV = 2.1 DISTNAME = ruby-${VERSION} -SHARED_LIBS = ruby21 1.1 +SHARED_LIBS = ruby21 1.2 PKGNAME-main = ruby-${VERSION} PKGNAME-gdbm = ruby21-gdbm-${VERSION} PKGNAME-tk = ruby21-tk-${VERSION} Index: 2.1/distinfo =================================================================== RCS file: /cvs/ports/lang/ruby/2.1/distinfo,v retrieving revision 1.8 diff -u -p -r1.8 distinfo --- 2.1/distinfo 22 Aug 2015 15:13:41 -0000 1.8 +++ 2.1/distinfo 16 Dec 2015 16:46:52 -0000 @@ -1,2 +1,2 @@ -SHA256 (ruby-2.1.7.tar.gz) = 9ZwVlqw5zH5gEm59NpjBn0gvBAYGdP3+ASThdSum3YE= -SIZE (ruby-2.1.7.tar.gz) = 15151458 +SHA256 (ruby-2.1.8.tar.gz) = r9gyuNXssuPhR37GqUCP35iY7nPkxd8XorLLNr0cNV0= +SIZE (ruby-2.1.8.tar.gz) = 15154017 Index: 2.1/patches/patch-ext_openssl_extconf_rb =================================================================== RCS file: 2.1/patches/patch-ext_openssl_extconf_rb diff -N 2.1/patches/patch-ext_openssl_extconf_rb --- 2.1/patches/patch-ext_openssl_extconf_rb 27 Aug 2015 15:55:04 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,13 +0,0 @@ -$OpenBSD: patch-ext_openssl_extconf_rb,v 1.1 2015/08/27 15:55:04 kili Exp $ ---- ext/openssl/extconf.rb.orig Mon Oct 28 07:32:24 2013 -+++ ext/openssl/extconf.rb Thu Aug 27 17:21:59 2015 -@@ -103,6 +103,9 @@ have_func("OPENSSL_cleanse") - have_func("SSLv2_method") - have_func("SSLv2_server_method") - have_func("SSLv2_client_method") -+have_func("SSLv3_method") -+have_func("SSLv3_server_method") -+have_func("SSLv3_client_method") - have_func("TLSv1_1_method") - have_func("TLSv1_1_server_method") - have_func("TLSv1_1_client_method") Index: 2.1/patches/patch-ext_openssl_ossl_ssl_c =================================================================== RCS file: 2.1/patches/patch-ext_openssl_ossl_ssl_c diff -N 2.1/patches/patch-ext_openssl_ossl_ssl_c --- 2.1/patches/patch-ext_openssl_ossl_ssl_c 27 Aug 2015 15:55:04 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,16 +0,0 @@ -$OpenBSD: patch-ext_openssl_ossl_ssl_c,v 1.1 2015/08/27 15:55:04 kili Exp $ ---- ext/openssl/ossl_ssl.c.orig Mon Jan 27 08:47:11 2014 -+++ ext/openssl/ossl_ssl.c Thu Aug 27 17:22:10 2015 -@@ -134,9 +134,12 @@ struct { - OSSL_SSL_METHOD_ENTRY(SSLv2_server), - OSSL_SSL_METHOD_ENTRY(SSLv2_client), - #endif -+#if defined(HAVE_SSLV3_METHOD) && defined(HAVE_SSLV3_SERVER_METHOD) && \ -+ defined(HAVE_SSLV3_CLIENT_METHOD) - OSSL_SSL_METHOD_ENTRY(SSLv3), - OSSL_SSL_METHOD_ENTRY(SSLv3_server), - OSSL_SSL_METHOD_ENTRY(SSLv3_client), -+#endif - OSSL_SSL_METHOD_ENTRY(SSLv23), - OSSL_SSL_METHOD_ENTRY(SSLv23_server), - OSSL_SSL_METHOD_ENTRY(SSLv23_client), Index: 2.2/Makefile =================================================================== RCS file: /cvs/ports/lang/ruby/2.2/Makefile,v retrieving revision 1.7 diff -u -p -r1.7 Makefile --- 2.2/Makefile 4 Dec 2015 20:47:53 -0000 1.7 +++ 2.2/Makefile 16 Dec 2015 17:28:53 -0000 @@ -8,11 +8,11 @@ COMMENT-gdbm = gdbm interface for ruby COMMENT-tk = tk interface for ruby COMMENT-ri_docs = ri documentation files for ruby -VERSION = 2.2.3 +VERSION = 2.2.4 RUBYLIBREV = 2.2 DISTNAME = ruby-${VERSION} -SHARED_LIBS = ruby22 1.0 +SHARED_LIBS = ruby22 1.1 PKGNAME-main = ruby-${VERSION} PKGNAME-gdbm = ruby22-gdbm-${VERSION} PKGNAME-tk = ruby22-tk-${VERSION} Index: 2.2/distinfo =================================================================== RCS file: /cvs/ports/lang/ruby/2.2/distinfo,v retrieving revision 1.4 diff -u -p -r1.4 distinfo --- 2.2/distinfo 22 Aug 2015 15:14:14 -0000 1.4 +++ 2.2/distinfo 16 Dec 2015 16:57:21 -0000 @@ -1,2 +1,2 @@ -SHA256 (ruby-2.2.3.tar.gz) = 33lfL5mGB0WkFgkqQASwFsz3fouC3slWsSDxi9xx7c4= -SIZE (ruby-2.2.3.tar.gz) = 16626772 +SHA256 (ruby-2.2.4.tar.gz) = tu/1aLSOD9p25aNjMxdd8EmyBOkSF6oyplFTzAzct2E= +SIZE (ruby-2.2.4.tar.gz) = 16638151 Index: 2.2/patches/patch-ext_openssl_extconf_rb =================================================================== RCS file: 2.2/patches/patch-ext_openssl_extconf_rb diff -N 2.2/patches/patch-ext_openssl_extconf_rb --- 2.2/patches/patch-ext_openssl_extconf_rb 27 Aug 2015 15:55:04 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,13 +0,0 @@ -$OpenBSD: patch-ext_openssl_extconf_rb,v 1.1 2015/08/27 15:55:04 kili Exp $ ---- ext/openssl/extconf.rb.orig Mon Oct 28 07:32:24 2013 -+++ ext/openssl/extconf.rb Thu Aug 27 15:41:31 2015 -@@ -103,6 +103,9 @@ have_func("OPENSSL_cleanse") - have_func("SSLv2_method") - have_func("SSLv2_server_method") - have_func("SSLv2_client_method") -+have_func("SSLv3_method") -+have_func("SSLv3_server_method") -+have_func("SSLv3_client_method") - have_func("TLSv1_1_method") - have_func("TLSv1_1_server_method") - have_func("TLSv1_1_client_method") Index: 2.2/patches/patch-ext_openssl_ossl_ssl_c =================================================================== RCS file: 2.2/patches/patch-ext_openssl_ossl_ssl_c diff -N 2.2/patches/patch-ext_openssl_ossl_ssl_c --- 2.2/patches/patch-ext_openssl_ossl_ssl_c 27 Aug 2015 15:55:04 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,16 +0,0 @@ -$OpenBSD: patch-ext_openssl_ossl_ssl_c,v 1.1 2015/08/27 15:55:04 kili Exp $ ---- ext/openssl/ossl_ssl.c.orig Fri Dec 12 22:58:34 2014 -+++ ext/openssl/ossl_ssl.c Thu Aug 27 15:42:58 2015 -@@ -138,9 +138,12 @@ static const struct { - OSSL_SSL_METHOD_ENTRY(SSLv2_server), - OSSL_SSL_METHOD_ENTRY(SSLv2_client), - #endif -+#if defined(HAVE_SSLV3_METHOD) && defined(HAVE_SSLV3_SERVER_METHOD) && \ -+ defined(HAVE_SSLV3_CLIENT_METHOD) - OSSL_SSL_METHOD_ENTRY(SSLv3), - OSSL_SSL_METHOD_ENTRY(SSLv3_server), - OSSL_SSL_METHOD_ENTRY(SSLv3_client), -+#endif - OSSL_SSL_METHOD_ENTRY(SSLv23), - OSSL_SSL_METHOD_ENTRY(SSLv23_server), - OSSL_SSL_METHOD_ENTRY(SSLv23_client),