-rw-r--r-- | Mk/bsd.ruby.mk | 6 | ||||
-rw-r--r-- | lang/ruby19/distinfo | 4 | ||||
-rw-r--r-- | lang/ruby20/distinfo | 4 | ||||
-rw-r--r-- | lang/ruby20/files/patch-cont.c | 22 | ||||
-rw-r--r-- | lang/ruby20/files/patch-lib_mkmf.rb | 14 | ||||
-rw-r--r-- | lang/ruby20/files/patch-lib_uri_generic.rb | 13 | ||||
-rw-r--r-- | security/vuxml/vuln.xml | 37 |
7 files changed, 69 insertions, 31 deletions
diff --git a/Mk/bsd.ruby.mk b/Mk/bsd.ruby.mk
index 106315302ad8..0d781384cdf7 100644
--- a/Mk/bsd.ruby.mk
+++ b/Mk/bsd.ruby.mk
@@ -179,7 +179,7 @@ RUBY?= ${LOCALBASE}/bin/${RUBY_NAME}
 RUBY_RELVERSION= 1.9.3
 RUBY_PORTREVISION= 0
 RUBY_PORTEPOCH= 1
-RUBY_PATCHLEVEL= 448
+RUBY_PATCHLEVEL= 484
 RUBY_VERSION?= ${RUBY_RELVERSION}.${RUBY_PATCHLEVEL}
 RUBY_DISTVERSION?= ${RUBY_RELVERSION}-p${RUBY_PATCHLEVEL}
@@ -204,9 +204,9 @@ RUBY20= "@comment "
 # Ruby 2.0
 #
 RUBY_RELVERSION= 2.0.0
-RUBY_PORTREVISION= 1
+RUBY_PORTREVISION= 0
 RUBY_PORTEPOCH= 1
-RUBY_PATCHLEVEL= 195
+RUBY_PATCHLEVEL= 353
 RUBY_VERSION?= ${RUBY_RELVERSION}.${RUBY_PATCHLEVEL}
 RUBY_DISTVERSION?= ${RUBY_RELVERSION}-p${RUBY_PATCHLEVEL}
diff --git a/lang/ruby19/distinfo b/lang/ruby19/distinfo
index f7d834e5a887..d8d9d178b4ea 100644
--- a/lang/ruby19/distinfo
+++ b/lang/ruby19/distinfo
@@ -1,2 +1,2 @@
-SHA256 (ruby/ruby-1.9.3-p448.tar.bz2) = a7372230357bfff8e4525fb8019046da521561fe66b02c25d8efc10c9877bc91
-SIZE (ruby/ruby-1.9.3-p448.tar.bz2) = 10052488
+SHA256 (ruby/ruby-1.9.3-p484.tar.bz2) = 0fdc6e860d0023ba7b94c7a0cf1f7d32908b65b526246de9dfd5bb39d0d7922b
+SIZE (ruby/ruby-1.9.3-p484.tar.bz2) = 10041514
diff --git a/lang/ruby20/distinfo b/lang/ruby20/distinfo
index 5d0e1e65ab0e..49b4c7f3a17d 100644
--- a/lang/ruby20/distinfo
+++ b/lang/ruby20/distinfo
@@ -1,2 +1,2 @@
-SHA256 (ruby/ruby-2.0.0-p195.tar.bz2) = 0be32aef7a7ab6e3708cc1d65cd3e0a99fa801597194bbedd5799c11d652eb5b
-SIZE (ruby/ruby-2.0.0-p195.tar.bz2) = 10807456
+SHA256 (ruby/ruby-2.0.0-p353.tar.bz2) = 3de4e4d9aff4682fa4f8ed2b70bd0d746fae17452fc3d3a8e8f505ead9105ad9
+SIZE (ruby/ruby-2.0.0-p353.tar.bz2) = 10730412
diff --git a/lang/ruby20/files/patch-cont.c b/lang/ruby20/files/patch-cont.c
index 4a8f446a912e..a5555ab1799c 100644
--- a/lang/ruby20/files/patch-cont.c
+++ b/lang/ruby20/files/patch-cont.c
@@ -1,11 +1,11 @@
---- cont.c.orig 2013-01-30 04:17:59.000000000 +0000
-+++ cont.c 2013-02-17 21:39:30.712834241 +0000
-@@ -15,7 +15,7 @@
- #include "gc.h"
- #include "eval_intern.h"
-
--#if ((defined(_WIN32) && _WIN32_WINNT >= 0x0400) || (defined(HAVE_GETCONTEXT) && defined(HAVE_SETCONTEXT))) && !defined(__NetBSD__) && !defined(__sun) && !defined(__ia64) && !defined(FIBER_USE_NATIVE)
-+#if ((defined(_WIN32) && _WIN32_WINNT >= 0x0400) || (defined(HAVE_GETCONTEXT) && defined(HAVE_SETCONTEXT))) && !defined(__FreeBSD__) && !defined(__NetBSD__) && !defined(__sun) && !defined(__ia64) && !defined(FIBER_USE_NATIVE)
- #define FIBER_USE_NATIVE 1
-
- /* FIBER_USE_NATIVE enables Fiber performance improvement using system
+--- cont.c.orig 2013-10-09 15:37:54.000000000 +0000
++++ cont.c 2013-11-22 15:05:19.138396780 +0000
+@@ -44,6 +44,8 @@
+ /* At least, Linux/ia64's getcontext(3) doesn't save register window.
+ */
+ # define FIBER_USE_NATIVE 0
++# elif defined(__FreeBSD__)
++# define FIBER_USE_NATIVE 0
+ # elif defined(__GNU__)
+ /* GNU/Hurd doesn't fully support getcontext, setcontext, makecontext
+ * and swapcontext functions. Disabling their usage till support is
diff --git a/lang/ruby20/files/patch-lib_mkmf.rb b/lang/ruby20/files/patch-lib_mkmf.rb
index 7fa9ffbd948c..dd2bb418ed6c 100644
--- a/lang/ruby20/files/patch-lib_mkmf.rb
+++ b/lang/ruby20/files/patch-lib_mkmf.rb
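Review bot: The new `# elif defined(__FreeBSD__)` branch that sets `FIBER_USE_NATIVE 0` carries no explanation, while the neighbouring ia64 and GNU/Hurd branches visible in the context each have a comment saying why native fibers are disabled there. Because this is a port-local patch that gets rebased on every Ruby update, the reason is easy to lose; a comment above the branch such as `/* FreeBSD: ucontext-based fibers disabled by the port -- see the port's commit log for the rationale */`, with the actual reason filled in (the hunk itself does not state it), would preserve it. The previous version of the patch obtained the same effect by appending `!defined(__FreeBSD__)` to the old `#if`, so presumably the move only follows upstream's restructured per-platform ladder and the underlying reason is unchanged; worth confirming when rebasing.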
@@ -1,11 +1,11 @@
---- lib/mkmf.rb.orig 2012-11-28 04:19:49.000000000 -0800
-+++ lib/mkmf.rb 2012-12-03 23:18:58.000000000 -0800
-@@ -204,7 +204,7 @@
- $extmk &&= true
- if not $extmk and File.exist?(RbConfig::CONFIG["rubyhdrdir"] + "/ruby/ruby.h")
- $hdrdir = CONFIG["rubyhdrdir"]
+--- lib/mkmf.rb.orig 2013-06-26 07:03:38.000000000 -0700
++++ lib/mkmf.rb 2013-07-03 17:43:05.000000000 -0700
+@@ -226,7 +226,7 @@
+ end
+ $extmk ||= false
+ if not $extmk and File.exist?(($hdrdir = RbConfig::CONFIG["rubyhdrdir"]) + "/ruby/ruby.h")
- $topdir = $hdrdir
+ $topdir = $hdrdir + "/" + "#{CONFIG['arch']}/ruby/"
 $top_srcdir = $hdrdir
- $arch_hdrdir = "$(hdrdir)/$(arch)"
+ $arch_hdrdir = RbConfig::CONFIG["rubyarchhdrdir"]
 elsif File.exist?(($hdrdir = ($top_srcdir ||= topdir) + "/include") + "/ruby.h")
diff --git a/lang/ruby20/files/patch-lib_uri_generic.rb b/lang/ruby20/files/patch-lib_uri_generic.rb
index 74c04fa79553..d52defa07016 100644
--- a/lang/ruby20/files/patch-lib_uri_generic.rb
+++ b/lang/ruby20/files/patch-lib_uri_generic.rb
@@ -1,19 +1,20 @@
---- lib/uri/generic.rb.orig 2009-06-18 16:47:45.000000000 +0400
-+++ lib/uri/generic.rb 2009-06-18 16:48:54.000000000 +0400
-@@ -1032,7 +1032,15 @@
- end
+--- lib/uri/generic.rb.orig 2012-07-20 01:56:21.000000000 +0000
++++ lib/uri/generic.rb 2013-11-21 20:50:14.143925606 +0000
+@@ -1482,6 +1482,17 @@
 end
-- str << path_query
+ str << path_query
+ path = path_query
+
+ #
+ # Add URI delimiter if the path misses it (like as in FTP)
+ #
+ if not path.empty? and not str.empty? and path[0, 1] != '/'
-+ path = '/' + path
++ path = '/' + path
+ end
+ str << path
++ end
++ if @fragment
 end
 if @fragment
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 5f021a59c711..087bb78cda46 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
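Review bot: The rebased lib/uri/generic.rb hunk appears to no longer remove the original `str << path_query` line: where the old patch had `-- str << path_query`, the new one lists `+ str << path_query` as what reads like a context line and still adds `+ str << path` below it, so URI#to_s would append the path and query twice, and the two new additions `++ end` and `++ if @fragment` duplicate the `end` / `if @fragment` context that immediately follows them, which reads as an unbalanced `end`. Reconstructed from this collapsed listing, applying the patch to p353 would give a SyntaxError in generic.rb or, at best, a doubled path, so this needs a build of the port and a check such as `ruby -ruri -e 'puts URI("ftp://h/a").to_s'`. The intended hunk is the old one re-anchored at line 1482: keep `-      str << path_query` as the single removed line and drop the extra `+      end` / `+      if @fragment` additions. The enclosing `to_s` method starts and ends outside the hunk.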
@@ -51,6 +51,43 @@ Note: Please add new entries to the beginning of this file.
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="cc9043cf-7f7a-426e-b2cc-8d1980618113">
+ <topic>ruby -- Heap Overflow in Floating Point Parsing</topic>
+ <affects>
+ <package>
+ <name>ruby19</name>
+ <range><lt>1.9.3.484,1</lt></range>
+ </package>
+ <package>
+ <name>ruby20</name>
+ <range><lt>2.0.0.353,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Ruby developers report:</p>
+ <blockquote cite="https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/">
+ <p>Any time a string is converted to a floating point value, a
+ specially crafted string can cause a heap overflow. This can lead
+ to a denial of service attack via segmentation faults and possibly
+ arbitrary code execution. Any program that converts input of
+ unknown origin to floating point values (especially common when
+ accepting JSON) are vulnerable.
+ </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/</url>
+ <url>https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released/</url>
+ <cvename>CVE-2013-4164</cvename>
+ </references>
+ <dates>
+ <discovery>2013-11-22</discovery>
+ <entry>2013-11-23</entry>
+ </dates>
+ </vuln>
+
 <vuln vid="479efd57-516e-11e3-9b62-000c292e4fd8">
 <topic>samba -- Private key in key.pem world readable</topic>
 <affects> |
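Review bot: The `<affects>` block covers only ruby19 and ruby20; CVE-2013-4164 is in Ruby's shared float parser and, as far as I recall the advisory cited in the blockquote, it also lists every 1.8 release as affected with no fixed version offered, so if lang/ruby18 is still in the tree it should be listed here (`<package><name>ruby18</name><range><ge>0</ge></range></package>`) so that `pkg audit` flags it, or the omission should be stated as deliberate. A smaller point: the advisory URL appears only in the blockquote's `cite` attribute; adding it as a third `<url>` under `<references>` makes it available to consumers that read references only.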