From 0ce3eec117f3dc9f402d94b7e1fe4fe294be4fc5 Mon Sep 17 00:00:00 2001
From: Akira TAGOH
Date: Oct 10 2007 01:05:17 +0000
Subject: - New upstream release. - ruby-r12567.patch: removed. - ruby-1.8.6-CVE-2007-5162.patch: security fix for Net::HTTP that is insufficient verification of SSL certificate.
---
diff --git a/.cvsignore b/.cvsignore
index 2239a68..99e711a 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -14,3 +14,4 @@ ruby-1.8.5-p2.tar.gz
 ruby-1.8.5-p12.tar.gz
 ruby-1.8.6.tar.bz2
 ruby-1.8.6-p36.tar.bz2
+ruby-1.8.6-p110.tar.bz2
diff --git a/ruby-1.8.6-CVE-2007-5162.patch b/ruby-1.8.6-CVE-2007-5162.patch
new file mode 100644
index 0000000..d4e4d68
--- /dev/null
+++ b/ruby-1.8.6-CVE-2007-5162.patch
@@ -0,0 +1,99 @@ +diff -ruN ruby-1.8.6-p110.orig/ext/openssl/lib/openssl/ssl.rb ruby-1.8.6-p110/ext/openssl/lib/openssl/ssl.rb +--- ruby-1.8.6-p110.orig/ext/openssl/lib/openssl/ssl.rb 2007-02-13 08:01:19.000000000 +0900 ++++ ruby-1.8.6-p110/ext/openssl/lib/openssl/ssl.rb 2007-10-04 22:38:48.000000000 +0900 +@@ -88,7 +88,7 @@ + end + } + end +- raise SSLError, "hostname not match" ++ raise SSLError, "hostname not match with the server certificate" + end + end + +diff -ruN ruby-1.8.6-p110.orig/lib/net/http.rb ruby-1.8.6-p110/lib/net/http.rb +--- ruby-1.8.6-p110.orig/lib/net/http.rb 2007-02-13 08:01:19.000000000 +0900 ++++ ruby-1.8.6-p110/lib/net/http.rb 2007-10-04 22:41:34.000000000 +0900 +@@ -470,6 +470,7 @@ + @debug_output = nil + @use_ssl = false + @ssl_context = nil ++ @enable_post_connection_check = true + end + + def inspect +@@ -526,6 +527,9 @@ + false # redefined in net/https + end + ++ # specify enabling SSL server certificate and hostname checking. ++ attr_accessor :enable_post_connection_check ++ + # Opens TCP connection and HTTP session. 
+ # + # When this method is called with block, gives a HTTP object +@@ -584,6 +588,14 @@ + HTTPResponse.read_new(@socket).value + end + s.connect ++ if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE ++ begin ++ s.post_connection_check(@address) ++ rescue OpenSSL::SSL::SSLError => ex ++ raise ex if @enable_post_connection_check ++ warn ex.message ++ end ++ end + end + on_connect + end +diff -ruN ruby-1.8.6-p110.orig/lib/open-uri.rb ruby-1.8.6-p110/lib/open-uri.rb +--- ruby-1.8.6-p110.orig/lib/open-uri.rb 2007-02-13 08:01:19.000000000 +0900 ++++ ruby-1.8.6-p110/lib/open-uri.rb 2007-10-04 22:42:18.000000000 +0900 +@@ -229,6 +229,7 @@ + if target.class == URI::HTTPS + require 'net/https' + http.use_ssl = true ++ http.enable_post_connection_check = true + http.verify_mode = OpenSSL::SSL::VERIFY_PEER + store = OpenSSL::X509::Store.new + store.set_default_paths +@@ -240,16 +241,6 @@ + + resp = nil + http.start { +- if target.class == URI::HTTPS +- # xxx: information hiding violation +- sock = http.instance_variable_get(:@socket) +- if sock.respond_to?(:io) +- sock = sock.io # 1.9 +- else +- sock = sock.instance_variable_get(:@socket) # 1.8 +- end +- sock.post_connection_check(target_host) +- end + req = Net::HTTP::Get.new(request_uri, header) + if options.include? 
:http_basic_authentication + user, pass = options[:http_basic_authentication] +diff -ruN ruby-1.8.6-p110.orig/version.h ruby-1.8.6-p110/version.h +--- ruby-1.8.6-p110.orig/version.h 2007-09-23 09:01:50.000000000 +0900 ++++ ruby-1.8.6-p110/version.h 2007-10-04 22:42:37.000000000 +0900 +@@ -1,15 +1,15 @@ + #define RUBY_VERSION "1.8.6" +-#define RUBY_RELEASE_DATE "2007-09-23" ++#define RUBY_RELEASE_DATE "2007-09-24" + #define RUBY_VERSION_CODE 186 +-#define RUBY_RELEASE_CODE 20070923 +-#define RUBY_PATCHLEVEL 110 ++#define RUBY_RELEASE_CODE 20070924 ++#define RUBY_PATCHLEVEL 111 + + #define RUBY_VERSION_MAJOR 1 + #define RUBY_VERSION_MINOR 8 + #define RUBY_VERSION_TEENY 6 + #define RUBY_RELEASE_YEAR 2007 + #define RUBY_RELEASE_MONTH 9 +-#define RUBY_RELEASE_DAY 23 ++#define RUBY_RELEASE_DAY 24 + + #ifdef RUBY_EXTERN + RUBY_EXTERN const char ruby_version[]; diff --git a/ruby-r12567.patch b/ruby-r12567.patch deleted file mode 100644 index 0a15fc9..0000000 --- a/ruby-r12567.patch +++ /dev/null @@ -1,30 +0,0 @@ -Mon Jun 18 11:29:49 2007 Nobuyoshi Nakada - - * intern.h, ext/thread/thread.c: moved prototype of rb_thread_status() - to get rid of error in C++. [ruby-list:43615] - -Index: intern.h -=================================================================== ---- intern.h (リビジョン 12566) -+++ intern.h (リビジョン 12567) -@@ -204,7 +204,6 @@ - void rb_thread_polling _((void)); - void rb_thread_sleep _((int)); - void rb_thread_sleep_forever _((void)); --enum rb_thread_status rb_thread_status _((VALUE)); - VALUE rb_thread_stop _((void)); - VALUE rb_thread_wakeup _((VALUE)); - VALUE rb_thread_wakeup_alive _((VALUE)); -Index: ext/thread/thread.c -=================================================================== ---- ext/thread/thread.c (リビジョン 12566) -+++ ext/thread/thread.c (リビジョン 12567) -@@ -14,6 +14,8 @@ - #include - #include - -+enum rb_thread_status rb_thread_status _((VALUE)); -+ - static VALUE rb_cMutex; - static VALUE rb_cConditionVariable; - static VALUE rb_cQueue; 
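Review bot: The comment added above `attr_accessor :enable_post_connection_check` in lib/net/http.rb overstates what the flag does: the new code in `connect` calls `s.post_connection_check(@address)` regardless of the flag, and the flag only decides whether an `OpenSSL::SSL::SSLError` from that check is re-raised or downgraded to `warn ex.message`, while certificate verification itself stays governed by the context's `verify_mode`. Suggest replacing it with `# When true (the default), a hostname mismatch found by post_connection_check raises SSLError; when false it is only reported via warn. Certificate verification is controlled by verify_mode.` Separately, the guard `if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE` also runs the hostname check when verify_mode was never set (nil), which looks intended but deserves a one-line comment, and it assumes `@ssl_context` is already non-nil at that point. The code that assigns `@ssl_context` and the start of `connect` are outside the hunk, so that assumption cannot be confirmed here.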
diff --git a/ruby.spec b/ruby.spec index 1b97c49..08eb877 100644 --- a/ruby.spec +++ b/ruby.spec @@ -1,7 +1,7 @@ %define manver 1.4.6 %define rubyxver 1.8 %define rubyver 1.8.6 -%define _patchlevel 36 +%define _patchlevel 110 %define dotpatchlevel %{?_patchlevel:.%{_patchlevel}} %define patchlevel %{?_patchlevel:-p%{_patchlevel}} %define sitedir %{_libdir}/ruby/site_ruby @@ -11,7 +11,7 @@ Name: ruby Version: %{rubyver}%{?dotpatchlevel} -Release: 4%{?dist} +Release: 1%{?dist} License: Ruby or GPL+ URL: http://www.ruby-lang.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -36,7 +36,7 @@ Patch20: ruby-rubyprefix.patch Patch21: ruby-deprecated-sitelib-search-path.patch Patch22: ruby-deprecated-search-path.patch Patch23: ruby-multilib.patch -Patch24: ruby-r12567.patch +Patch24: ruby-1.8.6-CVE-2007-5162.patch Summary: An interpreter of object-oriented scripting language Group: Development/Languages @@ -153,7 +153,7 @@ pushd %{name}-%{rubyver}%{?patchlevel} %patch22 -p1 %patch23 -p1 %endif -%patch24 -p0 +%patch24 -p1 popd %build @@ -471,6 +471,12 @@ rm -rf tmp-ruby-docs %endif %changelog +* Wed Oct 10 2007 Akira TAGOH - 1.8.6.110-1 +- New upstream release. + - ruby-r12567.patch: removed. +- ruby-1.8.6-CVE-2007-5162.patch: security fix for Net::HTTP that is + insufficient verification of SSL certificate. + * Thu Aug 23 2007 Akira TAGOH - 1.8.6.36-4 - Rebuild diff --git a/sources b/sources index 96dd4cd..effd85c 100644 --- a/sources +++ b/sources @@ -3,3 +3,4 @@ d65e3a216d6d345a2a6f1aa8758c2f75 ruby-refm-rdp-1.8.1-ja-html.tar.gz 7f3e181c0be9a1579e43a5a8b26372d6 rubyfaq-990927.tar.bz2 8aa2e2da327dc43ff6e46e634eb657b6 rubyfaq-jp-990927.tar.bz2 eb7f25818cb6993839b38d1f21bd4ea1 ruby-1.8.6-p36.tar.bz2 +39cbf0cc610e636983cb3311bef3f2d0 ruby-1.8.6-p110.tar.bz2