From 1bc9eed0b551de877546a18cdfd411f6771d79cd Mon Sep 17 00:00:00 2001
From: Akira TAGOH
Date: Oct 04 2007 14:09:49 +0000
Subject: - New upstream release. - ruby-r12567.patch: removed. - ruby-1.8.6-CVE-2007-5162.patch: security fix for Net::HTTP that is insufficient verification of SSL certificate. (#313791)
---
diff --git a/.cvsignore b/.cvsignore
index 2239a68..99e711a 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -14,3 +14,4 @@ ruby-1.8.5-p2.tar.gz
 ruby-1.8.5-p12.tar.gz
 ruby-1.8.6.tar.bz2
 ruby-1.8.6-p36.tar.bz2
+ruby-1.8.6-p110.tar.bz2
diff --git a/ruby-1.8.6-CVE-2007-5162.patch b/ruby-1.8.6-CVE-2007-5162.patch
new file mode 100644
index 0000000..d4e4d68
--- /dev/null
+++ b/ruby-1.8.6-CVE-2007-5162.patch
@@ -0,0 +1,99 @@
+diff -ruN ruby-1.8.6-p110.orig/ext/openssl/lib/openssl/ssl.rb ruby-1.8.6-p110/ext/openssl/lib/openssl/ssl.rb
+--- ruby-1.8.6-p110.orig/ext/openssl/lib/openssl/ssl.rb 2007-02-13 08:01:19.000000000 +0900
++++ ruby-1.8.6-p110/ext/openssl/lib/openssl/ssl.rb 2007-10-04 22:38:48.000000000 +0900
+@@ -88,7 +88,7 @@
+ end
+ }
+ end
+- raise SSLError, "hostname not match"
++ raise SSLError, "hostname not match with the server certificate"
+ end
+ end
+
+diff -ruN ruby-1.8.6-p110.orig/lib/net/http.rb ruby-1.8.6-p110/lib/net/http.rb
+--- ruby-1.8.6-p110.orig/lib/net/http.rb 2007-02-13 08:01:19.000000000 +0900
++++ ruby-1.8.6-p110/lib/net/http.rb 2007-10-04 22:41:34.000000000 +0900
+@@ -470,6 +470,7 @@
+ @debug_output = nil
+ @use_ssl = false
+ @ssl_context = nil
++ @enable_post_connection_check = true
+ end
+
+ def inspect
+@@ -526,6 +527,9 @@
+ false # redefined in net/https
+ end
+
++ # specify enabling SSL server certificate and hostname checking.
++ attr_accessor :enable_post_connection_check
++
+ # Opens TCP connection and HTTP session.
+ #
+ # When this method is called with block, gives a HTTP object
+@@ -584,6 +588,14 @@
+ HTTPResponse.read_new(@socket).value
+ end
+ s.connect
++ if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
++ begin
++ s.post_connection_check(@address)
++ rescue OpenSSL::SSL::SSLError => ex
++ raise ex if @enable_post_connection_check
++ warn ex.message
++ end
++ end
+ end
+ on_connect
+ end
+diff -ruN ruby-1.8.6-p110.orig/lib/open-uri.rb ruby-1.8.6-p110/lib/open-uri.rb
+--- ruby-1.8.6-p110.orig/lib/open-uri.rb 2007-02-13 08:01:19.000000000 +0900
++++ ruby-1.8.6-p110/lib/open-uri.rb 2007-10-04 22:42:18.000000000 +0900
+@@ -229,6 +229,7 @@
+ if target.class == URI::HTTPS
+ require 'net/https'
+ http.use_ssl = true
++ http.enable_post_connection_check = true
+ http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ store = OpenSSL::X509::Store.new
+ store.set_default_paths
+@@ -240,16 +241,6 @@
+
+ resp = nil
+ http.start {
+- if target.class == URI::HTTPS
+- # xxx: information hiding violation
+- sock = http.instance_variable_get(:@socket)
+- if sock.respond_to?(:io)
+- sock = sock.io # 1.9
+- else
+- sock = sock.instance_variable_get(:@socket) # 1.8
+- end
+- sock.post_connection_check(target_host)
+- end
+ req = Net::HTTP::Get.new(request_uri, header)
+ if options.include? :http_basic_authentication
+ user, pass = options[:http_basic_authentication]
+diff -ruN ruby-1.8.6-p110.orig/version.h ruby-1.8.6-p110/version.h
+--- ruby-1.8.6-p110.orig/version.h 2007-09-23 09:01:50.000000000 +0900
++++ ruby-1.8.6-p110/version.h 2007-10-04 22:42:37.000000000 +0900
+@@ -1,15 +1,15 @@
+ #define RUBY_VERSION "1.8.6"
+-#define RUBY_RELEASE_DATE "2007-09-23"
++#define RUBY_RELEASE_DATE "2007-09-24"
+ #define RUBY_VERSION_CODE 186
+-#define RUBY_RELEASE_CODE 20070923
+-#define RUBY_PATCHLEVEL 110
++#define RUBY_RELEASE_CODE 20070924
++#define RUBY_PATCHLEVEL 111
+
+ #define RUBY_VERSION_MAJOR 1
+ #define RUBY_VERSION_MINOR 8
+ #define RUBY_VERSION_TEENY 6
+ #define RUBY_RELEASE_YEAR 2007
+ #define RUBY_RELEASE_MONTH 9
+-#define RUBY_RELEASE_DAY 23
++#define RUBY_RELEASE_DAY 24
+
+ #ifdef RUBY_EXTERN
+ RUBY_EXTERN const char ruby_version[];
diff --git a/ruby-deprecated-search-path.patch b/ruby-deprecated-search-path.patch
index 3b937b2..aead58e 100644
--- a/ruby-deprecated-search-path.patch
+++ b/ruby-deprecated-search-path.patch
@@ -24,28 +24,28 @@ diff -ruN ruby-1.8.4.orig/ruby.c ruby-1.8.4/ruby.c
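Review bot: The comment above `attr_accessor :enable_post_connection_check` in the nested net/http.rb hunk overstates what the flag controls: it only decides whether a failed `s.post_connection_check(@address)` raises, while certificate chain verification is still governed by `@ssl_context.verify_mode`, and when the flag is false the mismatch is merely passed to `warn ex.message` and the session continues into `on_connect`. I would reword it to `# when false, a server-certificate hostname mismatch is only warned about and the connection is still used (insecure); chain verification is controlled by verify_mode`. The default assigned in `initialize` is true, which is the right choice, but the enclosing method (presumably `connect`) starts outside the nested hunk, so it is worth confirming that the socket `s` is closed when the check raises after the handshake completed. Note also that the version.h part of the same patch makes the interpreter report `RUBY_PATCHLEVEL 111` while ruby.spec keeps `_patchlevel 110`, which can mislead version-based vulnerability matching; presumably intentional, but worth a line in the changelog.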
@@ -292,11 +292,17 @@
 #endif
- ruby_incpush(RUBY_RELATIVE(RUBY_SITE_LIB2));
+ incpush(RUBY_RELATIVE(RUBY_SITE_LIB2));
 +#ifdef RUBY_DEPRECATED_SITE_LIB
-+ ruby_incpush(RUBY_RELATIVE(RUBY_DEPRECATED_SITE_LIB2));
++ incpush(RUBY_RELATIVE(RUBY_DEPRECATED_SITE_LIB2));
 +#endif
 #ifdef RUBY_SITE_THIN_ARCHLIB
- ruby_incpush(RUBY_RELATIVE(RUBY_SITE_THIN_ARCHLIB));
+ incpush(RUBY_RELATIVE(RUBY_SITE_THIN_ARCHLIB));
 #endif
- ruby_incpush(RUBY_RELATIVE(RUBY_SITE_ARCHLIB));
- ruby_incpush(RUBY_RELATIVE(RUBY_SITE_LIB));
+ incpush(RUBY_RELATIVE(RUBY_SITE_ARCHLIB));
+ incpush(RUBY_RELATIVE(RUBY_SITE_LIB));
 +#ifdef RUBY_DEPRECATED_SITE_LIB
-+ ruby_incpush(RUBY_RELATIVE(RUBY_DEPRECATED_SITE_LIB));
++ incpush(RUBY_RELATIVE(RUBY_DEPRECATED_SITE_LIB));
 +#endif
 #ifdef RUBY_DEPRECATED_OLD_SITE_LIB2
- ruby_incpush(RUBY_RELATIVE(RUBY_DEPRECATED_OLD_SITE_LIB2));
+ incpush(RUBY_RELATIVE(RUBY_DEPRECATED_OLD_SITE_LIB2));
 #endif
 @@ -308,6 +314,9 @@
 #endif
- ruby_incpush(RUBY_RELATIVE(RUBY_LIB));
+ incpush(RUBY_RELATIVE(RUBY_LIB));
 +#ifdef RUBY_DEPRECATED_LIB
-+ ruby_incpush(RUBY_RELATIVE(RUBY_DEPRECATED_LIB));
++ incpush(RUBY_RELATIVE(RUBY_DEPRECATED_LIB));
 +#endif
 #ifdef RUBY_THIN_ARCHLIB
- ruby_incpush(RUBY_RELATIVE(RUBY_THIN_ARCHLIB));
+ incpush(RUBY_RELATIVE(RUBY_THIN_ARCHLIB));
 #endif
diff --git a/ruby-deprecated-sitelib-search-path.patch b/ruby-deprecated-sitelib-search-path.patch
index ce5f2ab..5711727 100644
--- a/ruby-deprecated-sitelib-search-path.patch
+++ b/ruby-deprecated-sitelib-search-path.patch
@@ -23,17 +23,17 @@ diff -ruN ruby-1.8.4.orig/ruby.c ruby-1.8.4/ruby.c
 +++ ruby-1.8.4/ruby.c 2006-06-07 15:56:14.000000000 +0900
@@ -297,6 +297,15 @@
 #endif
- ruby_incpush(RUBY_RELATIVE(RUBY_SITE_ARCHLIB));
- ruby_incpush(RUBY_RELATIVE(RUBY_SITE_LIB));
+ incpush(RUBY_RELATIVE(RUBY_SITE_ARCHLIB));
+ incpush(RUBY_RELATIVE(RUBY_SITE_LIB));
 +#ifdef RUBY_DEPRECATED_OLD_SITE_LIB2
-+ ruby_incpush(RUBY_RELATIVE(RUBY_DEPRECATED_OLD_SITE_LIB2));
++ incpush(RUBY_RELATIVE(RUBY_DEPRECATED_OLD_SITE_LIB2));
 +#endif
 +#ifdef RUBY_DEPRECATED_OLD_SITE_ARCHLIB
-+ ruby_incpush(RUBY_RELATIVE(RUBY_DEPRECATED_OLD_SITE_ARCHLIB));
++ incpush(RUBY_RELATIVE(RUBY_DEPRECATED_OLD_SITE_ARCHLIB));
 +#endif
 +#ifdef RUBY_DEPRECATED_OLD_SITE_LIB
-+ ruby_incpush(RUBY_RELATIVE(RUBY_DEPRECATED_OLD_SITE_LIB));
++ incpush(RUBY_RELATIVE(RUBY_DEPRECATED_OLD_SITE_LIB));
 +#endif
- ruby_incpush(RUBY_RELATIVE(RUBY_LIB));
+ incpush(RUBY_RELATIVE(RUBY_LIB));
 #ifdef RUBY_THIN_ARCHLIB
diff --git a/ruby-r12567.patch b/ruby-r12567.patch
deleted file mode 100644
index 0a15fc9..0000000
--- a/ruby-r12567.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Mon Jun 18 11:29:49 2007 Nobuyoshi Nakada
-
- * intern.h, ext/thread/thread.c: moved prototype of rb_thread_status()
- to get rid of error in C++. [ruby-list:43615]
-
-Index: intern.h
-===================================================================
---- intern.h (リビジョン 12566)
-+++ intern.h (リビジョン 12567)
-@@ -204,7 +204,6 @@
- void rb_thread_polling _((void));
- void rb_thread_sleep _((int));
- void rb_thread_sleep_forever _((void));
--enum rb_thread_status rb_thread_status _((VALUE));
- VALUE rb_thread_stop _((void));
- VALUE rb_thread_wakeup _((VALUE));
- VALUE rb_thread_wakeup_alive _((VALUE));
-Index: ext/thread/thread.c
-===================================================================
---- ext/thread/thread.c (リビジョン 12566)
-+++ ext/thread/thread.c (リビジョン 12567)
-@@ -14,6 +14,8 @@
- #include
- #include
-
-+enum rb_thread_status rb_thread_status _((VALUE));
-+
- static VALUE rb_cMutex;
- static VALUE rb_cConditionVariable;
- static VALUE rb_cQueue;
diff --git a/ruby.spec b/ruby.spec
index 56aaa09..bcb94a6 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -1,7 +1,7 @@
 %define manver 1.4.6
 %define rubyxver 1.8
 %define rubyver 1.8.6
-%define _patchlevel 36
+%define _patchlevel 110
 %define dotpatchlevel %{?_patchlevel:.%{_patchlevel}}
 %define patchlevel %{?_patchlevel:-p%{_patchlevel}}
 %define sitedir %{_libdir}/ruby/site_ruby
@@ -11,8 +11,8 @@ Name: ruby
 Version: %{rubyver}%{?dotpatchlevel}
-Release: 3%{?dist}
-License: Ruby License/GPL - see COPYING
+Release: 1%{?dist}
+License: Ruby or GPL+
 URL: http://www.ruby-lang.org/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: readline readline-devel ncurses ncurses-devel gdbm gdbm-devel glibc-devel tcl-devel tk-devel libX11-devel autoconf gcc unzip openssl-devel db4-devel byacc
@@ -36,7 +36,7 @@ Patch20: ruby-rubyprefix.patch
 Patch21: ruby-deprecated-sitelib-search-path.patch
 Patch22: ruby-deprecated-search-path.patch
 Patch23: ruby-multilib.patch
-Patch24: ruby-r12567.patch
+Patch24: ruby-1.8.6-CVE-2007-5162.patch
 Summary: An interpreter of object-oriented scripting language
 Group: Development/Languages
@@ -153,7 +153,7 @@ pushd %{name}-%{rubyver}%{?patchlevel}
 %patch22 -p1
 %patch23 -p1
 %endif
-%patch24 -p0
+%patch24 -p1
 popd
 %build
@@ -471,6 +471,12 @@ rm -rf tmp-ruby-docs
 %endif
 %changelog
+* Thu Oct 4 2007 Akira TAGOH - 1.8.6.110-1
+- New upstream release.
+ - ruby-r12567.patch: removed.
+- ruby-1.8.6-CVE-2007-5162.patch: security fix for Net::HTTP that is
+ insufficient verification of SSL certificate. (#313791)
+
 * Mon Jul 25 2007 Akira TAGOH - 1.8.6.36-3
 - ruby-r12567.patch: backport patch from upstream svn to get rid of the
 unnecessary declarations. (#245446)
diff --git a/sources b/sources
index 96dd4cd..2e7c5e8 100644
--- a/sources
+++ b/sources
@@ -2,4 +2,4 @@
 d65e3a216d6d345a2a6f1aa8758c2f75 ruby-refm-rdp-1.8.1-ja-html.tar.gz
 7f3e181c0be9a1579e43a5a8b26372d6 rubyfaq-990927.tar.bz2
 8aa2e2da327dc43ff6e46e634eb657b6 rubyfaq-jp-990927.tar.bz2
-eb7f25818cb6993839b38d1f21bd4ea1 ruby-1.8.6-p36.tar.bz2
+39cbf0cc610e636983cb3311bef3f2d0 ruby-1.8.6-p110.tar.bz2