From eac4c415ba6b6ed3a6bad631d1bd43cb93f24155 Mon Sep 17 00:00:00 2001 From: Vít Ondruch Date: Nov 27 2013 15:07:24 +0000 Subject: Update to Ruby 2.0.0-p353. - Allow MD5 in OpenSSL for tests. - Fix heap overflow in floating point parsing (CVE-2013-4164). --- diff --git a/.gitignore b/.gitignore index b883574..552398f 100644 --- a/.gitignore +++ b/.gitignore @@ -20,3 +20,4 @@ ruby-rev415a3ef9ab82c65a7abc-ext_tk.tar.gz /ruby-2.0.0-p0.tar.gz /ruby-2.0.0-p195.tar.bz2 /ruby-2.0.0-p247.tar.bz2 +/ruby-2.0.0-p353.tar.bz2 diff --git a/ruby-2.0.0-p195-Fix-build-against-OpenSSL-with-enabled-ECC-curves.patch b/ruby-2.0.0-p195-Fix-build-against-OpenSSL-with-enabled-ECC-curves.patch deleted file mode 100644 index 461b787..0000000 --- a/ruby-2.0.0-p195-Fix-build-against-OpenSSL-with-enabled-ECC-curves.patch +++ /dev/null @@ -1,85 +0,0 @@ -From 5617aafa2d44d0a4bc811830e225463abd01b2b2 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?V=C3=ADt=20Ondruch?= -Date: Tue, 21 May 2013 10:01:33 +0200 -Subject: [PATCH] Fix build against OpenSSL with enabled ECC curves. - ---- - ext/openssl/ossl_pkey_ec.c | 4 ++++ - test/openssl/test_pkey_ec.rb | 26 +++++++++++++------------- - 2 files changed, 17 insertions(+), 13 deletions(-) - -diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c -index 8e6d88f..29e28ca 100644 ---- a/ext/openssl/ossl_pkey_ec.c -+++ b/ext/openssl/ossl_pkey_ec.c -@@ -762,8 +762,10 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self) - method = EC_GFp_mont_method(); - } else if (id == s_GFp_nist) { - method = EC_GFp_nist_method(); -+#if !defined(OPENSSL_NO_EC2M) - } else if (id == s_GF2m_simple) { - method = EC_GF2m_simple_method(); -+#endif - } - - if (method) { -@@ -817,8 +819,10 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self) - - if (id == s_GFp) { - new_curve = EC_GROUP_new_curve_GFp; -+#if !defined(OPENSSL_NO_EC2M) - } else if (id == s_GF2m) { - new_curve = EC_GROUP_new_curve_GF2m; -+#endif - } else { - ossl_raise(rb_eArgError, "unknown symbol, must be :GFp or :GF2m"); - } -diff --git a/test/openssl/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb -index f151335..56f3ff7 100644 ---- a/test/openssl/test_pkey_ec.rb -+++ b/test/openssl/test_pkey_ec.rb -@@ -7,28 +7,28 @@ class OpenSSL::TestEC < Test::Unit::TestCase - @data1 = 'foo' - @data2 = 'bar' * 1000 # data too long for DSA sig - -- @group1 = OpenSSL::PKey::EC::Group.new('secp112r1') -- @group2 = OpenSSL::PKey::EC::Group.new('sect163k1') -- @group3 = OpenSSL::PKey::EC::Group.new('prime256v1') -+ @groups = [] -+ @keys = [] - -- @key1 = OpenSSL::PKey::EC.new -- @key1.group = @group1 -- @key1.generate_key -+ OpenSSL::PKey::EC.builtin_curves.each do |curve, comment| -+ group = OpenSSL::PKey::EC::Group.new(curve) - -- @key2 = OpenSSL::PKey::EC.new(@group2.curve_name) -- @key2.generate_key -+ key = OpenSSL::PKey::EC.new(group) -+ key.generate_key - -- @key3 = OpenSSL::PKey::EC.new(@group3) -- @key3.generate_key -- -- @groups = [@group1, @group2, @group3] -- @keys = [@key1, @key2, @key3] -+ @groups << group -+ @keys << key -+ end - end - - def compare_keys(k1, k2) - assert_equal(k1.to_pem, k2.to_pem) - end - -+ def test_builtin_curves -+ assert(!OpenSSL::PKey::EC.builtin_curves.empty?) -+ end -+ - def test_curve_names - @groups.each_with_index do |group, idx| - key = @keys[idx] --- -1.8.2.1 - diff --git a/ruby.spec b/ruby.spec index 9aea8a4..6a6bb46 100644 --- a/ruby.spec +++ b/ruby.spec @@ -1,7 +1,7 @@ %global major_version 2 %global minor_version 0 %global teeny_version 0 -%global patch_level 247 +%global patch_level 353 %global major_minor_version %{major_version}.%{minor_version} @@ -26,7 +26,7 @@ %endif -%global release 15 +%global release 16 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} %global rubygems_version 2.0.3 @@ -139,11 +139,6 @@ Patch13: rubygems-2.0.0-Do-not-modify-global-Specification.dirs-during-insta.pat # This prevents issues, when ruby configuration specifies --with-ruby-version=''. # https://github.com/rubygems/rubygems/pull/455 Patch14: rubygems-2.0.0-Fixes-for-empty-ruby-version.patch -# Although this does not directly affects Fedora ATM, it might be issue when -# rebuilding package on different platform (RHEL7). Please keep the patch until -# it is resolved in upstream. -# https://bugs.ruby-lang.org/issues/8384 -Patch15: ruby-2.0.0-p195-Fix-build-against-OpenSSL-with-enabled-ECC-curves.patch # Adds aarch64 support. # http://bugs.ruby-lang.org/issues/8331 # https://bugzilla.redhat.com/show_bug.cgi?id=926463 @@ -424,7 +419,6 @@ Tcl/Tk interface for the object-oriented scripting language Ruby. %patch12 -p1 %patch13 -p1 %patch14 -p1 -%patch15 -p1 %patch16 -p1 %patch17 -p1 %patch18 -p1 @@ -600,7 +594,9 @@ DISABLE_TESTS="-x test_dl2.rb $DISABLE_TESTS" # the test suite). touch abrt.rb -make check TESTS="-v $DISABLE_TESTS" +# Allow MD5 in OpenSSL. +# https://bugs.ruby-lang.org/issues/9154 +OPENSSL_ENABLE_MD5_VERIFY=1 make check TESTS="-v $DISABLE_TESTS" %post libs -p /sbin/ldconfig @@ -893,6 +889,11 @@ make check TESTS="-v $DISABLE_TESTS" %{ruby_libdir}/tkextlib %changelog +* Mon Nov 25 2013 Vít Ondruch - 2.0.0.353-16 +- Update to Ruby 2.0.0-p353. +- Allow MD5 in OpenSSL for tests. +- Fix heap overflow in floating point parsing (CVE-2013-4164). + * Tue Jul 30 2013 Vít Ondruch - 2.0.0.247-15 - Move Psych symlinks to vendor dir, to prevent F18 -> F19 upgrade issues (rhbz#988490). diff --git a/rubygems-2.0.0-Do-not-modify-global-Specification.dirs-during-insta.patch b/rubygems-2.0.0-Do-not-modify-global-Specification.dirs-during-insta.patch index 607e028..98013a7 100644 --- a/rubygems-2.0.0-Do-not-modify-global-Specification.dirs-during-insta.patch +++ b/rubygems-2.0.0-Do-not-modify-global-Specification.dirs-during-insta.patch @@ -44,7 +44,7 @@ diff --git a/lib/rubygems/dependency_installer.rb b/lib/rubygems/dependency_inst index dffa8df..841f26a 100644 --- a/lib/rubygems/dependency_installer.rb +++ b/lib/rubygems/dependency_installer.rb -@@ -57,17 +57,14 @@ class Gem::DependencyInstaller +@@ -57,16 +57,14 @@ class Gem::DependencyInstaller # :build_args:: See Gem::Installer::new def initialize(options = {}) @@ -54,7 +54,6 @@ index dffa8df..841f26a 100644 - # HACK shouldn't change the global settings, needed for -i behavior - # maybe move to the install command? See also github #442 - Gem::Specification.dirs = @install_dir -- Gem.ensure_gem_subdirectories @install_dir + Gem.ensure_gem_subdirectories options[:install_dir] end diff --git a/rubygems-2.0.0-Fixes-for-empty-ruby-version.patch b/rubygems-2.0.0-Fixes-for-empty-ruby-version.patch index e443a46..365dc7b 100644 --- a/rubygems-2.0.0-Fixes-for-empty-ruby-version.patch +++ b/rubygems-2.0.0-Fixes-for-empty-ruby-version.patch @@ -1,7 +1,7 @@ From c9b2eff36728266052ccfff54d3ac0a0624fd0f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADt=20Ondruch?= Date: Thu, 14 Feb 2013 11:50:41 +0100 -Subject: [PATCH 1/2] Use File.join insteado of manual path creation. +Subject: [PATCH] Use File.join insteado of manual path creation. This prevents issues, when File.join in #new_default_spec removes superfluous slashes while they are kept in expected paths. E.g. the test @@ -32,50 +32,3 @@ index 60df53f..35c9631 100644 -- 1.8.1.2 - -From b022cef7b2e6c2d138388a6c2db02cca8c408cc6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?V=C3=ADt=20Ondruch?= -Date: Thu, 14 Feb 2013 13:35:20 +0100 -Subject: [PATCH 2/2] Do not add last slash to Gem.user_dir if ruby_version - string is empty. - ---- - lib/rubygems/defaults.rb | 4 +++- - test/rubygems/test_gem.rb | 6 ++++-- - 2 files changed, 7 insertions(+), 3 deletions(-) - -diff --git a/lib/rubygems/defaults.rb b/lib/rubygems/defaults.rb -index ea84e5c..05c35bb 100644 ---- a/lib/rubygems/defaults.rb -+++ b/lib/rubygems/defaults.rb -@@ -54,7 +54,9 @@ module Gem - # Path for gems in the user's home directory - - def self.user_dir -- File.join Gem.user_home, '.gem', ruby_engine, ConfigMap[:ruby_version] -+ parts = [Gem.user_home, '.gem', ruby_engine] -+ parts << ConfigMap[:ruby_version] unless ConfigMap[:ruby_version].empty? -+ File.join parts - end - - ## -diff --git a/test/rubygems/test_gem.rb b/test/rubygems/test_gem.rb -index bf77009..9ee78f7 100644 ---- a/test/rubygems/test_gem.rb -+++ b/test/rubygems/test_gem.rb -@@ -1198,8 +1198,10 @@ class TestGem < Gem::TestCase - end - - def test_self_user_dir -- assert_equal File.join(@userhome, '.gem', Gem.ruby_engine, -- Gem::ConfigMap[:ruby_version]), Gem.user_dir -+ parts = [@userhome, '.gem', Gem.ruby_engine] -+ parts << Gem::ConfigMap[:ruby_version] unless Gem::ConfigMap[:ruby_version].empty? -+ -+ assert_equal File.join(parts), Gem.user_dir - end - - def test_self_user_home --- -1.8.1.2 - diff --git a/sources b/sources index 44c414b..0c071c1 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -60913f3eec0c4071f44df42600be2604 ruby-2.0.0-p247.tar.bz2 +20eb8f067d20f6b76b7e16cce2a85a55 ruby-2.0.0-p353.tar.bz2