From f0df5e45d506204e2f550b4825b122429edb1261 Mon Sep 17 00:00:00 2001
From: Akira TAGOH <tagoh@fedoraproject.org>
Date: Jul 20 2006 11:06:45 +0000
Subject: - security fixes.

- ruby-1.8.4-fix-insecure-dir-operation.patch:
- ruby-1.8.4-fix-insecure-regexp-modification.patch: fixed the insecure
    operations in the certain safe-level restrictions. (#199538)
- ruby-1.8.4-fix-alias-safe-level.patch: fixed to not bypass the certain
    safe-level restrictions. (#199543)

---

diff --git a/ruby-1.8.4-fix-alias-safe-level.patch b/ruby-1.8.4-fix-alias-safe-level.patch
new file mode 100644
index 0000000..e95d784
--- /dev/null
+++ b/ruby-1.8.4-fix-alias-safe-level.patch
@@ -0,0 +1,36 @@
+diff -ruN ruby-1.8.4.orig/eval.c ruby-1.8.4/eval.c
+--- ruby-1.8.4.orig/eval.c	2005-12-20 22:41:47.000000000 +0900
++++ ruby-1.8.4/eval.c	2006-07-20 18:33:50.000000000 +0900
+@@ -2097,7 +2097,8 @@
+ 	}
+     }
+     st_insert(RCLASS(klass)->m_tbl, name,
+-      (st_data_t)NEW_METHOD(NEW_FBODY(body, def, origin), orig->nd_noex));
++	     (st_data_t)NEW_METHOD(NEW_FBODY(body, def, origin),
++				   NOEX_WITH_SAFE(orig->nd_noex)));
+     if (singleton) {
+ 	rb_funcall(singleton, singleton_added, 1, ID2SYM(name));
+     }
+@@ -5638,6 +5639,11 @@
+     TMP_PROTECT;
+     volatile int safe = -1;
+ 
++    if (NOEX_SAFE(flags) > ruby_safe_level &&
++       !(flags&NOEX_TAINTED) && ruby_safe_level == 0 && NOEX_SAFE(flags) > 2) {
++       rb_raise(rb_eSecurityError, "calling insecure method: %s",
++		rb_id2name(id));
++    }
+     switch (ruby_iter->iter) {
+       case ITER_PRE:
+       case ITER_PAS:
+@@ -5742,10 +5748,6 @@
+ 	    b2 = body = body->nd_next;
+ 
+ 	    if (NOEX_SAFE(flags) > ruby_safe_level) {
+-		if (!(flags&NOEX_TAINTED) && ruby_safe_level == 0 && NOEX_SAFE(flags) > 2) {
+-		    rb_raise(rb_eSecurityError, "calling insecure method: %s",
+-			     rb_id2name(id));
+-		}
+ 		safe = ruby_safe_level;
+ 		ruby_safe_level = NOEX_SAFE(flags);
+ 	    }
diff --git a/ruby-1.8.4-fix-insecure-dir-operation.patch b/ruby-1.8.4-fix-insecure-dir-operation.patch
new file mode 100644
index 0000000..492aff4
--- /dev/null
+++ b/ruby-1.8.4-fix-insecure-dir-operation.patch
@@ -0,0 +1,31 @@
+diff -ruN ruby-1.8.4.orig/dir.c ruby-1.8.4/dir.c
+--- ruby-1.8.4.orig/dir.c	2005-09-14 22:40:58.000000000 +0900
++++ ruby-1.8.4/dir.c	2006-07-19 22:14:05.000000000 +0900
+@@ -325,7 +325,17 @@
+     rb_raise(rb_eIOError, "closed directory");
+ }
+ 
++static void
++dir_check(dir)
++    VALUE dir;
++{
++    if (!OBJ_TAINTED(dir) && rb_safe_level() >= 4)
++       rb_raise(rb_eSecurityError, "Insecure: operation on untainted Dir");
++    rb_check_frozen(dir);
++}
++
+ #define GetDIR(obj, dirp) do {\
++    dir_check(dir);\
+     Data_Get_Struct(obj, struct dir_data, dirp);\
+     if (dirp->dir == NULL) dir_closed();\
+ } while (0)
+@@ -536,6 +546,9 @@
+ {
+     struct dir_data *dirp;
+ 
++    if (rb_safe_level() >= 4 && !OBJ_TAINTED(dir)) {
++       rb_raise(rb_eSecurityError, "Insecure: can't close");
++    }
+     GetDIR(dir, dirp);
+     closedir(dirp->dir);
+     dirp->dir = NULL;
diff --git a/ruby-1.8.4-fix-insecure-regexp-modification.patch b/ruby-1.8.4-fix-insecure-regexp-modification.patch
new file mode 100644
index 0000000..26c24e3
--- /dev/null
+++ b/ruby-1.8.4-fix-insecure-regexp-modification.patch
@@ -0,0 +1,66 @@
+diff -ruN ruby-1.8.4.orig/re.c ruby-1.8.4/re.c
+--- ruby-1.8.4.orig/re.c	2005-12-13 12:27:51.000000000 +0900
++++ ruby-1.8.4/re.c	2006-07-19 18:07:59.000000000 +0900
+@@ -70,10 +70,11 @@
+ #endif
+ 
+ int
+-rb_memcicmp(p1, p2, len)
+-    char *p1, *p2;
++rb_memcicmp(x, y, len)
++    const void *x, *y;
+     long len;
+ {
++    const unsigned char *p1 = x, *p2 = y;
+     int tmp;
+ 
+     while (len--) {
+@@ -85,7 +86,7 @@
+ 
+ int
+ rb_memcmp(p1, p2, len)
+-    char *p1, *p2;
++    const void *p1, *p2;
+     long len;
+ {
+     if (!ruby_ignorecase) {
+@@ -96,11 +97,11 @@
+ 
+ long
+ rb_memsearch(x0, m, y0, n)
+-    char *x0, *y0;
++    const void *x0, *y0;
+     long m, n;
+ {
+-    unsigned char *x = (unsigned char *)x0, *y = (unsigned char *)y0;
+-    unsigned char *s, *e;
++    const unsigned char *x = (unsigned char *)x0, *y = (unsigned char *)y0;
++    const unsigned char *s, *e;
+     long i;
+     int d;
+     unsigned long hx, hy;
+@@ -1332,6 +1333,8 @@
+ {
+     struct RRegexp *re = RREGEXP(obj);
+ 
++    if (!OBJ_TAINTED(obj) && rb_safe_level() >= 4)
++       rb_raise(rb_eSecurityError, "Insecure: can't modify regexp");
+     if (re->ptr) re_free_pattern(re->ptr);
+     if (re->str) free(re->str);
+     re->ptr = 0;
+diff -ruN ruby-1.8.4.orig/intern.h ruby-1.8.4/intern.h
+--- ruby-1.8.4.orig/intern.h	2006-07-19 18:13:49.000000000 +0900
++++ ruby-1.8.4/intern.h	2006-07-19 18:20:34.000000000 +0900
+@@ -353,9 +353,9 @@
+ VALUE rb_range_beg_len _((VALUE, long*, long*, long, int));
+ VALUE rb_length_by_each _((VALUE));
+ /* re.c */
+-int rb_memcmp _((char*,char*,long));
+-int rb_memcicmp _((char*,char*,long));
+-long rb_memsearch _((char*,long,char*,long));
++int rb_memcmp _((const void*,const void*,long));
++int rb_memcicmp _((const void*,const void*,long));
++long rb_memsearch _((const void*,long,const void*,long));
+ VALUE rb_reg_nth_defined _((int, VALUE));
+ VALUE rb_reg_nth_match _((int, VALUE));
+ VALUE rb_reg_last_match _((VALUE));
diff --git a/ruby-fix-autoconf-magic-code.patch b/ruby-fix-autoconf-magic-code.patch
new file mode 100644
index 0000000..58ac75f
--- /dev/null
+++ b/ruby-fix-autoconf-magic-code.patch
@@ -0,0 +1,11 @@
+diff -ruN ruby-1.8.4.orig/mkconfig.rb ruby-1.8.4/mkconfig.rb
+--- ruby-1.8.4.orig/mkconfig.rb	2006-07-19 20:39:48.000000000 +0900
++++ ruby-1.8.4/mkconfig.rb	2006-07-19 20:40:12.000000000 +0900
+@@ -37,6 +37,7 @@
+ has_version = false
+ File.foreach "config.status" do |line|
+   next if /^#/ =~ line
++  line.gsub!(/\|#_!!_#\|/, '')
+   if /^s[%,]@program_transform_name@[%,]s,(.*)/ =~ line
+     next if $install_name
+     ptn = $1.sub(/\$\$/, '$').split(/,/)	#'
diff --git a/ruby.spec b/ruby.spec
index 8387a4c..4f6bfb5 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -5,10 +5,10 @@
 
 Name:		ruby
 Version:	1.8.4
-Release:	10.fc6.1
+Release:	11%{?dist}
 License:	Ruby License/GPL - see COPYING
 URL:		http://www.ruby-lang.org/
-BuildRoot:	%{_tmppath}/%{name}-%{version}-root
+BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires:	readline readline-devel ncurses ncurses-devel gdbm gdbm-devel glibc-devel tcl-devel tk-devel libX11-devel autoconf gcc unzip openssl-devel db4-devel byacc
 %ifnarch ppc64
 BuildRequires:	emacs
@@ -27,12 +27,16 @@ Source10:	ruby-mode-init.el
 
 Patch1:		ruby-1.8.2-deadcode.patch
 Patch2:		ruby-1.8.4-no-eaccess.patch
-Patch3:		ruby-rubyprefix.patch
-Patch4:		ruby-deprecated-sitelib-search-path.patch
-Patch5:		ruby-deprecated-search-path.patch
-Patch6:		ruby-multilib.patch
-Patch7:		ruby-tcltk-multilib.patch
-Patch8:		ruby-1.8.4-64bit-pack.patch
+Patch3:		ruby-1.8.4-64bit-pack.patch
+Patch4:		ruby-1.8.4-fix-insecure-dir-operation.patch
+Patch5:		ruby-1.8.4-fix-insecure-regexp-modification.patch
+Patch6:		ruby-1.8.4-fix-alias-safe-level.patch
+Patch20:	ruby-rubyprefix.patch
+Patch21:	ruby-deprecated-sitelib-search-path.patch
+Patch22:	ruby-deprecated-search-path.patch
+Patch23:	ruby-multilib.patch
+Patch24:	ruby-tcltk-multilib.patch
+Patch25:	ruby-fix-autoconf-magic-code.patch
 
 Summary:	An interpreter of object-oriented scripting language
 Group:		Development/Languages
@@ -146,12 +150,16 @@ pushd %{name}-%{version}
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
-%ifarch ppc64 s390x sparc64 x86_64
 %patch5 -p1
 %patch6 -p1
-%patch7 -p1
-%patch8 -p1
+%patch20 -p1
+%patch21 -p1
+%ifarch ppc64 s390x sparc64 x86_64
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
 %endif
+%patch25 -p1
 popd
 
 %build
@@ -190,7 +198,7 @@ make test
 popd
 
 %install
-[ -n "$RPM_BUILD_ROOT" -a "$RPM_BUILD_ROOT" != / ] && rm -rf $RPM_BUILD_ROOT
+rm -rf $RPM_BUILD_ROOT
 
 %ifnarch ppc64
 %{__mkdir_p} $RPM_BUILD_ROOT%{_datadir}/emacs/site-lisp/ruby-mode
@@ -367,7 +375,7 @@ cat <<__EOF__ >> ruby-libs.files
 __EOF__
 
 %clean
-[ -n "$RPM_BUILD_ROOT" -a "$RPM_BUILD_ROOT" != / ] && rm -rf $RPM_BUILD_ROOT
+rm -rf $RPM_BUILD_ROOT
 rm -f *.files
 rm -rf tmp-ruby-docs
 
@@ -446,6 +454,14 @@ rm -rf tmp-ruby-docs
 %endif
 
 %changelog
+* Thu Jul 20 2006 Akira TAGOH <tagoh@redhat.com> - 1.8.4-11
+- security fixes.
+  - ruby-1.8.4-fix-insecure-dir-operation.patch:
+  - ruby-1.8.4-fix-insecure-regexp-modification.patch: fixed the insecure
+    operations in the certain safe-level restrictions. (#199538)
+  - ruby-1.8.4-fix-alias-safe-level.patch: fixed to not bypass the certain
+    safe-level restrictions. (#199543)
+
 * Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 1.8.4-10.fc6.1
 - rebuild