[pkgsrc/trunk]: pkgsrc/lang/ruby18-base Add fix for http://cve.mitre.org/cgi-...

To: pkgsrc-changes-hg%NetBSD.org@localhost
Subject: [pkgsrc/trunk]: pkgsrc/lang/ruby18-base Add fix for http://cve.mitre.org/cgi-...
From: taca <taca%pkgsrc.org@localhost>
Date: Thu, 14 Oct 2021 06:36:02 +0000

details:   https://anonhg.NetBSD.org/pkgsrc/rev/613d7a1e4fce
branches:  trunk
changeset: 547200:613d7a1e4fce
user:      taca <taca%pkgsrc.org@localhost>
date:      Sun Sep 14 05:17:18 2008 +0000

description:
Add fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3790
(http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/)
from ruby_1_8 branch.

Bump PKGREVISION.

diffstat:

 lang/ruby18-base/Makefile         |   3 +-
 lang/ruby18-base/distinfo         |   4 ++-
 lang/ruby18-base/patches/patch-dg |  43 +++++++++++++++++++++++++++++++++++++++
 lang/ruby18-base/patches/patch-dh |  15 +++++++++++++
 4 files changed, 63 insertions(+), 2 deletions(-)

diffs (95 lines):

diff -r 6f46cd0a85af -r 613d7a1e4fce lang/ruby18-base/Makefile
--- a/lang/ruby18-base/Makefile Sat Sep 13 21:19:34 2008 +0000
+++ b/lang/ruby18-base/Makefile Sun Sep 14 05:17:18 2008 +0000
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.46 2008/08/08 12:42:44 taca Exp $
+# $NetBSD: Makefile,v 1.47 2008/09/14 05:17:18 taca Exp $
 #
 
 DISTNAME=      ${RUBY_DISTNAME}
 PKGNAME=       ${RUBY_PKGPREFIX}-base-${RUBY_VERSION_SUFFIX}
+PKGREVISION=   1
 CATEGORIES=    lang ruby
 MASTER_SITES=  ${MASTER_SITE_RUBY}
 #PKGREVISION=
diff -r 6f46cd0a85af -r 613d7a1e4fce lang/ruby18-base/distinfo
--- a/lang/ruby18-base/distinfo Sat Sep 13 21:19:34 2008 +0000
+++ b/lang/ruby18-base/distinfo Sun Sep 14 05:17:18 2008 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.33 2008/08/11 06:58:33 taca Exp $
+$NetBSD: distinfo,v 1.34 2008/09/14 05:17:18 taca Exp $
 
 SHA1 (ruby-1.8.7-p72.tar.bz2) = 462e990a724580e4dfeeac5a271b93f6cfcbf5c7
 RMD160 (ruby-1.8.7-p72.tar.bz2) = 07bf0d6987ba111aed988093c569fb66ba54891b
@@ -6,3 +6,5 @@
 SHA1 (patch-aa) = 59f4462dada7e7b00c7a773c8a95454f3dc4f994
 SHA1 (patch-ab) = 239872c5faf95c05d2a94fe5f40af5b8541423c7
 SHA1 (patch-ac) = eb4dd068729ba2a2c7d4d659f6bcdb1410227f3b
+SHA1 (patch-dg) = 6c92da2111af7dd09d9cc28d1d82612ead14283e
+SHA1 (patch-dh) = ac637345ee171892b551f34d0deb65f238060c7c
diff -r 6f46cd0a85af -r 613d7a1e4fce lang/ruby18-base/patches/patch-dg
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/ruby18-base/patches/patch-dg Sun Sep 14 05:17:18 2008 +0000
@@ -0,0 +1,43 @@
+$NetBSD: patch-dg,v 1.5 2008/09/14 05:17:18 taca Exp $
+
+Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3790.
+(http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/)
+
+--- lib/rexml/document.rb.orig 2008-06-06 17:05:24.000000000 +0900
++++ lib/rexml/document.rb
+@@ -32,6 +32,7 @@ module REXML
+         # @param context if supplied, contains the context of the document;
+         # this should be a Hash.
+               def initialize( source = nil, context = {} )
++      @entity_expansion_count = 0
+                       super()
+                       @context = context
+                       return if source.nil?
+@@ -200,6 +201,27 @@ module REXML
+                       Parsers::StreamParser.new( source, listener ).parse
+               end
+ 
++    @@entity_expansion_limit = 10_000
++
++    # Set the entity expansion limit. By default the limit is set to 10000.
++    def Document::entity_expansion_limit=( val )
++      @@entity_expansion_limit = val
++    end
++
++    # Get the entity expansion limit. By default the limit is set to 10000.
++    def Document::entity_expansion_limit
++      return @@entity_expansion_limit
++    end
++
++    attr_reader :entity_expansion_count
++    
++    def record_entity_expansion
++      @entity_expansion_count += 1
++      if @entity_expansion_count > @@entity_expansion_limit
++        raise "number of entity expansions exceeded, processing aborted."
++      end
++    end
++
+               private
+               def build( source )
+       Parsers::TreeParser.new( source, self ).parse
diff -r 6f46cd0a85af -r 613d7a1e4fce lang/ruby18-base/patches/patch-dh
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/ruby18-base/patches/patch-dh Sun Sep 14 05:17:18 2008 +0000
@@ -0,0 +1,15 @@
+$NetBSD: patch-dh,v 1.3 2008/09/14 05:17:18 taca Exp $
+
+Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3790.
+(http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/)
+
+--- lib/rexml/entity.rb.orig   2008-04-18 16:22:13.000000000 +0900
++++ lib/rexml/entity.rb
+@@ -73,6 +73,7 @@ module REXML
+               # all entities -- both %ent; and &ent; entities.  This differs from
+               # +value()+ in that +value+ only replaces %ent; entities.
+               def unnormalized
++                        document.record_entity_expansion
+                       v = value()
+                       return nil if v.nil?
+                       @unnormalized = Text::unnormalize(v, parent)

Prev by Date: [pkgsrc/trunk]: pkgsrc/devel/monotone Add a test target.
Next by Date: [pkgsrc/trunk]: pkgsrc Added audio/ampache version 3.4.3
Previous by Thread: [pkgsrc/trunk]: pkgsrc/devel/monotone Add a test target.
Next by Thread: [pkgsrc/trunk]: pkgsrc Added audio/ampache version 3.4.3
Indexes:

Home | Main Index | Thread Index | Old Index