pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2008Q2]: pkgsrc/lang/ruby18-base Pullup ticket #2528 - request...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/e33fa8104b19
branches:  pkgsrc-2008Q2
changeset: 544323:e33fa8104b19
user:      tron <tron%pkgsrc.org@localhost>
date:      Wed Sep 17 10:41:37 2008 +0000

description:
Pullup ticket #2528 - requested by taca
ruby18-base: security patch

Revisions pulled up:
- lang/ruby18-base/Makefile             1.47
- lang/ruby18-base/distinfo             1.34
- lang/ruby18-base/patches/patch-dg     1.5
- lang/ruby18-base/patches/patch-dh     1.3
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Sun Sep 14 05:17:18 UTC 2008

Modified Files:
        pkgsrc/lang/ruby18-base: Makefile distinfo
Added Files:
        pkgsrc/lang/ruby18-base/patches: patch-dg patch-dh

Log Message:
Add fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3790
(http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/)
from ruby_1_8 branch.

Bump PKGREVISION.

diffstat:

 lang/ruby18-base/Makefile         |   3 +-
 lang/ruby18-base/distinfo         |   4 ++-
 lang/ruby18-base/patches/patch-dg |  43 +++++++++++++++++++++++++++++++++++++++
 lang/ruby18-base/patches/patch-dh |  15 +++++++++++++
 4 files changed, 63 insertions(+), 2 deletions(-)

diffs (95 lines):

diff -r 1c37f305cbb5 -r e33fa8104b19 lang/ruby18-base/Makefile
--- a/lang/ruby18-base/Makefile Wed Sep 17 09:41:40 2008 +0000
+++ b/lang/ruby18-base/Makefile Wed Sep 17 10:41:37 2008 +0000
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.45.4.1 2008/08/08 14:37:50 ghen Exp $
+# $NetBSD: Makefile,v 1.45.4.2 2008/09/17 10:41:37 tron Exp $
 #
 
 DISTNAME=      ${RUBY_DISTNAME}
 PKGNAME=       ${RUBY_PKGPREFIX}-base-${RUBY_VERSION_SUFFIX}
+PKGREVISION=   1
 CATEGORIES=    lang ruby
 MASTER_SITES=  ${MASTER_SITE_RUBY}
 #PKGREVISION=
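Review bot: the hunk introduces `PKGREVISION=	1` but leaves the commented placeholder `#PKGREVISION=` two lines below it, so the file now carries both a live setting and a dead one for the same variable; drop the commented line in the same change so the revision has a single, unambiguous source.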
diff -r 1c37f305cbb5 -r e33fa8104b19 lang/ruby18-base/distinfo
--- a/lang/ruby18-base/distinfo Wed Sep 17 09:41:40 2008 +0000
+++ b/lang/ruby18-base/distinfo Wed Sep 17 10:41:37 2008 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.31.4.2 2008/08/12 11:22:11 rtr Exp $
+$NetBSD: distinfo,v 1.31.4.3 2008/09/17 10:41:38 tron Exp $
 
 SHA1 (ruby-1.8.7-p72.tar.bz2) = 462e990a724580e4dfeeac5a271b93f6cfcbf5c7
 RMD160 (ruby-1.8.7-p72.tar.bz2) = 07bf0d6987ba111aed988093c569fb66ba54891b
@@ -6,3 +6,5 @@
 SHA1 (patch-aa) = 59f4462dada7e7b00c7a773c8a95454f3dc4f994
 SHA1 (patch-ab) = 239872c5faf95c05d2a94fe5f40af5b8541423c7
 SHA1 (patch-ac) = eb4dd068729ba2a2c7d4d659f6bcdb1410227f3b
+SHA1 (patch-dg) = 6c92da2111af7dd09d9cc28d1d82612ead14283e
+SHA1 (patch-dh) = ac637345ee171892b551f34d0deb65f238060c7c
diff -r 1c37f305cbb5 -r e33fa8104b19 lang/ruby18-base/patches/patch-dg
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/ruby18-base/patches/patch-dg Wed Sep 17 10:41:37 2008 +0000
@@ -0,0 +1,43 @@
+$NetBSD: patch-dg,v 1.4.2.1 2008/09/17 10:41:38 tron Exp $
+
+Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3790.
+(http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/)
+
+--- lib/rexml/document.rb.orig 2008-06-06 17:05:24.000000000 +0900
++++ lib/rexml/document.rb
+@@ -32,6 +32,7 @@ module REXML
+         # @param context if supplied, contains the context of the document;
+         # this should be a Hash.
+               def initialize( source = nil, context = {} )
++      @entity_expansion_count = 0
+                       super()
+                       @context = context
+                       return if source.nil?
+@@ -200,6 +201,27 @@ module REXML
+                       Parsers::StreamParser.new( source, listener ).parse
+               end
+ 
++    @@entity_expansion_limit = 10_000
++
++    # Set the entity expansion limit. By default the limit is set to 10000.
++    def Document::entity_expansion_limit=( val )
++      @@entity_expansion_limit = val
++    end
++
++    # Get the entity expansion limit. By default the limit is set to 10000.
++    def Document::entity_expansion_limit
++      return @@entity_expansion_limit
++    end
++
++    attr_reader :entity_expansion_count
++    
++    def record_entity_expansion
++      @entity_expansion_count += 1
++      if @entity_expansion_count > @@entity_expansion_limit
++        raise "number of entity expansions exceeded, processing aborted."
++      end
++    end
++
+               private
+               def build( source )
+       Parsers::TreeParser.new( source, self ).parse
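Review bot: `record_entity_expansion` aborts with a bare `raise "number of entity expansions exceeded, processing aborted."`, which produces a plain RuntimeError, so callers that already rescue REXML's own parse exceptions to handle hostile or malformed input will not catch the limit being hit and will see an unexpected generic error instead; raise a REXML-specific exception class (a ParseException subclass, for instance) so the limit condition can be handled alongside other parse failures. Also worth a sentence in the accessor comments: `@@entity_expansion_limit` is a class variable, so `Document::entity_expansion_limit=` changes the limit for every document in the process, not just the one being configured.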
diff -r 1c37f305cbb5 -r e33fa8104b19 lang/ruby18-base/patches/patch-dh
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/ruby18-base/patches/patch-dh Wed Sep 17 10:41:37 2008 +0000
@@ -0,0 +1,15 @@
+$NetBSD: patch-dh,v 1.2.8.1 2008/09/17 10:41:38 tron Exp $
+
+Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3790.
+(http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/)
+
+--- lib/rexml/entity.rb.orig   2008-04-18 16:22:13.000000000 +0900
++++ lib/rexml/entity.rb
+@@ -73,6 +73,7 @@ module REXML
+               # all entities -- both %ent; and &ent; entities.  This differs from
+               # +value()+ in that +value+ only replaces %ent; entities.
+               def unnormalized
++                        document.record_entity_expansion
+                       v = value()
+                       return nil if v.nil?
+                       @unnormalized = Text::unnormalize(v, parent)
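Review bot: the added line `document.record_entity_expansion` has no nil guard, so an Entity whose parent chain does not reach a Document (one constructed directly, or belonging to a DocType that is not attached to a document) will now fail `unnormalized` with a NoMethodError on nil rather than expanding as before; guard the call, e.g. `document.record_entity_expansion unless document.nil?`, so the limit is enforced where a document exists and standalone entities keep working.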
