pkgsrc-Changes archive


CVS commit: pkgsrc/misc/ruby-sprockets22



Module Name:    pkgsrc
Committed By:   taca
Date:           Sat Sep  8 16:59:45 UTC 2018

Modified Files:
        pkgsrc/misc/ruby-sprockets22: Makefile distinfo
Added Files:
        pkgsrc/misc/ruby-sprockets22/patches: patch-lib_sprockets_server.rb

Log Message:
misc/ruby-sprockets22 Add fix for CVE-2018-3760

* Add fix for CVE-2018-3760.
* pkgsrc change: update HOMEPAGE.


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 pkgsrc/misc/ruby-sprockets22/Makefile
cvs rdiff -u -r1.3 -r1.4 pkgsrc/misc/ruby-sprockets22/distinfo
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/misc/ruby-sprockets22/patches/patch-lib_sprockets_server.rb

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/misc/ruby-sprockets22/Makefile
diff -u pkgsrc/misc/ruby-sprockets22/Makefile:1.6 pkgsrc/misc/ruby-sprockets22/Makefile:1.7
--- pkgsrc/misc/ruby-sprockets22/Makefile:1.6   Sat Sep  2 14:58:36 2017
+++ pkgsrc/misc/ruby-sprockets22/Makefile       Sat Sep  8 16:59:45 2018
@@ -1,12 +1,12 @@
-# $NetBSD: Makefile,v 1.6 2017/09/02 14:58:36 taca Exp $
+# $NetBSD: Makefile,v 1.7 2018/09/08 16:59:45 taca Exp $
 
 DISTNAME=      sprockets-2.2.3
 PKGNAME=       ${RUBY_PKGPREFIX}-${DISTNAME:S/sprockets/sprockets22/}
-PKGREVISION=   2
+PKGREVISION=   3
 CATEGORIES=    www
 
 MAINTAINER=    pkgsrc-users%NetBSD.org@localhost
-HOMEPAGE=      https://github.com/sstephenson/sprockets
+HOMEPAGE=      https://github.com/rails/sprockets
 COMMENT=       Rack-based asset packaging system
 LICENSE=       mit
 

Index: pkgsrc/misc/ruby-sprockets22/distinfo
diff -u pkgsrc/misc/ruby-sprockets22/distinfo:1.3 pkgsrc/misc/ruby-sprockets22/distinfo:1.4
--- pkgsrc/misc/ruby-sprockets22/distinfo:1.3   Tue Nov  3 23:49:51 2015
+++ pkgsrc/misc/ruby-sprockets22/distinfo       Sat Sep  8 16:59:45 2018
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.3 2015/11/03 23:49:51 agc Exp $
+$NetBSD: distinfo,v 1.4 2018/09/08 16:59:45 taca Exp $
 
 SHA1 (sprockets-2.2.3.gem) = c81e5cada0dfa45298678e57401819b13b7cb1ae
 RMD160 (sprockets-2.2.3.gem) = 83647cf6b27a3474127ea3c96bfb80865c5af39d
 SHA512 (sprockets-2.2.3.gem) = f4192aa296cdf5a92fd0b30e3184e1f8fda85fcdc91d6a60f309853599eea4d6cde780b930e2d2d34eeff66d5bd76b614cd24b70264c84234cf4ae9ab884ca51
 Size (sprockets-2.2.3.gem) = 37376 bytes
+SHA1 (patch-lib_sprockets_server.rb) = f3141893a9f2171a3692d8cbfa96339c9982c190

Added files:

Index: pkgsrc/misc/ruby-sprockets22/patches/patch-lib_sprockets_server.rb
diff -u /dev/null pkgsrc/misc/ruby-sprockets22/patches/patch-lib_sprockets_server.rb:1.1
--- /dev/null   Sat Sep  8 16:59:45 2018
+++ pkgsrc/misc/ruby-sprockets22/patches/patch-lib_sprockets_server.rb  Sat Sep  8 16:59:45 2018
@@ -0,0 +1,15 @@
+$NetBSD: patch-lib_sprockets_server.rb,v 1.1 2018/09/08 16:59:45 taca Exp $
+
+Try to avoid CVE-2018-3760.
+
+--- lib/sprockets/server.rb.orig       2018-06-20 01:37:23.885194827 +0000
++++ lib/sprockets/server.rb
+@@ -90,7 +90,7 @@ module Sprockets
+         #
+         #     http://example.org/assets/../../../etc/passwd
+         #
+-        path.include?("..") || Pathname.new(path).absolute?
++        path.include?("..") || Pathname.new(path).absolute? || path.include?("://")
+       end
+ 
+       # Returns a 403 Forbidden response tuple
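Review bot: the added `path.include?("://")` clause on the changed line is a literal substring test, like the `..` test next to it, so it only rejects what it is meant to reject if `path` has already been fully unescaped by the time this predicate runs. Nothing in the hunk shows that, and the header "Try to avoid CVE-2018-3760" leaves open whether percent-encoded forms of the separator are covered. Please state in the patch header where decoding happens relative to this check and which upstream change this line is taken from, so the next update can tell whether the patch is still needed. The comment block above the predicate also still gives only the `../../../etc/passwd` example; a line describing the scheme case would keep it in step with the code.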


