

CVS commit: pkgsrc/lang



Module Name:    pkgsrc
Committed By:   taca
Date:           Thu Jun 29 15:42:07 UTC 2023

Modified Files:
        pkgsrc/lang/ruby: rubyversion.mk
        pkgsrc/lang/ruby32-base: Makefile distinfo
Added Files:
        pkgsrc/lang/ruby32-base/patches: patch-lib_uri_rfc2396__parser.rb
            patch-lib_uri_rfc3986__parser.rb patch-lib_uri_version.rb

Log Message:
lang/ruby32-base: update bundled gem uri to 0.12.2

Fix CVE-2023-36617: ReDoS vulnerability in URI.

Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.267 -r1.268 pkgsrc/lang/ruby/rubyversion.mk
cvs rdiff -u -r1.2 -r1.3 pkgsrc/lang/ruby32-base/Makefile
cvs rdiff -u -r1.4 -r1.5 pkgsrc/lang/ruby32-base/distinfo
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/lang/ruby32-base/patches/patch-lib_uri_rfc2396__parser.rb \
    pkgsrc/lang/ruby32-base/patches/patch-lib_uri_rfc3986__parser.rb \
    pkgsrc/lang/ruby32-base/patches/patch-lib_uri_version.rb

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/ruby/rubyversion.mk
diff -u pkgsrc/lang/ruby/rubyversion.mk:1.267 pkgsrc/lang/ruby/rubyversion.mk:1.268
--- pkgsrc/lang/ruby/rubyversion.mk:1.267       Thu Jun 29 15:39:12 2023
+++ pkgsrc/lang/ruby/rubyversion.mk     Thu Jun 29 15:42:07 2023
@@ -1,4 +1,4 @@
-# $NetBSD: rubyversion.mk,v 1.267 2023/06/29 15:39:12 taca Exp $
+# $NetBSD: rubyversion.mk,v 1.268 2023/06/29 15:42:07 taca Exp $
 #
 
 # This file determines which Ruby version is used as a dependency for
@@ -531,7 +531,7 @@ RUBY_TIMEOUT_VER=           0.3.1
 RUBY_TMPDIR_VER=               0.1.3
 RUBY_TSORT_VER=                        0.1.1
 RUBY_UN_VER=                   0.2.1
-RUBY_URI_VER=                  0.12.1
+RUBY_URI_VER=                  0.12.2
 RUBY_WEAKREF_VER=              0.1.2
 RUBY_YAML_VER=                 0.2.1
 RUBY_ZLIB_VER=                 3.0.0

Index: pkgsrc/lang/ruby32-base/Makefile
diff -u pkgsrc/lang/ruby32-base/Makefile:1.2 pkgsrc/lang/ruby32-base/Makefile:1.3
--- pkgsrc/lang/ruby32-base/Makefile:1.2        Tue May 30 15:54:36 2023
+++ pkgsrc/lang/ruby32-base/Makefile    Thu Jun 29 15:42:07 2023
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.2 2023/05/30 15:54:36 taca Exp $
+# $NetBSD: Makefile,v 1.3 2023/06/29 15:42:07 taca Exp $
 
 DISTNAME=      ${RUBY_DISTNAME}
 PKGNAME=       ${RUBY_PKGPREFIX}-base-${RUBY_VERSION}
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    lang ruby
 MASTER_SITES=  ${MASTER_SITE_RUBY}
 

Index: pkgsrc/lang/ruby32-base/distinfo
diff -u pkgsrc/lang/ruby32-base/distinfo:1.4 pkgsrc/lang/ruby32-base/distinfo:1.5
--- pkgsrc/lang/ruby32-base/distinfo:1.4        Sat Apr  1 09:26:57 2023
+++ pkgsrc/lang/ruby32-base/distinfo    Thu Jun 29 15:42:07 2023
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.4 2023/04/01 09:26:57 taca Exp $
+$NetBSD: distinfo,v 1.5 2023/06/29 15:42:07 taca Exp $
 
 BLAKE2s (ruby-3.2.2.tar.xz) = 880e96fbdec90238299174d0abb7be507f04b8036386d70b61769d339bb2b609
 SHA512 (ruby-3.2.2.tar.xz) = a29f24cd80f563f6368952d06d6273f7241a409fa9ab2f60e03dde2ac58ca06bee1750715b6134caebf4c061d3503446dc37a6059e19860bb0010eef34951935
@@ -16,6 +16,9 @@ SHA1 (patch-lib_rubygems_dependency__ins
 SHA1 (patch-lib_rubygems_install__update__options.rb) = 0cd0816e1cd7c84c1dab1e091787c4dc38d28273
 SHA1 (patch-lib_rubygems_installer.rb) = 1c94047a24362b3597dac7ea156982a09cb93234
 SHA1 (patch-lib_rubygems_platform.rb) = 58094b26520623f258ecf035084f4aa7226e9686
+SHA1 (patch-lib_uri_rfc2396__parser.rb) = f078cf329b50e157366225fffcb7d390c91edff7
+SHA1 (patch-lib_uri_rfc3986__parser.rb) = 2d50b1bdea0252ac92f81bb080b423de289a65bb
+SHA1 (patch-lib_uri_version.rb) = 3f8384570199b67f625a71d7f211c1d8dabde1e2
 SHA1 (patch-test_rubygems_test__gem.rb) = 32f7c7d7f8a024c045d78c2bce93944fc3113d04
 SHA1 (patch-thread__pthread.c) = 7c1231933a2d6ce9d56891ab512371841697fbca
 SHA1 (patch-tool_ifchange) = 1814cd41f0b0a93b181799cb117bd1f57068cf33

Added files:

Index: pkgsrc/lang/ruby32-base/patches/patch-lib_uri_rfc2396__parser.rb
diff -u /dev/null pkgsrc/lang/ruby32-base/patches/patch-lib_uri_rfc2396__parser.rb:1.1
--- /dev/null   Thu Jun 29 15:42:08 2023
+++ pkgsrc/lang/ruby32-base/patches/patch-lib_uri_rfc2396__parser.rb    Thu Jun 29 15:42:07 2023
@@ -0,0 +1,17 @@
+$NetBSD: patch-lib_uri_rfc2396__parser.rb,v 1.1 2023/06/29 15:42:07 taca Exp $
+
+Fix for CVE-2023-36617 updating uri to 0.12.2.
+
+--- lib/uri/rfc2396_parser.rb.orig     2023-03-30 11:06:29.000000000 +0000
++++ lib/uri/rfc2396_parser.rb
+@@ -497,8 +497,8 @@ module URI
+       ret = {}
+ 
+       # for URI::split
+-      ret[:ABS_URI] = Regexp.new('\A\s*' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
+-      ret[:REL_URI] = Regexp.new('\A\s*' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
++      ret[:ABS_URI] = Regexp.new('\A\s*+' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
++      ret[:REL_URI] = Regexp.new('\A\s*+' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
+ 
+       # for URI::extract
+       ret[:URI_REF]     = Regexp.new(pattern[:URI_REF])
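Review bot: The patch header names the CVE and the target gem version but does not say what the one-character change does, so a maintainer comparing this against a later upstream release has to work out that `\s*+` is Onigmo's possessive quantifier, which stops the engine backtracking into the leading whitespace run before `pattern[:X_ABS_URI]` / `pattern[:X_REL_URI]`. I would add a sentence after the CVE line such as `Make the leading whitespace match possessive (\s*+) so the regex engine cannot backtrack into it; the rest of the pattern is unchanged.` The trailing `\s*\z` is left as-is, which appears consistent with upstream scoping the change to the leading run, but saying so in the header saves the next reader from wondering whether it was missed. The same applies to patch-lib_uri_rfc3986__parser.rb, where the PORT regex gets the identical `*+` change on its leading whitespace class; an upstream reference for the 0.12.2 change (release or commit, UPSTREAM-REF-PLACEHOLDER) in both headers would also make it clear when the patches can be dropped.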
Index: pkgsrc/lang/ruby32-base/patches/patch-lib_uri_rfc3986__parser.rb
diff -u /dev/null pkgsrc/lang/ruby32-base/patches/patch-lib_uri_rfc3986__parser.rb:1.1
--- /dev/null   Thu Jun 29 15:42:08 2023
+++ pkgsrc/lang/ruby32-base/patches/patch-lib_uri_rfc3986__parser.rb    Thu Jun 29 15:42:07 2023
@@ -0,0 +1,15 @@
+$NetBSD: patch-lib_uri_rfc3986__parser.rb,v 1.1 2023/06/29 15:42:07 taca Exp $
+
+Fix for CVE-2023-36617 updating uri to 0.12.2.
+
+--- lib/uri/rfc3986_parser.rb.orig     2023-03-30 11:06:29.000000000 +0000
++++ lib/uri/rfc3986_parser.rb
+@@ -100,7 +100,7 @@ module URI
+         QUERY: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
+         FRAGMENT: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
+         OPAQUE: /\A(?:[^\/].*)?\z/,
+-        PORT: /\A[\x09\x0a\x0c\x0d ]*\d*[\x09\x0a\x0c\x0d ]*\z/,
++        PORT: /\A[\x09\x0a\x0c\x0d ]*+\d*[\x09\x0a\x0c\x0d ]*\z/,
+       }
+     end
+ 
Index: pkgsrc/lang/ruby32-base/patches/patch-lib_uri_version.rb
diff -u /dev/null pkgsrc/lang/ruby32-base/patches/patch-lib_uri_version.rb:1.1
--- /dev/null   Thu Jun 29 15:42:08 2023
+++ pkgsrc/lang/ruby32-base/patches/patch-lib_uri_version.rb    Thu Jun 29 15:42:07 2023
@@ -0,0 +1,14 @@
+$NetBSD: patch-lib_uri_version.rb,v 1.1 2023/06/29 15:42:07 taca Exp $
+
+Fix for CVE-2023-36617 updating uri to 0.12.2.
+
+--- lib/uri/version.rb.orig    2023-03-30 11:06:29.000000000 +0000
++++ lib/uri/version.rb
+@@ -1,6 +1,6 @@
+ module URI
+   # :stopdoc:
+-  VERSION_CODE = '001201'.freeze
++  VERSION_CODE = '001202'.freeze
+   VERSION = VERSION_CODE.scan(/../).collect{|n| n.to_i}.join('.').freeze
+   # :startdoc:
+ end


