pkgsrc-Changes archive
CVS commit: pkgsrc/lang
Module Name: pkgsrc
Committed By: taca
Date: Sat Mar 23 14:47:13 UTC 2024
Modified Files:
pkgsrc/lang/ruby: rubyversion.mk
pkgsrc/lang/ruby32-base: Makefile distinfo
Added Files:
pkgsrc/lang/ruby32-base/patches: patch-lib_rdoc_store.rb
patch-lib_rdoc_version.rb
Log Message:
lang/ruby32-base: fix CVE-2024-27281
Update rdoc to 6.5.1.1 to fix CVE-2024-27281.
Bump PKGREVISION.
To generate a diff of this commit:
cvs rdiff -u -r1.273 -r1.274 pkgsrc/lang/ruby/rubyversion.mk
cvs rdiff -u -r1.7 -r1.8 pkgsrc/lang/ruby32-base/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/lang/ruby32-base/distinfo
cvs rdiff -u -r0 -r1.1 \
pkgsrc/lang/ruby32-base/patches/patch-lib_rdoc_store.rb \
pkgsrc/lang/ruby32-base/patches/patch-lib_rdoc_version.rb
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/lang/ruby/rubyversion.mk
diff -u pkgsrc/lang/ruby/rubyversion.mk:1.273 pkgsrc/lang/ruby/rubyversion.mk:1.274
--- pkgsrc/lang/ruby/rubyversion.mk:1.273 Sat Mar 23 14:28:48 2024
+++ pkgsrc/lang/ruby/rubyversion.mk Sat Mar 23 14:47:12 2024
@@ -1,4 +1,4 @@
-# $NetBSD: rubyversion.mk,v 1.273 2024/03/23 14:28:48 taca Exp $
+# $NetBSD: rubyversion.mk,v 1.274 2024/03/23 14:47:12 taca Exp $
#
# This file determines which Ruby version is used as a dependency for
@@ -414,7 +414,7 @@ RUBY_PRETTYPRINT_VER= 0.1.1
RUBY_PSTORE_VER= 0.1.2
RUBY_PSYCH_VER= 5.0.1
RUBY_RACC_VER= 1.6.2
-RUBY_RDOC_VER= 6.5.0
+RUBY_RDOC_VER= 6.5.1.1
RUBY_READLINE_VER= 0.0.3
RUBY_READLINE_EXT_VER= 0.1.5
RUBY_RELINE_VER= 0.3.2
Index: pkgsrc/lang/ruby32-base/Makefile
diff -u pkgsrc/lang/ruby32-base/Makefile:1.7 pkgsrc/lang/ruby32-base/Makefile:1.8
--- pkgsrc/lang/ruby32-base/Makefile:1.7 Sun Jan 21 08:35:39 2024
+++ pkgsrc/lang/ruby32-base/Makefile Sat Mar 23 14:47:12 2024
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.7 2024/01/21 08:35:39 taca Exp $
+# $NetBSD: Makefile,v 1.8 2024/03/23 14:47:12 taca Exp $
DISTNAME= ${RUBY_DISTNAME}
PKGNAME= ${RUBY_PKGPREFIX}-base-${RUBY_VERSION}
+PKGREVISION= 1
CATEGORIES= lang ruby
MASTER_SITES= ${MASTER_SITE_RUBY}
Index: pkgsrc/lang/ruby32-base/distinfo
diff -u pkgsrc/lang/ruby32-base/distinfo:1.6 pkgsrc/lang/ruby32-base/distinfo:1.7
--- pkgsrc/lang/ruby32-base/distinfo:1.6 Sun Jan 21 08:35:39 2024
+++ pkgsrc/lang/ruby32-base/distinfo Sat Mar 23 14:47:12 2024
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.6 2024/01/21 08:35:39 taca Exp $
+$NetBSD: distinfo,v 1.7 2024/03/23 14:47:12 taca Exp $
BLAKE2s (ruby-3.2.3.tar.xz) = 19e7b48f2d1790297e731bcc624e40f2fc6c0bca522f727d4b051f1eb790f256
SHA512 (ruby-3.2.3.tar.xz) = d2a1897c2f4e801a28acb869322abfee76775115016252cecad90639485ed51deda1446cb16edb387f10a2e188602d646ef9b008b57f27bd745071277c535f3b
@@ -9,6 +9,8 @@ SHA1 (patch-ext_openssl_openssl__missing
SHA1 (patch-include_ruby_internal_static__assert.h) = 7d5c3ae7ff674b9b34639924fcf08237164de9f8
SHA1 (patch-lib_mkmf.rb) = 4a3cd18548dbdf43a13695d4e76f817c0347e335
SHA1 (patch-lib_rdoc_encoding.rb) = 0e82d2942d9bfcb67dc7c994889d7bc5ec2ae85a
+SHA1 (patch-lib_rdoc_store.rb) = b72582d5e3a21fb7e87db8f2b743bc8fb09cf04d
+SHA1 (patch-lib_rdoc_version.rb) = 3f96abdf5fe2ef1f9a1d111eeba1394bf3ca12e8
SHA1 (patch-lib_rubygems.rb) = 060549c43b84f73c77432a72cdcf22941be4eb17
SHA1 (patch-lib_rubygems_commands_setup__command.rb) = 66c475a5308deb2ed5096b88cf65549732f87421
SHA1 (patch-lib_rubygems_config__file.rb) = 1da55a32d931f91321636401e94d89f78f9fa622
Added files:
Index: pkgsrc/lang/ruby32-base/patches/patch-lib_rdoc_store.rb
diff -u /dev/null pkgsrc/lang/ruby32-base/patches/patch-lib_rdoc_store.rb:1.1
--- /dev/null Sat Mar 23 14:47:13 2024
+++ pkgsrc/lang/ruby32-base/patches/patch-lib_rdoc_store.rb Sat Mar 23 14:47:13 2024
@@ -0,0 +1,84 @@
+$NetBSD: patch-lib_rdoc_store.rb,v 1.1 2024/03/23 14:47:13 taca Exp $
+
+Update rdoc to 6.5.1.1 to fix for CVE-2024-27281.
+
+--- lib/rdoc/store.rb.orig 2024-01-18 06:26:39.000000000 +0000
++++ lib/rdoc/store.rb
+@@ -556,9 +556,7 @@ class RDoc::Store
+ def load_cache
+ #orig_enc = @encoding
+
+- File.open cache_path, 'rb' do |io|
+- @cache = Marshal.load io
+- end
++ @cache = marshal_load(cache_path)
+
+ load_enc = @cache[:encoding]
+
+@@ -615,9 +613,7 @@ class RDoc::Store
+ def load_class_data klass_name
+ file = class_file klass_name
+
+- File.open file, 'rb' do |io|
+- Marshal.load io
+- end
++ marshal_load(file)
+ rescue Errno::ENOENT => e
+ error = MissingFileError.new(self, file, klass_name)
+ error.set_backtrace e.backtrace
+@@ -630,14 +626,10 @@ class RDoc::Store
+ def load_method klass_name, method_name
+ file = method_file klass_name, method_name
+
+- File.open file, 'rb' do |io|
+- obj = Marshal.load io
+- obj.store = self
+- obj.parent =
+- find_class_or_module(klass_name) || load_class(klass_name) unless
+- obj.parent
+- obj
+- end
++ obj = marshal_load(file)
++ obj.store = self
++ obj.parent ||= find_class_or_module(klass_name) || load_class(klass_name)
++ obj
+ rescue Errno::ENOENT => e
+ error = MissingFileError.new(self, file, klass_name + method_name)
+ error.set_backtrace e.backtrace
+@@ -650,11 +642,9 @@ class RDoc::Store
+ def load_page page_name
+ file = page_file page_name
+
+- File.open file, 'rb' do |io|
+- obj = Marshal.load io
+- obj.store = self
+- obj
+- end
++ obj = marshal_load(file)
++ obj.store = self
++ obj
+ rescue Errno::ENOENT => e
+ error = MissingFileError.new(self, file, page_name)
+ error.set_backtrace e.backtrace
+@@ -976,4 +966,21 @@ class RDoc::Store
+ @unique_modules
+ end
+
++ private
++ def marshal_load(file)
++ File.open(file, 'rb') {|io| Marshal.load(io, MarshalFilter)}
++ end
++
++ MarshalFilter = proc do |obj|
++ case obj
++ when true, false, nil, Array, Class, Encoding, Hash, Integer, String, Symbol, RDoc::Text
++ else
++ unless obj.class.name.start_with?("RDoc::")
++ raise TypeError, "not permitted class: #{obj.class.name}"
++ end
++ end
++ obj
++ end
++ private_constant :MarshalFilter
++
+ end
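Review bot: The `MarshalFilter` proc added in the last nested hunk (`@@ -976,4 +966,21 @@`) only sees each object after `Marshal.load` has already built it, since Ruby documents the proc argument as being called on each object as it is deserialized. It therefore narrows what an ri cache file may yield, but it should not be read as making untrusted ri data safe to load. The `else` branch also accepts any class whose name starts with `RDoc::`, which is a namespace-prefix check, not an explicit list of classes. Neither `marshal_load` nor `MarshalFilter` has a comment, so I would document the intent above the constant, for example `# Allowlist for Marshal.load: core value types plus RDoc:: classes; runs per object after it is loaded, so ri data must still come from a trusted location.` Because this patch file carries the upstream rdoc 6.5.1.1 change, any tightening of the code itself belongs upstream and not in the pkgsrc patch.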
Index: pkgsrc/lang/ruby32-base/patches/patch-lib_rdoc_version.rb
diff -u /dev/null pkgsrc/lang/ruby32-base/patches/patch-lib_rdoc_version.rb:1.1
--- /dev/null Sat Mar 23 14:47:13 2024
+++ pkgsrc/lang/ruby32-base/patches/patch-lib_rdoc_version.rb Sat Mar 23 14:47:13 2024
@@ -0,0 +1,14 @@
+$NetBSD: patch-lib_rdoc_version.rb,v 1.1 2024/03/23 14:47:13 taca Exp $
+
+Update rdoc to 6.5.1.1 to fix for CVE-2024-27281.
+
+--- lib/rdoc/version.rb.orig 2024-01-18 06:26:39.000000000 +0000
++++ lib/rdoc/version.rb
+@@ -5,6 +5,6 @@ module RDoc
+ ##
+ # RDoc version you are using
+
+- VERSION = '6.5.0'
++ VERSION = '6.5.1.1'
+
+ end