pkgsrc-Changes archive
CVS commit: pkgsrc/lang
Module Name: pkgsrc
Committed By: taca
Date: Sat Mar 23 15:15:52 UTC 2024
Modified Files:
pkgsrc/lang/ruby: rubyversion.mk
pkgsrc/lang/ruby33: Makefile distinfo
Added Files:
pkgsrc/lang/ruby33/patches: patch-lib_rdoc_store.rb
patch-lib_rdoc_version.rb
Log Message:
lang/ruby33: fix CVE-2024-27281
Update rdoc to 6.6.3.1 to fix CVE-2024-27281.
Bump PKGREVISION.
To generate a diff of this commit:
cvs rdiff -u -r1.274 -r1.275 pkgsrc/lang/ruby/rubyversion.mk
cvs rdiff -u -r1.1 -r1.2 pkgsrc/lang/ruby33/Makefile \
pkgsrc/lang/ruby33/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/lang/ruby33/patches/patch-lib_rdoc_store.rb \
pkgsrc/lang/ruby33/patches/patch-lib_rdoc_version.rb
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/lang/ruby/rubyversion.mk
diff -u pkgsrc/lang/ruby/rubyversion.mk:1.274 pkgsrc/lang/ruby/rubyversion.mk:1.275
--- pkgsrc/lang/ruby/rubyversion.mk:1.274 Sat Mar 23 14:47:12 2024
+++ pkgsrc/lang/ruby/rubyversion.mk Sat Mar 23 15:15:51 2024
@@ -1,4 +1,4 @@
-# $NetBSD: rubyversion.mk,v 1.274 2024/03/23 14:47:12 taca Exp $
+# $NetBSD: rubyversion.mk,v 1.275 2024/03/23 15:15:51 taca Exp $
#
# This file determines which Ruby version is used as a dependency for
@@ -510,7 +510,7 @@ RUBY_PRETTYPRINT_VER= 0.2.0
RUBY_PRISM_VER= 0.19.0
RUBY_PSTORE_VER= 0.1.3
RUBY_PSYCH_VER= 5.1.2
-RUBY_RDOC_VER= 6.6.2
+RUBY_RDOC_VER= 6.6.3.1
RUBY_READLINE_VER= 0.0.4
RUBY_RELINE_VER= 0.4.1
RUBY_RESOLV_REPLACE_VER= 0.1.1
Index: pkgsrc/lang/ruby33/Makefile
diff -u pkgsrc/lang/ruby33/Makefile:1.1 pkgsrc/lang/ruby33/Makefile:1.2
--- pkgsrc/lang/ruby33/Makefile:1.1 Sun Jan 21 08:22:02 2024
+++ pkgsrc/lang/ruby33/Makefile Sat Mar 23 15:15:51 2024
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.1 2024/01/21 08:22:02 taca Exp $
+# $NetBSD: Makefile,v 1.2 2024/03/23 15:15:51 taca Exp $
DISTNAME= ${RUBY_DISTNAME}
PKGNAME= ${RUBY_PKGPREFIX}-${RUBY_VERSION:S/-rc/rc/}
+PKGREVISION= 1
CATEGORIES= lang ruby
MASTER_SITES= ${MASTER_SITE_RUBY}
Index: pkgsrc/lang/ruby33/distinfo
diff -u pkgsrc/lang/ruby33/distinfo:1.1 pkgsrc/lang/ruby33/distinfo:1.2
--- pkgsrc/lang/ruby33/distinfo:1.1 Sun Jan 21 08:22:02 2024
+++ pkgsrc/lang/ruby33/distinfo Sat Mar 23 15:15:51 2024
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.1 2024/01/21 08:22:02 taca Exp $
+$NetBSD: distinfo,v 1.2 2024/03/23 15:15:51 taca Exp $
BLAKE2s (ruby-3.3.0.tar.xz) = f68ac92dc254a1c77470384018622c6918dd4bdd1c082a3c1af64470aaccac86
SHA512 (ruby-3.3.0.tar.xz) = 7959c5753bfa0bfc4d6d74060869aabbe9815c1c97930659da11b917ee0803ddbbd80e869e00c48b8694b4ba48709c3b6493fd045568e36e902616c35ababf01
@@ -9,6 +9,8 @@ SHA1 (patch-ext_openssl_openssl__missing
SHA1 (patch-include_ruby_internal_static__assert.h) = 7d5c3ae7ff674b9b34639924fcf08237164de9f8
SHA1 (patch-lib_mkmf.rb) = 4a3cd18548dbdf43a13695d4e76f817c0347e335
SHA1 (patch-lib_rdoc_encoding.rb) = 0e82d2942d9bfcb67dc7c994889d7bc5ec2ae85a
+SHA1 (patch-lib_rdoc_store.rb) = e78f64b6cf2e8bb9c2015fad1312dca85a437413
+SHA1 (patch-lib_rdoc_version.rb) = 83e4886aad411f14ead218bfa31793c23e78b797
SHA1 (patch-lib_rubygems.rb) = 81af71ae9b0c3fef2ad1de88a542b3ece14b4519
SHA1 (patch-lib_rubygems_commands_setup__command.rb) = 66c475a5308deb2ed5096b88cf65549732f87421
SHA1 (patch-lib_rubygems_config__file.rb) = 735d8e543c17c8ca4cd15a96fea865b603535603
Added files:
Index: pkgsrc/lang/ruby33/patches/patch-lib_rdoc_store.rb
diff -u /dev/null pkgsrc/lang/ruby33/patches/patch-lib_rdoc_store.rb:1.1
--- /dev/null Sat Mar 23 15:15:52 2024
+++ pkgsrc/lang/ruby33/patches/patch-lib_rdoc_store.rb Sat Mar 23 15:15:51 2024
@@ -0,0 +1,84 @@
+$NetBSD: patch-lib_rdoc_store.rb,v 1.1 2024/03/23 15:15:51 taca Exp $
+
+Update rdoc to 6.6.3.1 to fix for CVE-2024-27281.
+
+--- lib/rdoc/store.rb.orig 2023-12-25 05:59:38.000000000 +0000
++++ lib/rdoc/store.rb
+@@ -559,9 +559,7 @@ class RDoc::Store
+ def load_cache
+ #orig_enc = @encoding
+
+- File.open cache_path, 'rb' do |io|
+- @cache = Marshal.load io
+- end
++ @cache = marshal_load(cache_path)
+
+ load_enc = @cache[:encoding]
+
+@@ -618,9 +616,7 @@ class RDoc::Store
+ def load_class_data klass_name
+ file = class_file klass_name
+
+- File.open file, 'rb' do |io|
+- Marshal.load io
+- end
++ marshal_load(file)
+ rescue Errno::ENOENT => e
+ error = MissingFileError.new(self, file, klass_name)
+ error.set_backtrace e.backtrace
+@@ -633,14 +629,10 @@ class RDoc::Store
+ def load_method klass_name, method_name
+ file = method_file klass_name, method_name
+
+- File.open file, 'rb' do |io|
+- obj = Marshal.load io
+- obj.store = self
+- obj.parent =
+- find_class_or_module(klass_name) || load_class(klass_name) unless
+- obj.parent
+- obj
+- end
++ obj = marshal_load(file)
++ obj.store = self
++ obj.parent ||= find_class_or_module(klass_name) || load_class(klass_name)
++ obj
+ rescue Errno::ENOENT => e
+ error = MissingFileError.new(self, file, klass_name + method_name)
+ error.set_backtrace e.backtrace
+@@ -653,11 +645,9 @@ class RDoc::Store
+ def load_page page_name
+ file = page_file page_name
+
+- File.open file, 'rb' do |io|
+- obj = Marshal.load io
+- obj.store = self
+- obj
+- end
++ obj = marshal_load(file)
++ obj.store = self
++ obj
+ rescue Errno::ENOENT => e
+ error = MissingFileError.new(self, file, page_name)
+ error.set_backtrace e.backtrace
+@@ -979,4 +969,21 @@ class RDoc::Store
+ @unique_modules
+ end
+
++ private
++ def marshal_load(file)
++ File.open(file, 'rb') {|io| Marshal.load(io, MarshalFilter)}
++ end
++
++ MarshalFilter = proc do |obj|
++ case obj
++ when true, false, nil, Array, Class, Encoding, Hash, Integer, String, Symbol, RDoc::Text
++ else
++ unless obj.class.name.start_with?("RDoc::")
++ raise TypeError, "not permitted class: #{obj.class.name}"
++ end
++ end
++ obj
++ end
++ private_constant :MarshalFilter
++
+ end
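Review bot: The allowlist in `MarshalFilter` is a name-prefix test, `obj.class.name.start_with?("RDoc::")`, so it admits every class under the RDoc namespace rather than only the types a store cache is expected to contain. As far as Ruby's documentation describes it, the proc given to `Marshal.load` is also called with each object after that object has been deserialized, so the filter rejects late rather than preventing construction. I would state that limit where the constant is defined, for example `# Post-load allowlist only; the store's cache files must still come from a trusted location.` The pkgsrc patch header could also name the upstream rdoc release these hunks were taken from, which would make it clear when the patch can be dropped. `class RDoc::Store` and most of the patched methods begin or end outside the hunks shown.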
Index: pkgsrc/lang/ruby33/patches/patch-lib_rdoc_version.rb
diff -u /dev/null pkgsrc/lang/ruby33/patches/patch-lib_rdoc_version.rb:1.1
--- /dev/null Sat Mar 23 15:15:52 2024
+++ pkgsrc/lang/ruby33/patches/patch-lib_rdoc_version.rb Sat Mar 23 15:15:51 2024
@@ -0,0 +1,14 @@
+$NetBSD: patch-lib_rdoc_version.rb,v 1.1 2024/03/23 15:15:51 taca Exp $
+
+Update rdoc to 6.6.3.1 to fix for CVE-2024-27281.
+
+--- lib/rdoc/version.rb.orig 2023-12-25 05:59:38.000000000 +0000
++++ lib/rdoc/version.rb
+@@ -5,6 +5,6 @@ module RDoc
+ ##
+ # RDoc version you are using
+
+- VERSION = '6.6.2'
++ VERSION = '6.6.3.1'
+
+ end