pkgsrc-Changes archive
CVS commit: pkgsrc/lang
Module Name: pkgsrc
Committed By: taca
Date: Wed May 6 05:15:35 UTC 2026
Modified Files:
pkgsrc/lang/ruby: rubyversion.mk
pkgsrc/lang/ruby34: Makefile distinfo
Added Files:
pkgsrc/lang/ruby34/patches: patch-lib_erb.rb patch-lib_erb_version.rb
patch-test_erb_test__erb.rb
Log Message:
lang/ruby34: update default gem erb to 4.0.4.1
Update default gem erb to 4.0.4.1 to fix the security problem CVE-2026-41316.
Bump PKGREVISION.
To generate a diff of this commit:
cvs rdiff -u -r1.320 -r1.321 pkgsrc/lang/ruby/rubyversion.mk
cvs rdiff -u -r1.7 -r1.8 pkgsrc/lang/ruby34/Makefile
cvs rdiff -u -r1.13 -r1.14 pkgsrc/lang/ruby34/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/lang/ruby34/patches/patch-lib_erb.rb \
pkgsrc/lang/ruby34/patches/patch-lib_erb_version.rb \
pkgsrc/lang/ruby34/patches/patch-test_erb_test__erb.rb
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/lang/ruby/rubyversion.mk
diff -u pkgsrc/lang/ruby/rubyversion.mk:1.320 pkgsrc/lang/ruby/rubyversion.mk:1.321
--- pkgsrc/lang/ruby/rubyversion.mk:1.320 Tue May 5 14:09:07 2026
+++ pkgsrc/lang/ruby/rubyversion.mk Wed May 6 05:15:35 2026
@@ -1,4 +1,4 @@
-# $NetBSD: rubyversion.mk,v 1.320 2026/05/05 14:09:07 taca Exp $
+# $NetBSD: rubyversion.mk,v 1.321 2026/05/06 05:15:35 taca Exp $
#
# This file determines which Ruby version is used as a dependency for
@@ -376,7 +376,7 @@ RUBY_CGI_VER= 0.4.2
RUBY_DELEGATE_VER= 0.4.0
RUBY_DID_YOU_MEAN_VER= 2.0.0
RUBY_ENGLISH_VER= 0.8.0
-RUBY_ERB_VER= 4.0.4
+RUBY_ERB_VER= 4.0.4.1
RUBY_ERROR_HIGHLIGHT_VER= 0.7.0
RUBY_FILEUTILS_VER= 1.7.3
RUBY_FIND_VER= 0.2.0
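Review bot: RUBY_ERB_VER= 4.0.4.1 now records a version that comes from local patches rather than from the distfile, since distinfo in this same commit still lists ruby-3.4.9.tar.xz with unchanged checksums. A one-line comment next to the variable, or in the ruby34 Makefile, saying that the value depends on patch-lib_erb.rb and patch-lib_erb_version.rb would make it clear that the patches must be dropped and this value re-checked at the next Ruby 3.4 update.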
Index: pkgsrc/lang/ruby34/Makefile
diff -u pkgsrc/lang/ruby34/Makefile:1.7 pkgsrc/lang/ruby34/Makefile:1.8
--- pkgsrc/lang/ruby34/Makefile:1.7 Sat Jul 26 06:17:00 2025
+++ pkgsrc/lang/ruby34/Makefile Wed May 6 05:15:35 2026
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.7 2025/07/26 06:17:00 taca Exp $
+# $NetBSD: Makefile,v 1.8 2026/05/06 05:15:35 taca Exp $
DISTNAME= ${RUBY_DISTNAME}
PKGNAME= ${RUBY_PKGPREFIX}-${RUBY_VERSION}
+PKGREVISION= 1
CATEGORIES= lang ruby
MASTER_SITES= ${MASTER_SITE_RUBY}
Index: pkgsrc/lang/ruby34/distinfo
diff -u pkgsrc/lang/ruby34/distinfo:1.13 pkgsrc/lang/ruby34/distinfo:1.14
--- pkgsrc/lang/ruby34/distinfo:1.13 Thu Mar 12 15:42:14 2026
+++ pkgsrc/lang/ruby34/distinfo Wed May 6 05:15:35 2026
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.13 2026/03/12 15:42:14 taca Exp $
+$NetBSD: distinfo,v 1.14 2026/05/06 05:15:35 taca Exp $
BLAKE2s (ruby-3.4.9.tar.xz) = 4d09a702b948a81f4f6c39458092ab68e67a99148fe669c0c1bd33dedccda38d
SHA512 (ruby-3.4.9.tar.xz) = 356fb47cc56f2d25198cb95253fc20ff7d9a6fd1fa53bc475e5c440012aebe27562537c399d271357235114ade263fd625029b66cb0f9b526f9c04f169fb9580
@@ -7,6 +7,8 @@ SHA1 (patch-common.mk) = c23eed58427b2fd
SHA1 (patch-configure) = ff1b1e659ddc7cb1d62a71e1447df55f1f7b07c2
SHA1 (patch-ext_openssl_openssl__missing.h) = 3f8d79736fd14806dfaf76e333eec63ff3ff5890
SHA1 (patch-include_ruby_internal_static__assert.h) = 7d5c3ae7ff674b9b34639924fcf08237164de9f8
+SHA1 (patch-lib_erb.rb) = d69a109f7b184154ac66dc13085fe9ba8c198dc5
+SHA1 (patch-lib_erb_version.rb) = a11a9115b4b39b03583c69cf23cd21cb39ddea1d
SHA1 (patch-lib_mkmf.rb) = ea66bc4e42d2b15edfcd8ceefa9b94d07a3cdd0f
SHA1 (patch-lib_rdoc_encoding.rb) = aea07b878cbf46ddfdc0364ca5adf3fda9311735
SHA1 (patch-lib_rubygems.rb) = 81af71ae9b0c3fef2ad1de88a542b3ece14b4519
@@ -17,6 +19,7 @@ SHA1 (patch-lib_rubygems_install__update
SHA1 (patch-lib_rubygems_installer.rb) = 4ef74b4f79837a929e81bcd0e7eba9061a442304
SHA1 (patch-lib_rubygems_platform.rb) = bde36a8fc1ba2fbf4d6fb8829bc116fb4d09b404
SHA1 (patch-lib_rubygems_specification.rb) = a3154185ef89fb33e699dd54b19a8e274f3275e0
+SHA1 (patch-test_erb_test__erb.rb) = 474f058da00906bd3cf80a3b3777292afb833ac5
SHA1 (patch-test_rubygems_test__gem.rb) = 32f7c7d7f8a024c045d78c2bce93944fc3113d04
SHA1 (patch-thread__pthread.c) = 7c1231933a2d6ce9d56891ab512371841697fbca
SHA1 (patch-tool_ifchange) = 1803bb6a1836e232dcabcf38f11c9881dbf726ea
Added files:
Index: pkgsrc/lang/ruby34/patches/patch-lib_erb.rb
diff -u /dev/null pkgsrc/lang/ruby34/patches/patch-lib_erb.rb:1.1
--- /dev/null Wed May 6 05:15:35 2026
+++ pkgsrc/lang/ruby34/patches/patch-lib_erb.rb Wed May 6 05:15:35 2026
@@ -0,0 +1,16 @@
+$NetBSD: patch-lib_erb.rb,v 1.1 2026/05/06 05:15:35 taca Exp $
+
+Update to erb 4.0.4.1 to fix CVE-2026-41316.
+
+--- lib/erb.rb.orig 2026-03-11 09:51:47.000000000 +0000
++++ lib/erb.rb
+@@ -463,6 +463,9 @@ class ERB
+ # erb.def_method(MyClass, 'render(arg1, arg2)', filename)
+ # print MyClass.new.render('foo', 123)
+ def def_method(mod, methodname, fname='(ERB)')
++ unless @_init.equal?(self.class.singleton_class)
++ raise ArgumentError, "not initialized"
++ end
+ src = self.src.sub(/^(?!#|$)/) {"def #{methodname}\n"} << "\nend\n"
+ mod.module_eval do
+ eval(src, binding, fname, -1)
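Review bot: The @_init guard at the top of def_method is the only code change in this patch, yet the accompanying test patch also expects def_module and def_class to raise ArgumentError, so the fix depends on both of those reaching def_method, which this hunk does not show. Please say so in the patch comment, and cite the upstream erb change these three lines were taken from; "Update to erb 4.0.4.1" alone does not let the next maintainer verify the backport. The placement itself is right: the context lines that follow build src from self.src and pass it to eval inside mod.module_eval, so an ERB object that did not go through initialize has to be rejected before that point.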
Index: pkgsrc/lang/ruby34/patches/patch-lib_erb_version.rb
diff -u /dev/null pkgsrc/lang/ruby34/patches/patch-lib_erb_version.rb:1.1
--- /dev/null Wed May 6 05:15:35 2026
+++ pkgsrc/lang/ruby34/patches/patch-lib_erb_version.rb Wed May 6 05:15:35 2026
@@ -0,0 +1,13 @@
+$NetBSD: patch-lib_erb_version.rb,v 1.1 2026/05/06 05:15:35 taca Exp $
+
+Update to erb 4.0.4.1 to fix CVE-2026-41316.
+
+--- lib/erb/version.rb.orig 2026-03-11 09:51:47.000000000 +0000
++++ lib/erb/version.rb
+@@ -1,5 +1,5 @@
+ # frozen_string_literal: true
+ class ERB
+- VERSION = '4.0.4'
++ VERSION = '4.0.4.1'
+ private_constant :VERSION
+ end
Index: pkgsrc/lang/ruby34/patches/patch-test_erb_test__erb.rb
diff -u /dev/null pkgsrc/lang/ruby34/patches/patch-test_erb_test__erb.rb:1.1
--- /dev/null Wed May 6 05:15:35 2026
+++ pkgsrc/lang/ruby34/patches/patch-test_erb_test__erb.rb Wed May 6 05:15:35 2026
@@ -0,0 +1,40 @@
+$NetBSD: patch-test_erb_test__erb.rb,v 1.1 2026/05/06 05:15:35 taca Exp $
+
+Update to erb 4.0.4.1 to fix CVE-2026-41316.
+
+--- test/erb/test_erb.rb.orig 2026-03-11 09:51:47.000000000 +0000
++++ test/erb/test_erb.rb
+@@ -714,6 +714,33 @@ EOS
+ assert_raise(ArgumentError) {erb.result}
+ end
+
++ def test_prohibited_marshal_load_def_method
++ erb = ERB.allocate
++ erb.instance_variable_set(:@src, "")
++ erb.instance_variable_set(:@lineno, 1)
++ erb.instance_variable_set(:@_init, true)
++ erb = Marshal.load(Marshal.dump(erb))
++ assert_raise(ArgumentError) {erb.def_method(Class.new, 'render')}
++ end
++
++ def test_prohibited_marshal_load_def_module
++ erb = ERB.allocate
++ erb.instance_variable_set(:@src, "")
++ erb.instance_variable_set(:@lineno, 1)
++ erb.instance_variable_set(:@_init, true)
++ erb = Marshal.load(Marshal.dump(erb))
++ assert_raise(ArgumentError) {erb.def_module}
++ end
++
++ def test_prohibited_marshal_load_def_class
++ erb = ERB.allocate
++ erb.instance_variable_set(:@src, "")
++ erb.instance_variable_set(:@lineno, 1)
++ erb.instance_variable_set(:@_init, true)
++ erb = Marshal.load(Marshal.dump(erb))
++ assert_raise(ArgumentError) {erb.def_class}
++ end
++
+ def test_multi_line_comment_lineno
+ erb = ERB.new(<<~EOS)
+ <%= __LINE__ %>
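Review bot: All three added tests set @_init to true before the Marshal.load(Marshal.dump(erb)) round trip, so they cover only an object carrying a forged marker value; none of them covers an instance from ERB.allocate with @_init left unset, and none is a positive case showing that an object built with ERB.new still passes def_method, def_module and def_class once the guard is in place. Adding those two cases would catch a guard that is too strict as well as one that is too loose. The five setup lines are also repeated verbatim in each test and could move into a small helper.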