pkgsrc-Changes archive


CVS commit: pkgsrc/lang



Module Name:    pkgsrc
Committed By:   taca
Date:           Wed May  6 05:28:23 UTC 2026

Modified Files:
        pkgsrc/lang/ruby: rubyversion.mk
        pkgsrc/lang/ruby33: Makefile distinfo
Added Files:
        pkgsrc/lang/ruby33/patches: patch-lib_erb.rb patch-lib_erb_version.rb
            patch-test_erb_test__erb.rb

Log Message:
lang/ruby33: update default gem erb to 4.0.3.1

Update the default gem erb to 4.0.3.1 to fix the security problem tracked as CVE-2026-41316.

Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.321 -r1.322 pkgsrc/lang/ruby/rubyversion.mk
cvs rdiff -u -r1.10 -r1.11 pkgsrc/lang/ruby33/Makefile
cvs rdiff -u -r1.16 -r1.17 pkgsrc/lang/ruby33/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/lang/ruby33/patches/patch-lib_erb.rb \
    pkgsrc/lang/ruby33/patches/patch-lib_erb_version.rb \
    pkgsrc/lang/ruby33/patches/patch-test_erb_test__erb.rb

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/ruby/rubyversion.mk
diff -u pkgsrc/lang/ruby/rubyversion.mk:1.321 pkgsrc/lang/ruby/rubyversion.mk:1.322
--- pkgsrc/lang/ruby/rubyversion.mk:1.321       Wed May  6 05:15:35 2026
+++ pkgsrc/lang/ruby/rubyversion.mk     Wed May  6 05:28:22 2026
@@ -1,4 +1,4 @@
-# $NetBSD: rubyversion.mk,v 1.321 2026/05/06 05:15:35 taca Exp $
+# $NetBSD: rubyversion.mk,v 1.322 2026/05/06 05:28:22 taca Exp $
 #
 
 # This file determines which Ruby version is used as a dependency for
@@ -286,7 +286,7 @@ RUBY_DID_YOU_MEAN_VER=              1.6.3
 RUBY_DIGEST_VER=               3.1.1
 RUBY_DRB_VER=                  2.2.0
 RUBY_ENGLISH_VER=              0.8.0
-RUBY_ERB_VER=                  4.0.3
+RUBY_ERB_VER=                  4.0.3.1
 RUBY_ERROR_HIGHLIGHT_VER=      0.6.0
 RUBY_ETC_VER=                  1.4.3
 RUBY_FCNTL_VER=                        1.1.0

Index: pkgsrc/lang/ruby33/Makefile
diff -u pkgsrc/lang/ruby33/Makefile:1.10 pkgsrc/lang/ruby33/Makefile:1.11
--- pkgsrc/lang/ruby33/Makefile:1.10    Thu Mar 26 14:05:17 2026
+++ pkgsrc/lang/ruby33/Makefile Wed May  6 05:28:22 2026
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.10 2026/03/26 14:05:17 taca Exp $
+# $NetBSD: Makefile,v 1.11 2026/05/06 05:28:22 taca Exp $
 
 DISTNAME=      ${RUBY_DISTNAME}
 PKGNAME=       ${RUBY_PKGPREFIX}-${RUBY_VERSION}
+PKGREVISION=   1
 CATEGORIES=    lang ruby
 MASTER_SITES=  ${MASTER_SITE_RUBY}
 

Index: pkgsrc/lang/ruby33/distinfo
diff -u pkgsrc/lang/ruby33/distinfo:1.16 pkgsrc/lang/ruby33/distinfo:1.17
--- pkgsrc/lang/ruby33/distinfo:1.16    Fri Mar 27 10:38:43 2026
+++ pkgsrc/lang/ruby33/distinfo Wed May  6 05:28:22 2026
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.16 2026/03/27 10:38:43 kikadf Exp $
+$NetBSD: distinfo,v 1.17 2026/05/06 05:28:22 taca Exp $
 
 BLAKE2s (ruby-3.3.11.tar.xz) = 2a6996052aae975b7e3aa34849ae11efdb7fdbf8594c9f6cb9e7f0338c361c21
 SHA512 (ruby-3.3.11.tar.xz) = 1f8eb206a90121015b294dada7ea61ebd136e7e7dbb1c4bb7df21b85f359a2e733f438153bf07c57815a963e4ef3f766081fd4226caa6547f4c263b33ed7726e
@@ -7,6 +7,8 @@ SHA1 (patch-common.mk) = c23eed58427b2fd
 SHA1 (patch-configure) = 031792cb999e3624236f8afc3363492b437e35d7
 SHA1 (patch-ext_openssl_openssl__missing.h) = 3f8d79736fd14806dfaf76e333eec63ff3ff5890
 SHA1 (patch-include_ruby_internal_static__assert.h) = 7d5c3ae7ff674b9b34639924fcf08237164de9f8
+SHA1 (patch-lib_erb.rb) = f28a0318017b90409e71d4b80e0c2fd7faec07ae
+SHA1 (patch-lib_erb_version.rb) = 6704dceeb27d582c648fdaa3988ae3ea69607ffb
 SHA1 (patch-lib_mkmf.rb) = 4a3cd18548dbdf43a13695d4e76f817c0347e335
 SHA1 (patch-lib_rdoc_encoding.rb) = 0e82d2942d9bfcb67dc7c994889d7bc5ec2ae85a
 SHA1 (patch-lib_rubygems.rb) = 81af71ae9b0c3fef2ad1de88a542b3ece14b4519
@@ -16,6 +18,7 @@ SHA1 (patch-lib_rubygems_dependency__ins
 SHA1 (patch-lib_rubygems_install__update__options.rb) = 0cd0816e1cd7c84c1dab1e091787c4dc38d28273
 SHA1 (patch-lib_rubygems_installer.rb) = 4ef74b4f79837a929e81bcd0e7eba9061a442304
 SHA1 (patch-lib_rubygems_platform.rb) = bde36a8fc1ba2fbf4d6fb8829bc116fb4d09b404
+SHA1 (patch-test_erb_test__erb.rb) = 4acc8a98f7051b05e2c7d0859068f2ca75bdbc20
 SHA1 (patch-test_rubygems_test__gem.rb) = 32f7c7d7f8a024c045d78c2bce93944fc3113d04
 SHA1 (patch-thread__pthread.c) = 7c1231933a2d6ce9d56891ab512371841697fbca
 SHA1 (patch-tool_ifchange) = 1814cd41f0b0a93b181799cb117bd1f57068cf33

Added files:

Index: pkgsrc/lang/ruby33/patches/patch-lib_erb.rb
diff -u /dev/null pkgsrc/lang/ruby33/patches/patch-lib_erb.rb:1.1
--- /dev/null   Wed May  6 05:28:23 2026
+++ pkgsrc/lang/ruby33/patches/patch-lib_erb.rb Wed May  6 05:28:23 2026
@@ -0,0 +1,16 @@
+$NetBSD: patch-lib_erb.rb,v 1.1 2026/05/06 05:28:23 taca Exp $
+
+Update to erb 4.0.3.1 to fix CVE-2026-41316.
+
+--- lib/erb.rb.orig    2026-03-26 00:05:04.000000000 +0000
++++ lib/erb.rb
+@@ -463,6 +463,9 @@ class ERB
+   #   erb.def_method(MyClass, 'render(arg1, arg2)', filename)
+   #   print MyClass.new.render('foo', 123)
+   def def_method(mod, methodname, fname='(ERB)')
++    unless @_init.equal?(self.class.singleton_class)
++      raise ArgumentError, "not initialized"
++    end
+     src = self.src.sub(/^(?!#|$)/) {"def #{methodname}\n"} << "\nend\n"
+     mod.module_eval do
+       eval(src, binding, fname, -1)
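Review bot: The guard added at the top of `def_method` carries no comment, and its message `"not initialized"` does not tell a maintainer that it is a security check standing in front of the `eval(src, binding, fname, -1)` a few lines below. Judging by the tests added in this commit, the case it rejects is an ERB object rebuilt by `Marshal.load`, so I would add a comment such as `# Refuse objects not set up through the normal constructor (e.g. rebuilt by Marshal.load): src is eval'd below.` above the `unless`. The context line in the test patch shows `erb.result` already raising `ArgumentError`, so the same condition presumably exists elsewhere in lib/erb.rb and could live in one private helper. For a pkgsrc backport, though, staying identical to upstream 4.0.3.1 is the better trade. The body of `def_method` continues past the end of this hunk.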
Index: pkgsrc/lang/ruby33/patches/patch-lib_erb_version.rb
diff -u /dev/null pkgsrc/lang/ruby33/patches/patch-lib_erb_version.rb:1.1
--- /dev/null   Wed May  6 05:28:23 2026
+++ pkgsrc/lang/ruby33/patches/patch-lib_erb_version.rb Wed May  6 05:28:23 2026
@@ -0,0 +1,13 @@
+$NetBSD: patch-lib_erb_version.rb,v 1.1 2026/05/06 05:28:23 taca Exp $
+
+Update to erb 4.0.3.1 to fix CVE-2026-41316.
+
+--- lib/erb/version.rb.orig    2026-03-26 00:05:04.000000000 +0000
++++ lib/erb/version.rb
+@@ -1,5 +1,5 @@
+ # frozen_string_literal: true
+ class ERB
+-  VERSION = '4.0.3'
++  VERSION = '4.0.3.1'
+   private_constant :VERSION
+ end
Index: pkgsrc/lang/ruby33/patches/patch-test_erb_test__erb.rb
diff -u /dev/null pkgsrc/lang/ruby33/patches/patch-test_erb_test__erb.rb:1.1
--- /dev/null   Wed May  6 05:28:23 2026
+++ pkgsrc/lang/ruby33/patches/patch-test_erb_test__erb.rb      Wed May  6 05:28:23 2026
@@ -0,0 +1,40 @@
+$NetBSD: patch-test_erb_test__erb.rb,v 1.1 2026/05/06 05:28:23 taca Exp $
+
+Update to erb 4.0.3.1 to fix CVE-2026-41316.
+
+--- test/erb/test_erb.rb.orig  2026-03-26 00:05:04.000000000 +0000
++++ test/erb/test_erb.rb
+@@ -714,6 +714,33 @@ EOS
+     assert_raise(ArgumentError) {erb.result}
+   end
+ 
++  def test_prohibited_marshal_load_def_method
++    erb = ERB.allocate
++    erb.instance_variable_set(:@src, "")
++    erb.instance_variable_set(:@lineno, 1)
++    erb.instance_variable_set(:@_init, true)
++    erb = Marshal.load(Marshal.dump(erb))
++    assert_raise(ArgumentError) {erb.def_method(Class.new, 'render')}
++  end
++
++  def test_prohibited_marshal_load_def_module
++    erb = ERB.allocate
++    erb.instance_variable_set(:@src, "")
++    erb.instance_variable_set(:@lineno, 1)
++    erb.instance_variable_set(:@_init, true)
++    erb = Marshal.load(Marshal.dump(erb))
++    assert_raise(ArgumentError) {erb.def_module}
++  end
++
++  def test_prohibited_marshal_load_def_class
++    erb = ERB.allocate
++    erb.instance_variable_set(:@src, "")
++    erb.instance_variable_set(:@lineno, 1)
++    erb.instance_variable_set(:@_init, true)
++    erb = Marshal.load(Marshal.dump(erb))
++    assert_raise(ArgumentError) {erb.def_class}
++  end
++
+   def test_multi_line_comment_lineno
+     erb = ERB.new(<<~EOS)
+       <%= __LINE__ %>
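Review bot: The tests for `def_module` and `def_class` only pass if those methods reach the new guard in `def_method`, since the lib/erb.rb patch in this commit changes `def_method` alone. That delegation is not visible here and is worth confirming against the 3.3.11 source. The `Marshal.load(Marshal.dump(erb))` round trip is also not what makes these tests raise: `@_init` is set to `true` beforehand and would already fail the `equal?(self.class.singleton_class)` comparison. A comment such as `# true stands in for any @_init value that can survive serialisation` would make the intent clear. The five setup lines are repeated verbatim in all three tests and could move into one small private helper that returns the round-tripped object, with each test keeping only its `assert_raise` line.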


