cpet/openbsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Security fixes for CVE-2008-1891, CVE-2008-2662, CVE-2008-2663,

Browse Source 
CVE-2008-2664, CVE-2008-2725 and CVE-2008-2726.

More info: http://secunia.com/advisories/29794/

with help from jcs@
tested by msf@, jcs@
This commit is contained in:
bernd 2008-07-21 09:40:42 +00:00
parent a21d22d462
commit 0d61615f79
9 changed files with 450 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lang/ruby/Makefile
View File

@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.60 2008/07/04 19:57:06 naddy Exp $
# $OpenBSD: Makefile,v 1.61 2008/07/21 09:40:42 bernd Exp $
SHARED_ONLY= Yes
@ -11,7 +11,7 @@ VERSION= 1.8.6
PATCHLEVEL= 114
DISTNAME= ruby-${VERSION}-p${PATCHLEVEL}
SHARED_LIBS= ruby 1.86
PKGNAME-main= ruby-${VERSION}.${PATCHLEVEL}p0
PKGNAME-main= ruby-${VERSION}.${PATCHLEVEL}p1
PKGNAME-iconv= ruby-iconv-${VERSION}.${PATCHLEVEL}p0
PKGNAME-gdbm= ruby-gdbm-${VERSION}.${PATCHLEVEL}p0
PKGNAME-tk= ruby-tk-${VERSION}.${PATCHLEVEL}p0

80
lang/ruby/patches/patch-array_c Normal file
View File

@ -0,0 +1,80 @@
$OpenBSD: patch-array_c,v 1.1 2008/07/21 09:40:42 bernd Exp $
Fixes multiple security vulnerabilities.
http://secunia.com/advisories/29794/
Patch against ruby-1.8.6p114 from:
http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt
and
https://launchpad.net/ubuntu/+source/ruby1.8
1.8.6-p229 and 1.8.7-p21 will break rails applications.
--- array.c.orig Fri Sep 7 09:46:40 2007
+++ array.c Tue Jul 1 20:47:08 2008
@@ -20,6 +20,7 @@ VALUE rb_cArray;
static ID id_cmp;
#define ARY_DEFAULT_SIZE 16
+#define ARY_MAX_SIZE (LONG_MAX / sizeof(VALUE))
void
rb_mem_clear(mem, size)
@@ -120,7 +121,7 @@ ary_new(klass, len)
if (len < 0) {
rb_raise(rb_eArgError, "negative array size (or size too big)");
}
- if (len > 0 && len * sizeof(VALUE) <= len) {
+ if (len > ARY_MAX_SIZE) {
rb_raise(rb_eArgError, "array size too big");
}
if (len == 0) len++;
@@ -293,7 +294,7 @@ rb_ary_initialize(argc, argv, ary)
if (len < 0) {
rb_raise(rb_eArgError, "negative array size");
}
- if (len > 0 && len * (long)sizeof(VALUE) <= len) {
+ if (len > ARY_MAX_SIZE) {
rb_raise(rb_eArgError, "array size too big");
}
if (len > RARRAY(ary)->aux.capa) {
@@ -359,6 +360,10 @@ rb_ary_store(ary, idx, val)
}
}
+ if (idx >= ARY_MAX_SIZE) {
+ rb_raise(rb_eIndexError, "index %ld too big", idx);
+ }
+
rb_ary_modify(ary);
if (idx >= RARRAY(ary)->aux.capa) {
long new_capa = RARRAY(ary)->aux.capa / 2;
@@ -366,6 +371,9 @@ rb_ary_store(ary, idx, val)
if (new_capa < ARY_DEFAULT_SIZE) {
new_capa = ARY_DEFAULT_SIZE;
}
+ if (new_capa >= ARY_MAX_SIZE - idx) {
+ new_capa = (ARY_MAX_SIZE - idx) / 2;
+ }
new_capa += idx;
if (new_capa * (long)sizeof(VALUE) <= new_capa) {
rb_raise(rb_eArgError, "index too big");
@@ -975,6 +983,9 @@ rb_ary_splice(ary, beg, len, rpl)
rb_ary_modify(ary);
if (beg >= RARRAY(ary)->len) {
+ if (beg > ARY_MAX_SIZE - rlen) {
+ rb_raise(rb_eIndexError, "index %ld too big", beg);
+ }
len = beg + rlen;
if (len >= RARRAY(ary)->aux.capa) {
REALLOC_N(RARRAY(ary)->ptr, VALUE, len);
@@ -2378,7 +2389,7 @@ rb_ary_times(ary, times)
if (len < 0) {
rb_raise(rb_eArgError, "negative argument");
}
- if (LONG_MAX/len < RARRAY(ary)->len) {
+ if (ARY_MAX_SIZE/len < RARRAY(ary)->len) {
rb_raise(rb_eArgError, "argument too big");
}
len *= RARRAY(ary)->len;

66
lang/ruby/patches/patch-bignum_c Normal file
View File

@ -0,0 +1,66 @@
$OpenBSD: patch-bignum_c,v 1.1 2008/07/21 09:40:42 bernd Exp $
Fixes multiple security vulnerabilities.
http://secunia.com/advisories/29794/
Patch against ruby-1.8.6p114 from:
http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt
and
https://launchpad.net/ubuntu/+source/ruby1.8
1.8.6-p229 and 1.8.7-p21 will break rails applications.
--- bignum.c.orig Wed Sep 19 04:13:21 2007
+++ bignum.c Tue Jul 1 20:47:08 2008
@@ -36,8 +36,22 @@ VALUE rb_cBignum;
#define BIGLO(x) ((BDIGIT)((x) & (BIGRAD-1)))
#define BDIGMAX ((BDIGIT)-1)
-#define BIGZEROP(x) (RBIGNUM(x)->len == 0 || (RBIGNUM(x)->len == 1 && BDIGITS(x)[0] == 0))
+#define BIGZEROP(x) (RBIGNUM(x)->len == 0 || \
+ (BDIGITS(x)[0] == 0 && \
+ (RBIGNUM(x)->len == 1 || bigzero_p(x))))
+static int bigzero_p(VALUE);
+static int
+bigzero_p(x)
+ VALUE x;
+{
+ long i;
+ for (i = 0; i < RBIGNUM(x)->len; ++i) {
+ if (BDIGITS(x)[i]) return 0;
+ }
+ return 1;
+}
+
static VALUE
bignew_1(klass, len, sign)
VALUE klass;
@@ -446,7 +460,7 @@ rb_cstr_to_inum(str, base, badcheck)
}
if (*str == '0') { /* squeeze preceeding 0s */
while (*++str == '0');
- if (!*str) --str;
+ if (!(c = *str) || ISSPACE(c)) --str;
}
c = *str;
c = conv_digit(c);
@@ -652,6 +666,9 @@ rb_big2str0(x, base, trim)
if (BIGZEROP(x)) {
return rb_str_new2("0");
}
+ if (i >= LONG_MAX/SIZEOF_BDIGITS/CHAR_BIT) {
+ rb_raise(rb_eRangeError, "bignum too big to convert into `string'");
+ }
j = SIZEOF_BDIGITS*CHAR_BIT*i;
switch (base) {
case 2: break;
@@ -706,7 +723,7 @@ rb_big2str0(x, base, trim)
while (k--) {
s[--j] = ruby_digitmap[num % base];
num /= base;
- if (!trim && j < 1) break;
+ if (!trim && j <= 1) break;
if (trim && i == 0 && num == 0) break;
}
}

51
lang/ruby/patches/patch-eval_c Normal file
View File

@ -0,0 +1,51 @@
$OpenBSD: patch-eval_c,v 1.1 2008/07/21 09:40:42 bernd Exp $
Fixes multiple security vulnerabilities.
http://secunia.com/advisories/29794/
Patch against ruby-1.8.6p114 from:
http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt
1.8.6-p229 and 1.8.7-p21 will break rails applications.
and
https://launchpad.net/ubuntu/+source/ruby1.8
--- eval.c.orig Sun Sep 23 02:01:50 2007
+++ eval.c Tue Jul 1 20:47:08 2008
@@ -8332,16 +8332,25 @@ proc_clone(self)
* MISSING: documentation
*/
+#define PROC_TSHIFT (FL_USHIFT+1)
+#define PROC_TMASK (FL_USER1|FL_USER2|FL_USER3)
+#define PROC_TMAX (PROC_TMASK >> PROC_TSHIFT)
+
+static int proc_get_safe_level(VALUE);
+
static VALUE
proc_dup(self)
VALUE self;
{
struct BLOCK *orig, *data;
VALUE bind;
+ int safe = proc_get_safe_level(self);
Data_Get_Struct(self, struct BLOCK, orig);
bind = Data_Make_Struct(rb_obj_class(self),struct BLOCK,blk_mark,blk_free,data);
blk_dup(data, orig);
+ if (safe > PROC_TMAX) safe = PROC_TMAX;
+ FL_SET(bind, (safe << PROC_TSHIFT) & PROC_TMASK);
return bind;
}
@@ -8402,10 +8411,6 @@ rb_f_binding(self)
return bind;
}
-
-#define PROC_TSHIFT (FL_USHIFT+1)
-#define PROC_TMASK (FL_USER1|FL_USER2|FL_USER3)
-#define PROC_TMAX (PROC_TMASK >> PROC_TSHIFT)
#define SAFE_LEVEL_MAX PROC_TMASK

22
lang/ruby/patches/patch-intern_h Normal file
View File

@ -0,0 +1,22 @@
$OpenBSD: patch-intern_h,v 1.1 2008/07/21 09:40:42 bernd Exp $
Fixes multiple security vulnerabilities.
http://secunia.com/advisories/29794/
Patch against ruby-1.8.6p114 from:
http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt
and
https://launchpad.net/ubuntu/+source/ruby1.8
1.8.6-p229 and 1.8.7-p21 will break rails applications.
--- intern.h.orig Wed Aug 22 04:41:24 2007
+++ intern.h Tue Jul 1 20:47:08 2008
@@ -400,6 +400,7 @@ const char *ruby_signal_name _((int));
void ruby_default_signal _((int));
/* sprintf.c */
VALUE rb_f_sprintf _((int, VALUE*));
+VALUE rb_str_format _((int, VALUE*, VALUE));
/* string.c */
VALUE rb_str_new _((const char*, long));
VALUE rb_str_new2 _((const char*));

34
lang/ruby/patches/patch-io_c Normal file
View File

@ -0,0 +1,34 @@
$OpenBSD: patch-io_c,v 1.1 2008/07/21 09:40:42 bernd Exp $
Fixes multiple security vulnerabilities.
http://secunia.com/advisories/29794/
Patch against ruby-1.8.6p114 from:
http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt
and
https://launchpad.net/ubuntu/+source/ruby1.8
1.8.6-p229 and 1.8.7-p21 will break rails applications.
--- io.c.orig Tue May 22 18:28:10 2007
+++ io.c Tue Jul 1 20:47:08 2008
@@ -4851,8 +4851,9 @@ rb_f_select(argc, argv, obj)
#if !defined(MSDOS) && !defined(__human68k__)
static int
io_cntl(fd, cmd, narg, io_p)
- int fd, cmd, io_p;
+ int fd, io_p;
long narg;
+ unsigned long cmd;
{
int retval;
@@ -4882,7 +4883,7 @@ rb_io_ctl(io, req, arg, io_p)
int io_p;
{
#if !defined(MSDOS) && !defined(__human68k__)
- int cmd = NUM2ULONG(req);
+ unsigned long cmd = NUM2ULONG(req);
OpenFile *fptr;
long len = 0;
long narg = 0;

40
lang/ruby/patches/patch-sprintf_c Normal file
View File

@ -0,0 +1,40 @@
$OpenBSD: patch-sprintf_c,v 1.1 2008/07/21 09:40:42 bernd Exp $
Fixes multiple security vulnerabilities.
http://secunia.com/advisories/29794/
Patch against ruby-1.8.6p114 from:
http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt
and
https://launchpad.net/ubuntu/+source/ruby1.8
1.8.6-p229 and 1.8.7-p21 will break rails applications.
--- sprintf.c.orig Wed Aug 22 04:53:31 2007
+++ sprintf.c Tue Jul 1 20:47:08 2008
@@ -247,7 +247,15 @@ rb_f_sprintf(argc, argv)
int argc;
VALUE *argv;
{
+ return rb_str_format(argc - 1, argv + 1, GETNTHARG(0));
+}
+
+VALUE
+rb_str_format(argc, argv, fmt)
+ int argc;
+ VALUE *argv;
VALUE fmt;
+{
const char *p, *end;
char *buf;
int blen, bsiz;
@@ -276,7 +284,8 @@ rb_f_sprintf(argc, argv)
rb_raise(rb_eArgError, "flag after precision"); \
}
- fmt = GETNTHARG(0);
+ ++argc;
+ --argv;
if (OBJ_TAINTED(fmt)) tainted = 1;
StringValue(fmt);
fmt = rb_str_new4(fmt);

153
lang/ruby/patches/patch-string_c Normal file
View File

@ -0,0 +1,153 @@
$OpenBSD: patch-string_c,v 1.1 2008/07/21 09:40:42 bernd Exp $
Fixes multiple security vulnerabilities.
http://secunia.com/advisories/29794/
Patch against ruby-1.8.6p114 from:
http://blog.phusion.nl/assets/r8ee-security-patch-20080623-2.txt
and
https://launchpad.net/ubuntu/+source/ruby1.8
1.8.6-p229 and 1.8.7-p21 will break rails applications.
--- string.c.orig Fri Sep 7 02:40:27 2007
+++ string.c Tue Jul 15 19:05:01 2008
@@ -452,22 +452,15 @@ rb_str_times(str, times)
*/
static VALUE
-rb_str_format(str, arg)
+rb_str_format_m(str, arg)
VALUE str, arg;
{
- VALUE *argv;
+ VALUE tmp = rb_check_array_type(arg);
- if (TYPE(arg) == T_ARRAY) {
- argv = ALLOCA_N(VALUE, RARRAY(arg)->len + 1);
- argv[0] = str;
- MEMCPY(argv+1, RARRAY(arg)->ptr, VALUE, RARRAY(arg)->len);
- return rb_f_sprintf(RARRAY(arg)->len+1, argv);
+ if (!NIL_P(tmp)) {
+ return rb_str_format(RARRAY_LEN(tmp), RARRAY_PTR(tmp), str);
}
-
- argv = ALLOCA_N(VALUE, 2);
- argv[0] = str;
- argv[1] = arg;
- return rb_f_sprintf(2, argv);
+ return rb_str_format(1, &arg, str);
}
static int
@@ -694,19 +687,19 @@ rb_str_resize(str, len)
return str;
}
-VALUE
-rb_str_buf_cat(str, ptr, len)
+static VALUE
+str_buf_cat(str, ptr, len)
VALUE str;
const char *ptr;
long len;
{
- long capa, total;
+ long capa, total, off = -1;;
- if (len == 0) return str;
- if (len < 0) {
- rb_raise(rb_eArgError, "negative string size (or size too big)");
- }
rb_str_modify(str);
+ if (ptr >= RSTRING(str)->ptr && ptr <= RSTRING(str)->ptr + RSTRING(str)->len) {
+ off = ptr - RSTRING(str)->ptr;
+ }
+ if (len == 0) return 0;
if (FL_TEST(str, STR_ASSOC)) {
FL_UNSET(str, STR_ASSOC);
capa = RSTRING(str)->aux.capa = RSTRING(str)->len;
@@ -714,13 +707,23 @@ rb_str_buf_cat(str, ptr, len)
else {
capa = RSTRING(str)->aux.capa;
}
+ if (RSTRING(str)->len >= LONG_MAX - len) {
+ rb_raise(rb_eArgError, "string sizes too big");
+ }
total = RSTRING(str)->len+len;
if (capa <= total) {
while (total > capa) {
+ if (capa + 1 >= LONG_MAX / 2) {
+ capa = total;
+ break;
+ }
capa = (capa + 1) * 2;
}
RESIZE_CAPA(str, capa);
}
+ if (off != -1) {
+ ptr = RSTRING(str)->ptr + off;
+ }
memcpy(RSTRING(str)->ptr + RSTRING(str)->len, ptr, len);
RSTRING(str)->len = total;
RSTRING(str)->ptr[total] = '\0'; /* sentinel */
@@ -729,6 +732,19 @@ rb_str_buf_cat(str, ptr, len)
}
VALUE
+rb_str_buf_cat(str, ptr, len)
+ VALUE str;
+ const char *ptr;
+ long len;
+{
+ if (len == 0) return str;
+ if (len < 0) {
+ rb_raise(rb_eArgError, "negative string size (or size too big)");
+ }
+ return str_buf_cat(str, ptr, len);
+}
+
+VALUE
rb_str_buf_cat2(str, ptr)
VALUE str;
const char *ptr;
@@ -769,29 +785,8 @@ VALUE
rb_str_buf_append(str, str2)
VALUE str, str2;
{
- long capa, len;
-
- rb_str_modify(str);
- if (FL_TEST(str, STR_ASSOC)) {
- FL_UNSET(str, STR_ASSOC);
- capa = RSTRING(str)->aux.capa = RSTRING(str)->len;
- }
- else {
- capa = RSTRING(str)->aux.capa;
- }
- len = RSTRING(str)->len+RSTRING(str2)->len;
- if (capa <= len) {
- while (len > capa) {
- capa = (capa + 1) * 2;
- }
- RESIZE_CAPA(str, capa);
- }
- memcpy(RSTRING(str)->ptr + RSTRING(str)->len,
- RSTRING(str2)->ptr, RSTRING(str2)->len);
- RSTRING(str)->len += RSTRING(str2)->len;
- RSTRING(str)->ptr[RSTRING(str)->len] = '\0'; /* sentinel */
+ str_buf_cat(str, RSTRING(str2)->ptr, RSTRING(str2)->len);
OBJ_INFECT(str, str2);
-
return str;
}
@@ -4657,7 +4652,7 @@ Init_String()
rb_define_method(rb_cString, "casecmp", rb_str_casecmp, 1);
rb_define_method(rb_cString, "+", rb_str_plus, 1);
rb_define_method(rb_cString, "*", rb_str_times, 1);
- rb_define_method(rb_cString, "%", rb_str_format, 1);
+ rb_define_method(rb_cString, "%", rb_str_format_m, 1);
rb_define_method(rb_cString, "[]", rb_str_aref_m, -1);
rb_define_method(rb_cString, "[]=", rb_str_aset_m, -1);
rb_define_method(rb_cString, "insert", rb_str_insert, 2);

6
lang/ruby/pkg/PLIST-main
View File

@ -1,10 +1,10 @@
@comment $OpenBSD: PLIST-main,v 1.3 2008/03/29 12:05:27 bernd Exp $
@comment $OpenBSD: PLIST-main,v 1.4 2008/07/21 09:40:42 bernd Exp $
@pkgpath lang/ruby
bin/erb
bin/irb
bin/rdoc
bin/ri
bin/ruby
@bin bin/ruby
bin/testrb
lib/libruby-static.a
lib/libruby.so
@ -861,7 +861,6 @@ share/ri/${REV}/system/Bignum/to_s-i.yaml
share/ri/${REV}/system/Binding/
share/ri/${REV}/system/Binding/cdesc-Binding.yaml
share/ri/${REV}/system/Binding/clone-i.yaml
share/ri/${REV}/system/Binding/dup-i.yaml
share/ri/${REV}/system/CGI/
share/ri/${REV}/system/CGI/Cookie/
share/ri/${REV}/system/CGI/Cookie/cdesc-Cookie.yaml
@ -4124,7 +4123,6 @@ share/ri/${REV}/system/Proc/binding-i.yaml
share/ri/${REV}/system/Proc/call-i.yaml
share/ri/${REV}/system/Proc/cdesc-Proc.yaml
share/ri/${REV}/system/Proc/clone-i.yaml
share/ri/${REV}/system/Proc/dup-i.yaml
share/ri/${REV}/system/Proc/new-c.yaml
share/ri/${REV}/system/Proc/to_proc-i.yaml
share/ri/${REV}/system/Proc/to_s-i.yaml