diff --git a/.gitignore b/.gitignore index f5e8415..010a570 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/ruby-2.3.1.tar.xz +SOURCES/ruby-2.3.6.tar.xz diff --git a/.rh-ruby23-ruby.metadata b/.rh-ruby23-ruby.metadata index 4d8c3f6..4a76360 100644 --- a/.rh-ruby23-ruby.metadata +++ b/.rh-ruby23-ruby.metadata @@ -1 +1 @@ -83499c14c674cf2d88e495031434a94c06330879 SOURCES/ruby-2.3.1.tar.xz +55e97913180a313f161d2e4e541dd904a477c31d SOURCES/ruby-2.3.6.tar.xz diff --git a/SOURCES/ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch b/SOURCES/ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch index 75eb363..7c7488f 100644 --- a/SOURCES/ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch +++ b/SOURCES/ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch @@ -39,7 +39,7 @@ diff --git a/configure.in b/configure.in index 0e371e2..d4f1dcb 100644 --- a/configure.in +++ b/configure.in -@@ -4374,6 +4374,13 @@ AC_SUBST(rubyarchhdrdir)dnl +@@ -4404,6 +4404,13 @@ AC_SUBST(rubyarchhdrdir)dnl AC_SUBST(sitearchhdrdir)dnl AC_SUBST(vendorarchhdrdir)dnl diff --git a/SOURCES/ruby-2.1.0-Enable-configuration-of-archlibdir.patch b/SOURCES/ruby-2.1.0-Enable-configuration-of-archlibdir.patch index 43fa7f6..ef18d8a 100644 --- a/SOURCES/ruby-2.1.0-Enable-configuration-of-archlibdir.patch +++ b/SOURCES/ruby-2.1.0-Enable-configuration-of-archlibdir.patch @@ -11,7 +11,7 @@ diff --git a/configure.in b/configure.in index 37d9a62..553d4d0 100644 --- a/configure.in +++ b/configure.in -@@ -3632,6 +3632,11 @@ if test ${multiarch+set}; then +@@ -3668,6 +3668,11 @@ if test ${multiarch+set}; then fi archlibdir='${libdir}/${arch}' diff --git a/SOURCES/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch b/SOURCES/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch index eb34107..339f563 100644 --- a/SOURCES/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch +++ b/SOURCES/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch @@ -14,7 +14,7 @@ diff --git a/configure.in b/configure.in index db37cd6..ce8d149 100644 --- a/configure.in +++ b/configure.in -@@ -4228,7 +4228,8 @@ AS_CASE(["$ruby_version_dir_name"], +@@ -4258,7 +4258,8 @@ AS_CASE(["$ruby_version_dir_name"], ruby_version_dir=/'${ruby_version_dir_name}' if test -z "${ruby_version_dir_name}"; then diff --git a/SOURCES/ruby-2.1.0-always-use-i386.patch b/SOURCES/ruby-2.1.0-always-use-i386.patch index 9d78b05..23242b2 100644 --- a/SOURCES/ruby-2.1.0-always-use-i386.patch +++ b/SOURCES/ruby-2.1.0-always-use-i386.patch @@ -11,7 +11,7 @@ diff --git a/configure.in b/configure.in index 553d4d0..03a4152 100644 --- a/configure.in +++ b/configure.in -@@ -4292,6 +4292,8 @@ AC_SUBST(vendorarchdir)dnl +@@ -4322,6 +4322,8 @@ AC_SUBST(vendorarchdir)dnl AC_SUBST(CONFIGURE, "`echo $0 | sed 's|.*/||'`")dnl AC_SUBST(configure_args, "`echo "${ac_configure_args}" | sed 's/\\$/$$/g'`")dnl diff --git a/SOURCES/ruby-2.1.0-custom-rubygems-location.patch b/SOURCES/ruby-2.1.0-custom-rubygems-location.patch index e82f172..eb51ec2 100644 --- a/SOURCES/ruby-2.1.0-custom-rubygems-location.patch +++ b/SOURCES/ruby-2.1.0-custom-rubygems-location.patch @@ -15,7 +15,7 @@ diff --git a/configure.in b/configure.in index 03a4152..0e371e2 100644 --- a/configure.in +++ b/configure.in -@@ -4264,6 +4264,10 @@ AC_ARG_WITH(vendorarchdir, +@@ -4294,6 +4294,10 @@ AC_ARG_WITH(vendorarchdir, [vendorarchdir=$withval], [vendorarchdir=${multiarch+'${rubysitearchprefix}/vendor_ruby'${ruby_version_dir}}${multiarch-'${vendorlibdir}/${sitearch}'}]) @@ -26,7 +26,7 @@ index 03a4152..0e371e2 100644 if test "${LOAD_RELATIVE+set}"; then AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE) RUBY_EXEC_PREFIX='' -@@ -4288,6 +4292,7 @@ AC_SUBST(sitearchdir)dnl +@@ -4318,6 +4322,7 @@ AC_SUBST(sitearchdir)dnl AC_SUBST(vendordir)dnl AC_SUBST(vendorlibdir)dnl AC_SUBST(vendorarchdir)dnl diff --git a/SOURCES/ruby-2.3.0-ruby_version.patch b/SOURCES/ruby-2.3.0-ruby_version.patch index cdd016c..71c9139 100644 --- a/SOURCES/ruby-2.3.0-ruby_version.patch +++ b/SOURCES/ruby-2.3.0-ruby_version.patch @@ -20,7 +20,7 @@ diff --git a/configure.in b/configure.in index db37cd6..6e73fae 100644 --- a/configure.in +++ b/configure.in -@@ -4177,9 +4177,6 @@ AS_CASE(["$target_os"], +@@ -4207,9 +4207,6 @@ AS_CASE(["$target_os"], rubyw_install_name='$(RUBYW_INSTALL_NAME)' ]) @@ -30,7 +30,7 @@ index db37cd6..6e73fae 100644 rubyarchprefix=${multiarch+'${archlibdir}/${RUBY_BASE_NAME}'}${multiarch-'${rubylibprefix}/${arch}'} AC_ARG_WITH(rubyarchprefix, AS_HELP_STRING([--with-rubyarchprefix=DIR], -@@ -4202,58 +4199,64 @@ AC_ARG_WITH(ridir, +@@ -4232,58 +4129,64 @@ AC_ARG_WITH(ridir, AC_SUBST(ridir) AC_SUBST(RI_BASE_NAME) @@ -124,7 +124,7 @@ index db37cd6..6e73fae 100644 if test "${LOAD_RELATIVE+set}"; then AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE) -@@ -4270,6 +4273,7 @@ AC_SUBST(sitearchincludedir)dnl +@@ -4300,6 +4303,7 @@ AC_SUBST(sitearchincludedir)dnl AC_SUBST(arch)dnl AC_SUBST(sitearch)dnl AC_SUBST(ruby_version)dnl @@ -249,7 +249,7 @@ diff --git a/test/rubygems/test_gem.rb b/test/rubygems/test_gem.rb index 0428bea..b6e090e 100644 --- a/test/rubygems/test_gem.rb +++ b/test/rubygems/test_gem.rb -@@ -963,7 +963,8 @@ def test_self_use_paths +@@ -962,7 +962,8 @@ def test_self_use_paths def test_self_user_dir parts = [@userhome, '.gem', Gem.ruby_engine] @@ -259,7 +259,7 @@ index 0428bea..b6e090e 100644 assert_equal File.join(parts), Gem.user_dir end -@@ -1090,7 +1091,7 @@ def test_self_user_home_user_drive_and_path +@@ -1089,7 +1090,7 @@ def test_self_user_home_user_drive_and_path def test_self_vendor_dir expected = File.join RbConfig::CONFIG['vendordir'], 'gems', diff --git a/SOURCES/ruby-2.4.0-no_proxy-with-whitespaces-and-leading-dots.patch b/SOURCES/ruby-2.4.0-no_proxy-with-whitespaces-and-leading-dots.patch index fb91f9a..c063bc4 100644 --- a/SOURCES/ruby-2.4.0-no_proxy-with-whitespaces-and-leading-dots.patch +++ b/SOURCES/ruby-2.4.0-no_proxy-with-whitespaces-and-leading-dots.patch @@ -34,9 +34,9 @@ index 2945679..44116e0 100644 + for a leading dot in the domain name in no_proxy. + [ruby-core:54542] [Feature #8317] + - Tue Apr 26 02:58:51 2016 Marcus Stollsteimer + Thu Dec 14 23:53:41 2017 NAKAMURA Usaku - * doc/extension.rdoc: Improvements to english grammers. + * test/net/ftp/test_ftp.rb (process_port_or_eprt): merge a part of diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb index aba54c1..f2a2d56 100644 --- a/lib/uri/generic.rb @@ -54,7 +54,7 @@ diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb index fcfe1f9..ad189fc 100644 --- a/test/uri/test_generic.rb +++ b/test/uri/test_generic.rb -@@ -819,6 +819,14 @@ def test_find_proxy +@@ -828,6 +828,14 @@ def test_find_proxy assert_equal(URI('http://127.0.0.1:8080'), URI("http://192.0.2.1/").find_proxy) assert_nil(URI("http://192.0.2.2/").find_proxy) } diff --git a/SOURCES/ruby-2.5.0-Disable-Tokyo-TZ-tests.patch b/SOURCES/ruby-2.5.0-Disable-Tokyo-TZ-tests.patch new file mode 100644 index 0000000..01632eb --- /dev/null +++ b/SOURCES/ruby-2.5.0-Disable-Tokyo-TZ-tests.patch @@ -0,0 +1,30 @@ +diff --git a/test/ruby/test_time_tz.rb b/test/ruby/test_time_tz.rb +index 20a57fe7dd..5b9e5a8bde 100644 +--- a/test/ruby/test_time_tz.rb ++++ b/test/ruby/test_time_tz.rb +@@ -126,8 +126,8 @@ def test_asia_singapore + + def test_asia_tokyo + with_tz(tz="Asia/Tokyo") { +- assert_time_constructor(tz, "1951-05-06 03:00:00 +1000", :local, [1951,5,6,2,0,0]) +- assert_time_constructor(tz, "1951-05-06 03:59:59 +1000", :local, [1951,5,6,2,59,59]) ++# assert_time_constructor(tz, "1951-05-06 03:00:00 +1000", :local, [1951,5,6,2,0,0]) ++# assert_time_constructor(tz, "1951-05-06 03:59:59 +1000", :local, [1951,5,6,2,59,59]) + assert_time_constructor(tz, "2010-06-10 06:13:28 +0900", :local, [2010,6,10,6,13,28]) + } + end +@@ -329,10 +329,10 @@ def self.gen_zdump_test(data) + Asia/Singapore Sun Aug 8 16:30:00 1965 UTC = Mon Aug 9 00:00:00 1965 SGT isdst=0 gmtoff=27000 + Asia/Singapore Thu Dec 31 16:29:59 1981 UTC = Thu Dec 31 23:59:59 1981 SGT isdst=0 gmtoff=27000 + Asia/Singapore Thu Dec 31 16:30:00 1981 UTC = Fri Jan 1 00:30:00 1982 SGT isdst=0 gmtoff=28800 +-Asia/Tokyo Sat May 5 16:59:59 1951 UTC = Sun May 6 01:59:59 1951 JST isdst=0 gmtoff=32400 +-Asia/Tokyo Sat May 5 17:00:00 1951 UTC = Sun May 6 03:00:00 1951 JDT isdst=1 gmtoff=36000 +-Asia/Tokyo Fri Sep 7 15:59:59 1951 UTC = Sat Sep 8 01:59:59 1951 JDT isdst=1 gmtoff=36000 +-Asia/Tokyo Fri Sep 7 16:00:00 1951 UTC = Sat Sep 8 01:00:00 1951 JST isdst=0 gmtoff=32400 ++#Asia/Tokyo Sat May 5 16:59:59 1951 UTC = Sun May 6 01:59:59 1951 JST isdst=0 gmtoff=32400 ++#Asia/Tokyo Sat May 5 17:00:00 1951 UTC = Sun May 6 03:00:00 1951 JDT isdst=1 gmtoff=36000 ++#Asia/Tokyo Fri Sep 7 15:59:59 1951 UTC = Sat Sep 8 01:59:59 1951 JDT isdst=1 gmtoff=36000 ++#Asia/Tokyo Fri Sep 7 16:00:00 1951 UTC = Sat Sep 8 01:00:00 1951 JST isdst=0 gmtoff=32400 + America/St_Johns Sun Mar 11 03:30:59 2007 UTC = Sun Mar 11 00:00:59 2007 NST isdst=0 gmtoff=-12600 + America/St_Johns Sun Mar 11 03:31:00 2007 UTC = Sun Mar 11 01:01:00 2007 NDT isdst=1 gmtoff=-9000 + America/St_Johns Sun Nov 4 02:30:59 2007 UTC = Sun Nov 4 00:00:59 2007 NDT isdst=1 gmtoff=-9000 diff --git a/SOURCES/ruby-2.5.0-Fixed-command-Injection.patch b/SOURCES/ruby-2.5.0-Fixed-command-Injection.patch new file mode 100644 index 0000000..dce1a2f --- /dev/null +++ b/SOURCES/ruby-2.5.0-Fixed-command-Injection.patch @@ -0,0 +1,156 @@ +From ba0d5f7a6df6ba5545c3ce0b09e107e10d082d49 Mon Sep 17 00:00:00 2001 +From: nobu +Date: Wed, 20 Dec 2017 04:18:31 +0000 +Subject: [PATCH 1/3] Fixed command Injection + +* resolv.rb (Resolv::Hosts#lazy_initialize): fixed potential + command Injection in Hosts::new() by use of Kernel#open. + [Fix GH-1777] [ruby-core:84347] [Bug #14205] + +From: Drigg3r + +git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@61349 b2dd03c8-39d4-4d8f-98ff-823fe69b080e +--- + lib/resolv.rb | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/resolv.rb b/lib/resolv.rb +index 1044b95e68..56183b837d 100644 +--- a/lib/resolv.rb ++++ b/lib/resolv.rb +@@ -189,7 +189,7 @@ def lazy_initialize # :nodoc: + unless @initialized + @name2addr = {} + @addr2name = {} +- open(@filename, 'rb') {|f| ++ File.open(@filename, 'rb') {|f| + f.each {|line| + line.sub!(/#.*/, '') + addr, hostname, *aliases = line.split(/\s+/) +-- +2.15.1 + + +From 0b6213635018ef73567388c1095ad1c556e1f4ee Mon Sep 17 00:00:00 2001 +From: nobu +Date: Wed, 20 Dec 2017 04:25:01 +0000 +Subject: [PATCH 2/3] Fixed command Injection + +* lib/resolv.rb (Resolv::Config.parse_resolv_conf): fixed + potential command injection by use of Kernel#open. + [ruby-core:84347] [Bug #14205] + +git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@61351 b2dd03c8-39d4-4d8f-98ff-823fe69b080e +--- + lib/resolv.rb | 2 +- + test/resolv/test_addr.rb | 11 +++++++++++ + test/resolv/test_dns.rb | 10 ++++++++++ + 3 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/lib/resolv.rb b/lib/resolv.rb +index 56183b837d..48ee400efe 100644 +--- a/lib/resolv.rb ++++ b/lib/resolv.rb +@@ -933,7 +933,7 @@ def Config.parse_resolv_conf(filename) + nameserver = [] + search = nil + ndots = 1 +- open(filename, 'rb') {|f| ++ File.open(filename, 'rb') {|f| + f.each {|line| + line.sub!(/[#;].*/, '') + keyword, *args = line.split(/\s+/) +diff --git a/test/resolv/test_addr.rb b/test/resolv/test_addr.rb +index 4a2df5bfca..78a28c9633 100644 +--- a/test/resolv/test_addr.rb ++++ b/test/resolv/test_addr.rb +@@ -27,4 +27,15 @@ def test_invalid_byte_comment + end + end + end ++ ++ def test_hosts_by_command ++ Dir.mktmpdir do |dir| ++ Dir.chdir(dir) do ++ hosts = Resolv::Hosts.new("|echo error") ++ assert_raise(Errno::ENOENT) do ++ hosts.each_name("") {} ++ end ++ end ++ end ++ end + end +diff --git a/test/resolv/test_dns.rb b/test/resolv/test_dns.rb +index f21a094b20..8236078374 100644 +--- a/test/resolv/test_dns.rb ++++ b/test/resolv/test_dns.rb +@@ -179,6 +179,16 @@ def test_invalid_byte_comment + end + end + ++ def test_resolv_conf_by_command ++ Dir.mktmpdir do |dir| ++ Dir.chdir(dir) do ++ assert_raise(Errno::ENOENT) do ++ Resolv::DNS::Config.parse_resolv_conf("|echo foo") ++ end ++ end ++ end ++ end ++ + def test_dots_diffences + name1 = Resolv::DNS::Name.create("example.org") + name2 = Resolv::DNS::Name.create("ex.ampl.eo.rg") +-- +2.15.1 + + +From dd71a5a9a459dbda9b9a4786f6a0b5bd59a81aae Mon Sep 17 00:00:00 2001 +From: usa +Date: Wed, 20 Dec 2017 16:04:41 +0000 +Subject: [PATCH 3/3] fix test errors on Windows + + * test/resolv/test_addr.rb (test_hosts_by_command): on Windows, `|` is + invalid charactor for path and raises `Errno::EINVAL` if trying to + open. + + * test/resolv/test_dns.rb (test_resolv_conf_by_command): ditto. + + cf. [Bug #14205] + + +git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@61374 b2dd03c8-39d4-4d8f-98ff-823fe69b080e +--- + test/resolv/test_addr.rb | 2 +- + test/resolv/test_dns.rb | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/test/resolv/test_addr.rb b/test/resolv/test_addr.rb +index 78a28c9633..14ec2651ab 100644 +--- a/test/resolv/test_addr.rb ++++ b/test/resolv/test_addr.rb +@@ -32,7 +32,7 @@ def test_hosts_by_command + Dir.mktmpdir do |dir| + Dir.chdir(dir) do + hosts = Resolv::Hosts.new("|echo error") +- assert_raise(Errno::ENOENT) do ++ assert_raise(Errno::ENOENT, Errno::EINVAL) do + hosts.each_name("") {} + end + end +diff --git a/test/resolv/test_dns.rb b/test/resolv/test_dns.rb +index 8236078374..1b44f32807 100644 +--- a/test/resolv/test_dns.rb ++++ b/test/resolv/test_dns.rb +@@ -182,7 +182,7 @@ def test_invalid_byte_comment + def test_resolv_conf_by_command + Dir.mktmpdir do |dir| + Dir.chdir(dir) do +- assert_raise(Errno::ENOENT) do ++ assert_raise(Errno::ENOENT, Errno::EINVAL) do + Resolv::DNS::Config.parse_resolv_conf("|echo foo") + end + end +-- +2.15.1 + diff --git a/SPECS/ruby.spec b/SPECS/ruby.spec index 41d011f..9801d08 100644 --- a/SPECS/ruby.spec +++ b/SPECS/ruby.spec @@ -3,7 +3,7 @@ %global major_version 2 %global minor_version 3 -%global teeny_version 1 +%global teeny_version 6 %global major_minor_version %{major_version}.%{minor_version} %global ruby_version %{major_minor_version}.%{teeny_version} @@ -23,7 +23,7 @@ %global ruby_archive %{ruby_archive}-%{?milestone}%{?!milestone:%{?revision:r%{revision}}} %endif -%global release 64 +%global release 67 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} # The RubyGems library has to stay out of Ruby directory three, since the @@ -31,8 +31,8 @@ %global rubygems_dir %{_datadir}/rubygems # Bundled libraries versions -%global rubygems_version 2.5.1 -%global molinillo_version 0.4.0 +%global rubygems_version 2.5.2.2 +%global molinillo_version 0.4.1 # TODO: The IRB has strange versioning. Keep the Ruby's versioning ATM. # http://redmine.ruby-lang.org/issues/5313 @@ -41,10 +41,10 @@ %global bigdecimal_version 1.2.8 %global did_you_mean_version 1.0.0 %global io_console_version 0.4.5 -%global json_version 1.8.3 -%global minitest_version 5.8.3 +%global json_version 1.8.3.1 +%global minitest_version 5.8.5 %global power_assert_version 0.2.6 -%global psych_version 2.0.17 +%global psych_version 2.1.0.1 %global rake_version 10.4.2 %global rdoc_version 4.2.1 %global net_telnet_version 0.1.1 @@ -128,6 +128,13 @@ Patch9: ruby-2.3.0-Disable-colorized-configure.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1384810 # https://github.com/ruby/ruby/commit/423d042371d0402071c309dc403ea2701600a98b Patch10: ruby-2.4.0-no_proxy-with-whitespaces-and-leading-dots.patch +# Recent tzdata change breaks Ruby test suite. +# https://bugs.ruby-lang.org/issues/14438 +Patch11: ruby-2.5.0-Disable-Tokyo-TZ-tests.patch +# CVE-2017-17790 - Command injection in lib/resolv.rb:lazy_initialize() allows +# arbitrary code execution +# https://bugs.ruby-lang.org/issues/14205 +Patch12: ruby-2.5.0-Fixed-command-Injection.patch Requires: %{?scl_prefix}%{pkg_name}-libs%{?_isa} = %{version}-%{release} Requires: %{?scl_prefix}ruby(rubygems) >= %{rubygems_version} @@ -469,6 +476,8 @@ rm -rf ext/fiddle/libffi* %patch7 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 +%patch12 -p1 # Allow to use autoconf 2.63. sed -i '/AC_PREREQ/ s/(.*)/(2.62)/' configure.in @@ -965,6 +974,17 @@ make check TESTS="-v $DISABLE_TESTS" %{ruby_libdir}/tkextlib %changelog +* Mon Mar 12 2018 Pavel Valena - 2.3.6-67 +- Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code + execution(CVE-2017-17790). + * ruby-2.5.0-Fixed-command-Injection.patch + Related: rhbz#1549649 + +* Tue Feb 13 2018 Pavel Valena - 2.3.6-66 +- Upgrade to Ruby 2.3.6. + Resolves: rhbz#1549649 + Resolves: CVE-2017-17405 + * Wed Oct 26 2016 Pavel Valena - 2.3.1-64 - Fix: do not fail in operating_system.rb when X_SCLS is empty Resolves: rhbz#1387139