From c6d5d06bc975465b6ff822aecc24dfbe533f8442 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Dec 19 2017 08:13:52 +0000
Subject: import rh-ruby24-ruby-2.4.2-86.el7
---
diff --git a/.gitignore b/.gitignore
index 8dfcd62..269a4ea 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/ruby-2.4.0.tar.xz
+SOURCES/ruby-2.4.2.tar.xz
diff --git a/.rh-ruby24-ruby.metadata b/.rh-ruby24-ruby.metadata
index 9e8970d..50856a5 100644
--- a/.rh-ruby24-ruby.metadata
+++ b/.rh-ruby24-ruby.metadata
@@ -1 +1 @@
-038804bbd0e77508dd2510b729a9f3b325489b2e SOURCES/ruby-2.4.0.tar.xz
+8373e32c63bba2180799da091b572664aa9faf6f SOURCES/ruby-2.4.2.tar.xz
diff --git a/SOURCES/ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch b/SOURCES/ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch
index af8b9a9..3e29d1b 100644
--- a/SOURCES/ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch
+++ b/SOURCES/ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch
@@ -39,7 +39,7 @@ diff --git a/configure.in b/configure.in
 index 0e371e2..d4f1dcb 100644
 --- a/configure.in
 +++ b/configure.in
-@@ -4536,6 +4536,13 @@ AC_SUBST(rubyarchhdrdir)dnl
+@@ -4563,6 +4563,13 @@ AC_SUBST(rubyarchhdrdir)dnl
 AC_SUBST(sitearchhdrdir)dnl
 AC_SUBST(vendorarchhdrdir)dnl
diff --git a/SOURCES/ruby-2.1.0-Enable-configuration-of-archlibdir.patch b/SOURCES/ruby-2.1.0-Enable-configuration-of-archlibdir.patch
index a4e6c28..bc75f5e 100644
--- a/SOURCES/ruby-2.1.0-Enable-configuration-of-archlibdir.patch
+++ b/SOURCES/ruby-2.1.0-Enable-configuration-of-archlibdir.patch
@@ -11,7 +11,7 @@ diff --git a/configure.in b/configure.in
 index 37d9a62..553d4d0 100644
 --- a/configure.in
 +++ b/configure.in
-@@ -3790,6 +3790,11 @@ if test ${multiarch+set}; then
+@@ -3823,6 +3823,11 @@ if test ${multiarch+set}; then
 fi
 archlibdir='${libdir}/${arch}'
diff --git a/SOURCES/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch b/SOURCES/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch
index e841569..489a1b8 100644
--- a/SOURCES/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch
+++ b/SOURCES/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch
@@ -14,7 +14,7 @@ diff --git a/configure.in b/configure.in
 index db37cd6..ce8d149 100644
 --- a/configure.in
 +++ b/configure.in
-@@ -4390,7 +4390,8 @@ AS_CASE(["$ruby_version_dir_name"],
+@@ -4417,7 +4417,8 @@ AS_CASE(["$ruby_version_dir_name"],
 ruby_version_dir=/'${ruby_version_dir_name}'
 if test -z "${ruby_version_dir_name}"; then
diff --git a/SOURCES/ruby-2.1.0-always-use-i386.patch b/SOURCES/ruby-2.1.0-always-use-i386.patch
index ba358f3..238cd66 100644
--- a/SOURCES/ruby-2.1.0-always-use-i386.patch
+++ b/SOURCES/ruby-2.1.0-always-use-i386.patch
@@ -11,7 +11,7 @@ diff --git a/configure.in b/configure.in
 index 553d4d0..03a4152 100644
 --- a/configure.in
 +++ b/configure.in
-@@ -4454,6 +4454,8 @@ AC_SUBST(vendorarchdir)dnl
+@@ -4481,6 +4481,8 @@ AC_SUBST(vendorarchdir)dnl
 AC_SUBST(CONFIGURE, "`echo $0 | sed 's|.*/||'`")dnl
 AC_SUBST(configure_args, "`echo "${ac_configure_args}" | sed 's/\\$/$$/g'`")dnl
diff --git a/SOURCES/ruby-2.1.0-custom-rubygems-location.patch b/SOURCES/ruby-2.1.0-custom-rubygems-location.patch
index 44fe4a7..1905381 100644
--- a/SOURCES/ruby-2.1.0-custom-rubygems-location.patch
+++ b/SOURCES/ruby-2.1.0-custom-rubygems-location.patch
@@ -15,7 +15,7 @@ diff --git a/configure.in b/configure.in
 index 03a4152..0e371e2 100644
 --- a/configure.in
 +++ b/configure.in
-@@ -4426,6 +4426,10 @@ AC_ARG_WITH(vendorarchdir,
+@@ -4453,6 +4453,10 @@ AC_ARG_WITH(vendorarchdir,
 [vendorarchdir=$withval],
 [vendorarchdir=${multiarch+'${rubysitearchprefix}/vendor_ruby'${ruby_version_dir}}${multiarch-'${vendorlibdir}/${sitearch}'}])
@@ -26,7 +26,7 @@ index 03a4152..0e371e2 100644 if test "${LOAD_RELATIVE+set}"; then AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE) RUBY_EXEC_PREFIX='' -@@ -4450,6 +4454,7 @@ AC_SUBST(sitearchdir)dnl +@@ -4477,6 +4481,7 @@ AC_SUBST(sitearchdir)dnl AC_SUBST(vendordir)dnl AC_SUBST(vendorlibdir)dnl AC_SUBST(vendorarchdir)dnl diff --git a/SOURCES/ruby-2.3.0-ruby_version.patch b/SOURCES/ruby-2.3.0-ruby_version.patch index b4d6f76..80be728 100644 --- a/SOURCES/ruby-2.3.0-ruby_version.patch +++ b/SOURCES/ruby-2.3.0-ruby_version.patch @@ -20,7 +20,7 @@ diff --git a/configure.in b/configure.in index db37cd6..6e73fae 100644 --- a/configure.in +++ b/configure.in -@@ -4341,9 +4341,6 @@ AS_CASE(["$target_os"], +@@ -4368,9 +4368,6 @@ AS_CASE(["$target_os"], rubyw_install_name='$(RUBYW_INSTALL_NAME)' ]) @@ -30,7 +30,7 @@ index db37cd6..6e73fae 100644 rubyarchprefix=${multiarch+'${archlibdir}/${RUBY_BASE_NAME}'}${multiarch-'${rubylibprefix}/${arch}'} AC_ARG_WITH(rubyarchprefix, AS_HELP_STRING([--with-rubyarchprefix=DIR], -@@ -4366,56 +4363,62 @@ AC_ARG_WITH(ridir, +@@ -4393,56 +4390,62 @@ AC_ARG_WITH(ridir, AC_SUBST(ridir) AC_SUBST(RI_BASE_NAME) @@ -120,7 +120,7 @@ index db37cd6..6e73fae 100644 if test "${LOAD_RELATIVE+set}"; then AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE) -@@ -4432,6 +4435,7 @@ AC_SUBST(sitearchincludedir)dnl +@@ -4459,6 +4462,7 @@ AC_SUBST(sitearchincludedir)dnl AC_SUBST(arch)dnl AC_SUBST(sitearch)dnl AC_SUBST(ruby_version)dnl @@ -245,7 +245,7 @@ diff --git a/test/rubygems/test_gem.rb b/test/rubygems/test_gem.rb index 0428bea..b6e090e 100644 --- a/test/rubygems/test_gem.rb +++ b/test/rubygems/test_gem.rb -@@ -1101,7 +1101,8 @@ def test_self_use_paths +@@ -1124,7 +1124,8 @@ def test_self_use_paths def test_self_user_dir parts = [@userhome, '.gem', Gem.ruby_engine] 
@@ -255,7 +255,7 @@ index 0428bea..b6e090e 100644 assert_equal File.join(parts), Gem.user_dir end -@@ -1228,7 +1229,7 @@ def test_self_user_home_user_drive_and_path +@@ -1251,7 +1252,7 @@ def test_self_user_home_user_drive_and_path def test_self_vendor_dir expected = File.join RbConfig::CONFIG['vendordir'], 'gems', diff --git a/SOURCES/ruby-2.4.0-vm_insnhelper.c-block-argument-at-tailcall.patch b/SOURCES/ruby-2.4.0-vm_insnhelper.c-block-argument-at-tailcall.patch deleted file mode 100644 index cb8fe26..0000000 --- a/SOURCES/ruby-2.4.0-vm_insnhelper.c-block-argument-at-tailcall.patch +++ /dev/null @@ -1,36 +0,0 @@ -From ff3496b0116ed2ed589d000b7bfca3d8288b009c Mon Sep 17 00:00:00 2001 -From: nobu -Date: Mon, 9 Jan 2017 02:55:39 +0000 -Subject: [PATCH] vm_insnhelper.c: block argument at tailcall - -* vm_insnhelper.c (vm_call_iseq_setup_tailcall): check interrupts - after set up the new frame, not the passed block to be clobbered - by invoked finalizers and so on. [ruby-core:78981] [Bug #13107] - -git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57293 b2dd03c8-39d4-4d8f-98ff-823fe69b080e ---- - vm_insnhelper.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/vm_insnhelper.c b/vm_insnhelper.c -index b580412..662a2d6 100644 ---- a/vm_insnhelper.c -+++ b/vm_insnhelper.c -@@ -1538,8 +1538,6 @@ vm_call_iseq_setup_tailcall(rb_thread_t *th, rb_control_frame_t *cfp, struct rb_ - vm_pop_frame(th, cfp, cfp->ep); - cfp = th->cfp; - -- RUBY_VM_CHECK_INTS(th); -- - sp_orig = sp = cfp->sp; - - /* push self */ -@@ -1558,6 +1556,8 @@ vm_call_iseq_setup_tailcall(rb_thread_t *th, rb_control_frame_t *cfp, struct rb_ - iseq->body->stack_max); - - cfp->sp = sp_orig; -+ RUBY_VM_CHECK_INTS(th); -+ - return Qundef; - } - diff --git a/SOURCES/ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization-vulnerability.patch b/SOURCES/ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization-vulnerability.patch new file mode 100644 index 0000000..a7272f0 --- /dev/null 
+++ b/SOURCES/ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization-vulnerability.patch 
@@ -0,0 +1,156 @@ +From 1281e56682692859e726e24fff30e44aac6f948b Mon Sep 17 00:00:00 2001 +From: nagachika +Date: Wed, 11 Oct 2017 13:48:14 +0000 +Subject: [PATCH] merge revision(s) 60149: [Backport #14003] + + Merge rubygems-2.6.14 changes. + + It fixed http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html + +git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@60168 b2dd03c8-39d4-4d8f-98ff-823fe69b080e +--- + lib/rubygems.rb | 5 +++-- + lib/rubygems/config_file.rb | 2 +- + lib/rubygems/package.rb | 2 +- + lib/rubygems/package/old.rb | 2 +- + lib/rubygems/safe_yaml.rb | 48 +++++++++++++++++++++++++++++++++++++++++++ + lib/rubygems/specification.rb | 2 +- + 6 files changed, 55 insertions(+), 6 deletions(-) + create mode 100644 lib/rubygems/safe_yaml.rb + +diff --git a/lib/rubygems.rb b/lib/rubygems.rb +index 55aa85b8b2bd..0685bcb3c629 100644 +--- a/lib/rubygems.rb ++++ b/lib/rubygems.rb +@@ -10,7 +10,7 @@ + require 'thread' + + module Gem +- VERSION = "2.6.13" ++ VERSION = "2.6.14" + end + + # Must be first since it unloads the prelude from 1.9.2 +@@ -675,7 +675,7 @@ def self.load_yaml + + unless test_syck + begin +- gem 'psych', '>= 1.2.1' ++ gem 'psych', '>= 2.0.0' + rescue Gem::LoadError + # It's OK if the user does not have the psych gem installed. We will + # attempt to require the stdlib version +@@ -699,6 +699,7 @@ def self.load_yaml + end + + require 'yaml' ++ require 'rubygems/safe_yaml' + + # If we're supposed to be using syck, then we may have to force + # activate it via the YAML::ENGINE API. +diff --git a/lib/rubygems/config_file.rb b/lib/rubygems/config_file.rb +index c95d7dd1f14e..63583b361615 100644 +--- a/lib/rubygems/config_file.rb ++++ b/lib/rubygems/config_file.rb +@@ -345,7 +345,7 @@ def load_file(filename) + return {} unless filename and File.exist? filename + + begin +- content = YAML.load(File.read(filename)) ++ content = Gem::SafeYAML.load(File.read(filename)) + unless content.kind_of? 
Hash + warn "Failed to load #(unknown) because it doesn't contain valid YAML hash" + return {} +diff --git a/lib/rubygems/package.rb b/lib/rubygems/package.rb +index c36e71d800a2..77811ed5ecaa 100644 +--- a/lib/rubygems/package.rb ++++ b/lib/rubygems/package.rb +@@ -468,7 +468,7 @@ def read_checksums gem + + @checksums = gem.seek 'checksums.yaml.gz' do |entry| + Zlib::GzipReader.wrap entry do |gz_io| +- YAML.load gz_io.read ++ Gem::SafeYAML.safe_load gz_io.read + end + end + end +diff --git a/lib/rubygems/package/old.rb b/lib/rubygems/package/old.rb +index 5e722baa3540..071f7141ab78 100644 +--- a/lib/rubygems/package/old.rb ++++ b/lib/rubygems/package/old.rb +@@ -101,7 +101,7 @@ def file_list io # :nodoc: + header << line + end + +- YAML.load header ++ Gem::SafeYAML.safe_load header + end + + ## +diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb +new file mode 100644 +index 000000000000..b98cfaa5e60d +--- /dev/null ++++ b/lib/rubygems/safe_yaml.rb +@@ -0,0 +1,48 @@ ++module Gem ++ ++ ### ++ # This module is used for safely loading YAML specs from a gem. The ++ # `safe_load` method defined on this module is specifically designed for ++ # loading Gem specifications. For loading other YAML safely, please see ++ # Psych.safe_load ++ ++ module SafeYAML ++ WHITELISTED_CLASSES = %w( ++ Symbol ++ Time ++ Date ++ Gem::Dependency ++ Gem::Platform ++ Gem::Requirement ++ Gem::Specification ++ Gem::Version ++ Gem::Version::Requirement ++ YAML::Syck::DefaultKey ++ Syck::DefaultKey ++ ) ++ ++ WHITELISTED_SYMBOLS = %w( ++ development ++ runtime ++ ) ++ ++ if ::YAML.respond_to? :safe_load ++ def self.safe_load input ++ ::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true) ++ end ++ ++ def self.load input ++ ::YAML.safe_load(input, [::Symbol]) ++ end ++ else ++ warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)." 
++ def self.safe_load input, *args ++ ::YAML.load input ++ end ++ ++ def self.load input ++ ::YAML.load input ++ end ++ end ++ end ++end +diff --git a/lib/rubygems/specification.rb b/lib/rubygems/specification.rb +index 88e320c05ac9..40e3a70d476c 100644 +--- a/lib/rubygems/specification.rb ++++ b/lib/rubygems/specification.rb +@@ -1101,7 +1101,7 @@ def self.from_yaml(input) + Gem.load_yaml + + input = normalize_yaml_input input +- spec = YAML.load input ++ spec = Gem::SafeYAML.safe_load input + + if spec && spec.class == FalseClass then + raise Gem::EndOfYAMLException diff --git a/SPECS/ruby.spec b/SPECS/ruby.spec index e36ac6a..9c083d3 100644 --- a/SPECS/ruby.spec +++ b/SPECS/ruby.spec @@ -3,7 +3,7 @@ %global major_version 2 %global minor_version 4 -%global teeny_version 0 +%global teeny_version 2 %global major_minor_version %{major_version}.%{minor_version} %global ruby_version %{major_minor_version}.%{teeny_version} @@ -24,7 +24,7 @@ %endif -%global release 75 +%global release 86 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} # The RubyGems library has to stay out of Ruby directory three, since the @@ -32,8 +32,8 @@ %global rubygems_dir %{_datadir}/rubygems # Bundled libraries versions -%global rubygems_version 2.6.8 -%global molinillo_version 0.5.3 +%global rubygems_version 2.6.14 +%global molinillo_version 0.5.7 # TODO: The IRB has strange versioning. Keep the Ruby's versioning ATM. # http://redmine.ruby-lang.org/issues/5313 @@ -42,10 +42,10 @@ %global bigdecimal_version 1.3.0 %global did_you_mean_version 1.1.0 %global io_console_version 0.4.6 -%global json_version 2.0.2 +%global json_version 2.0.4 %global minitest_version 5.10.1 %global net_telnet_version 0.1.1 -%global openssl_version 2.0.2 +%global openssl_version 2.0.5 %global power_assert_version 0.4.1 %global psych_version 2.2.2 %global rake_version 12.0.0 
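Review bot: The `else` branch that closes `module SafeYAML` in the new `lib/rubygems/safe_yaml.rb` (right after `warn "YAML safe loading is not available..."`) defines both `safe_load` and `load` as plain `::YAML.load`, so on a psych that lacks `safe_load` the unsafe deserialization this backport exists to close stays open with nothing more than a stderr warning. This commit also sets `%global psych_version 2.2.2` in SPECS/ruby.spec, and psych of that vintage does provide `safe_load`, so the fallback ought to be dead code in this build, but that dependency is not recorded where the new `Patch10:` line is declared. A comment there would make it explicit, e.g. `# Effective only with psych >= 2.0 (bundled: %{psych_version}); an older psych makes Gem::SafeYAML fall back to YAML.load.`. Separately, the context line `warn "Failed to load #(unknown) because ..."` in the config_file.rb hunk looks garbled in this rendering, so it is worth confirming that the stored patch file carries the real interpolation and still applies cleanly.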
@@ -62,9 +62,13 @@ %global _normalized_cpu %(echo %{_target_cpu} | sed 's/^ppc/powerpc/;s/i.86/i386/;s/sparcv./sparc/') %if 0%{?fedora} >= 19 -%global with_rubypick 1 +%bcond_without rubypick %endif +%bcond_without systemtap +%bcond_without git +%bcond_without cmake + %if 0%{?fedora} %global with_checksec 1 %endif @@ -136,9 +140,10 @@ Patch7: ruby-2.2.3-Generate-preludes-using-miniruby.patch # hardening features of glibc (rhbz#1361037). # https://bugs.ruby-lang.org/issues/12666 Patch9: ruby-2.3.1-Rely-on-ldd-to-detect-glibc.patch -# This fixed rubygem-mongo build failures and may be something else as well. -# https://bugs.ruby-lang.org/issues/13107 -Patch10: ruby-2.4.0-vm_insnhelper.c-block-argument-at-tailcall.patch +# CVE-2017-0903: Fix unsafe object deserialization through YAML formatted gem +# specifications. +# https://bugs.ruby-lang.org/issues/14003 +Patch10: ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization-vulnerability.patch Requires: %{?scl_prefix}%{pkg_name}-libs%{?_isa} = %{version}-%{release} Requires: %{?scl_prefix}ruby(rubygems) >= %{rubygems_version} @@ -158,10 +163,10 @@ BuildRequires: libyaml-devel BuildRequires: readline-devel # Needed to pass test_set_program_name(TestRubyOptions) BuildRequires: procps -BuildRequires: %{?_root_bindir}%{!?_root_bindir:%{_bindir}}/dtrace +%{?with_systemtap:BuildRequires: %{?_root_bindir}%{!?_root_bindir:%{_bindir}}/dtrace} # RubyGems test suite optional dependencies. -BuildRequires: %{?_root_bindir}%{!?_root_bindir:%{_bindir}}/git -BuildRequires: %{?_root_bindir}%{!?_root_bindir:%{_bindir}}/cmake +%{?with_git:BuildRequires: %{?_root_bindir}%{!?_root_bindir:%{_bindir}}/git} +%{?with_cmake:BuildRequires: %{?_root_bindir}%{!?_root_bindir:%{_bindir}}/cmake} # Required to test hardening. %{?with_checksec:BuildRequires: %{?_root_bindir}%{!?_root_bindir:%{_bindir}}/checksec} 
@@ -175,6 +180,7 @@ object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible. + %package devel Summary: A Ruby development environment Group: Development/Languages @@ -732,7 +738,7 @@ touch abrt.rb make runruby TESTRUN_SCRIPT="--enable-gems %{SOURCE12}" # Check if systemtap is supported. -make runruby TESTRUN_SCRIPT=%{SOURCE13} +%{?with_systemtap:make runruby TESTRUN_SCRIPT=%{SOURCE13}} DISABLE_TESTS="" @@ -929,7 +935,11 @@ make check TESTS="-v $DISABLE_TESTS" %files -n %{?scl_prefix}rubygems %{_bindir}/gem -%{rubygems_dir} +%dir %{rubygems_dir} +%{rubygems_dir}/rbconfig +%{rubygems_dir}/rubygems +%{rubygems_dir}/rubygems.rb +%{rubygems_dir}/ubygems.rb # Explicitly include only RubyGems directory strucure to avoid accidentally # packaged content. @@ -1047,6 +1057,16 @@ make check TESTS="-v $DISABLE_TESTS" %{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec %changelog +* Mon Oct 30 2017 Vít Ondruch - 2.4.2-86 +- Upgrade to Ruby 2.4.2. + * Remove Patch10: ruby-2.4.0-vm_insnhelper.c-block-argument-at-tailcall.patch; + subsumed + Resolves: rhbz#1506785 +- Fix unsafe object deserialization in RubyGems (CVE-2017-0903). + * ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization + -vulnerability.patch + Resolves: CVE-2017-0903 + * Tue Jan 17 2017 Vít Ondruch - 2.4.0-75 - Apply patch fixing rubygem-mongo build failures.