On 07/01 07:07, Jeremy Evans wrote:
> On 06/27 03:31, Jeremy Evans wrote:
> > Ruby 1.8.7, 1.9.3, and 2.0.0 had security releases today to fix
> > CVE-2013-4073: Hostname check bypassing vulnerability in SSL client.
> > http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/
> > 
> > Exploitation of this vulnerability requires that a trusted CA
> > issue a certificate with a null byte in the subjectAltName field.
> > 
> > This will likely be the last patch release of ruby 1.8.7, as it
> > becomes unsupported upstream next week.
> > 
> > The 1.9.3 and 2.0.0 releases also contain other bugfixes.
> > Unfortunately, upstream got sloppy and changed ABI in a patch
> > release (removing a function, adding some new functions), so this
> > bumps the majors on libruby19.so and libruby20.so.
> > 
> > Tested on i386.  Compiles fine on amd64, but I still need to do some
> > additional testing there.  Assuming no problems, I will be committing
> > this next week.
> 
> There have been regressions reported with these new releases, so I
> won't be committing this until they are fixed:
> https://bugs.ruby-lang.org/issues/8575

I was hoping that the ruby developers would issue new releases after
they fixed the regression introduced with the fix for this CVE.
Unfortunately, they have not yet done so.  So I've backported the
necessary fixes from the subversion repository.

I've also backported a fix for ruby 1.9 and 2.0 that makes it so that
the ABI is not broken in a point release.  So instead of bumping the
majors of libruby19.so and libruby20.so, I've only bumped the minors,
as there were still a handful of functions added.

I still have to do some additional testing on this, but assuming no
problems or objections I plan to commit it sometime this week.

Thanks,
Jeremy

Index: 1.8/Makefile
===================================================================
RCS file: /cvs/ports/lang/ruby/1.8/Makefile,v
retrieving revision 1.27
diff -u -p -r1.27 Makefile
--- 1.8/Makefile        11 Mar 2013 11:20:28 -0000      1.27
+++ 1.8/Makefile        27 Jun 2013 20:15:46 -0000
@@ -7,7 +7,7 @@ COMMENT-tk=             tk interface for ruby
 COMMENT-ri_docs=       ri documentation files ruby
 
 VERSION=               1.8.7
-PATCHLEVEL=            370
+PATCHLEVEL=            374
 
 SHARED_LIBS=           ruby18 0.0
 PKGNAME-main=          ruby-${VERSION}.${PATCHLEVEL}
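Review bot: PATCHLEVEL moves from 370 to 374 while SHARED_LIBS stays at ruby18 0.0, which is consistent with the cover text saying only the 1.9 and 2.0 releases changed ABI; it would help to note in the commit message that the 1.8 library's exported symbols were compared as well, since p374 is also a multi-fix security release.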
@@ -15,8 +15,6 @@ PKGNAME-iconv=                ruby-iconv-${VERSION}.${
 PKGNAME-gdbm=          ruby-gdbm-${VERSION}.${PATCHLEVEL}
 PKGNAME-tk=            ruby-tk-${VERSION}.${PATCHLEVEL}
 PKGNAME-ri_docs=       ruby-ri_docs-${VERSION}.${PATCHLEVEL}
-
-REVISION-main=         1
 
 PKG_ARCH-ri_docs=      *
 PKGSPEC-main=          ruby->=1.8,<1.9
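Review bot: Dropping REVISION-main=1 here is correct because PKGNAME-main embeds ${PATCHLEVEL}, so ruby-1.8.7.374 already sorts after ruby-1.8.7.370 with REVISION 1; just make sure the remaining blank line before PKG_ARCH-ri_docs is intended so that only one separator is left.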
Index: 1.8/distinfo
===================================================================
RCS file: /cvs/ports/lang/ruby/1.8/distinfo,v
retrieving revision 1.7
diff -u -p -r1.7 distinfo
--- 1.8/distinfo        3 Jul 2012 19:58:39 -0000       1.7
+++ 1.8/distinfo        27 Jun 2013 20:16:44 -0000
@@ -1,5 +1,2 @@
-MD5 (ruby-1.8.7-p370.tar.gz) = mLALvRzd4xFhVe225VW3gQ==
-RMD160 (ruby-1.8.7-p370.tar.gz) = dtLpYn+11oui0FqRpFspvpqRzR8=
-SHA1 (ruby-1.8.7-p370.tar.gz) = /8VzYBnJqmkqBe2Vr3/pdq+z2hM=
-SHA256 (ruby-1.8.7-p370.tar.gz) = vNjbR6329eOCK2CgR4Xu2xuX1B+9fLWV0CdZ+qNlgcY=
-SIZE (ruby-1.8.7-p370.tar.gz) = 4897464
+SHA256 (ruby-1.8.7-p374.tar.gz) = h27uqu6rEMv0dngzVH1m2G1nF+9I/T2J4n24kmplJ2w=
+SIZE (ruby-1.8.7-p374.tar.gz) = 4903749
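Review bot: Only SHA256 and SIZE are kept for the p374 tarball, whereas the p370 entry also carried MD5, RMD160 and SHA1; this matches the 1.9 and 2.0 distinfo files elsewhere in this diff, which already list only SHA256 and SIZE, so the 1.8 file is being brought in line rather than losing anything the build checks.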
Index: 1.8/patches/patch-error_c
===================================================================
RCS file: 1.8/patches/patch-error_c
diff -N 1.8/patches/patch-error_c
--- 1.8/patches/patch-error_c   8 Oct 2012 13:15:17 -0000       1.2
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,17 +0,0 @@
-$OpenBSD: patch-error_c,v 1.2 2012/10/08 13:15:17 jeremy Exp $
-
-Backport security fix, from Shugo Maeda (ruby developer), similar to
-changes in ruby SVN revision 37068.
-
---- error.c.orig       Mon Oct  8 03:43:34 2012
-+++ error.c    Mon Oct  8 03:43:49 2012
-@@ -665,9 +665,6 @@ name_err_to_s(exc)
- 
-     if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
-     StringValue(str);
--    if (str != mesg) {
--      OBJ_INFECT(str, mesg);
--    }
-     return str;
- }
- 
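Review bot: Removing patch-error_c is only safe if the p374 tarball already contains the upstream equivalent of SVN r37068 (the OBJ_INFECT removal in name_err_to_s shown above); the cover text describes p374 as the CVE-2013-4073 fix but does not mention this older taint fix, so a one-line confirmation in the commit message that the hunk is now in upstream error.c would make the removal easier to audit.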
Index: 1.8/patches/patch-ext_openssl_lib_openssl_ssl-internal_rb
===================================================================
RCS file: 1.8/patches/patch-ext_openssl_lib_openssl_ssl-internal_rb
diff -N 1.8/patches/patch-ext_openssl_lib_openssl_ssl-internal_rb
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ 1.8/patches/patch-ext_openssl_lib_openssl_ssl-internal_rb   15 Jul 2013 
02:19:01 -0000
@@ -0,0 +1,16 @@
+$OpenBSD$
+
+Backport fix for regression introduced by fix for CVE-2013-4073 from
+ruby svn r41805.
+
+--- ext/openssl/lib/openssl/ssl-internal.rb.orig       Sun Jul 14 19:10:20 2013
++++ ext/openssl/lib/openssl/ssl-internal.rb    Sun Jul 14 19:09:31 2013
+@@ -90,7 +90,7 @@ module OpenSSL
+       should_verify_common_name = true
+       cert.extensions.each{|ext|
+         next if ext.oid != "subjectAltName"
+-        id, ostr = OpenSSL::ASN1.decode(ext.to_der).value
++        ostr = OpenSSL::ASN1.decode(ext.to_der).value.last
+         sequence = OpenSSL::ASN1.decode(ostr.value)
+         sequence.value.each{|san|
+           case san.tag
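Review bot: The one-line change is the right fix for the regression: an X.509 Extension is SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }, so the original "id, ostr = ...value" destructuring only works when the critical flag is absent; when subjectAltName is marked critical the sequence has three elements and ostr becomes the BOOLEAN, and the following OpenSSL::ASN1.decode(ostr.value) fails. Taking .value.last always yields the OCTET STRING. Worth exercising the client check against both a critical and a non-critical subjectAltName before commit, since the first fix shipped without covering the critical case.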
Index: 1.9/Makefile
===================================================================
RCS file: /cvs/ports/lang/ruby/1.9/Makefile,v
retrieving revision 1.37
diff -u -p -r1.37 Makefile
--- 1.9/Makefile        17 May 2013 20:08:35 -0000      1.37
+++ 1.9/Makefile        15 Jul 2013 02:22:03 -0000
@@ -9,10 +9,10 @@ COMMENT-tk =          tk interface for ruby
 COMMENT-ri_docs =      ri documentation files for ruby
 
 VERSION =              1.9.3
-PATCHLEVEL =           429
+PATCHLEVEL =           448
 RUBYLIBREV =           1.9.1
 
-SHARED_LIBS =          ruby19 1.0
+SHARED_LIBS =          ruby19 1.1
 PKGNAME-main =         ruby-${VERSION}.${PATCHLEVEL}
 PKGNAME-gdbm =         ruby-gdbm-${VERSION}.${PATCHLEVEL}
 PKGNAME-dbm =          ruby-dbm-${VERSION}.${PATCHLEVEL}
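Review bot: The SHARED_LIBS change from ruby19 1.0 to 1.1 (minor bump only) matches the cover text's claim that, with the intern.h backport, functions were only added and none removed; that claim rests on the exported symbol table of the built libruby19.so, not just on the header, so comparing the old and new library's exported symbols would be the concrete check that a minor bump is sufficient.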
Index: 1.9/distinfo
===================================================================
RCS file: /cvs/ports/lang/ruby/1.9/distinfo,v
retrieving revision 1.13
diff -u -p -r1.13 distinfo
--- 1.9/distinfo        17 May 2013 20:08:35 -0000      1.13
+++ 1.9/distinfo        27 Jun 2013 20:17:47 -0000
@@ -1,2 +1,2 @@
-SHA256 (ruby-1.9.3-p429.tar.gz) = 0ZLRr8RqfvJ7nQo8eme1CQSJhNssOJB6qCZBvfmArPQ=
-SIZE (ruby-1.9.3-p429.tar.gz) = 12553234
+SHA256 (ruby-1.9.3-p448.tar.gz) = LzXhhlQ6A77F5gMpbW2IKLlMpYurBJtnsc62HTgbyKc=
+SIZE (ruby-1.9.3-p448.tar.gz) = 12559260
Index: 1.9/patches/patch-Makefile_in
===================================================================
RCS file: 1.9/patches/patch-Makefile_in
diff -N 1.9/patches/patch-Makefile_in
--- 1.9/patches/patch-Makefile_in       17 May 2013 20:08:35 -0000      1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,14 +0,0 @@
-$OpenBSD: patch-Makefile_in,v 1.1 2013/05/17 20:08:35 jeremy Exp $
-
-This lines causes make build to fail when run the first time.
-
---- Makefile.in.orig   Tue May 14 09:52:50 2013
-+++ Makefile.in        Tue May 14 09:53:00 2013
-@@ -169,7 +169,6 @@ $(PROGRAM):
-               @$(RM) $@
-               $(ECHO) linking $@
-               $(Q) $(PURIFY) $(CC) $(LDFLAGS) $(XLDFLAGS) $(MAINOBJ) 
$(EXTOBJS) $(LIBRUBYARG) $(MAINLIBS) $(LIBS) $(OUTFLAG)$@
--              $(Q) $(POSTLINK)
- 
- # We must `rm' the library each time this rule is invoked because "updating" a
- # MAB library on Apple/NeXT (see --enable-fat-binary in configure) is not
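Review bot: Deleting patch-Makefile_in implies that the $(POSTLINK) line no longer breaks the first "make build" in p448, but neither the cover text nor the commit message says so; a short note that a clean first-time build was verified (the failure mode the removed patch header describes) would close that gap.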
Index: 1.9/patches/patch-ext_openssl_lib_openssl_ssl-internal_rb
===================================================================
RCS file: 1.9/patches/patch-ext_openssl_lib_openssl_ssl-internal_rb
diff -N 1.9/patches/patch-ext_openssl_lib_openssl_ssl-internal_rb
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ 1.9/patches/patch-ext_openssl_lib_openssl_ssl-internal_rb   15 Jul 2013 
02:25:51 -0000
@@ -0,0 +1,16 @@
+$OpenBSD$
+
+Backport fix for regression introduced by fix for CVE-2013-4073 from
+ruby svn r41805.
+
+--- ext/openssl/lib/openssl/ssl-internal.rb.orig       Thu Jun 27 04:13:08 2013
++++ ext/openssl/lib/openssl/ssl-internal.rb    Sun Jul 14 19:24:37 2013
+@@ -88,7 +88,7 @@ module OpenSSL
+       should_verify_common_name = true
+       cert.extensions.each{|ext|
+         next if ext.oid != "subjectAltName"
+-        id, ostr = OpenSSL::ASN1.decode(ext.to_der).value
++        ostr = OpenSSL::ASN1.decode(ext.to_der).value.last
+         sequence = OpenSSL::ASN1.decode(ostr.value)
+         sequence.value.each{|san|
+           case san.tag
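Review bot: Identical to the 1.8 backport apart from the hunk offset (line 88 here versus 90 in 1.8) and the file dates, and it references the same upstream revision r41805, so the three copies of this fix stay in sync; the reasoning about the critical BOOLEAN given for the 1.8 hunk applies unchanged.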
Index: 1.9/patches/patch-include_ruby_intern_h
===================================================================
RCS file: 1.9/patches/patch-include_ruby_intern_h
diff -N 1.9/patches/patch-include_ruby_intern_h
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ 1.9/patches/patch-include_ruby_intern_h     15 Jul 2013 02:29:28 -0000
@@ -0,0 +1,14 @@
+$OpenBSD$
+
+Don't break ABI in a patch level release, from ruby svn r41875.
+
+--- include/ruby/intern.h.orig Sun Jul 14 19:25:14 2013
++++ include/ruby/intern.h      Sun Jul 14 19:25:28 2013
+@@ -350,6 +350,7 @@ VALUE rb_require_safe(VALUE, int);
+ void rb_obj_call_init(VALUE, int, VALUE*);
+ VALUE rb_class_new_instance(int, VALUE*, VALUE);
+ VALUE rb_block_proc(void);
++VALUE rb_f_lambda(void);
+ VALUE rb_block_lambda(void);
+ VALUE rb_proc_new(VALUE (*)(ANYARGS/* VALUE yieldarg[, VALUE procarg] */), 
VALUE);
+ VALUE rb_obj_is_proc(VALUE);
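Review bot: Re-adding the rb_f_lambda declaration restores source compatibility for extensions that reference it, but a header line alone does not restore ABI: the symbol must still be defined and exported by the built library for the minor-only SHARED_LIBS bump in 1.9/Makefile to hold. Checking that rb_f_lambda is present in the new libruby19.so's exported symbols would confirm that r41875 is sufficient here.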
Index: 1.9/pkg/PLIST-ri_docs
===================================================================
RCS file: /cvs/ports/lang/ruby/1.9/pkg/PLIST-ri_docs,v
retrieving revision 1.8
diff -u -p -r1.8 PLIST-ri_docs
--- 1.9/pkg/PLIST-ri_docs       17 May 2013 20:08:35 -0000      1.8
+++ 1.9/pkg/PLIST-ri_docs       27 Jun 2013 20:49:24 -0000
@@ -13097,8 +13097,6 @@ share/ri/${RUBYLIBREV}/system/Struct/to_
 share/ri/${RUBYLIBREV}/system/Struct/to_s-i.ri
 share/ri/${RUBYLIBREV}/system/Struct/values-i.ri
 share/ri/${RUBYLIBREV}/system/Struct/values_at-i.ri
-share/ri/${RUBYLIBREV}/system/Syck/
-share/ri/${RUBYLIBREV}/system/Syck/cdesc-Syck.ri
 share/ri/${RUBYLIBREV}/system/Symbol/
 share/ri/${RUBYLIBREV}/system/Symbol/%3c%3d%3e-i.ri
 share/ri/${RUBYLIBREV}/system/Symbol/%3d%3d%3d-i.ri
Index: 2.0/Makefile
===================================================================
RCS file: /cvs/ports/lang/ruby/2.0/Makefile,v
retrieving revision 1.5
diff -u -p -r1.5 Makefile
--- 2.0/Makefile        3 Jul 2013 20:09:54 -0000       1.5
+++ 2.0/Makefile        15 Jul 2013 02:41:35 -0000
@@ -9,11 +9,11 @@ COMMENT-tk =          tk interface for ruby
 COMMENT-ri_docs =      ri documentation files for ruby
 
 VERSION =              2.0.0
-PATCHLEVEL =           195
+PATCHLEVEL =           247
 RUBYLIBREV =           2.0
 DISTNAME =             ruby-${VERSION}-p${PATCHLEVEL}
 
-SHARED_LIBS =          ruby20  0.0
+SHARED_LIBS =          ruby20  0.1
 PKGNAME-main =         ruby-${VERSION}.${PATCHLEVEL}
 PKGNAME-gdbm =         ruby20-gdbm-${VERSION}.${PATCHLEVEL}
 PKGNAME-tk =           ruby20-tk-${VERSION}.${PATCHLEVEL}
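Review bot: SHARED_LIBS ruby20 0.0 to 0.1 mirrors the 1.9 change and the same caveat applies: the minor bump is justified only if the exported symbol set of libruby20.so is a strict superset of the previous one once patch-include_ruby_intern_h is applied, so the same symbol comparison is worth doing for 2.0.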
Index: 2.0/distinfo
===================================================================
RCS file: /cvs/ports/lang/ruby/2.0/distinfo,v
retrieving revision 1.2
diff -u -p -r1.2 distinfo
--- 2.0/distinfo        17 May 2013 20:11:43 -0000      1.2
+++ 2.0/distinfo        27 Jun 2013 21:09:09 -0000
@@ -1,2 +1,2 @@
-SHA256 (ruby-2.0.0-p195.tar.gz) = ov6NROrDwn0ZHKLQ7i2HH5rthzx0SRsqjfIpv9xOWpM=
-SIZE (ruby-2.0.0-p195.tar.gz) = 13641558
+SHA256 (ruby-2.0.0-p247.tar.gz) = PnEEKHLHdyZAlGDoZHovMECDoVrg3v6Q2AAKaZF+INM=
+SIZE (ruby-2.0.0-p247.tar.gz) = 13652782
Index: 2.0/patches/patch-ext_openssl_lib_openssl_ssl_rb
===================================================================
RCS file: 2.0/patches/patch-ext_openssl_lib_openssl_ssl_rb
diff -N 2.0/patches/patch-ext_openssl_lib_openssl_ssl_rb
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ 2.0/patches/patch-ext_openssl_lib_openssl_ssl_rb    15 Jul 2013 02:42:41 
-0000
@@ -0,0 +1,16 @@
+$OpenBSD$
+
+Backport fix for regression introduced by fix for CVE-2013-4073 from
+ruby svn r41805.
+
+--- ext/openssl/lib/openssl/ssl.rb.orig        Thu Jun 27 04:13:08 2013
++++ ext/openssl/lib/openssl/ssl.rb     Sun Jul 14 19:24:37 2013
+@@ -88,7 +88,7 @@ module OpenSSL
+       should_verify_common_name = true
+       cert.extensions.each{|ext|
+         next if ext.oid != "subjectAltName"
+-        id, ostr = OpenSSL::ASN1.decode(ext.to_der).value
++        ostr = OpenSSL::ASN1.decode(ext.to_der).value.last
+         sequence = OpenSSL::ASN1.decode(ostr.value)
+         sequence.value.each{|san|
+           case san.tag
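Review bot: Same r41805 change as the 1.8 and 1.9 backports, here applied to ext/openssl/lib/openssl/ssl.rb rather than ssl-internal.rb, which is where 2.0 keeps verify_certificate_identity; the patch header cites the same upstream revision, so the provenance is consistent across the three branches.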
Index: 2.0/patches/patch-include_ruby_intern_h
===================================================================
RCS file: 2.0/patches/patch-include_ruby_intern_h
diff -N 2.0/patches/patch-include_ruby_intern_h
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ 2.0/patches/patch-include_ruby_intern_h     15 Jul 2013 02:42:07 -0000
@@ -0,0 +1,14 @@
+$OpenBSD$
+
+Don't break ABI in a patch level release, from ruby svn r41875.
+
+--- include/ruby/intern.h.orig Sun Jul 14 19:25:14 2013
++++ include/ruby/intern.h      Sun Jul 14 19:25:28 2013
+@@ -350,6 +350,7 @@ VALUE rb_require_safe(VALUE, int);
+ void rb_obj_call_init(VALUE, int, VALUE*);
+ VALUE rb_class_new_instance(int, VALUE*, VALUE);
+ VALUE rb_block_proc(void);
++VALUE rb_f_lambda(void);
+ VALUE rb_block_lambda(void);
+ VALUE rb_proc_new(VALUE (*)(ANYARGS/* VALUE yieldarg[, VALUE procarg] */), 
VALUE);
+ VALUE rb_obj_is_proc(VALUE);
Index: 2.0/pkg/PLIST-ri_docs
===================================================================
RCS file: /cvs/ports/lang/ruby/2.0/pkg/PLIST-ri_docs,v
retrieving revision 1.2
diff -u -p -r1.2 PLIST-ri_docs
--- 2.0/pkg/PLIST-ri_docs       17 May 2013 20:11:43 -0000      1.2
+++ 2.0/pkg/PLIST-ri_docs       27 Jun 2013 21:30:23 -0000
@@ -3836,6 +3836,7 @@ share/ri/${RUBYLIBREV}/system/Gem/TestCa
 share/ri/${RUBYLIBREV}/system/Gem/TestCase/StaticSet/prefetch-i.ri
 share/ri/${RUBYLIBREV}/system/Gem/TestCase/add_to_fetcher-i.ri
 share/ri/${RUBYLIBREV}/system/Gem/TestCase/all_spec_names-i.ri
+share/ri/${RUBYLIBREV}/system/Gem/TestCase/assert_contains_make_command-i.ri
 share/ri/${RUBYLIBREV}/system/Gem/TestCase/assert_path_exists-i.ri
 share/ri/${RUBYLIBREV}/system/Gem/TestCase/build_rake_in-i.ri
 share/ri/${RUBYLIBREV}/system/Gem/TestCase/cdesc-TestCase.ri
@@ -3856,6 +3857,7 @@ share/ri/${RUBYLIBREV}/system/Gem/TestCa
 share/ri/${RUBYLIBREV}/system/Gem/TestCase/new_default_spec-i.ri
 share/ri/${RUBYLIBREV}/system/Gem/TestCase/new_spec-i.ri
 share/ri/${RUBYLIBREV}/system/Gem/TestCase/nmake_found%3f-i.ri
+share/ri/${RUBYLIBREV}/system/Gem/TestCase/parse_make_command_line-i.ri
 share/ri/${RUBYLIBREV}/system/Gem/TestCase/process_based_port-c.ri
 share/ri/${RUBYLIBREV}/system/Gem/TestCase/process_based_port-i.ri
 share/ri/${RUBYLIBREV}/system/Gem/TestCase/quick_gem-i.ri
@@ -3865,6 +3867,7 @@ share/ri/${RUBYLIBREV}/system/Gem/TestCa
 share/ri/${RUBYLIBREV}/system/Gem/TestCase/refute_path_exists-i.ri
 share/ri/${RUBYLIBREV}/system/Gem/TestCase/req-i.ri
 share/ri/${RUBYLIBREV}/system/Gem/TestCase/rubybin-c.ri
+share/ri/${RUBYLIBREV}/system/Gem/TestCase/scan_make_command_lines-i.ri
 share/ri/${RUBYLIBREV}/system/Gem/TestCase/setup-i.ri
 share/ri/${RUBYLIBREV}/system/Gem/TestCase/spec-i.ri
 share/ri/${RUBYLIBREV}/system/Gem/TestCase/teardown-i.ri
@@ -3964,8 +3967,10 @@ share/ri/${RUBYLIBREV}/system/Gem/config
 share/ri/${RUBYLIBREV}/system/Gem/configuration-c.ri
 share/ri/${RUBYLIBREV}/system/Gem/datadir-c.ri
 share/ri/${RUBYLIBREV}/system/Gem/default_bindir-c.ri
+share/ri/${RUBYLIBREV}/system/Gem/default_cert_path-c.ri
 share/ri/${RUBYLIBREV}/system/Gem/default_dir-c.ri
 share/ri/${RUBYLIBREV}/system/Gem/default_exec_format-c.ri
+share/ri/${RUBYLIBREV}/system/Gem/default_key_path-c.ri
 share/ri/${RUBYLIBREV}/system/Gem/default_path-c.ri
 share/ri/${RUBYLIBREV}/system/Gem/default_rubygems_dirs-c.ri
 share/ri/${RUBYLIBREV}/system/Gem/default_sources-c.ri
@@ -7936,10 +7941,6 @@ share/ri/${RUBYLIBREV}/system/Psych/Code
 share/ri/${RUBYLIBREV}/system/Psych/Coder/style-i.ri
 share/ri/${RUBYLIBREV}/system/Psych/Coder/tag-i.ri
 share/ri/${RUBYLIBREV}/system/Psych/Coder/type-i.ri
-share/ri/${RUBYLIBREV}/system/Psych/EngineManager/
-share/ri/${RUBYLIBREV}/system/Psych/EngineManager/cdesc-EngineManager.ri
-share/ri/${RUBYLIBREV}/system/Psych/EngineManager/yamler%3d-i.ri
-share/ri/${RUBYLIBREV}/system/Psych/EngineManager/yamler-i.ri
 share/ri/${RUBYLIBREV}/system/Psych/Error/
 share/ri/${RUBYLIBREV}/system/Psych/Error/cdesc-Error.ri
 share/ri/${RUBYLIBREV}/system/Psych/Exception/

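The subjectAltName handling corrected by the three ssl-internal.rb/ssl.rb patches above, as an added example written for this page (not code from the original post or from Ruby's openssl library): it builds a constructed subjectAltName extension with and without the critical flag, shows that the first fix's two-element destructuring picks up the BOOLEAN when the extension is critical while r41805's `.value.last` does not, and checks a hostname against the full-length DER names so that a name carrying an embedded NUL byte cannot match. The helper names and the exact-match (no wildcard) hostname comparison are assumptions of this example.

```ruby
require 'openssl'

# Constructed test data: build a subjectAltName extension straight from ASN.1 so
# that a name can carry an embedded NUL byte, which the ExtensionFactory's
# "DNS:..." config syntax cannot express. Tag 2 = dNSName (RFC 5280 GeneralName).
def san_extension(dns_names, critical: false)
  general_names = OpenSSL::ASN1::Sequence.new(
    dns_names.map { |n| OpenSSL::ASN1::IA5String.new(n, 2, :IMPLICIT) }
  )
  OpenSSL::X509::Extension.new("subjectAltName", general_names.to_der, critical)
end

# Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
#                          extnValue OCTET STRING }
# The first CVE-2013-4073 fix destructured that sequence as [oid, octet_string],
# so a critical extension (three elements) hands back the BOOLEAN instead.
def extn_value_first_fix(ext)
  _id, ostr = OpenSSL::ASN1.decode(ext.to_der).value
  ostr
end

# ruby svn r41805 (the backport in the patches above): the OCTET STRING is
# always the last element, whether or not the critical flag is present.
def extn_value_fixed(ext)
  OpenSSL::ASN1.decode(ext.to_der).value.last
end

# Full-length dNSName values taken from the DER, not from ext.value (the
# printable form, which C string handling truncates at the first NUL).
def san_dns_names(extensions)
  names = []
  extensions.each do |ext|
    next if ext.oid != "subjectAltName"
    sequence = OpenSSL::ASN1.decode(extn_value_fixed(ext).value)
    sequence.value.each { |san| names << san.value if san.tag == 2 }
  end
  names
end

# Exact-match hostname check over the DER-derived names (wildcard matching is
# deliberately omitted). A name with an embedded NUL can never equal the
# hostname, which is what the raw-DER parse buys over the printable form.
def san_matches_hostname?(extensions, hostname)
  san_dns_names(extensions).any? { |name| name == hostname }
end
```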