Ruby just released new versions of 1.9.3 and 2.0.0 containing security fixes for a heap overflow in the floating point parser:
https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/ As ruby 1.8 is no longer supported upstream, they did not release a new version for that. Thankfully, the ruby 1.9 patch backports, and I've verified the backport works using the unit test (which I didn't backport): ("1."+"1"*300000).to_f I can try to test and commit this soon, but it will probably be at least 10 days before I will be able to backport to 5.4. If another porter could take care of that, I'd greatly appreciate it. Thanks, Jeremy Index: 1.8/Makefile =================================================================== RCS file: /cvs/ports/lang/ruby/1.8/Makefile,v retrieving revision 1.28 diff -u -p -r1.28 Makefile --- 1.8/Makefile 17 Jul 2013 15:48:25 -0000 1.28 +++ 1.8/Makefile 22 Nov 2013 06:37:58 -0000 @@ -19,6 +19,8 @@ PKGNAME-ri_docs= ruby-ri_docs-${VERSION} PKG_ARCH-ri_docs= * PKGSPEC-main= ruby->=1.8,<1.9 +REVISION-main= 0 + CONFIGURE_ARGS= --program-suffix=18 \ --enable-ipv6 \ --with-dbm-type=bogus \ Index: 1.8/patches/patch-configure =================================================================== RCS file: /cvs/ports/lang/ruby/1.8/patches/patch-configure,v retrieving revision 1.3 diff -u -p -r1.3 patch-configure --- 1.8/patches/patch-configure 19 Jul 2011 17:06:39 -0000 1.3 +++ 1.8/patches/patch-configure 22 Nov 2013 06:39:52 -0000 @@ -3,9 +3,9 @@ $OpenBSD: patch-configure,v 1.3 2011/07/ Override the arch setting to remove OpenBSD version from it, so ports don't have to be bumped when OpenBSD version changes. ---- configure.orig Sat Jul 2 02:54:02 2011 -+++ configure Mon Jul 18 15:21:06 2011 -@@ -10706,7 +10706,7 @@ if test "$enable_shared" = 'yes'; then +--- configure.orig Thu Jun 27 04:57:43 2013 ++++ configure Thu Nov 21 22:38:05 2013 +@@ -10912,7 +10912,7 @@ if test "$enable_shared" = 'yes'; then ;; openbsd*) SOLIBS='$(LIBS)' @@ -14,7 +14,7 @@ so ports don't have to be bumped when Op ;; solaris*) SOLIBS='$(LIBS)' -@@ -11009,7 +11009,10 @@ _ACEOF +@@ -11215,7 +11215,10 @@ _ACEOF _ACEOF else Index: 1.8/patches/patch-util_c =================================================================== RCS file: 1.8/patches/patch-util_c diff -N 1.8/patches/patch-util_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ 1.8/patches/patch-util_c 22 Nov 2013 06:41:32 -0000 @@ -0,0 +1,55 @@ +$OpenBSD$ + +Backport r43776 and r43782 from Ruby SVN to fix CVE-2013-4164. + +--- util.c.orig Sun Nov 21 23:21:34 2010 ++++ util.c Thu Nov 21 22:40:16 2013 +@@ -892,6 +892,11 @@ extern void *MALLOC(size_t); + #else + #define MALLOC malloc + #endif ++#ifdef FREE ++extern void FREE(void*); ++#else ++#define FREE free ++#endif + + #ifndef Omit_Private_Memory + #ifndef PRIVATE_MEM +@@ -1176,7 +1181,7 @@ Balloc(int k) + #endif + + ACQUIRE_DTOA_LOCK(0); +- if ((rv = freelist[k]) != 0) { ++ if (k <= Kmax && (rv = freelist[k]) != 0) { + freelist[k] = rv->next; + } + else { +@@ -1186,7 +1191,7 @@ Balloc(int k) + #else + len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1) + /sizeof(double); +- if (pmem_next - private_mem + len <= PRIVATE_mem) { ++ if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) { + rv = (Bigint*)pmem_next; + pmem_next += len; + } +@@ -1205,6 +1210,10 @@ static void + Bfree(Bigint *v) + { + if (v) { ++ if (v->k > Kmax) { ++ FREE(v); ++ return; ++ } + ACQUIRE_DTOA_LOCK(0); + v->next = freelist[v->k]; + freelist[v->k] = v; +@@ -2200,6 +2209,7 @@ break2: + for (; c >= '0' && c <= '9'; c = *++s) { + have_dig: + nz++; ++ if (nf > DBL_DIG * 4) continue; + if (c -= '0') { + nf += nz; + for (i = 1; i < nz; i++) Index: 1.9/Makefile =================================================================== RCS file: /cvs/ports/lang/ruby/1.9/Makefile,v retrieving revision 1.39 diff -u -p -r1.39 Makefile --- 1.9/Makefile 4 Sep 2013 18:15:19 -0000 1.39 +++ 1.9/Makefile 22 Nov 2013 06:43:29 -0000 @@ -10,7 +10,7 @@ COMMENT-tk = tk interface for ruby COMMENT-ri_docs = ri documentation files for ruby VERSION = 1.9.3 -PATCHLEVEL = 448 +PATCHLEVEL = 484 RUBYLIBREV = 1.9.1 SHARED_LIBS = ruby19 1.1 Index: 1.9/distinfo =================================================================== RCS file: /cvs/ports/lang/ruby/1.9/distinfo,v retrieving revision 1.14 diff -u -p -r1.14 distinfo --- 1.9/distinfo 17 Jul 2013 15:51:09 -0000 1.14 +++ 1.9/distinfo 22 Nov 2013 06:31:40 -0000 @@ -1,2 +1,2 @@ -SHA256 (ruby-1.9.3-p448.tar.gz) = LzXhhlQ6A77F5gMpbW2IKLlMpYurBJtnsc62HTgbyKc= -SIZE (ruby-1.9.3-p448.tar.gz) = 12559260 +SHA256 (ruby-1.9.3-p484.tar.gz) = 1oS8OlunLNqe8wA594PA+M3DJbrlyHOMe/BVd8vo8x0= +SIZE (ruby-1.9.3-p484.tar.gz) = 12576996 Index: 1.9/patches/patch-ext_openssl_lib_openssl_ssl-internal_rb =================================================================== RCS file: 1.9/patches/patch-ext_openssl_lib_openssl_ssl-internal_rb diff -N 1.9/patches/patch-ext_openssl_lib_openssl_ssl-internal_rb --- 1.9/patches/patch-ext_openssl_lib_openssl_ssl-internal_rb 17 Jul 2013 15:51:10 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,16 +0,0 @@ -$OpenBSD: patch-ext_openssl_lib_openssl_ssl-internal_rb,v 1.1 2013/07/17 15:51:10 jeremy Exp $ - -Backport fix for regression introduced by fix for CVE-2013-4073 from -ruby svn r41805. - ---- ext/openssl/lib/openssl/ssl-internal.rb.orig Thu Jun 27 04:13:08 2013 -+++ ext/openssl/lib/openssl/ssl-internal.rb Sun Jul 14 19:24:37 2013 -@@ -88,7 +88,7 @@ module OpenSSL - should_verify_common_name = true - cert.extensions.each{|ext| - next if ext.oid != "subjectAltName" -- id, ostr = OpenSSL::ASN1.decode(ext.to_der).value -+ ostr = OpenSSL::ASN1.decode(ext.to_der).value.last - sequence = OpenSSL::ASN1.decode(ostr.value) - sequence.value.each{|san| - case san.tag Index: 1.9/patches/patch-include_ruby_intern_h =================================================================== RCS file: 1.9/patches/patch-include_ruby_intern_h diff -N 1.9/patches/patch-include_ruby_intern_h --- 1.9/patches/patch-include_ruby_intern_h 17 Jul 2013 15:51:10 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,14 +0,0 @@ -$OpenBSD: patch-include_ruby_intern_h,v 1.1 2013/07/17 15:51:10 jeremy Exp $ - -Don't break ABI in a patch level release, from ruby svn r41875. - ---- include/ruby/intern.h.orig Sun Jul 14 19:25:14 2013 -+++ include/ruby/intern.h Sun Jul 14 19:25:28 2013 -@@ -350,6 +350,7 @@ VALUE rb_require_safe(VALUE, int); - void rb_obj_call_init(VALUE, int, VALUE*); - VALUE rb_class_new_instance(int, VALUE*, VALUE); - VALUE rb_block_proc(void); -+VALUE rb_f_lambda(void); - VALUE rb_block_lambda(void); - VALUE rb_proc_new(VALUE (*)(ANYARGS/* VALUE yieldarg[, VALUE procarg] */), VALUE); - VALUE rb_obj_is_proc(VALUE); Index: 2.0/Makefile =================================================================== RCS file: /cvs/ports/lang/ruby/2.0/Makefile,v retrieving revision 1.7 diff -u -p -r1.7 Makefile --- 2.0/Makefile 4 Sep 2013 18:15:19 -0000 1.7 +++ 2.0/Makefile 22 Nov 2013 06:29:53 -0000 @@ -10,7 +10,7 @@ COMMENT-tk = tk interface for ruby COMMENT-ri_docs = ri documentation files for ruby VERSION = 2.0.0 -PATCHLEVEL = 247 +PATCHLEVEL = 353 RUBYLIBREV = 2.0 DISTNAME = ruby-${VERSION}-p${PATCHLEVEL} Index: 2.0/distinfo =================================================================== RCS file: /cvs/ports/lang/ruby/2.0/distinfo,v retrieving revision 1.3 diff -u -p -r1.3 distinfo --- 2.0/distinfo 17 Jul 2013 15:52:55 -0000 1.3 +++ 2.0/distinfo 22 Nov 2013 06:34:49 -0000 @@ -1,2 +1,2 @@ -SHA256 (ruby-2.0.0-p247.tar.gz) = PnEEKHLHdyZAlGDoZHovMECDoVrg3v6Q2AAKaZF+INM= -SIZE (ruby-2.0.0-p247.tar.gz) = 13652782 +SHA256 (ruby-2.0.0-p353.tar.gz) = Rlr8d9IBtYFbt842YKH1oTH0Qpo/pIPBJs5mkj5HJsw= +SIZE (ruby-2.0.0-p353.tar.gz) = 13572794 Index: 2.0/patches/patch-ext_openssl_lib_openssl_ssl_rb =================================================================== RCS file: 2.0/patches/patch-ext_openssl_lib_openssl_ssl_rb diff -N 2.0/patches/patch-ext_openssl_lib_openssl_ssl_rb --- 2.0/patches/patch-ext_openssl_lib_openssl_ssl_rb 17 Jul 2013 15:52:55 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,16 +0,0 @@ -$OpenBSD: patch-ext_openssl_lib_openssl_ssl_rb,v 1.1 2013/07/17 15:52:55 jeremy Exp $ - -Backport fix for regression introduced by fix for CVE-2013-4073 from -ruby svn r41805. - ---- ext/openssl/lib/openssl/ssl.rb.orig Thu Jun 27 04:13:08 2013 -+++ ext/openssl/lib/openssl/ssl.rb Sun Jul 14 19:24:37 2013 -@@ -88,7 +88,7 @@ module OpenSSL - should_verify_common_name = true - cert.extensions.each{|ext| - next if ext.oid != "subjectAltName" -- id, ostr = OpenSSL::ASN1.decode(ext.to_der).value -+ ostr = OpenSSL::ASN1.decode(ext.to_der).value.last - sequence = OpenSSL::ASN1.decode(ostr.value) - sequence.value.each{|san| - case san.tag Index: 2.0/patches/patch-include_ruby_intern_h =================================================================== RCS file: 2.0/patches/patch-include_ruby_intern_h diff -N 2.0/patches/patch-include_ruby_intern_h --- 2.0/patches/patch-include_ruby_intern_h 17 Jul 2013 15:52:55 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,14 +0,0 @@ -$OpenBSD: patch-include_ruby_intern_h,v 1.1 2013/07/17 15:52:55 jeremy Exp $ - -Don't break ABI in a patch level release, from ruby svn r41875. - ---- include/ruby/intern.h.orig Sun Jul 14 19:25:14 2013 -+++ include/ruby/intern.h Sun Jul 14 19:25:28 2013 -@@ -350,6 +350,7 @@ VALUE rb_require_safe(VALUE, int); - void rb_obj_call_init(VALUE, int, VALUE*); - VALUE rb_class_new_instance(int, VALUE*, VALUE); - VALUE rb_block_proc(void); -+VALUE rb_f_lambda(void); - VALUE rb_block_lambda(void); - VALUE rb_proc_new(VALUE (*)(ANYARGS/* VALUE yieldarg[, VALUE procarg] */), VALUE); - VALUE rb_obj_is_proc(VALUE); Index: 2.0/pkg/PLIST-main =================================================================== RCS file: /cvs/ports/lang/ruby/2.0/pkg/PLIST-main,v retrieving revision 1.2 diff -u -p -r1.2 PLIST-main --- 2.0/pkg/PLIST-main 17 May 2013 20:11:43 -0000 1.2 +++ 2.0/pkg/PLIST-main 22 Nov 2013 06:46:13 -0000 @@ -854,11 +854,10 @@ lib/ruby/${RUBYLIBREV}/rubygems/source_s lib/ruby/${RUBYLIBREV}/rubygems/spec_fetcher.rb lib/ruby/${RUBYLIBREV}/rubygems/specification.rb lib/ruby/${RUBYLIBREV}/rubygems/ssl_certs/ -lib/ruby/${RUBYLIBREV}/rubygems/ssl_certs/AddTrustExternalCARoot.pem -lib/ruby/${RUBYLIBREV}/rubygems/ssl_certs/Entrust_net-Secure-Server-Certification-Authority.pem -lib/ruby/${RUBYLIBREV}/rubygems/ssl_certs/GeoTrust_Global_CA.pem -lib/ruby/${RUBYLIBREV}/rubygems/ssl_certs/VerisignClass3PublicPrimaryCertificationAuthority-G2.pem -lib/ruby/${RUBYLIBREV}/rubygems/ssl_certs/ca-bundle.pem +lib/ruby/${RUBYLIBREV}/rubygems/ssl_certs/Class3PublicPrimaryCertificationAuthority.pem +lib/ruby/${RUBYLIBREV}/rubygems/ssl_certs/DigiCertHighAssuranceEVRootCA.pem +lib/ruby/${RUBYLIBREV}/rubygems/ssl_certs/EntrustnetSecureServerCertificationAuthority.pem +lib/ruby/${RUBYLIBREV}/rubygems/ssl_certs/GeoTrustGlobalCA.pem lib/ruby/${RUBYLIBREV}/rubygems/syck_hack.rb lib/ruby/${RUBYLIBREV}/rubygems/test_case.rb lib/ruby/${RUBYLIBREV}/rubygems/test_utilities.rb Index: 2.0/pkg/PLIST-ri_docs =================================================================== RCS file: /cvs/ports/lang/ruby/2.0/pkg/PLIST-ri_docs,v retrieving revision 1.3 diff -u -p -r1.3 PLIST-ri_docs --- 2.0/pkg/PLIST-ri_docs 17 Jul 2013 15:52:56 -0000 1.3 +++ 2.0/pkg/PLIST-ri_docs 22 Nov 2013 06:48:18 -0000 @@ -2719,6 +2719,7 @@ share/ri/${RUBYLIBREV}/system/Gem/Comman share/ri/${RUBYLIBREV}/system/Gem/Commands/RdocCommand/new-c.ri share/ri/${RUBYLIBREV}/system/Gem/Commands/SearchCommand/ share/ri/${RUBYLIBREV}/system/Gem/Commands/SearchCommand/cdesc-SearchCommand.ri +share/ri/${RUBYLIBREV}/system/Gem/Commands/SearchCommand/execute-i.ri share/ri/${RUBYLIBREV}/system/Gem/Commands/SearchCommand/new-c.ri share/ri/${RUBYLIBREV}/system/Gem/Commands/ServerCommand/ share/ri/${RUBYLIBREV}/system/Gem/Commands/ServerCommand/cdesc-ServerCommand.ri @@ -2739,6 +2740,7 @@ share/ri/${RUBYLIBREV}/system/Gem/Comman share/ri/${RUBYLIBREV}/system/Gem/Commands/SetupCommand/rb_files_in-i.ri share/ri/${RUBYLIBREV}/system/Gem/Commands/SetupCommand/remove_old_bin_files-i.ri share/ri/${RUBYLIBREV}/system/Gem/Commands/SetupCommand/remove_old_lib_files-i.ri +share/ri/${RUBYLIBREV}/system/Gem/Commands/SetupCommand/show_release_notes-i.ri share/ri/${RUBYLIBREV}/system/Gem/Commands/SetupCommand/uninstall_old_gemcutter-i.ri share/ri/${RUBYLIBREV}/system/Gem/Commands/SourcesCommand/ share/ri/${RUBYLIBREV}/system/Gem/Commands/SourcesCommand/cdesc-SourcesCommand.ri @@ -3203,6 +3205,7 @@ share/ri/${RUBYLIBREV}/system/Gem/NameTu share/ri/${RUBYLIBREV}/system/Gem/NameTuple/version-i.ri share/ri/${RUBYLIBREV}/system/Gem/NoAliasYAMLTree/ share/ri/${RUBYLIBREV}/system/Gem/NoAliasYAMLTree/cdesc-NoAliasYAMLTree.ri +share/ri/${RUBYLIBREV}/system/Gem/NoAliasYAMLTree/create-c.ri share/ri/${RUBYLIBREV}/system/Gem/NoAliasYAMLTree/format_time-i.ri share/ri/${RUBYLIBREV}/system/Gem/NoAliasYAMLTree/register-i.ri share/ri/${RUBYLIBREV}/system/Gem/NoAliasYAMLTree/visit_String-i.ri @@ -3383,6 +3386,7 @@ share/ri/${RUBYLIBREV}/system/Gem/Remote share/ri/${RUBYLIBREV}/system/Gem/RemoteFetcher/download-i.ri share/ri/${RUBYLIBREV}/system/Gem/RemoteFetcher/download_to_cache-i.ri share/ri/${RUBYLIBREV}/system/Gem/RemoteFetcher/escape-i.ri +share/ri/${RUBYLIBREV}/system/Gem/RemoteFetcher/escape_auth_info-i.ri share/ri/${RUBYLIBREV}/system/Gem/RemoteFetcher/fetch_file-i.ri share/ri/${RUBYLIBREV}/system/Gem/RemoteFetcher/fetch_http-i.ri share/ri/${RUBYLIBREV}/system/Gem/RemoteFetcher/fetch_https-i.ri @@ -3399,6 +3403,7 @@ share/ri/${RUBYLIBREV}/system/Gem/Remote share/ri/${RUBYLIBREV}/system/Gem/RemoteFetcher/request-i.ri share/ri/${RUBYLIBREV}/system/Gem/RemoteFetcher/reset-i.ri share/ri/${RUBYLIBREV}/system/Gem/RemoteFetcher/unescape-i.ri +share/ri/${RUBYLIBREV}/system/Gem/RemoteFetcher/unescape_auth_info-i.ri share/ri/${RUBYLIBREV}/system/Gem/RemoteFetcher/uri_escaper-i.ri share/ri/${RUBYLIBREV}/system/Gem/RemoteFetcher/user_agent-i.ri share/ri/${RUBYLIBREV}/system/Gem/RemoteInstallationCancelled/ @@ -3636,7 +3641,6 @@ share/ri/${RUBYLIBREV}/system/Gem/Specif share/ri/${RUBYLIBREV}/system/Gem/Specification/author-i.ri share/ri/${RUBYLIBREV}/system/Gem/Specification/authors%3d-i.ri share/ri/${RUBYLIBREV}/system/Gem/Specification/authors-i.ri -share/ri/${RUBYLIBREV}/system/Gem/Specification/autorequire-i.ri share/ri/${RUBYLIBREV}/system/Gem/Specification/base_dir-i.ri share/ri/${RUBYLIBREV}/system/Gem/Specification/bin_dir-i.ri share/ri/${RUBYLIBREV}/system/Gem/Specification/bin_file-i.ri @@ -3691,9 +3695,6 @@ share/ri/${RUBYLIBREV}/system/Gem/Specif share/ri/${RUBYLIBREV}/system/Gem/Specification/full_name-i.ri share/ri/${RUBYLIBREV}/system/Gem/Specification/gem_dir-i.ri share/ri/${RUBYLIBREV}/system/Gem/Specification/gems_dir-i.ri -share/ri/${RUBYLIBREV}/system/Gem/Specification/has_rdoc%3d-i.ri -share/ri/${RUBYLIBREV}/system/Gem/Specification/has_rdoc%3f-i.ri -share/ri/${RUBYLIBREV}/system/Gem/Specification/has_rdoc-i.ri share/ri/${RUBYLIBREV}/system/Gem/Specification/has_unit_tests%3f-i.ri share/ri/${RUBYLIBREV}/system/Gem/Specification/homepage-i.ri share/ri/${RUBYLIBREV}/system/Gem/Specification/initialize_copy-i.ri
