It's like deja vu all over again. Similar vulnerability to the previous one. Here is the link to the vulnerability disclosure:
https://www.ruby-lang.org/en/news/2014/11/13/rexml-dos-cve-2014-8090/ And the links to each release announcement: https://www.ruby-lang.org/en/news/2014/11/13/ruby-2-1-5-is-released/ https://www.ruby-lang.org/en/news/2014/11/13/ruby-2-0-0-p598-is-released/ https://www.ruby-lang.org/en/news/2014/11/13/ruby-1-9-3-p551-is-released/ As before, the patch has been backported to ruby 1.8. I noticed that a previous patch for a REXML vulnerability in 2008 was fixed upstream, but we had duplicate code in a local patch, so remove that local patch for 1.8. No library bumps this time, thankfully. Complies fine on amd64 and i386. I'll be running tests on both before commit. I'll be committing this weekend unless I hear objections. Thanks, Jeremy Index: 1.8/Makefile =================================================================== RCS file: /cvs/ports/lang/ruby/1.8/Makefile,v retrieving revision 1.32 diff -u -p -r1.32 Makefile --- 1.8/Makefile 1 Nov 2014 04:56:40 -0000 1.32 +++ 1.8/Makefile 13 Nov 2014 16:29:08 -0000 @@ -20,7 +20,7 @@ PKGNAME-ri_docs= ruby-ri_docs-${VERSION} PKG_ARCH-ri_docs= * PKGSPEC-main= ruby->=1.8,<1.9 -REVISION-main= 2 +REVISION-main= 3 CONFIGURE_ARGS= --program-suffix=18 \ --enable-ipv6 \ Index: 1.8/patches/patch-configure =================================================================== RCS file: /cvs/ports/lang/ruby/1.8/patches/patch-configure,v retrieving revision 1.3 diff -u -p -r1.3 patch-configure --- 1.8/patches/patch-configure 19 Jul 2011 17:06:39 -0000 1.3 +++ 1.8/patches/patch-configure 13 Nov 2014 16:24:47 -0000 @@ -3,9 +3,9 @@ $OpenBSD: patch-configure,v 1.3 2011/07/ Override the arch setting to remove OpenBSD version from it, so ports don't have to be bumped when OpenBSD version changes. ---- configure.orig Sat Jul 2 02:54:02 2011 -+++ configure Mon Jul 18 15:21:06 2011 -@@ -10706,7 +10706,7 @@ if test "$enable_shared" = 'yes'; then +--- configure.orig Thu Jun 27 04:57:43 2013 ++++ configure Thu Nov 13 08:23:54 2014 +@@ -10912,7 +10912,7 @@ if test "$enable_shared" = 'yes'; then ;; openbsd*) SOLIBS='$(LIBS)' @@ -14,7 +14,7 @@ so ports don't have to be bumped when Op ;; solaris*) SOLIBS='$(LIBS)' -@@ -11009,7 +11009,10 @@ _ACEOF +@@ -11215,7 +11215,10 @@ _ACEOF _ACEOF else Index: 1.8/patches/patch-lib_rexml_document_rb =================================================================== RCS file: /cvs/ports/lang/ruby/1.8/patches/patch-lib_rexml_document_rb,v retrieving revision 1.1 diff -u -p -r1.1 patch-lib_rexml_document_rb --- 1.8/patches/patch-lib_rexml_document_rb 23 Sep 2010 21:58:50 -0000 1.1 +++ 1.8/patches/patch-lib_rexml_document_rb 13 Nov 2014 16:28:55 -0000 @@ -1,25 +1,17 @@ $OpenBSD: patch-lib_rexml_document_rb,v 1.1 2010/09/23 21:58:50 jeremy Exp $ -http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ +Fixes CVE-2014-8090: Another Denial Of Service XML Expansion ---- lib/rexml/document.rb.orig Sun Nov 4 05:50:15 2007 -+++ lib/rexml/document.rb Thu Sep 4 09:53:31 2008 -@@ -18,6 +18,18 @@ module REXML - # you create, you must add one; REXML documents do not write a default - # declaration for you. See |DECLARATION| and |write|. - class Document < Element -+ @@entity_expansion_limit = 10_000 -+ def self.entity_expansion_limit= val -+ @@entity_expansion_limit = val -+ end +--- lib/rexml/document.rb.orig Sat May 18 07:55:14 2013 ++++ lib/rexml/document.rb Thu Nov 13 08:28:16 2014 +@@ -236,6 +236,10 @@ module REXML + end + end + ++ def document ++ self ++ end + -+ def record_entity_expansion! -+ @number_of_expansions ||= 0 -+ @number_of_expansions += 1 -+ if @number_of_expansions > @@entity_expansion_limit -+ raise "Number of entity expansions exceeded, processing aborted." -+ end -+ end - # A convenient default XML declaration. If you want an XML declaration, - # the easiest way to add one is mydoc << Document::DECLARATION - # +DEPRECATED+ + private + def build( source ) + Parsers::TreeParser.new( source, self ).parse Index: 1.9/Makefile =================================================================== RCS file: /cvs/ports/lang/ruby/1.9/Makefile,v retrieving revision 1.47 diff -u -p -r1.47 Makefile --- 1.9/Makefile 1 Nov 2014 04:56:09 -0000 1.47 +++ 1.9/Makefile 13 Nov 2014 16:31:11 -0000 @@ -9,7 +9,7 @@ COMMENT-tk = tk interface for ruby COMMENT-ri_docs = ri documentation files for ruby VERSION = 1.9.3 -PATCHLEVEL = 550 +PATCHLEVEL = 551 RUBYLIBREV = 1.9.1 SHARED_LIBS = ruby19 1.1 Index: 1.9/distinfo =================================================================== RCS file: /cvs/ports/lang/ruby/1.9/distinfo,v retrieving revision 1.17 diff -u -p -r1.17 distinfo --- 1.9/distinfo 1 Nov 2014 04:56:09 -0000 1.17 +++ 1.9/distinfo 13 Nov 2014 16:32:54 -0000 @@ -1,2 +1,2 @@ -SHA256 (ruby-1.9.3-p550.tar.gz) = 1s8AjZ86mu7S7wRCjxnWbiiu2KcUVvftumhifTMCzWs= -SIZE (ruby-1.9.3-p550.tar.gz) = 12605180 +SHA256 (ruby-1.9.3-p551.tar.gz) = u1vlXNH0nJW7Bbb1h3ATdrU9MQ6xu3x2+9RFocdbUeg= +SIZE (ruby-1.9.3-p551.tar.gz) = 12605119 Index: 2.0/Makefile =================================================================== RCS file: /cvs/ports/lang/ruby/2.0/Makefile,v retrieving revision 1.16 diff -u -p -r1.16 Makefile --- 2.0/Makefile 1 Nov 2014 04:54:43 -0000 1.16 +++ 2.0/Makefile 13 Nov 2014 16:31:20 -0000 @@ -6,7 +6,7 @@ COMMENT-tk = tk interface for ruby COMMENT-ri_docs = ri documentation files for ruby VERSION = 2.0.0 -PATCHLEVEL = 594 +PATCHLEVEL = 598 RUBYLIBREV = 2.0 DISTNAME = ruby-${VERSION}-p${PATCHLEVEL} Index: 2.0/distinfo =================================================================== RCS file: /cvs/ports/lang/ruby/2.0/distinfo,v retrieving revision 1.8 diff -u -p -r1.8 distinfo --- 2.0/distinfo 1 Nov 2014 04:54:43 -0000 1.8 +++ 2.0/distinfo 13 Nov 2014 16:33:11 -0000 @@ -1,2 +1,2 @@ -SHA256 (ruby-2.0.0-p594.tar.gz) = 7lFd17F828EGOWzUMvVmK7C1r8BQREaRdZFKq2Xzxuc= -SIZE (ruby-2.0.0-p594.tar.gz) = 13606970 +SHA256 (ruby-2.0.0-p598.tar.gz) = QTa/fXZMvMHH2igk7Sgmw1UPK2KvZzx53b+QSbEglf0= +SIZE (ruby-2.0.0-p598.tar.gz) = 13608640 Index: 2.0/patches/patch-test_rexml_test_document_rb =================================================================== RCS file: 2.0/patches/patch-test_rexml_test_document_rb diff -N 2.0/patches/patch-test_rexml_test_document_rb --- 2.0/patches/patch-test_rexml_test_document_rb 1 Nov 2014 04:54:43 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,15 +0,0 @@ -$OpenBSD: patch-test_rexml_test_document_rb,v 1.1 2014/11/01 04:54:43 jeremy Exp $ - -Fix error in backported patch. - ---- test/rexml/test_document.rb.orig Mon Oct 27 20:08:32 2014 -+++ test/rexml/test_document.rb Mon Oct 27 20:08:41 2014 -@@ -57,7 +57,7 @@ EOF - <!ENTITY % f "%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;"> - <!ENTITY % g "%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;"> - <!ENTITY test "test %g;"> --+]> -+]> - <cd></cd> - EOF - Index: 2.1/Makefile =================================================================== RCS file: /cvs/ports/lang/ruby/2.1/Makefile,v retrieving revision 1.10 diff -u -p -r1.10 Makefile --- 2.1/Makefile 1 Nov 2014 04:53:09 -0000 1.10 +++ 2.1/Makefile 13 Nov 2014 16:31:30 -0000 @@ -9,7 +9,7 @@ COMMENT-gdbm = gdbm interface for ruby COMMENT-tk = tk interface for ruby COMMENT-ri_docs = ri documentation files for ruby -VERSION = 2.1.4 +VERSION = 2.1.5 RUBYLIBREV = 2.1 DISTNAME = ruby-${VERSION} Index: 2.1/distinfo =================================================================== RCS file: /cvs/ports/lang/ruby/2.1/distinfo,v retrieving revision 1.5 diff -u -p -r1.5 distinfo --- 2.1/distinfo 1 Nov 2014 04:53:09 -0000 1.5 +++ 2.1/distinfo 13 Nov 2014 16:33:16 -0000 @@ -1,2 +1,2 @@ -SHA256 (ruby-2.1.4.tar.gz) = v5lSzes6DGpaJ3Rcm0wOXiZOkrZpsrCO+zY/UVZUkgQ= -SIZE (ruby-2.1.4.tar.gz) = 15127418 +SHA256 (ruby-2.1.5.tar.gz) = QwXMbOsJTfVSENg1SNy+tRF9dO6iUZapsU+iaNNUsQA= +SIZE (ruby-2.1.5.tar.gz) = 15127433
