Pullup ticket #769 - requested by Takahiro Kambe

security and portability fixes for ruby18-base Revisions pulled up: - pkgsrc/lang/ruby18-base/Makefile 1.7, 1.8 - pkgsrc/lang/ruby18-base/distinfo 1.3, 1.4, 1.5 - pkgsrc/lang/ruby18-base/patches/patch-aa 1.2 - pkgsrc/lang/ruby18-base/patches/patch-ab 1.2 - pkgsrc/lang/ruby18-base/patches/patch-ad 1.1 - pkgsrc/lang/ruby18-base/patches/patch-au 1.1 - pkgsrc/lang/ruby18-base/patches/patch-av 1.1 - pkgsrc/lang/ruby18-base/patches/patch-aw 1.1 - pkgsrc/lang/ruby18-base/patches/patch-ax 1.1 - pkgsrc/lang/ruby18-base/patches/patch-ay 1.1 - pkgsrc/lang/ruby18-base/patches/patch-az 1.1 Module Name: pkgsrc Committed By: taca Date: Sun Sep 18 13:38:50 UTC 2005 Modified Files: pkgsrc/lang/ruby18-base: Makefile distinfo Added Files: pkgsrc/lang/ruby18-base/patches: patch-au patch-av patch-aw patch-ax patch-ay patch-az Log Message: Adding DrafonFly BSD support based on patch provided by Joerg Sonnenberger. Bump PKGREVISION. --- Module Name: pkgsrc Committed By: taca Date: Mon Sep 19 15:19:13 UTC 2005 Modified Files: pkgsrc/lang/ruby18-base: distinfo pkgsrc/lang/ruby18-base/patches: patch-aa patch-ab Log Message: Rearrange configure script a little: - Correct case statement moving "interix3*)" to before "interrix*)" since "interix3*)" wouldn't match and always match to "interix*)". - Remove "interix3*" in the case condition which always "interix*" pattern. This dosen't fix anything bulding on Interix3 (SFU 3.5) and on other platforms, but fix obvious mistake in configure script. --- Module Name: pkgsrc Committed By: taca Date: Wed Sep 21 14:03:22 UTC 2005 Modified Files: pkgsrc/lang/ruby18-base: Makefile distinfo Added Files: pkgsrc/lang/ruby18-base/patches: patch-ad Log Message: Add a patch for fix the security problem which allows an arbitrary code to run bypassing the safe level check. The patch was provided by Yukihiro Matsumoto on ruby-dev mailing list. Bump PKGREVISION.
jsonn · Sep 22, 2005 · cff7e31 · cff7e31
1 parent 6e57142
commit cff7e31
Show file tree

Hide file tree

Showing 11 changed files with 315 additions and 49 deletions.
diff --git a/lang/ruby18-base/Makefile b/lang/ruby18-base/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.5.2.1 2005/06/24 08:40:44 salo Exp $
+# $NetBSD: Makefile,v 1.5.2.2 2005/09/22 16:44:59 salo Exp $
 #
 
 DISTNAME=	${RUBY_DISTNAME}
 PKGNAME=	${RUBY_PKGPREFIX}-base-${RUBY_VERSION}
-PKGREVISION=	2
+PKGREVISION=	4
 CATEGORIES=	lang ruby
 MASTER_SITES=	${MASTER_SITE_RUBY}
 

diff --git a/lang/ruby18-base/distinfo b/lang/ruby18-base/distinfo
@@ -1,11 +1,12 @@
-$NetBSD: distinfo,v 1.1.1.1.4.1 2005/06/24 08:40:44 salo Exp $
+$NetBSD: distinfo,v 1.1.1.1.4.2 2005/09/22 16:45:00 salo Exp $
 
 SHA1 (ruby/ruby-1.8.2.tar.gz) = 409a917d3a0aba41f45bd053b767c85b2bc35ffa
 RMD160 (ruby/ruby-1.8.2.tar.gz) = fc4dcdc2dda9bfbcf8ca19ca090aa55a18ea06a4
 Size (ruby/ruby-1.8.2.tar.gz) = 3627349 bytes
-SHA1 (patch-aa) = 5d000eaeac3d5166073863f002b1d7eb551405fa
-SHA1 (patch-ab) = 0b419b2948409e6375eb605bb33623f97bf0d91d
+SHA1 (patch-aa) = b0c96d7f10ff48245f97d7561e33ced4c4fed69d
+SHA1 (patch-ab) = eeb4048b99784392b7a09a904748e8ff23205580
 SHA1 (patch-ac) = 8a60292e7fd312df639404fc015c4f3eeef49137
+SHA1 (patch-ad) = 79661e47e0a489cf8f2ad81a9c816ce23d88902b
 SHA1 (patch-al) = a62c126e971a0d45b00e873802bc9ee67786c47e
 SHA1 (patch-am) = fe000acf64e20245058c83319030e11606e75004
 SHA1 (patch-an) = aa56ea179d9b7bf6ece22b4d8bba0c9137a0e342
@@ -15,3 +16,9 @@ SHA1 (patch-aq) = be270544464ad51bbc1e2deb238dec16ab7308d7
 SHA1 (patch-ar) = b9743d012e1c70573b590973a68e1d640ebab1c5
 SHA1 (patch-as) = 19acb0f24b0e24c6253ea5df8592a39b38223b91
 SHA1 (patch-at) = ee6b178f5fe31616253e5b47a979c31d18db2a6c
+SHA1 (patch-au) = f49bce921fec7d58c59e686d83c671ae71e28e1d
+SHA1 (patch-av) = 16955a5779607374b8ca80ab1abe04d07dcef03d
+SHA1 (patch-aw) = 95ccd93d39f9b13e5a4c34f5dae5764e984b5682
+SHA1 (patch-ax) = 00e9e4ba94fb550863d635d91b3da0aed3b15dea
+SHA1 (patch-ay) = ff77057f34279635d05a80ce316a478e3b528ab4
+SHA1 (patch-az) = 22484716620583e289da3c7d01a55163a1194d93
diff --git a/lang/ruby18-base/patches/patch-aa b/lang/ruby18-base/patches/patch-aa
@@ -1,4 +1,4 @@
-$NetBSD: patch-aa,v 1.1.1.1 2005/03/06 16:36:57 taca Exp $
+$NetBSD: patch-aa,v 1.1.1.1.4.1 2005/09/22 16:45:00 salo Exp $
 
 --- configure.in.orig	2004-12-23 00:16:55.000000000 +0900
 +++ configure.in
@@ -12,17 +12,8 @@ $NetBSD: patch-aa,v 1.1.1.1 2005/03/06 16:36:57 taca Exp $
  freebsd*)	LIBS="-lm $LIBS"
  		AC_CACHE_CHECK([whether -lxpg4 has to be linked],
  		  rb_cv_lib_xpg4_needed,
-@@ -813,7 +816,7 @@ if test "$with_dln_a_out" != yes; then
-     openstep*)	CCDLFLAGS="$CCDLFLAGS -fno-common";;
-     rhapsody*)	CCDLFLAGS="$CCDLFLAGS -fno-common";;
-     darwin*)	CCDLFLAGS="$CCDLFLAGS -fno-common";;
--    human*|bsdi*|beos*|cygwin*|mingw*|aix*|interix*) ;;
-+    human*|interix3*|bsdi*|beos*|cygwin*|mingw*|aix*|interix*) ;;
-     *) CCDLFLAGS="$CCDLFLAGS -fPIC";;
-     esac
-   else
-@@ -875,6 +878,13 @@ if test "$with_dln_a_out" != yes; then
- 			  test "$GCC" = yes && test "$rb_cv_prog_gnu_ld" = yes || LDSHARED="ld -Bshareable"
+@@ -863,6 +866,13 @@ if test "$with_dln_a_out" != yes; then
+ 			    LDFLAGS="$LDFLAGS -Wl,-export-dynamic"
  			fi
  			rb_cv_dlopen=yes ;;
 +	interix3*)	: ${LDSHARED='${CC} -shared'}
@@ -32,13 +23,13 @@ $NetBSD: patch-aa,v 1.1.1.1 2005/03/06 16:36:57 taca Exp $
 +			LIBPATHFLAG=' -L%1$-s'
 +			RPATHFLAG=' -Wl,-R%1$-s'
 +			rb_cv_dlopen=yes ;;
- 	openbsd*) 	: ${LDSHARED="\$(CC) -shared ${CCDLFLAGS}"}
- 			if test "$rb_cv_binary_elf" = yes; then
- 			    LDFLAGS="$LDFLAGS -Wl,-E"
-@@ -1172,6 +1182,14 @@ if test "$enable_shared" = 'yes'; then
- 	   LIBRUBY_ALIASES=""
- 	fi
-  	;;
+ 	interix*) 	: ${LDSHARED="$CC -shared"}
+ 			XLDFLAGS="$XLDFLAGS -Wl,-E"
+ 			LIBPATHFLAG=" -L'%1\$-s'"
+@@ -1216,6 +1226,14 @@ if test "$enable_shared" = 'yes'; then
+ 	LIBRUBY_DLDFLAGS='-install_name $(libdir)/lib$(RUBY_SO_NAME).dylib -current_version $(MAJOR).$(MINOR).$(TEENY) -compatibility_version $(MAJOR).$(MINOR)'
+ 	LIBRUBY_ALIASES='lib$(RUBY_SO_NAME).$(MAJOR).$(MINOR).dylib lib$(RUBY_SO_NAME).dylib'
+ 	;;
 +    interix3*)
 +	SOLIBS='$(LIBS)'
 +	LIBRUBY_SO='lib$(RUBY_SO_NAME).so.$(MAJOR)$(MINOR).$(TEENY)'
@@ -47,6 +38,6 @@ $NetBSD: patch-aa,v 1.1.1.1 2005/03/06 16:36:57 taca Exp $
 +	LIBRUBYARG_SHARED='-Wl,-R -Wl,${libdir} -L${libdir} -L. -l$(RUBY_SO_NAME)'
 +	LIBRUBY_ALIASES='lib$(RUBY_SO_NAME).so.$(MAJOR)$(MINOR) lib$(RUBY_SO_NAME).so'
 + 	;;
-     openbsd*)
- 	SOLIBS='$(LIBS)'
- 	LIBRUBY_SO='lib$(RUBY_INSTALL_NAME).so.$(MAJOR).'`expr ${MINOR} \* 10 + ${TEENY}`
+     interix*)
+ 	LIBRUBYARG_SHARED='-L${libdir} -L. -l$(RUBY_SO_NAME)'
+ 	;;
diff --git a/lang/ruby18-base/patches/patch-ab b/lang/ruby18-base/patches/patch-ab
@@ -1,4 +1,4 @@
-$NetBSD: patch-ab,v 1.1.1.1 2005/03/06 16:36:57 taca Exp $
+$NetBSD: patch-ab,v 1.1.1.1.4.1 2005/09/22 16:45:00 salo Exp $
 
 --- configure.orig	2004-12-25 19:58:38.000000000 +0900
 +++ configure
@@ -12,17 +12,8 @@ $NetBSD: patch-ab,v 1.1.1.1 2005/03/06 16:36:57 taca Exp $
  freebsd*)	LIBS="-lm $LIBS"
  		echo "$as_me:$LINENO: checking whether -lxpg4 has to be linked" >&5
  echo $ECHO_N "checking whether -lxpg4 has to be linked... $ECHO_C" >&6
-@@ -13953,7 +13956,7 @@ echo $ECHO_N "checking whether OS depend
-     openstep*)	CCDLFLAGS="$CCDLFLAGS -fno-common";;
-     rhapsody*)	CCDLFLAGS="$CCDLFLAGS -fno-common";;
-     darwin*)	CCDLFLAGS="$CCDLFLAGS -fno-common";;
--    human*|bsdi*|beos*|cygwin*|mingw*|aix*|interix*) ;;
-+    human*|interix3*|bsdi*|beos*|cygwin*|mingw*|aix*|interix*) ;;
-     *) CCDLFLAGS="$CCDLFLAGS -fPIC";;
-     esac
-   else
-@@ -14015,6 +14018,13 @@ echo $ECHO_N "checking whether OS depend
- 			  test "$GCC" = yes && test "$rb_cv_prog_gnu_ld" = yes || LDSHARED="ld -Bshareable"
+@@ -14003,6 +14006,13 @@ echo $ECHO_N "checking whether OS depend
+ 			    LDFLAGS="$LDFLAGS -Wl,-export-dynamic"
  			fi
  			rb_cv_dlopen=yes ;;
 +	interix3*)	: ${LDSHARED='${CC} -shared'}
@@ -32,13 +23,13 @@ $NetBSD: patch-ab,v 1.1.1.1 2005/03/06 16:36:57 taca Exp $
 +			LIBPATHFLAG=' -L%1$-s'
 +			RPATHFLAG=' -Wl,-R%1$-s'
 +			rb_cv_dlopen=yes ;;
- 	openbsd*) 	: ${LDSHARED="\$(CC) -shared ${CCDLFLAGS}"}
- 			if test "$rb_cv_binary_elf" = yes; then
- 			    LDFLAGS="$LDFLAGS -Wl,-E"
-@@ -14732,6 +14742,14 @@ if test "$enable_shared" = 'yes'; then
- 	   LIBRUBY_ALIASES=""
- 	fi
-  	;;
+ 	interix*) 	: ${LDSHARED="$CC -shared"}
+ 			XLDFLAGS="$XLDFLAGS -Wl,-E"
+ 			LIBPATHFLAG=" -L'%1\$-s'"
+@@ -14776,6 +14786,14 @@ if test "$enable_shared" = 'yes'; then
+ 	LIBRUBY_DLDFLAGS='-install_name $(libdir)/lib$(RUBY_SO_NAME).dylib -current_version $(MAJOR).$(MINOR).$(TEENY) -compatibility_version $(MAJOR).$(MINOR)'
+ 	LIBRUBY_ALIASES='lib$(RUBY_SO_NAME).$(MAJOR).$(MINOR).dylib lib$(RUBY_SO_NAME).dylib'
+ 	;;
 +    interix3*)
 +	SOLIBS='$(LIBS)'
 +	LIBRUBY_SO='lib$(RUBY_SO_NAME).so.$(MAJOR)$(MINOR).$(TEENY)'
@@ -47,6 +38,6 @@ $NetBSD: patch-ab,v 1.1.1.1 2005/03/06 16:36:57 taca Exp $
 +	LIBRUBYARG_SHARED='-Wl,-R -Wl,${libdir} -L${libdir} -L. -l$(RUBY_SO_NAME)'
 +	LIBRUBY_ALIASES='lib$(RUBY_SO_NAME).so.$(MAJOR)$(MINOR) lib$(RUBY_SO_NAME).so'
 + 	;;
-     openbsd*)
- 	SOLIBS='$(LIBS)'
- 	LIBRUBY_SO='lib$(RUBY_INSTALL_NAME).so.$(MAJOR).'`expr ${MINOR} \* 10 + ${TEENY}`
+     interix*)
+ 	LIBRUBYARG_SHARED='-L${libdir} -L. -l$(RUBY_SO_NAME)'
+ 	;;
diff --git a/lang/ruby18-base/patches/patch-ad b/lang/ruby18-base/patches/patch-ad
@@ -0,0 +1,158 @@
+$NetBSD: patch-ad,v 1.1.2.2 2005/09/22 16:45:00 salo Exp $
+
+--- eval.c.orig	2004-12-18 11:07:29.000000000 +0900
++++ eval.c
+@@ -252,6 +252,11 @@ struct cache_entry {		/* method hash tab
+ static struct cache_entry cache[CACHE_SIZE];
+ static int ruby_running = 0;
+
++#define NOEX_TAINTED 8
++#define NOEX_SAFE(n) ((n) >> 4)
++#define NOEX_WITH(n, v) ((n) | (v) << 4)
++#define NOEX_WITH_SAFE(n) NOEX_WITH(n, ruby_safe_level)
++
+ void
+ rb_clear_cache()
+ {
+@@ -344,7 +349,7 @@ rb_add_method(klass, mid, node, noex)
+     }
+     if (OBJ_FROZEN(klass)) rb_error_frozen("class/module");
+     rb_clear_cache_by_id(mid);
+-    body = NEW_METHOD(node, noex);
++    body = NEW_METHOD(node, NOEX_WITH_SAFE(noex));
+     st_insert(RCLASS(klass)->m_tbl, mid, (st_data_t)body);
+     if (node && mid != ID_ALLOCATOR && ruby_running) {
+ 	if (FL_TEST(klass, FL_SINGLETON)) {
+@@ -5456,20 +5461,21 @@ call_cfunc(func, recv, len, argc, argv)
+ }
+
+ static VALUE
+-rb_call0(klass, recv, id, oid, argc, argv, body, nosuper)
++rb_call0(klass, recv, id, oid, argc, argv, body, flags)
+     VALUE klass, recv;
+     ID    id;
+     ID    oid;
+     int argc;			/* OK */
+     VALUE *argv;		/* OK */
+     NODE *body;			/* OK */
+-    int nosuper;
++    int flags;
+ {
+     NODE *b2;		/* OK */
+     volatile VALUE result = Qnil;
+     int itr;
+     static int tick;
+     TMP_PROTECT;
++    volatile int safe = -1;
+
+     switch (ruby_iter->iter) {
+       case ITER_PRE:
+@@ -5491,7 +5497,7 @@ rb_call0(klass, recv, id, oid, argc, arg
+
+     ruby_frame->last_func = id;
+     ruby_frame->orig_func = oid;
+-    ruby_frame->last_class = nosuper?0:klass;
++    ruby_frame->last_class = (flags & NOEX_UNDEF)?0:klass;
+     ruby_frame->self = recv;
+     ruby_frame->argc = argc;
+     ruby_frame->argv = argv;
+@@ -5553,7 +5559,6 @@ rb_call0(klass, recv, id, oid, argc, arg
+ 	    NODE *saved_cref = 0;
+
+ 	    PUSH_SCOPE();
+-
+ 	    if (body->nd_rval) {
+ 		saved_cref = ruby_cref;
+ 		ruby_cref = (NODE*)body->nd_rval;
+@@ -5572,9 +5577,16 @@ rb_call0(klass, recv, id, oid, argc, arg
+ 	    }
+ 	    b2 = body = body->nd_next;
+
++	    if (NOEX_SAFE(flags) > ruby_safe_level) {
++		if (!(flags&NOEX_TAINTED) && ruby_safe_level == 0 && NOEX_SAFE(flags) > 2) {
++		    rb_raise(rb_eSecurityError, "calling insecure method: %s",
++			     rb_id2name(id));
++		}
++		safe = ruby_safe_level;
++		ruby_safe_level = NOEX_SAFE(flags);
++	    }
+ 	    PUSH_VARS();
+ 	    PUSH_TAG(PROT_FUNC);
+-
+ 	    if ((state = EXEC_TAG()) == 0) {
+ 		NODE *node = 0;
+ 		int i;
+@@ -5653,6 +5665,7 @@ rb_call0(klass, recv, id, oid, argc, arg
+ 		result = prot_tag->retval;
+ 		state = 0;
+ 	    }
++	    if (safe >= 0) ruby_safe_level = safe;
+ 	    POP_TAG();
+ 	    POP_VARS();
+ 	    POP_CLASS();
+@@ -5740,7 +5753,7 @@ rb_call(klass, recv, mid, argc, argv, sc
+ 	}
+     }
+
+-    return rb_call0(klass, recv, mid, id, argc, argv, body, noex & NOEX_NOSUPER);
++    return rb_call0(klass, recv, mid, id, argc, argv, body, noex);
+ }
+
+ VALUE
+@@ -8530,6 +8543,7 @@ struct METHOD {
+     VALUE klass, rklass;
+     VALUE recv;
+     ID id, oid;
++    int safe_level;
+     NODE *body;
+ };
+
+@@ -8577,6 +8591,7 @@ mnew(klass, obj, id, mklass)
+     data->body = body;
+     data->rklass = rklass;
+     data->oid = oid;
++    data->safe_level = NOEX_WITH_SAFE(0);
+     OBJ_INFECT(method, klass);
+
+     return method;
+@@ -8661,6 +8676,7 @@ method_unbind(obj)
+     data->body = orig->body;
+     data->rklass = orig->rklass;
+     data->oid = orig->oid;
++    data->safe_level = NOEX_WITH_SAFE(0);
+     OBJ_INFECT(method, obj);
+
+     return method;
+@@ -8782,26 +8798,21 @@ method_call(argc, argv, method)
+ {
+     VALUE result = Qnil;	/* OK */
+     struct METHOD *data;
+-    int state;
+-    volatile int safe = -1;
++    int safe;
+
+     Data_Get_Struct(method, struct METHOD, data);
+     if (data->recv == Qundef) {
+ 	rb_raise(rb_eTypeError, "you cannot call unbound method; bind first");
+     }
+-    PUSH_ITER(rb_block_given_p()?ITER_PRE:ITER_NOT);
+-    PUSH_TAG(PROT_NONE);
+     if (OBJ_TAINTED(method)) {
+-	safe = ruby_safe_level;
+-	if (ruby_safe_level < 4) ruby_safe_level = 4;
++        safe = NOEX_WITH(data->safe_level, 4)|NOEX_TAINTED;
+     }
+-    if ((state = EXEC_TAG()) == 0) {
+-	result = rb_call0(data->klass,data->recv,data->id,data->oid,argc,argv,data->body,0);
++    else {
++	safe = data->safe_level;
+     }
+-    POP_TAG();
++    PUSH_ITER(rb_block_given_p()?ITER_PRE:ITER_NOT);
++    result = rb_call0(data->klass,data->recv,data->id,data->oid,argc,argv,data->body,safe);
+     POP_ITER();
+-    if (safe >= 0) ruby_safe_level = safe;
+-    if (state) JUMP_TAG(state);
+     return result;
+ }
+
diff --git a/lang/ruby18-base/patches/patch-au b/lang/ruby18-base/patches/patch-au
@@ -0,0 +1,12 @@
+$NetBSD: patch-au,v 1.1.2.2 2005/09/22 16:45:00 salo Exp $
+
+--- error.c.orig	2005-07-15 16:08:36.000000000 +0000
++++ error.c
+@@ -1108,7 +1108,6 @@ void
+ rb_sys_fail(mesg)
+     const char *mesg;
+ {
+-    extern int errno;
+     int n = errno;
+     VALUE arg;
+
diff --git a/lang/ruby18-base/patches/patch-av b/lang/ruby18-base/patches/patch-av
@@ -0,0 +1,52 @@
+$NetBSD: patch-av,v 1.1.2.2 2005/09/22 16:45:00 salo Exp $
+
+--- process.c.orig	2005-07-15 16:12:12.000000000 +0000
++++ process.c
+@@ -2050,7 +2050,6 @@ static VALUE
+ p_uid_change_privilege(obj, id)
+     VALUE obj, id;
+ {
+-    extern int errno;
+     int uid;
+
+     check_uid_switch();
+@@ -2602,7 +2601,6 @@ static VALUE
+ p_gid_change_privilege(obj, id)
+     VALUE obj, id;
+ {
+-    extern int errno;
+     int gid;
+
+     check_gid_switch();
+@@ -3129,7 +3127,6 @@ static VALUE
+ p_uid_switch(obj)
+     VALUE obj;
+ {
+-    extern int errno;
+     int uid, euid;
+
+     check_uid_switch();
+@@ -3171,7 +3168,6 @@ static VALUE
+ p_uid_switch(obj)
+     VALUE obj;
+ {
+-    extern int errno;
+     int uid, euid;
+
+     check_uid_switch();
+@@ -3242,7 +3238,6 @@ static VALUE
+ p_gid_switch(obj)
+     VALUE obj;
+ {
+-    extern int errno;
+     int gid, egid;
+
+     check_gid_switch();
+@@ -3283,7 +3278,6 @@ static VALUE
+ p_gid_switch(obj)
+     VALUE obj;
+ {
+-    extern int errno;
+     int gid, egid;
+
+     check_gid_switch();
diff --git a/lang/ruby18-base/patches/patch-aw b/lang/ruby18-base/patches/patch-aw
@@ -0,0 +1,13 @@
+$NetBSD: patch-aw,v 1.1.2.2 2005/09/22 16:45:00 salo Exp $
+
+--- ext/pty/pty.c.orig	2005-07-15 16:16:50.000000000 +0000
++++ ext/pty/pty.c
+@@ -103,8 +103,6 @@ char	*MasterDevice = "/dev/pty%s",
+
+ static char SlaveName[DEVICELEN];
+
+-extern int errno;
+-
+ #ifndef HAVE_SETEUID
+ # ifdef HAVE_SETREUID
+ #  define seteuid(e)	setreuid(-1, (e))