head 1.12; access; symbols OPENPKG_E1_MP_HEAD:1.11 OPENPKG_E1_MP:1.11 OPENPKG_E1_MP_2_STABLE:1.6.4.3 OPENPKG_E1_FP:1.6.4.3 OPENPKG_2_STABLE_MP:1.9 OPENPKG_2_STABLE_20061018:1.6.4.2 OPENPKG_2_STABLE_20060622:1.6 OPENPKG_2_STABLE:1.6.0.4 OPENPKG_2_STABLE_BP:1.6 OPENPKG_2_5_RELEASE:1.6 OPENPKG_2_5_SOLID:1.6.0.2 OPENPKG_2_5_SOLID_BP:1.6 OPENPKG_2_4_RELEASE:1.4 OPENPKG_2_4_SOLID:1.4.0.2 OPENPKG_2_4_SOLID_BP:1.4 OPENPKG_CW_FP:1.4 OPENPKG_2_3_RELEASE:1.2 OPENPKG_2_3_SOLID:1.2.0.8 OPENPKG_2_3_SOLID_BP:1.2 OPENPKG_2_2_RELEASE:1.2 OPENPKG_2_2_SOLID:1.2.0.6 OPENPKG_2_2_SOLID_BP:1.2 OPENPKG_2_1_RELEASE:1.2 OPENPKG_2_1_SOLID:1.2.0.4 OPENPKG_2_1_SOLID_BP:1.2 OPENPKG_2_0_RELEASE:1.2 OPENPKG_2_0_SOLID:1.2.0.2 OPENPKG_2_0_SOLID_BP:1.2 OPENPKG_1_3_RELEASE:1.1 OPENPKG_1_3_SOLID:1.1.0.6 OPENPKG_1_3_SOLID_BP:1.1 OPENPKG_1_STABLE_MP:1.1 OPENPKG_1_2_RELEASE:1.1 OPENPKG_1_2_SOLID:1.1.0.4 OPENPKG_1_2_SOLID_BP:1.1 OPENPKG_1_STABLE:1.1.0.2 OPENPKG_1_STABLE_BP:1.1; locks; strict; comment @# @; 1.12 date 2007.03.13.07.16.19; author rse; state Exp; branches; next 1.11; commitid PRW9HuMnoXG7KT9s; 1.11 date 2006.12.25.19.14.46; author rse; state Exp; branches; next 1.10; commitid xlbGPns1Z1D3eWZr; 1.10 date 2006.12.04.17.03.26; author cs; state Exp; branches; next 1.9; commitid 1Q1DpQ3XqH9PaeXr; 1.9 date 2006.11.04.13.17.39; author rse; state Exp; branches; next 1.8; commitid URiU7IjpQPvaTlTr; 1.8 date 2006.08.25.19.37.37; author rse; state Exp; branches; next 1.7; commitid 1ozajzEbqII1hgKr; 1.7 date 2006.07.28.08.59.30; author rse; state Exp; branches; next 1.6; commitid 9OEYTDg4P9RUDBGr; 1.6 date 2005.09.21.06.29.30; author rse; state Exp; branches 1.6.2.1 1.6.4.1; next 1.5; 1.5 date 2005.07.07.09.45.21; author rse; state Exp; branches; next 1.4; 1.4 date 2005.03.17.15.44.15; author rse; state Exp; branches; next 1.3; 1.3 date 2005.03.17.12.07.36; author rse; state Exp; branches; next 1.2; 1.2 date 2003.08.05.18.42.13; author rse; state Exp; branches; next 1.1; 1.1 date 2002.12.30.09.37.57; 
author rse; state Exp; branches; next ; 1.6.2.1 date 2006.07.28.09.04.24; author rse; state Exp; branches; next ; commitid 9fsFZds9k2aAFBGr; 1.6.4.1 date 2006.07.28.09.00.34; author rse; state Exp; branches; next 1.6.4.2; commitid wneP2kb5tZqhEBGr; 1.6.4.2 date 2006.10.16.14.55.56; author rse; state Exp; branches; next 1.6.4.3; commitid iZxwRSmmWscPXUQr; 1.6.4.3 date 2006.10.20.14.40.32; author rse; state Exp; branches; next 1.6.4.4; commitid H3LpSYag47RvPqRr; 1.6.4.4 date 2006.11.04.13.18.33; author rse; state Exp; branches; next ; commitid PexSlEumnVJuTlTr; desc @@ 1.12 log @upgrading package: ruby 1.8.5p12 -> 1.8.6 @ text @Index: configure --- configure.orig 2007-03-12 20:19:03 +0100 +++ configure 2007-03-13 08:08:33 +0100 @@@@ -15935,7 +15935,7 @@@@ rb_cv_dlopen=yes ;; esix*|uxpds*) : ${LDSHARED="ld -G"} rb_cv_dlopen=yes ;; - osf*) : ${LDSHARED="ld -shared -expect_unresolved \"*\""} + osf*) : ${LDSHARED="ld -shared -expect_unresolved \"*\" -oldstyle_liblookup"} rb_cv_dlopen=yes ;; bsdi3*) case "$CC" in *shlicc*) : ${LDSHARED="$CC -r"} Index: ext/dbm/extconf.rb --- ext/dbm/extconf.rb.orig 2007-02-13 00:01:19 +0100 +++ ext/dbm/extconf.rb 2007-03-13 08:11:50 +0100 @@@@ -5,7 +5,7 @@@@ if dblib = with_config("dbm-type", nil) dblib = dblib.split(/[ ,]+/) else - dblib = %w(db db2 db1 dbm gdbm gdbm_compat qdbm) + dblib = %w(dbm db2 db1 db gdbm gdbm_compat qdbm) end headers = { @ 1.11 log @upgrading package: ruby 1.8.5p2 -> 1.8.5p12 @ text @d2 3 a4 3 --- configure.orig 2006-12-16 00:27:37 +0100 +++ configure 2006-12-25 19:40:08 +0100 @@@@ -18285,7 +18285,7 @@@@ d14 5 a18 5 --- ext/dbm/extconf.rb.orig 2006-12-05 20:27:06 +0100 +++ ext/dbm/extconf.rb 2006-12-25 19:41:45 +0100 @@@@ -48,7 +48,7 @@@@ if dblib dbm_hdr = db_check(dblib) d20 2 a21 4 - dbm_hdr = %w(db db2 db1 dbm gdbm gdbm_compat qdbm).any? do |dblib| + dbm_hdr = %w(dbm db2 db1 db gdbm gdbm_compat qdbm).any? 
do |dblib| db_check(dblib) end d23 2 @ 1.10 log @upgrading package: ruby 1.8.5 -> 1.8.5p2 @ text @d2 3 a4 3 --- configure.orig 2006-08-25 10:34:16 +0200 +++ configure 2006-08-25 21:35:39 +0200 @@@@ -18137,7 +18137,7 @@@@ d14 2 a15 2 --- ext/dbm/extconf.rb.orig 2006-05-26 01:44:05 +0200 +++ ext/dbm/extconf.rb 2006-08-25 21:35:39 +0200 d18 1 a18 1 db_check(dblib) d20 3 a22 3 - for dblib in %w(db db2 db1 dbm gdbm gdbm_compat qdbm) + for dblib in %w(dbm db2 db1 db gdbm gdbm_compat qdbm) db_check(dblib) and break @ 1.9 log @Security Fix (CVE-2006-5467) @ text @a24 17 ----------------------------------------------------------------------------- Security Fix (CVE-2006-5467) Index: lib/cgi.rb --- lib/cgi.rb.orig 2006-08-22 11:38:19 +0200 +++ lib/cgi.rb 2006-11-04 14:11:46 +0100 @@@@ -1018,7 +1018,7 @@@@ else stdinput.read(content_length) end - if c.nil? + if c.nil? || c.empty? raise EOFError, "bad content body" end buf.concat(c) @ 1.8 log @upgrading package: ruby 1.8.4 -> 1.8.5 @ text @d25 17 @ 1.7 log @Security Fixes (CVE-2006-3694) @ text @d2 3 a4 3 --- configure.orig 2005-09-21 02:10:31 +0200 +++ configure 2005-09-21 08:24:44 +0200 @@@@ -14293,7 +14293,7 @@@@ d14 2 a15 2 --- ext/dbm/extconf.rb.orig 2003-07-24 09:41:36 +0200 +++ ext/dbm/extconf.rb 2005-09-21 08:24:44 +0200 a24 93 ----------------------------------------------------------------------------- Security Fixes (CVE-2006-3694) - eval.c, alias(): preserve current safe level http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/eval.c?cvsroot=src&r1=1.616.2.166&r2=1.616.2.167 (only relevant part) - re.c: do not modify untainted levels in safe levels > 3 http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/re.c?cvsroot=src&r1=1.114.2.17&r2=1.114.2.18 (only last hunk is relevant) - dir.c: should not close untainted dir stream http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/dir.c?cvsroot=src&r1=1.92.2.32&r2=1.92.2.33 Index: dir.c --- dir.c.orig 2005-09-14 15:40:58 +0200 +++ dir.c 2006-07-28 10:47:57 +0200 @@@@ -325,7 
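Review bot: The `c.nil? || c.empty?` guard in the lib/cgi.rb hunk (revision 1.9, CVE-2006-5467) has no comment saying why an empty read is treated like end of input, so a later cleanup could drop the `empty?` half without noticing that it is the security fix. The loop around this read starts and ends outside the hunk. Presumably a zero-length chunk makes no progress towards `content_length`, which is worth confirming and then stating above the check, e.g. `# an empty read makes no progress; treat it as a truncated body (CVE-2006-5467)`. A regression test in which the read returns an empty string and `EOFError` is expected would pin the behaviour. The same hunk is repeated in revision 1.6.4.4 further down.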
+325,17 @@@@ rb_raise(rb_eIOError, "closed directory"); } +static void +dir_check(dir) + VALUE dir; +{ + if (!OBJ_TAINTED(dir) && rb_safe_level() >= 4) + rb_raise(rb_eSecurityError, "Insecure: operation on untainted Dir"); + rb_check_frozen(dir); +} + #define GetDIR(obj, dirp) do {\ + dir_check(dir);\ Data_Get_Struct(obj, struct dir_data, dirp);\ if (dirp->dir == NULL) dir_closed();\ } while (0) @@@@ -536,6 +546,9 @@@@ { struct dir_data *dirp; + if (rb_safe_level() >= 4 && !OBJ_TAINTED(dir)) { + rb_raise(rb_eSecurityError, "Insecure: can't close"); + } GetDIR(dir, dirp); closedir(dirp->dir); dirp->dir = NULL; Index: eval.c --- eval.c.orig 2005-12-20 14:41:47 +0100 +++ eval.c 2006-07-28 10:47:57 +0200 @@@@ -2097,7 +2097,8 @@@@ } } st_insert(RCLASS(klass)->m_tbl, name, - (st_data_t)NEW_METHOD(NEW_FBODY(body, def, origin), orig->nd_noex)); + (st_data_t)NEW_METHOD(NEW_FBODY(body, def, origin), + NOEX_WITH_SAFE(orig->nd_noex))); if (singleton) { rb_funcall(singleton, singleton_added, 1, ID2SYM(name)); } @@@@ -5638,6 +5639,11 @@@@ TMP_PROTECT; volatile int safe = -1; + if (NOEX_SAFE(flags) > ruby_safe_level && + !(flags&NOEX_TAINTED) && ruby_safe_level == 0 && NOEX_SAFE(flags) > 2) { + rb_raise(rb_eSecurityError, "calling insecure method: %s", + rb_id2name(id)); + } switch (ruby_iter->iter) { case ITER_PRE: case ITER_PAS: @@@@ -5742,10 +5748,6 @@@@ b2 = body = body->nd_next; if (NOEX_SAFE(flags) > ruby_safe_level) { - if (!(flags&NOEX_TAINTED) && ruby_safe_level == 0 && NOEX_SAFE(flags) > 2) { - rb_raise(rb_eSecurityError, "calling insecure method: %s", - rb_id2name(id)); - } safe = ruby_safe_level; ruby_safe_level = NOEX_SAFE(flags); } Index: re.c --- re.c.orig 2005-12-13 04:27:51 +0100 +++ re.c 2006-07-28 10:47:57 +0200 @@@@ -1332,6 +1332,8 @@@@ { struct RRegexp *re = RREGEXP(obj); + if (!OBJ_TAINTED(obj) && rb_safe_level() >= 4) + rb_raise(rb_eSecurityError, "Insecure: can't modify regexp"); if (re->ptr) re_free_pattern(re->ptr); if (re->str) free(re->str); re->ptr = 
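Review bot: The line added to the `GetDIR(obj, dirp)` macro in the first dir.c hunk calls `dir_check(dir)`, which names a variable at the expansion site instead of the macro parameter `obj`. It compiles only where the caller has a `dir` in scope, and it applies the taint and frozen checks to the right object only if that `dir` is the value passed as `obj`. The call sites are outside the hunk, so whether any of them differ cannot be confirmed from here. The check should follow the argument: `dir_check(obj);\`. The same patch text is repeated in revisions 1.6.2.1 and 1.6.4.1.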
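Review bot: In the eval.c hunk that starts at old line 5638, the hoisted condition keeps `NOEX_SAFE(flags) > ruby_safe_level` even though `ruby_safe_level == 0 && NOEX_SAFE(flags) > 2` already implies it (assuming both are plain integers), which obscures what is being tested. `if (ruby_safe_level == 0 && NOEX_SAFE(flags) > 2 && !(flags&NOEX_TAINTED)) {` states the same test directly. A one-line comment should also say why the check now runs before `switch (ruby_iter->iter)` instead of inside the safe-level block it is removed from in the following hunk. The enclosing function begins and ends outside the hunk. The same text is repeated in revisions 1.6.2.1 and 1.6.4.1.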
0; @ 1.6 log @upgrading package: ruby 1.8.2 -> 1.8.3 @ text @d25 93 @ 1.6.2.1 log @Security Fixes (CVE-2006-3694) @ text @a24 93 ----------------------------------------------------------------------------- Security Fixes (CVE-2006-3694) - eval.c, alias(): preserve current safe level http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/eval.c?cvsroot=src&r1=1.616.2.166&r2=1.616.2.167 (only relevant part) - re.c: do not modify untainted levels in safe levels > 3 http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/re.c?cvsroot=src&r1=1.114.2.17&r2=1.114.2.18 (only last hunk is relevant) - dir.c: should not close untainted dir stream http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/dir.c?cvsroot=src&r1=1.92.2.32&r2=1.92.2.33 Index: dir.c --- dir.c.orig 2005-09-14 15:40:58 +0200 +++ dir.c 2006-07-28 10:47:57 +0200 @@@@ -325,7 +325,17 @@@@ rb_raise(rb_eIOError, "closed directory"); } +static void +dir_check(dir) + VALUE dir; +{ + if (!OBJ_TAINTED(dir) && rb_safe_level() >= 4) + rb_raise(rb_eSecurityError, "Insecure: operation on untainted Dir"); + rb_check_frozen(dir); +} + #define GetDIR(obj, dirp) do {\ + dir_check(dir);\ Data_Get_Struct(obj, struct dir_data, dirp);\ if (dirp->dir == NULL) dir_closed();\ } while (0) @@@@ -536,6 +546,9 @@@@ { struct dir_data *dirp; + if (rb_safe_level() >= 4 && !OBJ_TAINTED(dir)) { + rb_raise(rb_eSecurityError, "Insecure: can't close"); + } GetDIR(dir, dirp); closedir(dirp->dir); dirp->dir = NULL; Index: eval.c --- eval.c.orig 2005-12-20 14:41:47 +0100 +++ eval.c 2006-07-28 10:47:57 +0200 @@@@ -2097,7 +2097,8 @@@@ } } st_insert(RCLASS(klass)->m_tbl, name, - (st_data_t)NEW_METHOD(NEW_FBODY(body, def, origin), orig->nd_noex)); + (st_data_t)NEW_METHOD(NEW_FBODY(body, def, origin), + NOEX_WITH_SAFE(orig->nd_noex))); if (singleton) { rb_funcall(singleton, singleton_added, 1, ID2SYM(name)); } @@@@ -5638,6 +5639,11 @@@@ TMP_PROTECT; volatile int safe = -1; + if (NOEX_SAFE(flags) > ruby_safe_level && + !(flags&NOEX_TAINTED) && ruby_safe_level == 0 && 
NOEX_SAFE(flags) > 2) { + rb_raise(rb_eSecurityError, "calling insecure method: %s", + rb_id2name(id)); + } switch (ruby_iter->iter) { case ITER_PRE: case ITER_PAS: @@@@ -5742,10 +5748,6 @@@@ b2 = body = body->nd_next; if (NOEX_SAFE(flags) > ruby_safe_level) { - if (!(flags&NOEX_TAINTED) && ruby_safe_level == 0 && NOEX_SAFE(flags) > 2) { - rb_raise(rb_eSecurityError, "calling insecure method: %s", - rb_id2name(id)); - } safe = ruby_safe_level; ruby_safe_level = NOEX_SAFE(flags); } Index: re.c --- re.c.orig 2005-12-13 04:27:51 +0100 +++ re.c 2006-07-28 10:47:57 +0200 @@@@ -1332,6 +1332,8 @@@@ { struct RRegexp *re = RREGEXP(obj); + if (!OBJ_TAINTED(obj) && rb_safe_level() >= 4) + rb_raise(rb_eSecurityError, "Insecure: can't modify regexp"); if (re->ptr) re_free_pattern(re->ptr); if (re->str) free(re->str); re->ptr = 0; @ 1.6.4.1 log @Security Fixes (CVE-2006-3694) @ text @a24 93 ----------------------------------------------------------------------------- Security Fixes (CVE-2006-3694) - eval.c, alias(): preserve current safe level http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/eval.c?cvsroot=src&r1=1.616.2.166&r2=1.616.2.167 (only relevant part) - re.c: do not modify untainted levels in safe levels > 3 http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/re.c?cvsroot=src&r1=1.114.2.17&r2=1.114.2.18 (only last hunk is relevant) - dir.c: should not close untainted dir stream http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/dir.c?cvsroot=src&r1=1.92.2.32&r2=1.92.2.33 Index: dir.c --- dir.c.orig 2005-09-14 15:40:58 +0200 +++ dir.c 2006-07-28 10:47:57 +0200 @@@@ -325,7 +325,17 @@@@ rb_raise(rb_eIOError, "closed directory"); } +static void +dir_check(dir) + VALUE dir; +{ + if (!OBJ_TAINTED(dir) && rb_safe_level() >= 4) + rb_raise(rb_eSecurityError, "Insecure: operation on untainted Dir"); + rb_check_frozen(dir); +} + #define GetDIR(obj, dirp) do {\ + dir_check(dir);\ Data_Get_Struct(obj, struct dir_data, dirp);\ if (dirp->dir == NULL) dir_closed();\ } while (0) @@@@ -536,6 
+546,9 @@@@ { struct dir_data *dirp; + if (rb_safe_level() >= 4 && !OBJ_TAINTED(dir)) { + rb_raise(rb_eSecurityError, "Insecure: can't close"); + } GetDIR(dir, dirp); closedir(dirp->dir); dirp->dir = NULL; Index: eval.c --- eval.c.orig 2005-12-20 14:41:47 +0100 +++ eval.c 2006-07-28 10:47:57 +0200 @@@@ -2097,7 +2097,8 @@@@ } } st_insert(RCLASS(klass)->m_tbl, name, - (st_data_t)NEW_METHOD(NEW_FBODY(body, def, origin), orig->nd_noex)); + (st_data_t)NEW_METHOD(NEW_FBODY(body, def, origin), + NOEX_WITH_SAFE(orig->nd_noex))); if (singleton) { rb_funcall(singleton, singleton_added, 1, ID2SYM(name)); } @@@@ -5638,6 +5639,11 @@@@ TMP_PROTECT; volatile int safe = -1; + if (NOEX_SAFE(flags) > ruby_safe_level && + !(flags&NOEX_TAINTED) && ruby_safe_level == 0 && NOEX_SAFE(flags) > 2) { + rb_raise(rb_eSecurityError, "calling insecure method: %s", + rb_id2name(id)); + } switch (ruby_iter->iter) { case ITER_PRE: case ITER_PAS: @@@@ -5742,10 +5748,6 @@@@ b2 = body = body->nd_next; if (NOEX_SAFE(flags) > ruby_safe_level) { - if (!(flags&NOEX_TAINTED) && ruby_safe_level == 0 && NOEX_SAFE(flags) > 2) { - rb_raise(rb_eSecurityError, "calling insecure method: %s", - rb_id2name(id)); - } safe = ruby_safe_level; ruby_safe_level = NOEX_SAFE(flags); } Index: re.c --- re.c.orig 2005-12-13 04:27:51 +0100 +++ re.c 2006-07-28 10:47:57 +0200 @@@@ -1332,6 +1332,8 @@@@ { struct RRegexp *re = RREGEXP(obj); + if (!OBJ_TAINTED(obj) && rb_safe_level() >= 4) + rb_raise(rb_eSecurityError, "Insecure: can't modify regexp"); if (re->ptr) re_free_pattern(re->ptr); if (re->str) free(re->str); re->ptr = 0; @ 1.6.4.2 log @Mass merge from CURRENT to 2-STABLE (all packages except those of JUNK class) @ text @d2 3 a4 3 --- configure.orig 2006-08-25 10:34:16 +0200 +++ configure 2006-08-25 21:35:39 +0200 @@@@ -18137,7 +18137,7 @@@@ d14 2 a15 2 --- ext/dbm/extconf.rb.orig 2006-05-26 01:44:05 +0200 +++ ext/dbm/extconf.rb 2006-08-25 21:35:39 +0200 @ 1.6.4.3 log @resynchronize patch with CURRENT @ text @d25 93 @ 
1.6.4.4 log @MFC: Security Fix (CVE-2006-5467) @ text @a24 17 ----------------------------------------------------------------------------- Security Fix (CVE-2006-5467) Index: lib/cgi.rb --- lib/cgi.rb.orig 2006-08-22 11:38:19 +0200 +++ lib/cgi.rb 2006-11-04 14:11:46 +0100 @@@@ -1018,7 +1018,7 @@@@ else stdinput.read(content_length) end - if c.nil? + if c.nil? || c.empty? raise EOFError, "bad content body" end buf.concat(c) @ 1.5 log @fix building against OpenSSL 0.9.8 @ text @d2 3 a4 3 --- configure.orig 2004-12-25 03:24:04 +0100 +++ configure 2005-07-07 11:41:28 +0200 @@@@ -13991,7 +13991,7 @@@@ d15 1 a15 1 +++ ext/dbm/extconf.rb 2005-07-07 11:41:28 +0200 a24 33 Index: ext/digest/md5/md5ossl.h --- ext/digest/md5/md5ossl.h.orig 2002-09-26 18:27:23 +0200 +++ ext/digest/md5/md5ossl.h 2005-07-07 11:42:52 +0200 @@@@ -3,6 +3,7 @@@@ #ifndef MD5OSSL_H_INCLUDED #define MD5OSSL_H_INCLUDED +#include #include void MD5_End(MD5_CTX *pctx, unsigned char *hexdigest); Index: ext/digest/rmd160/rmd160ossl.h --- ext/digest/rmd160/rmd160ossl.h.orig 2002-09-26 19:26:46 +0200 +++ ext/digest/rmd160/rmd160ossl.h 2005-07-07 11:43:15 +0200 @@@@ -3,6 +3,7 @@@@ #ifndef RMD160OSSL_H_INCLUDED #define RMD160OSSL_H_INCLUDED +#include #include #define RMD160_CTX RIPEMD160_CTX Index: ext/digest/sha1/sha1ossl.h --- ext/digest/sha1/sha1ossl.h.orig 2002-09-26 19:44:33 +0200 +++ ext/digest/sha1/sha1ossl.h 2005-07-07 11:43:46 +0200 @@@@ -3,6 +3,7 @@@@ #ifndef SHA1OSSL_H_INCLUDED #define SHA1OSSL_H_INCLUDED +#include #include #define SHA1_CTX SHA_CTX @ 1.4 log @fix order of arguments @ text @a0 11 --- ext/dbm/extconf.rb.orig 2002-12-16 08:34:23.000000000 +0100 +++ ext/dbm/extconf.rb 2002-12-30 10:04:05.000000000 +0100 @@@@ -47,7 +47,7 @@@@ if dblib db_check(dblib) else - for dblib in %w(db db2 db1 dbm gdbm gdbm_compat qdbm) + for dblib in %w(dbm db2 db1 db gdbm gdbm_compat qdbm) db_check(dblib) and break end end d3 1 a3 1 +++ configure 2005-03-17 13:07:01 +0100 d13 45 @ 1.3 log @apply a workaround for 
Tru64 @ text @d20 1 a20 1 + osf*) : ${LDSHARED="ld -shared -expect_unresolved -oldstyle_liblookup \"*\""} @ 1.2 log @upgrading package: ruby 1.6.8 -> 1.8.0 @ text @d12 12 @ 1.1 log @add patch to CVS, too @ text @d7 2 a8 2 - for dblib in %w(db db2 db1 dbm gdbm) + for dblib in %w(dbm db2 db1 db gdbm) @