From owner-freebsd-ports-bugs@FreeBSD.ORG Fri Apr 27 15:20:09 2012
Return-Path:
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9B1B6106566C for ; Fri, 27 Apr 2012 15:20:09 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 6E63C8FC19 for ; Fri, 27 Apr 2012 15:20:09 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q3RFK9Ij070487 for ; Fri, 27 Apr 2012 15:20:09 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q3RFK9K9070486; Fri, 27 Apr 2012 15:20:09 GMT (envelope-from gnats)
Resent-Date: Fri, 27 Apr 2012 15:20:09 GMT
Resent-Message-Id: <201204271520.q3RFK9K9070486@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Eric Freeman
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id DDF141065670 for ; Fri, 27 Apr 2012 15:13:24 +0000 (UTC) (envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22]) by mx1.freebsd.org (Postfix) with ESMTP id AFADF8FC0C for ; Fri, 27 Apr 2012 15:13:24 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1]) by red.freebsd.org (8.14.4/8.14.4) with ESMTP id q3RFDOND076421 for ; Fri, 27 Apr 2012 15:13:24 GMT (envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost) by red.freebsd.org (8.14.4/8.14.4/Submit) id q3RFDO5s076417; Fri, 27 Apr 2012 15:13:24 GMT (envelope-from nobody)
Message-Id: <201204271513.q3RFDO5s076417@red.freebsd.org>
Date: Fri, 27 Apr 2012 15:13:24 GMT
From: Eric Freeman
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc:
Subject: ports/167363: [MAINTAINER] update mail/rubygem-mail to 2.4.4
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Ports bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 27 Apr 2012 15:20:09 -0000

>Number: 167363
>Category: ports
>Synopsis: [MAINTAINER] update mail/rubygem-mail to 2.4.4
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Fri Apr 27 15:20:09 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Eric Freeman
>Release: 9.0
>Organization: Sundive Networks
>Environment:
FreeBSD bsd9.local 9.0-CURRENT-201008 FreeBSD 9.0-CURRENT-201008 #0: Tue Aug 3 20:09:44 UTC 2010 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
Eitan Adler alerted me to two flaws that are present in the version of the 'mail' gem currently in ports. These are both fixed in the current (2.4.4) version.

Please see http://seclists.org/oss-sec/2012/q2/190 for details of the flaws. These will have CVE-2012-2139 and CVE-2012-2140 assigned.

The patch in this PR updates the mail gem to 2.4.4.

As it stands, by the gemspecs there should be some version mismatches with 2.4.4, some pre-existing, some new [1]. That said, I've successfully installed on a clean system and run test scripts using

- mail/rubygem-actionmailer
- mail/rubygem-pony
- mail/rubygem-mail

to send email, so I'm fairly confident this won't break rails or anything.
I have removed the active-support dependency, since this appears to have been removed back in version 2.3.0.

[1] By the gemspec mail requires:
* i18n >= 0.4.0
* mime-types ~> 1.16
* treetop ~> 1.4.8

Currently ports has:
* devel/rubygem-i18n 0.6.0
* misc/rubygem-mime-types 1.17.2
* devel/rubygem-treetop 1.4.10

So mime-types and treetop are currently wrong, but it still appears to work without issues I can see with my limited testing.
>How-To-Repeat:
See http://seclists.org/oss-sec/2012/q2/190
CVE-2012-2139
CVE-2012-2140
>Fix:
--- mail/rubygem-mail.old/Makefile 2012-04-26 20:44:48.000000000 +0100 +++ mail/rubygem-mail/Makefile 2012-04-26 20:47:28.000000000 +0100 @@ -6,7 +6,7 @@ # PORTNAME= mail -PORTVERSION= 2.4.1 +PORTVERSION= 2.4.4 PORTEPOCH= 1 CATEGORIES= mail rubygems MASTER_SITES= RG @@ -18,7 +18,6 @@ RUN_DEPENDS= rubygem-treetop>=1.4.8:${PORTSDIR}/devel/rubygem-treetop \ rubygem-mime-types>=1.16:${PORTSDIR}/misc/rubygem-mime-types \ - rubygem-activesupport>=2.3.6:${PORTSDIR}/devel/rubygem-activesupport \ rubygem-i18n>=0.4.0:${PORTSDIR}/devel/rubygem-i18n USE_RUBY= yes diff -ru mail/rubygem-mail.old/distinfo mail/rubygem-mail/distinfo --- mail/rubygem-mail.old/distinfo 2012-04-26 20:44:48.000000000 +0100 +++ mail/rubygem-mail/distinfo 2012-04-26 20:47:40.000000000 +0100 @@ -1,2 +1,2 @@ -SHA256 (rubygem/mail-2.4.1.gem) = 80d742e6f93c01e7f25015f2cd1f88e8869b9ef4bce3fc22f0f568ce925c050e -SIZE (rubygem/mail-2.4.1.gem) = 121856 +SHA256 (rubygem/mail-2.4.4.gem) = 237625b7e70f8cd9615658e0963c9880094a974cfa9dda7325e3537bcba7be45 +SIZE (rubygem/mail-2.4.4.gem) = 121856
>Release-Note:
>Audit-Trail:
>Unformatted:
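Review bot: in the first Makefile hunk (PORTVERSION 2.4.1 to 2.4.4) the version bump is the entire security fix, so the commit log for this change should carry the two CVE identifiers and the oss-sec reference given in the description, otherwise the ports security advisory entry cannot be tied back to this update; the hunk shows PORTEPOCH= 1 kept, which is right, but no PORTREVISION line is visible in the context, so confirm none exists elsewhere in the Makefile that would need resetting to 0 alongside the new PORTVERSION.

Review bot: the RUN_DEPENDS hunk keeps lower bounds only (`rubygem-treetop>=1.4.8`, `rubygem-mime-types>=1.16`) while the description quotes the gemspec's pessimistic constraints `~> 1.4.8` and `~> 1.16`, which also impose upper bounds (below 1.5 and below 2.0 respectively); under those constraints the ports versions 1.4.10 and 1.17.2 named in footnote [1] are actually in range, but a future devel/rubygem-treetop 1.5.x or misc/rubygem-mime-types 2.x would satisfy the port's `>=` check and still be refused when the gem is loaded. Consider adding the upper bound on the port side or at least recording the gap in the commit log. Separately, dropping `rubygem-activesupport>=2.3.6` is justified by the description (gone since 2.3.0), but check that no port depending on mail/rubygem-mail relied on it to pull in rubygem-activesupport transitively, since this hunk silently stops providing that.

Review bot: the distinfo hunk changes the SHA256 but leaves SIZE at 121856 for both mail-2.4.1.gem and mail-2.4.4.gem, which is what a hand-edited distinfo looks like rather than a regenerated one; regenerate it with `make makesum` and confirm the SIZE line actually changes, because a stale SIZE makes `make checksum` fail for everyone who fetches the updated port.

As an added check that is not part of this PR and not code from the mail gem or the ports tree, the Ruby script below feeds the constraints and versions quoted in the report to RubyGems' own `Gem::Requirement` parser, so the compatibility question raised in footnote [1] is evaluated mechanically rather than by eye. It also probes the gap between the gemspec's pessimistic `~>` bounds and the `>=`-only RUN_DEPENDS visible in the Makefile hunk, by testing the first version each `~>` constraint excludes. All version strings are copied from the PR; the constant and function names are this example's own.

```ruby
# Added example, not part of the PR or the mail gem: evaluate the dependency
# constraints quoted in the report with RubyGems' own requirement parser.
# Version strings are copied from the PR text; PORT_DEPS mirrors the
# RUN_DEPENDS lines shown in the Makefile hunk.
require "rubygems"

# Constraints the PR quotes from the mail 2.4.4 gemspec.
GEMSPEC_DEPS = {
  "i18n"       => ">= 0.4.0",
  "mime-types" => "~> 1.16",
  "treetop"    => "~> 1.4.8",
}.freeze

# What the port's RUN_DEPENDS asks for (lower bounds only).
PORT_DEPS = {
  "i18n"       => ">= 0.4.0",
  "mime-types" => ">= 1.16",
  "treetop"    => ">= 1.4.8",
}.freeze

# Versions the PR says are in the ports tree at the time of writing.
PORTS_TREE_VERSIONS = {
  "i18n"       => "0.6.0",
  "mime-types" => "1.17.2",
  "treetop"    => "1.4.10",
}.freeze

# Generic check: does a requirement string accept a version string?
def satisfies?(requirement, version)
  Gem::Requirement.new(requirement).satisfied_by?(Gem::Version.new(version))
end

# Does the gem as shipped accept this version? (what `require "mail"` enforces)
def gemspec_satisfied?(gem, version)
  satisfies?(GEMSPEC_DEPS.fetch(gem), version)
end

# Does the port's RUN_DEPENDS accept this version? (what the ports tree enforces)
def port_dep_satisfied?(gem, version)
  satisfies?(PORT_DEPS.fetch(gem), version)
end

# Check every version listed for the ports tree against both views.
def check_ports_tree_versions
  PORTS_TREE_VERSIONS.each_with_object({}) do |(gem, version), out|
    out[gem] = { version: version,
                 gemspec: gemspec_satisfied?(gem, version),
                 port:    port_dep_satisfied?(gem, version) }
  end
end

# Gems whose gemspec constraint is pessimistic (~>) but whose port dependency
# still accepts the first version the gemspec rules out (Gem::Version#bump):
# a later update of that dependency port would pass the ports check and then
# fail when the mail gem is loaded.
def unbounded_port_deps
  GEMSPEC_DEPS.keys.select do |gem|
    Gem::Requirement.new(GEMSPEC_DEPS[gem]).requirements.any? do |op, ver|
      op == "~>" && satisfies?(PORT_DEPS[gem], ver.bump.to_s)
    end
  end.sort
end

if __FILE__ == $PROGRAM_NAME
  check_ports_tree_versions.each do |gem, r|
    puts format("%-10s %-7s gemspec=%-5s port=%s", gem, r[:version], r[:gemspec], r[:port])
  end
  puts "port deps with no upper bound: #{unbounded_port_deps.join(', ')}"
end
```

Run it with `ruby check_mail_deps.rb` (any file name works). Read against footnote [1]: under `~>`, 1.17.2 and 1.4.10 are inside the allowed ranges, so the mismatch the report worries about is not one RubyGems would reject, which is consistent with the author's test scripts working; the part worth fixing on the port side is that `>=` alone would let a later treetop 1.5.x or mime-types 2.x through.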