From: Steve Wills
Date: Sat, 23 Nov 2013 03:10:04 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r334630 - in head: Mk lang/ruby19 lang/ruby20 lang/ruby20/files security/vuxml
X-SVN-Group: ports-head

Author: swills
Date: Sat Nov 23 03:10:04 2013
New Revision: 334630
URL: http://svnweb.freebsd.org/changeset/ports/334630

Log:
  - Fix and report heap overflow in floating point parsing issue in ruby

  Security: cc9043cf-7f7a-426e-b2cc-8d1980618113

Modified:
  head/Mk/bsd.ruby.mk
  head/lang/ruby19/distinfo
  head/lang/ruby20/distinfo
  head/lang/ruby20/files/patch-cont.c
  head/lang/ruby20/files/patch-lib_mkmf.rb
  head/lang/ruby20/files/patch-lib_uri_generic.rb (contents, props changed)
  head/security/vuxml/vuln.xml

Modified: head/Mk/bsd.ruby.mk ============================================================================== --- head/Mk/bsd.ruby.mk Sat Nov 23 01:21:00 2013 (r334629) +++ head/Mk/bsd.ruby.mk Sat Nov 23 03:10:04 2013 (r334630) @@ -179,7 +179,7 @@ RUBY?= ${LOCALBASE}/bin/${RUBY_NAME} RUBY_RELVERSION= 1.9.3 RUBY_PORTREVISION= 0 RUBY_PORTEPOCH= 1 -RUBY_PATCHLEVEL= 448 +RUBY_PATCHLEVEL= 484 RUBY_VERSION?= ${RUBY_RELVERSION}.${RUBY_PATCHLEVEL} RUBY_DISTVERSION?= ${RUBY_RELVERSION}-p${RUBY_PATCHLEVEL} 
@@ -204,9 +204,9 @@ RUBY20= "@comment " # Ruby 2.0 # RUBY_RELVERSION= 2.0.0 -RUBY_PORTREVISION= 1 +RUBY_PORTREVISION= 0 RUBY_PORTEPOCH= 1 -RUBY_PATCHLEVEL= 195 +RUBY_PATCHLEVEL= 353 RUBY_VERSION?= ${RUBY_RELVERSION}.${RUBY_PATCHLEVEL} RUBY_DISTVERSION?= ${RUBY_RELVERSION}-p${RUBY_PATCHLEVEL} Modified: head/lang/ruby19/distinfo ============================================================================== --- head/lang/ruby19/distinfo Sat Nov 23 01:21:00 2013 (r334629) +++ head/lang/ruby19/distinfo Sat Nov 23 03:10:04 2013 (r334630) @@ -1,2 +1,2 @@ -SHA256 (ruby/ruby-1.9.3-p448.tar.bz2) = a7372230357bfff8e4525fb8019046da521561fe66b02c25d8efc10c9877bc91 -SIZE (ruby/ruby-1.9.3-p448.tar.bz2) = 10052488 +SHA256 (ruby/ruby-1.9.3-p484.tar.bz2) = 0fdc6e860d0023ba7b94c7a0cf1f7d32908b65b526246de9dfd5bb39d0d7922b +SIZE (ruby/ruby-1.9.3-p484.tar.bz2) = 10041514 Modified: head/lang/ruby20/distinfo ============================================================================== --- head/lang/ruby20/distinfo Sat Nov 23 01:21:00 2013 (r334629) +++ head/lang/ruby20/distinfo Sat Nov 23 03:10:04 2013 (r334630) @@ -1,2 +1,2 @@ -SHA256 (ruby/ruby-2.0.0-p195.tar.bz2) = 0be32aef7a7ab6e3708cc1d65cd3e0a99fa801597194bbedd5799c11d652eb5b -SIZE (ruby/ruby-2.0.0-p195.tar.bz2) = 10807456 +SHA256 (ruby/ruby-2.0.0-p353.tar.bz2) = 3de4e4d9aff4682fa4f8ed2b70bd0d746fae17452fc3d3a8e8f505ead9105ad9 +SIZE (ruby/ruby-2.0.0-p353.tar.bz2) = 10730412 Modified: head/lang/ruby20/files/patch-cont.c ============================================================================== --- head/lang/ruby20/files/patch-cont.c Sat Nov 23 01:21:00 2013 (r334629) +++ head/lang/ruby20/files/patch-cont.c Sat Nov 23 03:10:04 2013 (r334630) 
@@ -1,11 +1,11 @@ ---- cont.c.orig 2013-01-30 04:17:59.000000000 +0000 -+++ cont.c 2013-02-17 21:39:30.712834241 +0000 -@@ -15,7 +15,7 @@ - #include "gc.h" - #include "eval_intern.h" - --#if ((defined(_WIN32) && _WIN32_WINNT >= 0x0400) || (defined(HAVE_GETCONTEXT) && defined(HAVE_SETCONTEXT))) && !defined(__NetBSD__) && !defined(__sun) && !defined(__ia64) && !defined(FIBER_USE_NATIVE) -+#if ((defined(_WIN32) && _WIN32_WINNT >= 0x0400) || (defined(HAVE_GETCONTEXT) && defined(HAVE_SETCONTEXT))) && !defined(__FreeBSD__) && !defined(__NetBSD__) && !defined(__sun) && !defined(__ia64) && !defined(FIBER_USE_NATIVE) - #define FIBER_USE_NATIVE 1 - - /* FIBER_USE_NATIVE enables Fiber performance improvement using system +--- cont.c.orig 2013-10-09 15:37:54.000000000 +0000 ++++ cont.c 2013-11-22 15:05:19.138396780 +0000 +@@ -44,6 +44,8 @@ + /* At least, Linux/ia64's getcontext(3) doesn't save register window. + */ + # define FIBER_USE_NATIVE 0 ++# elif defined(__FreeBSD__) ++# define FIBER_USE_NATIVE 0 + # elif defined(__GNU__) + /* GNU/Hurd doesn't fully support getcontext, setcontext, makecontext + * and swapcontext functions. Disabling their usage till support is Modified: head/lang/ruby20/files/patch-lib_mkmf.rb ============================================================================== --- head/lang/ruby20/files/patch-lib_mkmf.rb Sat Nov 23 01:21:00 2013 (r334629) +++ head/lang/ruby20/files/patch-lib_mkmf.rb Sat Nov 23 03:10:04 2013 (r334630) 
@@ -1,11 +1,11 @@ ---- lib/mkmf.rb.orig 2012-11-28 04:19:49.000000000 -0800 -+++ lib/mkmf.rb 2012-12-03 23:18:58.000000000 -0800 -@@ -204,7 +204,7 @@ - $extmk &&= true - if not $extmk and File.exist?(RbConfig::CONFIG["rubyhdrdir"] + "/ruby/ruby.h") - $hdrdir = CONFIG["rubyhdrdir"] +--- lib/mkmf.rb.orig 2013-06-26 07:03:38.000000000 -0700 ++++ lib/mkmf.rb 2013-07-03 17:43:05.000000000 -0700 +@@ -226,7 +226,7 @@ + end + $extmk ||= false + if not $extmk and File.exist?(($hdrdir = RbConfig::CONFIG["rubyhdrdir"]) + "/ruby/ruby.h") - $topdir = $hdrdir + $topdir = $hdrdir + "/" + "#{CONFIG['arch']}/ruby/" $top_srcdir = $hdrdir - $arch_hdrdir = "$(hdrdir)/$(arch)" + $arch_hdrdir = RbConfig::CONFIG["rubyarchhdrdir"] elsif File.exist?(($hdrdir = ($top_srcdir ||= topdir) + "/include") + "/ruby.h") Modified: head/lang/ruby20/files/patch-lib_uri_generic.rb ============================================================================== --- head/lang/ruby20/files/patch-lib_uri_generic.rb Sat Nov 23 01:21:00 2013 (r334629) +++ head/lang/ruby20/files/patch-lib_uri_generic.rb Sat Nov 23 03:10:04 2013 (r334630) @@ -1,19 +1,20 @@ ---- lib/uri/generic.rb.orig 2009-06-18 16:47:45.000000000 +0400 -+++ lib/uri/generic.rb 2009-06-18 16:48:54.000000000 +0400 -@@ -1032,7 +1032,15 @@ - end +--- lib/uri/generic.rb.orig 2012-07-20 01:56:21.000000000 +0000 ++++ lib/uri/generic.rb 2013-11-21 20:50:14.143925606 +0000 +@@ -1482,6 +1482,17 @@ end -- str << path_query + str << path_query + path = path_query + + # + # Add URI delimiter if the path misses it (like as in FTP) + # + if not path.empty? and not str.empty? and path[0, 1] != '/' -+ path = '/' + path ++ path = '/' + path + end + str << path ++ end ++ if @fragment end if @fragment Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sat Nov 23 01:21:00 2013 (r334629) +++ head/security/vuxml/vuln.xml Sat Nov 23 03:10:04 2013 (r334630) 
@@ -51,6 +51,43 @@ Note: Please add new entries to the beg --> + + ruby -- Heap Overflow in Floating Point Parsing + + + ruby19 + 1.9.3.484,1 + + + ruby20 + 2.0.0.353,1 + + + + +

Ruby developers report:

+
+

Any time a string is converted to a floating point value, a + specially crafted string can cause a heap overflow. This can lead + to a denial of service attack via segmentation faults and possibly + arbitrary code execution. Any program that converts input of + unknown origin to floating point values (especially common when + accepting JSON) are vulnerable. +

+
+ +
+ + https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/ + https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released/ + CVE-2013-4164 + + + 2013-11-22 + 2013-11-23 + +
+ samba -- Private key in key.pem world readable
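
Review bot: The new `# elif defined(__FreeBSD__)` branch in head/lang/ruby20/files/patch-cont.c sets `FIBER_USE_NATIVE 0` without giving a reason, while the Linux/ia64 branch above it and the GNU/Hurd branch below it each carry a comment explaining why native fibers are disabled. Suggest adding a short comment, or a pointer to the relevant PR, that says what fails with getcontext/setcontext-based fibers on FreeBSD, so the override can be dropped once that is resolved.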
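
Review bot: In the regenerated head/lang/ruby20/files/patch-lib_uri_generic.rb, the inner hunk `@@ -1482,6 +1482,17 @@` now keeps `str << path_query` as a context line, where the previous version of the patch removed it, and still adds `str << path` after the delimiter check, so the path and query appear to be appended to the string twice. The same hunk adds `end` and `if @fragment` immediately ahead of the identical context lines, which would leave an empty `if @fragment` block. The header counts fit this reading (6 old lines, 17 new, eleven additions and no removals). Suggest regenerating the patch so that `str << path_query` is removed as before and the trailing `end` / `if @fragment` pair is not duplicated, then checking `URI#to_s` on an FTP URI with a relative path.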