[ruby/f16] Also backport fix for the left part of CVE-2011-1005 (causing the
Mamoru Tasaka
mtasaka at fedoraproject.org
Fri Oct 5 09:33:29 UTC 2012
commit f95865cef3d0a40481629ea3233aba84b3eac0ca
Author: TASAKA Mamoru <mtasaka at localhost.localdomain>
Date: Fri Oct 5 18:26:21 2012 +0900
Also backport fix for the left part of CVE-2011-1005 (causing the
same issue as CVE-2012-4464)
(Vít Ondruch <vondruch at redhat.com>)
ruby-1.8.7-p358-CVE-2012-4464-4466.patch | 29 +++++++++++++++++++++++++++++
ruby-1.8.7-p358-CVE-2012-4466.patch | 13 -------------
ruby.spec | 9 +++++++--
3 files changed, 36 insertions(+), 15 deletions(-)
---
diff --git a/ruby-1.8.7-p358-CVE-2012-4464-4466.patch b/ruby-1.8.7-p358-CVE-2012-4464-4466.patch
new file mode 100644
index 0000000..6787d6f
--- /dev/null
+++ b/ruby-1.8.7-p358-CVE-2012-4464-4466.patch
@@ -0,0 +1,29 @@
+Backported fix for CVE-2012-4464,4466 on trunk:rev37068 to 1.8.7 branch.
+Note that for ruby-1.8 branch, there was a fix for CVE-2011-1005 on rev 30903,
+however the fix proved to be incomplete.
+
+Mamoru Tasaka <mtasaka at fedoraproject.org>
+
+
+--- ruby-1.8.7-p358/error.c.sec 2011-02-18 21:32:35.000000000 +0900
++++ ruby-1.8.7-p358/error.c 2012-10-04 23:58:12.000000000 +0900
+@@ -665,9 +665,11 @@
+
+ if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
+ StringValue(str);
++#if 0
+ if (str != mesg) {
+ OBJ_INFECT(str, mesg);
+ }
++#endif
+ return str;
+ }
+
+@@ -757,7 +759,6 @@
+ args[2] = d;
+ mesg = rb_f_sprintf(3, args);
+ }
+- if (OBJ_TAINTED(obj)) OBJ_TAINT(mesg);
+ return mesg;
+ }
+
diff --git a/ruby.spec b/ruby.spec
index e1c2cdd..b021b11 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -17,7 +17,7 @@
Name: ruby
Version: %{rubyver}%{?dotpatchlevel}
-Release: 3%{?dist}
+Release: 4%{?dist}
# Please check if ruby upstream changes this to "Ruby or GPLv2+"
License: Ruby or GPLv2
URL: http://www.ruby-lang.org/
@@ -64,7 +64,7 @@ Patch33: ruby-1.8.7-p249-mkmf-use-shared.patch
# bug 718695
Patch34: ruby-1.8.7-p352-path-uniq.patch
# Backported fix for CVE-2012-4466 on trunk:rev37068 to 1.8.7 branch
-Patch35: ruby-1.8.7-p358-CVE-2012-4466.patch
+Patch35: ruby-1.8.7-p358-CVE-2012-4464-4466.patch
# Change ruby load path to conform to Fedora/ruby
# library placement (various 1.8.6 patches consolidated into this)
Patch100: ruby-1.8.7-lib-paths.patch
@@ -547,6 +547,11 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/ri
%changelog
+* Fri Oct 04 2012 Mamoru Tasaka <mtasaka at fedoraproject.org> - 1.8.7.358-4
+- Also backport fix for the left part of CVE-2011-1005 (causing the
+ same issue as CVE-2012-4464)
+ (Vít Ondruch <vondruch at redhat.com>)
+
* Thu Oct 04 2012 Mamoru Tasaka <mtasaka at fedoraproject.org> - 1.8.7.358-3
- Backport fix for CVE-2012-4466 on trunk:rev37068 to 1.8.7 branch
More information about the scm-commits
mailing list