Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 67CE584D80 for ; Thu, 29 Jun 2023 15:39:13 +0000 (UTC) X-Virus-Scanned: amavisd-new at netbsd.org Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id TtTpAQ74B8Vt for ; Thu, 29 Jun 2023 15:39:12 +0000 (UTC) Received: from cvs.NetBSD.org (ivanova.NetBSD.org [IPv6:2001:470:a085:999:28c:faff:fe03:5984]) by mail.netbsd.org (Postfix) with ESMTP id 83ECD84CE8 for ; Thu, 29 Jun 2023 15:39:12 +0000 (UTC) Received: by cvs.NetBSD.org (Postfix, from userid 500) id 7B6EEFA89; Thu, 29 Jun 2023 15:39:12 +0000 (UTC) Content-Transfer-Encoding: 7bit Content-Type: multipart/mixed; boundary="_----------=_1688053152250" MIME-Version: 1.0 Date: Thu, 29 Jun 2023 15:39:12 +0000 
From: "Takahiro Kambe" Subject: CVS commit: pkgsrc/lang To: pkgsrc-changes@NetBSD.org Approved: commit_and_comment Reply-To: taca@netbsd.org X-Mailer: log_accum Message-Id: <20230629153912.7B6EEFA89@cvs.NetBSD.org> This is a multi-part message in MIME format. --_----------=_1688053152250 Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" Module Name: pkgsrc Committed By: taca Date: Thu Jun 29 15:39:12 UTC 2023 Modified Files: pkgsrc/lang/ruby: rubyversion.mk pkgsrc/lang/ruby31-base: Makefile distinfo Added Files: pkgsrc/lang/ruby31-base/patches: patch-lib_uri_rfc2396__parser.rb patch-lib_uri_rfc3986__parser.rb patch-lib_uri_version.rb Log Message: lang/ruby31-base: update bundled gem uri to 0.12.2 Fix CVE-2023-36617: ReDoS vulnerability in URI. Bump PKGREVISION. To generate a diff of this commit: cvs rdiff -u -r1.266 -r1.267 pkgsrc/lang/ruby/rubyversion.mk cvs rdiff -u -r1.8 -r1.9 pkgsrc/lang/ruby31-base/Makefile cvs rdiff -u -r1.10 -r1.11 pkgsrc/lang/ruby31-base/distinfo cvs rdiff -u -r0 -r1.1 \ pkgsrc/lang/ruby31-base/patches/patch-lib_uri_rfc2396__parser.rb \ pkgsrc/lang/ruby31-base/patches/patch-lib_uri_rfc3986__parser.rb \ pkgsrc/lang/ruby31-base/patches/patch-lib_uri_version.rb Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. --_----------=_1688053152250 Content-Disposition: inline Content-Length: 5423 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/lang/ruby/rubyversion.mk diff -u pkgsrc/lang/ruby/rubyversion.mk:1.266 pkgsrc/lang/ruby/rubyversion.mk:1.267 --- pkgsrc/lang/ruby/rubyversion.mk:1.266 Thu Jun 29 15:37:17 2023 +++ pkgsrc/lang/ruby/rubyversion.mk Thu Jun 29 15:39:12 2023 
@@ -1,4 +1,4 @@
-# $NetBSD: rubyversion.mk,v 1.266 2023/06/29 15:37:17 taca Exp $
+# $NetBSD: rubyversion.mk,v 1.267 2023/06/29 15:39:12 taca Exp $
 #
 # This file determines which Ruby version is used as a dependency for
@@ -435,7 +435,7 @@ RUBY_TIMEOUT_VER= 0.2.0
 RUBY_TMPDIR_VER= 0.1.2
 RUBY_TSORT_VER= 0.1.0
 RUBY_UN_VER= 0.2.0
-RUBY_URI_VER= 0.12.1
+RUBY_URI_VER= 0.12.2
 RUBY_WEAKREF_VER= 0.1.1
 RUBY_YAML_VER= 0.2.0
 RUBY_ZLIB_VER= 2.1.1
Index: pkgsrc/lang/ruby31-base/Makefile
diff -u pkgsrc/lang/ruby31-base/Makefile:1.8 pkgsrc/lang/ruby31-base/Makefile:1.9
--- pkgsrc/lang/ruby31-base/Makefile:1.8 Mon Jan 16 06:33:51 2023
+++ pkgsrc/lang/ruby31-base/Makefile Thu Jun 29 15:39:12 2023
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.8 2023/01/16 06:33:51 dholland Exp $
+# $NetBSD: Makefile,v 1.9 2023/06/29 15:39:12 taca Exp $
 DISTNAME= ${RUBY_DISTNAME}
 PKGNAME= ${RUBY_PKGPREFIX}-base-${RUBY_VERSION}
+PKGREVISION= 1
 CATEGORIES= lang ruby
 MASTER_SITES= ${MASTER_SITE_RUBY}
Index: pkgsrc/lang/ruby31-base/distinfo
diff -u pkgsrc/lang/ruby31-base/distinfo:1.10 pkgsrc/lang/ruby31-base/distinfo:1.11
--- pkgsrc/lang/ruby31-base/distinfo:1.10 Sat Apr 1 09:17:14 2023
+++ pkgsrc/lang/ruby31-base/distinfo Thu Jun 29 15:39:12 2023
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.10 2023/04/01 09:17:14 taca Exp $
+$NetBSD: distinfo,v 1.11 2023/06/29 15:39:12 taca Exp $
 BLAKE2s (ruby-3.1.4.tar.xz) = cefa8daefd26c8da56db3e114f27cb1b0af8c427d4ba9b650ef60034cb7b413c
 SHA512 (ruby-3.1.4.tar.xz) = a627bb629a10750b8b2081ad451a41faea0fc85d95aa1e267e3d2a0f56a35bb58195d4a8d13bbdbd82f4197a96dae22b1cee1dfc83861ec33a67ece07aef5633
@@ -16,6 +16,9 @@ SHA1 (patch-lib_rubygems_dependency__ins
 SHA1 (patch-lib_rubygems_install__update__options.rb) = 0cd0816e1cd7c84c1dab1e091787c4dc38d28273
 SHA1 (patch-lib_rubygems_installer.rb) = 1c94047a24362b3597dac7ea156982a09cb93234
 SHA1 (patch-lib_rubygems_platform.rb) = ea9d0972fb788799d7d8c07b223ac75cbab23158
+SHA1 (patch-lib_uri_rfc2396__parser.rb) = 2c48e781bdad2be2416655c4d81e438136d93f19
+SHA1 (patch-lib_uri_rfc3986__parser.rb) = 8b1bba9338a0e56325140baa1f45e4ee74830aec
+SHA1 (patch-lib_uri_version.rb) = 16ef6469b63b74032a91358cdc7fd70fb5bce87a
 SHA1 (patch-template_Makefile.in) = a4b94293de165e87021b79a0a7f683ba76e168d9
 SHA1 (patch-test_rubygems_test__gem.rb) = 32f7c7d7f8a024c045d78c2bce93944fc3113d04
 SHA1 (patch-thread__pthread.c) = 7c1231933a2d6ce9d56891ab512371841697fbca
Added files:
Index: pkgsrc/lang/ruby31-base/patches/patch-lib_uri_rfc2396__parser.rb
diff -u /dev/null pkgsrc/lang/ruby31-base/patches/patch-lib_uri_rfc2396__parser.rb:1.1
--- /dev/null Thu Jun 29 15:39:12 2023
+++ pkgsrc/lang/ruby31-base/patches/patch-lib_uri_rfc2396__parser.rb Thu Jun 29 15:39:12 2023
@@ -0,0 +1,17 @@
+$NetBSD: patch-lib_uri_rfc2396__parser.rb,v 1.1 2023/06/29 15:39:12 taca Exp $
+
+Fix for CVE-2023-36617 updating uri to 0.12.2.
+
+--- lib/uri/rfc2396_parser.rb.orig 2023-03-30 10:53:51.000000000 +0000
++++ lib/uri/rfc2396_parser.rb
+@@ -497,8 +497,8 @@ module URI
+ ret = {}
+
+ # for URI::split
+- ret[:ABS_URI] = Regexp.new('\A\s*' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
+- ret[:REL_URI] = Regexp.new('\A\s*' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
++ ret[:ABS_URI] = Regexp.new('\A\s*+' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
++ ret[:REL_URI] = Regexp.new('\A\s*+' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
+
+ # for URI::extract
+ ret[:URI_REF] = Regexp.new(pattern[:URI_REF])
Index: pkgsrc/lang/ruby31-base/patches/patch-lib_uri_rfc3986__parser.rb
diff -u /dev/null pkgsrc/lang/ruby31-base/patches/patch-lib_uri_rfc3986__parser.rb:1.1
--- /dev/null Thu Jun 29 15:39:12 2023
+++ pkgsrc/lang/ruby31-base/patches/patch-lib_uri_rfc3986__parser.rb Thu Jun 29 15:39:12 2023
@@ -0,0 +1,15 @@
+$NetBSD: patch-lib_uri_rfc3986__parser.rb,v 1.1 2023/06/29 15:39:12 taca Exp $
+
+Fix for CVE-2023-36617 updating uri to 0.12.2.
+
+--- lib/uri/rfc3986_parser.rb.orig 2023-03-30 10:53:51.000000000 +0000
++++ lib/uri/rfc3986_parser.rb
+@@ -100,7 +100,7 @@ module URI
+ QUERY: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
+ FRAGMENT: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
+ OPAQUE: /\A(?:[^\/].*)?\z/,
+- PORT: /\A[\x09\x0a\x0c\x0d ]*\d*[\x09\x0a\x0c\x0d ]*\z/,
++ PORT: /\A[\x09\x0a\x0c\x0d ]*+\d*[\x09\x0a\x0c\x0d ]*\z/,
+ }
+ end
+
Index: pkgsrc/lang/ruby31-base/patches/patch-lib_uri_version.rb
diff -u /dev/null pkgsrc/lang/ruby31-base/patches/patch-lib_uri_version.rb:1.1
--- /dev/null Thu Jun 29 15:39:12 2023
+++ pkgsrc/lang/ruby31-base/patches/patch-lib_uri_version.rb Thu Jun 29 15:39:12 2023
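Review bot: The header of patch-lib_uri_rfc2396__parser.rb (and likewise patch-lib_uri_rfc3986__parser.rb) says only `Fix for CVE-2023-36617 updating uri to 0.12.2.`, so a maintainer reading the patch cannot tell what the one-character change to each regex achieves. The change turns the leading `\s*` in the ABS_URI/REL_URI patterns, and the `[\x09\x0a\x0c\x0d ]*` before `\d*` in PORT, into the possessive form `*+`, which prevents the engine from backtracking into the leading-whitespace run once the rest of the pattern fails; that backtracking is what the log message describes as a ReDoS. I would add one sentence to both patch headers, e.g. `The possessive quantifier (*+) stops backtracking into the leading whitespace run, which is the excessive backtracking behind the ReDoS.` Since the log message says these are the uri 0.12.2 changes, it is presumably also worth noting in the headers that the patches can be dropped once the distfile ships a bundled uri at or above that version.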
@@ -0,0 +1,14 @@
+$NetBSD: patch-lib_uri_version.rb,v 1.1 2023/06/29 15:39:12 taca Exp $
+
+Fix for CVE-2023-36617 updating uri to 0.12.2.
+
+--- lib/uri/version.rb.orig 2023-03-30 10:53:51.000000000 +0000
++++ lib/uri/version.rb
+@@ -1,6 +1,6 @@
+ module URI
+ # :stopdoc:
+- VERSION_CODE = '001201'.freeze
++ VERSION_CODE = '001202'.freeze
+ VERSION = VERSION_CODE.scan(/../).collect{|n| n.to_i}.join('.').freeze
+ # :startdoc:
+ end
--_----------=_1688053152250--