From: "Benny Siegert"
Subject: CVS commit: [pkgsrc-2023Q2] pkgsrc/lang
To: pkgsrc-changes@NetBSD.org

Module Name:	pkgsrc
Committed By:	bsiegert
Date:		Wed Jul  5 11:58:41 UTC 2023

Modified Files:
	pkgsrc/lang/ruby [pkgsrc-2023Q2]: rubyversion.mk
	pkgsrc/lang/ruby32-base [pkgsrc-2023Q2]: Makefile distinfo
Added Files:
	pkgsrc/lang/ruby32-base/patches [pkgsrc-2023Q2]:
	    patch-lib_uri_rfc2396__parser.rb patch-lib_uri_rfc3986__parser.rb
	    patch-lib_uri_version.rb

Log Message:
Pullup ticket #6770 - requested by taca
lang/ruby32-base: security fix

Revisions pulled up:
- lang/ruby/rubyversion.mk                                      1.268
- lang/ruby32-base/Makefile                                     1.3
- lang/ruby32-base/distinfo                                     1.5
- lang/ruby32-base/patches/patch-lib_uri_rfc2396__parser.rb     1.1
- lang/ruby32-base/patches/patch-lib_uri_rfc3986__parser.rb     1.1
- lang/ruby32-base/patches/patch-lib_uri_version.rb             1.1

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Thu Jun 29 15:42:07 UTC 2023

   Modified Files:
   	pkgsrc/lang/ruby: rubyversion.mk
   	pkgsrc/lang/ruby32-base: Makefile distinfo
   Added Files:
   	pkgsrc/lang/ruby32-base/patches: patch-lib_uri_rfc2396__parser.rb
   	    patch-lib_uri_rfc3986__parser.rb patch-lib_uri_version.rb

   Log Message:
   lang/ruby32-base: update bundled gem uri to 0.12.2

   Fix CVE-2023-36617: ReDoS vulnerability in URI.

   Bump PKGREVISION.
To generate a diff of this commit: cvs rdiff -u -r1.265.2.2 -r1.265.2.3 pkgsrc/lang/ruby/rubyversion.mk cvs rdiff -u -r1.2 -r1.2.2.1 pkgsrc/lang/ruby32-base/Makefile cvs rdiff -u -r1.4 -r1.4.2.1 pkgsrc/lang/ruby32-base/distinfo cvs rdiff -u -r0 -r1.1.2.2 \ pkgsrc/lang/ruby32-base/patches/patch-lib_uri_rfc2396__parser.rb \ pkgsrc/lang/ruby32-base/patches/patch-lib_uri_rfc3986__parser.rb \ pkgsrc/lang/ruby32-base/patches/patch-lib_uri_version.rb Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. --_----------=_1688558321108600 Content-Disposition: inline Content-Length: 5511 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/lang/ruby/rubyversion.mk diff -u pkgsrc/lang/ruby/rubyversion.mk:1.265.2.2 pkgsrc/lang/ruby/rubyversion.mk:1.265.2.3 --- pkgsrc/lang/ruby/rubyversion.mk:1.265.2.2 Wed Jul 5 11:48:45 2023 +++ pkgsrc/lang/ruby/rubyversion.mk Wed Jul 5 11:58:41 2023 @@ -1,4 +1,4 @@ -# $NetBSD: rubyversion.mk,v 1.265.2.2 2023/07/05 11:48:45 bsiegert Exp $ +# $NetBSD: rubyversion.mk,v 1.265.2.3 2023/07/05 11:58:41 bsiegert Exp $ # # This file determines which Ruby version is used as a dependency for @@ -531,7 +531,7 @@ RUBY_TIMEOUT_VER= 0.3.1 RUBY_TMPDIR_VER= 0.1.3 RUBY_TSORT_VER= 0.1.1 RUBY_UN_VER= 0.2.1 -RUBY_URI_VER= 0.12.1 +RUBY_URI_VER= 0.12.2 RUBY_WEAKREF_VER= 0.1.2 RUBY_YAML_VER= 0.2.1 RUBY_ZLIB_VER= 3.0.0 Index: pkgsrc/lang/ruby32-base/Makefile diff -u pkgsrc/lang/ruby32-base/Makefile:1.2 pkgsrc/lang/ruby32-base/Makefile:1.2.2.1 --- pkgsrc/lang/ruby32-base/Makefile:1.2 Tue May 30 15:54:36 2023 +++ pkgsrc/lang/ruby32-base/Makefile Wed Jul 5 11:58:41 2023 
@@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.2 2023/05/30 15:54:36 taca Exp $ +# $NetBSD: Makefile,v 1.2.2.1 2023/07/05 11:58:41 bsiegert Exp $ DISTNAME= ${RUBY_DISTNAME} PKGNAME= ${RUBY_PKGPREFIX}-base-${RUBY_VERSION} -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= lang ruby MASTER_SITES= ${MASTER_SITE_RUBY} Index: pkgsrc/lang/ruby32-base/distinfo diff -u pkgsrc/lang/ruby32-base/distinfo:1.4 pkgsrc/lang/ruby32-base/distinfo:1.4.2.1 --- pkgsrc/lang/ruby32-base/distinfo:1.4 Sat Apr 1 09:26:57 2023 +++ pkgsrc/lang/ruby32-base/distinfo Wed Jul 5 11:58:41 2023 @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.4 2023/04/01 09:26:57 taca Exp $ +$NetBSD: distinfo,v 1.4.2.1 2023/07/05 11:58:41 bsiegert Exp $ BLAKE2s (ruby-3.2.2.tar.xz) = 880e96fbdec90238299174d0abb7be507f04b8036386d70b61769d339bb2b609 SHA512 (ruby-3.2.2.tar.xz) = a29f24cd80f563f6368952d06d6273f7241a409fa9ab2f60e03dde2ac58ca06bee1750715b6134caebf4c061d3503446dc37a6059e19860bb0010eef34951935 @@ -16,6 +16,9 @@ SHA1 (patch-lib_rubygems_dependency__ins SHA1 (patch-lib_rubygems_install__update__options.rb) = 0cd0816e1cd7c84c1dab1e091787c4dc38d28273 SHA1 (patch-lib_rubygems_installer.rb) = 1c94047a24362b3597dac7ea156982a09cb93234 SHA1 (patch-lib_rubygems_platform.rb) = 58094b26520623f258ecf035084f4aa7226e9686 +SHA1 (patch-lib_uri_rfc2396__parser.rb) = f078cf329b50e157366225fffcb7d390c91edff7 +SHA1 (patch-lib_uri_rfc3986__parser.rb) = 2d50b1bdea0252ac92f81bb080b423de289a65bb +SHA1 (patch-lib_uri_version.rb) = 3f8384570199b67f625a71d7f211c1d8dabde1e2 SHA1 (patch-test_rubygems_test__gem.rb) = 32f7c7d7f8a024c045d78c2bce93944fc3113d04 SHA1 (patch-thread__pthread.c) = 7c1231933a2d6ce9d56891ab512371841697fbca SHA1 (patch-tool_ifchange) = 1814cd41f0b0a93b181799cb117bd1f57068cf33 Added files: Index: pkgsrc/lang/ruby32-base/patches/patch-lib_uri_rfc2396__parser.rb diff -u /dev/null pkgsrc/lang/ruby32-base/patches/patch-lib_uri_rfc2396__parser.rb:1.1.2.2 
--- /dev/null Wed Jul 5 11:58:41 2023 +++ pkgsrc/lang/ruby32-base/patches/patch-lib_uri_rfc2396__parser.rb Wed Jul 5 11:58:41 2023 @@ -0,0 +1,17 @@ +$NetBSD: patch-lib_uri_rfc2396__parser.rb,v 1.1.2.2 2023/07/05 11:58:41 bsiegert Exp $ + +Fix for CVE-2023-36617 updating uri to 0.12.2. + +--- lib/uri/rfc2396_parser.rb.orig 2023-03-30 11:06:29.000000000 +0000 ++++ lib/uri/rfc2396_parser.rb +@@ -497,8 +497,8 @@ module URI + ret = {} + + # for URI::split +- ret[:ABS_URI] = Regexp.new('\A\s*' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED) +- ret[:REL_URI] = Regexp.new('\A\s*' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED) ++ ret[:ABS_URI] = Regexp.new('\A\s*+' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED) ++ ret[:REL_URI] = Regexp.new('\A\s*+' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED) + + # for URI::extract + ret[:URI_REF] = Regexp.new(pattern[:URI_REF]) Index: pkgsrc/lang/ruby32-base/patches/patch-lib_uri_rfc3986__parser.rb diff -u /dev/null pkgsrc/lang/ruby32-base/patches/patch-lib_uri_rfc3986__parser.rb:1.1.2.2 --- /dev/null Wed Jul 5 11:58:41 2023 +++ pkgsrc/lang/ruby32-base/patches/patch-lib_uri_rfc3986__parser.rb Wed Jul 5 11:58:41 2023 @@ -0,0 +1,15 @@ +$NetBSD: patch-lib_uri_rfc3986__parser.rb,v 1.1.2.2 2023/07/05 11:58:41 bsiegert Exp $ + +Fix for CVE-2023-36617 updating uri to 0.12.2. + +--- lib/uri/rfc3986_parser.rb.orig 2023-03-30 11:06:29.000000000 +0000 ++++ lib/uri/rfc3986_parser.rb +@@ -100,7 +100,7 @@ module URI + QUERY: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/, + FRAGMENT: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/, + OPAQUE: /\A(?:[^\/].*)?\z/, +- PORT: /\A[\x09\x0a\x0c\x0d ]*\d*[\x09\x0a\x0c\x0d ]*\z/, ++ PORT: /\A[\x09\x0a\x0c\x0d ]*+\d*[\x09\x0a\x0c\x0d ]*\z/, + } + end + Index: pkgsrc/lang/ruby32-base/patches/patch-lib_uri_version.rb diff -u /dev/null pkgsrc/lang/ruby32-base/patches/patch-lib_uri_version.rb:1.1.2.2 
--- /dev/null Wed Jul 5 11:58:41 2023 +++ pkgsrc/lang/ruby32-base/patches/patch-lib_uri_version.rb Wed Jul 5 11:58:41 2023 @@ -0,0 +1,14 @@ +$NetBSD: patch-lib_uri_version.rb,v 1.1.2.2 2023/07/05 11:58:41 bsiegert Exp $ + +Fix for CVE-2023-36617 updating uri to 0.12.2. + +--- lib/uri/version.rb.orig 2023-03-30 11:06:29.000000000 +0000 ++++ lib/uri/version.rb +@@ -1,6 +1,6 @@ + module URI + # :stopdoc: +- VERSION_CODE = '001201'.freeze ++ VERSION_CODE = '001202'.freeze + VERSION = VERSION_CODE.scan(/../).collect{|n| n.to_i}.join('.').freeze + # :startdoc: + end --_----------=_1688558321108600--
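Review bot: in the patch-lib_uri_rfc2396__parser.rb hunk, only the leading `\s*` of the ABS_URI and REL_URI patterns becomes possessive (`'\A\s*+'`); the trailing `'\s*\z'` is left as it was. That is the right shape for the fix: the possessive quantifier stops the engine from backtracking into the leading whitespace run once the following URI pattern fails to match, which is the backtracking that CVE-2023-36617 exploits, while the trailing run is anchored by `\z` and does not need the same treatment. Onigmo (Ruby's regex engine) supports `*+`, so no compatibility concern for the Ruby 3.2 base here. One nit: the comment line `Fix for CVE-2023-36617 updating uri to 0.12.2.` reads as if the whole gem were replaced, but the patch carries only the upstream regex change; saying "backport of the uri 0.12.2 fix" would describe it more precisely.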
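Review bot: the PORT hunk in patch-lib_uri_rfc3986__parser.rb applies the same possessive quantifier to the leading whitespace class, `[\x09\x0a\x0c\x0d ]*+`, and again leaves the trailing class before `\z` non-possessive, consistent with the rfc2396 change. Since the surrounding QUERY, FRAGMENT and OPAQUE patterns are untouched, it would be worth adding a regression test alongside the patch that a port value with a long run of leading whitespace followed by a non-digit is rejected in linear time, so that a future refresh of the uri gem cannot silently drop the `+`.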
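Review bot: the version bookkeeping is consistent across the four files. `VERSION_CODE = '001202'` in patch-lib_uri_version.rb decodes, through the unchanged `scan(/../)` line beneath it, to 0.12.2, which matches `RUBY_URI_VER= 0.12.2` in rubyversion.mk, so the bundled-gem version reported by Ruby and the version pkgsrc advertises to dependents agree. `PKGREVISION= 2` in the ruby32-base Makefile is required because distinfo keeps the same BLAKE2s/SHA512 for ruby-3.2.2.tar.xz and only the pkgsrc patches change; the three new `SHA1 (patch-lib_uri_*)` lines are inserted in sorted position, and since they checksum the patch files themselves, any later edit to those patches must be followed by regenerating distinfo (`make makepatchsum`) or the build will fail at the checksum step.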