Date: Sat, 23 Mar 2024 14:28:48 +0000
From: "Takahiro Kambe"
Subject: CVS commit: pkgsrc/lang
To: pkgsrc-changes@NetBSD.org
Reply-To: taca@netbsd.org
X-Mailer: log_accum
Message-Id: <20240323142848.E2ABDFA2C@cvs.NetBSD.org>
Sender: pkgsrc-changes-owner@NetBSD.org

Module Name:	pkgsrc
Committed By:	taca
Date:		Sat Mar 23 14:28:48 UTC 2024

Modified Files:
	pkgsrc/lang/ruby: rubyversion.mk
	pkgsrc/lang/ruby31-base: Makefile distinfo
Added Files:
	pkgsrc/lang/ruby31-base/patches: patch-ext_stringio_stringio.c
	    patch-lib_rdoc_store.rb patch-lib_rdoc_version.rb
	    patch-test_stringio_test__stringio.rb

Log Message:
lang/ruby31-base: fix CVE-2024-27280 and CVE-2024-27281

Update rdoc to 6.4.1.1 to fix for CVE-2024-27281.

Update stringio to 3.0.1.2 to fix for CVE-2024-27280.

Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.272 -r1.273 pkgsrc/lang/ruby/rubyversion.mk
cvs rdiff -u -r1.12 -r1.13 pkgsrc/lang/ruby31-base/Makefile
cvs rdiff -u -r1.11 -r1.12 pkgsrc/lang/ruby31-base/distinfo
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/lang/ruby31-base/patches/patch-ext_stringio_stringio.c \
    pkgsrc/lang/ruby31-base/patches/patch-lib_rdoc_store.rb \
    pkgsrc/lang/ruby31-base/patches/patch-lib_rdoc_version.rb \
    pkgsrc/lang/ruby31-base/patches/patch-test_stringio_test__stringio.rb

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
--_----------=_1711204128261080 Content-Disposition: inline Content-Length: 10502 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/lang/ruby/rubyversion.mk diff -u pkgsrc/lang/ruby/rubyversion.mk:1.272 pkgsrc/lang/ruby/rubyversion.mk:1.273 --- pkgsrc/lang/ruby/rubyversion.mk:1.272 Sat Feb 10 14:41:47 2024 +++ pkgsrc/lang/ruby/rubyversion.mk Sat Mar 23 14:28:48 2024 @@ -1,4 +1,4 @@ -# $NetBSD: rubyversion.mk,v 1.272 2024/02/10 14:41:47 taca Exp $ +# $NetBSD: rubyversion.mk,v 1.273 2024/03/23 14:28:48 taca Exp $ # # This file determines which Ruby version is used as a dependency for @@ -318,7 +318,7 @@ RUBY_PRETTYPRINT_VER= 0.1.1 RUBY_PSTORE_VER= 0.1.1 RUBY_PSYCH_VER= 4.0.4 RUBY_RACC_VER= 1.6.0 -RUBY_RDOC_VER= 6.4.0 +RUBY_RDOC_VER= 6.4.1.1 RUBY_READLINE_VER= 0.0.3 RUBY_READLINE_EXT_VER= 0.1.4 RUBY_RELINE_VER= 0.3.1 @@ -331,7 +331,7 @@ RUBY_SECURERANDOM_VER= 0.2.0 RUBY_SET_VER= 1.0.2 RUBY_SHELLWORDS_VER= 0.1.0 RUBY_SINGLETON_VER= 0.1.1 -RUBY_STRINGIO_VER= 3.0.1 +RUBY_STRINGIO_VER= 3.0.1.2 RUBY_STRSCAN_VER= 3.0.1 RUBY_SYSLOG_VER= 0.1.0 RUBY_TEMPFILE_VER= 0.1.2 Index: pkgsrc/lang/ruby31-base/Makefile diff -u pkgsrc/lang/ruby31-base/Makefile:1.12 pkgsrc/lang/ruby31-base/Makefile:1.13 --- pkgsrc/lang/ruby31-base/Makefile:1.12 Tue Jan 16 15:14:53 2024 +++ pkgsrc/lang/ruby31-base/Makefile Sat Mar 23 14:28:48 2024 @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.12 2024/01/16 15:14:53 taca Exp $ +# $NetBSD: Makefile,v 1.13 2024/03/23 14:28:48 taca Exp $ DISTNAME= ${RUBY_DISTNAME} PKGNAME= ${RUBY_PKGPREFIX}-base-${RUBY_VERSION} -PKGREVISION= 2 +PKGREVISION= 3 CATEGORIES= lang ruby MASTER_SITES= ${MASTER_SITE_RUBY} Index: pkgsrc/lang/ruby31-base/distinfo diff -u pkgsrc/lang/ruby31-base/distinfo:1.11 pkgsrc/lang/ruby31-base/distinfo:1.12 --- pkgsrc/lang/ruby31-base/distinfo:1.11 Thu Jun 29 15:39:12 2023 +++ pkgsrc/lang/ruby31-base/distinfo Sat Mar 23 14:28:48 2024 
@@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.11 2023/06/29 15:39:12 taca Exp $ +$NetBSD: distinfo,v 1.12 2024/03/23 14:28:48 taca Exp $ BLAKE2s (ruby-3.1.4.tar.xz) = cefa8daefd26c8da56db3e114f27cb1b0af8c427d4ba9b650ef60034cb7b413c SHA512 (ruby-3.1.4.tar.xz) = a627bb629a10750b8b2081ad451a41faea0fc85d95aa1e267e3d2a0f56a35bb58195d4a8d13bbdbd82f4197a96dae22b1cee1dfc83861ec33a67ece07aef5633 @@ -6,10 +6,13 @@ Size (ruby-3.1.4.tar.xz) = 15316604 byte SHA1 (patch-common.mk) = c23eed58427b2fd4ba8fdb3692f609701a666c6d SHA1 (patch-configure) = 7bce8e1de07e3ff81cc984faef9ba12518557b7a SHA1 (patch-ext_openssl_openssl__missing.h) = 3f8d79736fd14806dfaf76e333eec63ff3ff5890 +SHA1 (patch-ext_stringio_stringio.c) = b771382484fdfc1b40b13b8dcb1a94e3f32a546e SHA1 (patch-include_ruby_internal_static__assert.h) = 7d5c3ae7ff674b9b34639924fcf08237164de9f8 SHA1 (patch-lib_mkmf.rb) = 4a3cd18548dbdf43a13695d4e76f817c0347e335 SHA1 (patch-lib_rdoc_encoding.rb) = 0e82d2942d9bfcb67dc7c994889d7bc5ec2ae85a SHA1 (patch-lib_rdoc_ri_driver.rb) = f4d3e59e35b608acd4edc17916142c7f033e6198 +SHA1 (patch-lib_rdoc_store.rb) = 890352671278d21c0040f1b3bac34a8ac76ee0dc +SHA1 (patch-lib_rdoc_version.rb) = fd715eb2cf9d9bbeaaca4ed407c497040394eacd SHA1 (patch-lib_rubygems.rb) = 060549c43b84f73c77432a72cdcf22941be4eb17 SHA1 (patch-lib_rubygems_commands_setup__command.rb) = 66c475a5308deb2ed5096b88cf65549732f87421 SHA1 (patch-lib_rubygems_dependency__installer.rb) = 1776508907f17547ffe93f637d6f18d335061d76 
@@ -21,6 +24,7 @@ SHA1 (patch-lib_uri_rfc3986__parser.rb) SHA1 (patch-lib_uri_version.rb) = 16ef6469b63b74032a91358cdc7fd70fb5bce87a SHA1 (patch-template_Makefile.in) = a4b94293de165e87021b79a0a7f683ba76e168d9 SHA1 (patch-test_rubygems_test__gem.rb) = 32f7c7d7f8a024c045d78c2bce93944fc3113d04 +SHA1 (patch-test_stringio_test__stringio.rb) = 20ca6e512a99e176547d6599ac7dfc7b9db42c36 SHA1 (patch-thread__pthread.c) = 7c1231933a2d6ce9d56891ab512371841697fbca SHA1 (patch-tool_ifchange) = 1814cd41f0b0a93b181799cb117bd1f57068cf33 SHA1 (patch-tool_runruby.rb) = 5dd8a3bea5e9776f7521f85955dddd2127e4c4d0 Added files: Index: pkgsrc/lang/ruby31-base/patches/patch-ext_stringio_stringio.c diff -u /dev/null pkgsrc/lang/ruby31-base/patches/patch-ext_stringio_stringio.c:1.1 --- /dev/null Sat Mar 23 14:28:48 2024 +++ pkgsrc/lang/ruby31-base/patches/patch-ext_stringio_stringio.c Sat Mar 23 14:28:48 2024 @@ -0,0 +1,24 @@ +$NetBSD: patch-ext_stringio_stringio.c,v 1.1 2024/03/23 14:28:48 taca Exp $ + +Update stringio to 3.0.1.2 to fix for CVE-2024-27280. + +--- ext/stringio/stringio.c.orig 2023-03-30 10:53:51.000000000 +0000 ++++ ext/stringio/stringio.c +@@ -12,7 +12,7 @@ + + **********************************************************************/ + +-#define STRINGIO_VERSION "3.0.1" ++#define STRINGIO_VERSION "3.0.1.2" + + #include "ruby.h" + #include "ruby/io.h" +@@ -984,7 +984,7 @@ strio_unget_bytes(struct StringIO *ptr, + len = RSTRING_LEN(str); + rest = pos - len; + if (cl > pos) { +- long ex = (rest < 0 ? cl-pos : cl+rest); ++ long ex = cl - (rest < 0 ? pos : len); + rb_str_modify_expand(str, ex); + rb_str_set_len(str, len + ex); + s = RSTRING_PTR(str); Index: pkgsrc/lang/ruby31-base/patches/patch-lib_rdoc_store.rb diff -u /dev/null pkgsrc/lang/ruby31-base/patches/patch-lib_rdoc_store.rb:1.1 --- /dev/null Sat Mar 23 14:28:48 2024 +++ pkgsrc/lang/ruby31-base/patches/patch-lib_rdoc_store.rb Sat Mar 23 14:28:48 2024 
@@ -0,0 +1,84 @@ +$NetBSD: patch-lib_rdoc_store.rb,v 1.1 2024/03/23 14:28:48 taca Exp $ + +Update rdoc to 6.4.1.1 to fix for CVE-2024-27281. + +--- lib/rdoc/store.rb.orig 2023-03-30 10:53:51.000000000 +0000 ++++ lib/rdoc/store.rb +@@ -556,9 +556,7 @@ class RDoc::Store + def load_cache + #orig_enc = @encoding + +- File.open cache_path, 'rb' do |io| +- @cache = Marshal.load io.read +- end ++ @cache = marshal_load(cache_path) + + load_enc = @cache[:encoding] + +@@ -615,9 +613,7 @@ class RDoc::Store + def load_class_data klass_name + file = class_file klass_name + +- File.open file, 'rb' do |io| +- Marshal.load io.read +- end ++ marshal_load(file) + rescue Errno::ENOENT => e + error = MissingFileError.new(self, file, klass_name) + error.set_backtrace e.backtrace +@@ -630,14 +626,10 @@ class RDoc::Store + def load_method klass_name, method_name + file = method_file klass_name, method_name + +- File.open file, 'rb' do |io| +- obj = Marshal.load io.read +- obj.store = self +- obj.parent = +- find_class_or_module(klass_name) || load_class(klass_name) unless +- obj.parent +- obj +- end ++ obj = marshal_load(file) ++ obj.store = self ++ obj.parent ||= find_class_or_module(klass_name) || load_class(klass_name) ++ obj + rescue Errno::ENOENT => e + error = MissingFileError.new(self, file, klass_name + method_name) + error.set_backtrace e.backtrace +@@ -650,11 +642,9 @@ class RDoc::Store + def load_page page_name + file = page_file page_name + +- File.open file, 'rb' do |io| +- obj = Marshal.load io.read +- obj.store = self +- obj +- end ++ obj = marshal.load(file) ++ obj.store = self ++ obj + rescue Errno::ENOENT => e + error = MissingFileError.new(self, file, page_name) + error.set_backtrace e.backtrace +@@ -976,4 +966,21 @@ class RDoc::Store + @unique_modules + end + ++ private ++ def marshal_load(file) ++ File.open(file, 'rb') {|io| Marshal.load(io, MarshalFilter)} ++ end ++ ++ MarshalFilter = proc do |obj| ++ case obj ++ when true, false, nil, Array, Class, Encoding, Hash, 
Integer, String, Symbol, RDoc::Text ++ else ++ unless obj.class.name.start_with?("RDoc::") ++ raise TypeError, "not permitted class: #{obj.class.name}" ++ end ++ end ++ obj ++ end ++ private_constant :MarshalFilter ++ + end Index: pkgsrc/lang/ruby31-base/patches/patch-lib_rdoc_version.rb diff -u /dev/null pkgsrc/lang/ruby31-base/patches/patch-lib_rdoc_version.rb:1.1 --- /dev/null Sat Mar 23 14:28:48 2024 +++ pkgsrc/lang/ruby31-base/patches/patch-lib_rdoc_version.rb Sat Mar 23 14:28:48 2024 @@ -0,0 +1,14 @@ +$NetBSD: patch-lib_rdoc_version.rb,v 1.1 2024/03/23 14:28:48 taca Exp $ + +Update rdoc to 6.4.1.1 to fix for CVE-2024-27281. + +--- lib/rdoc/version.rb.orig 2023-03-30 10:53:51.000000000 +0000 ++++ lib/rdoc/version.rb +@@ -3,6 +3,6 @@ module RDoc + ## + # RDoc version you are using + +- VERSION = '6.4.0' ++ VERSION = '6.4.1.1' + + end Index: pkgsrc/lang/ruby31-base/patches/patch-test_stringio_test__stringio.rb diff -u /dev/null pkgsrc/lang/ruby31-base/patches/patch-test_stringio_test__stringio.rb:1.1 --- /dev/null Sat Mar 23 14:28:48 2024 +++ pkgsrc/lang/ruby31-base/patches/patch-test_stringio_test__stringio.rb Sat Mar 23 14:28:48 2024 
@@ -0,0 +1,60 @@ +$NetBSD: patch-test_stringio_test__stringio.rb,v 1.1 2024/03/23 14:28:48 taca Exp $ + +Update stringio to 3.0.1.2 to fix for CVE-2024-27280. + +--- test/stringio/test_stringio.rb.orig 2023-03-30 10:53:51.000000000 +0000 ++++ test/stringio/test_stringio.rb +@@ -759,6 +759,15 @@ class TestStringIO < Test::Unit::TestCas + assert_equal("b""\0""a", s.string) + end + ++ def test_ungetc_fill ++ count = 100 ++ s = StringIO.new ++ s.print 'a' * count ++ s.ungetc('b' * (count * 5)) ++ assert_equal((count * 5), s.string.size) ++ assert_match(/\Ab+\z/, s.string) ++ end ++ + def test_ungetbyte_pos + b = '\\b00010001 \\B00010001 \\b1 \\B1 \\b000100011' + s = StringIO.new( b ) +@@ -784,6 +793,15 @@ class TestStringIO < Test::Unit::TestCas + assert_equal("b""\0""a", s.string) + end + ++ def test_ungetbyte_fill ++ count = 100 ++ s = StringIO.new ++ s.print 'a' * count ++ s.ungetbyte('b' * (count * 5)) ++ assert_equal((count * 5), s.string.size) ++ assert_match(/\Ab+\z/, s.string) ++ end ++ + def test_frozen + s = StringIO.new + s.freeze +@@ -827,18 +845,17 @@ class TestStringIO < Test::Unit::TestCas + end + + def test_overflow +- omit if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"] ++ return if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"] + limit = RbConfig::LIMITS["INTPTR_MAX"] - 0x10 + assert_separately(%w[-rstringio], "#{<<-"begin;"}\n#{<<-"end;"}") + begin; + limit = #{limit} + ary = [] +- while true ++ begin + x = "a"*0x100000 + break if [x].pack("p").unpack("i!")[0] < 0 + ary << x +- omit if ary.size > 100 +- end ++ end while ary.size <= 100 + s = StringIO.new(x) + s.gets("xxx", limit) + assert_equal(0x100000, s.pos) --_----------=_1711204128261080--
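Review bot: in the `patch-ext_stringio_stringio.c` hunk for `strio_unget_bytes`, the replacement `long ex = cl - (rest < 0 ? pos : len);` grows the string by `cl - pos` when the position is inside the current contents and by `cl - len` when it is at or past the end, whereas the removed `cl+rest` (that is, `cl + pos - len`) over-extended by `pos` bytes before `rb_str_set_len(str, len + ex)`, leaving an unwritten tail in the result. The added `test_ungetc_fill` and `test_ungetbyte_fill` only cover pos == len (print 100 bytes, unget 500, expect exactly 500 `b`s); a case with pos < len (a partial read before the unget) and one with pos > len (a seek past the end) would pin down both arms of the new ternary.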
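Review bot: `obj = marshal.load(file)` in the `load_page` hunk of `patch-lib_rdoc_store.rb` is a typo for `obj = marshal_load(file)`; as written, `marshal` is an undefined local variable or method, so `load_page` will raise NameError for every page instead of going through the filtered loader. The other three loaders in the same patch (`load_cache`, `load_class_data`, `load_method`) correctly call the new private `marshal_load`, and the `rescue Errno::ENOENT` below does not catch a NameError.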
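Review bot: in the `MarshalFilter` hunk of `patch-lib_rdoc_store.rb`, `obj.class.name.start_with?("RDoc::")` raises NoMethodError rather than the intended TypeError when `obj` is an instance of an anonymous class, because `Class#name` returns nil there; `obj.class.name.to_s.start_with?("RDoc::")` keeps the rejection path uniform. Worth documenting next to the proc as well: `Marshal.load(io, MarshalFilter)` invokes the proc on each object after it has been deserialized, so the allowlist rejects disallowed objects once they exist rather than preventing their construction, which is why the list is limited to core types and `RDoc::` classes that the store itself writes.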
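Review bot: in the `test_overflow` hunk of `patch-test_stringio_test__stringio.rb`, replacing `omit if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"]` with `return if ...` and folding `omit if ary.size > 100` into `end while ary.size <= 100` changes what the test reports: on a platform where the size check fires, or when the loop gives up after 100 iterations, the test now passes silently instead of being reported as omitted, and in the second case execution falls through to `s.gets("xxx", limit)` and `assert_equal(0x100000, s.pos)` against whatever `x` was last allocated, so a green result no longer shows that the overflow condition was reached. If `omit` is unavailable in the 3.1 test harness (an assumption about why it was replaced), `skip` is the usual equivalent there and keeps the omitted status visible.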