From: "Takahiro Kambe"
Subject: CVS commit: pkgsrc/lang
To: pkgsrc-changes@NetBSD.org
Reply-To: taca@netbsd.org
Message-Id: <20240323144713.59EA6FA2C@cvs.NetBSD.org>

Module Name:	pkgsrc
Committed By:	taca
Date:		Sat Mar 23 14:47:13 UTC 2024

Modified Files:
	pkgsrc/lang/ruby: rubyversion.mk
	pkgsrc/lang/ruby32-base: Makefile distinfo
Added Files:
	pkgsrc/lang/ruby32-base/patches: patch-lib_rdoc_store.rb patch-lib_rdoc_version.rb

Log Message:
lang/ruby32-base: fix CVE-2024-27281

Update rdoc to 6.5.1.1 to fix CVE-2024-27281.

Bump PKGREVISION.

To generate a diff of this commit:
cvs rdiff -u -r1.273 -r1.274 pkgsrc/lang/ruby/rubyversion.mk
cvs rdiff -u -r1.7 -r1.8 pkgsrc/lang/ruby32-base/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/lang/ruby32-base/distinfo
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/lang/ruby32-base/patches/patch-lib_rdoc_store.rb \
    pkgsrc/lang/ruby32-base/patches/patch-lib_rdoc_version.rb

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.

Modified files:
Index: pkgsrc/lang/ruby/rubyversion.mk diff -u pkgsrc/lang/ruby/rubyversion.mk:1.273 pkgsrc/lang/ruby/rubyversion.mk:1.274 --- pkgsrc/lang/ruby/rubyversion.mk:1.273 Sat Mar 23 14:28:48 2024 +++ pkgsrc/lang/ruby/rubyversion.mk Sat Mar 23 14:47:12 2024 @@ -1,4 +1,4 @@ -# $NetBSD: rubyversion.mk,v 1.273 2024/03/23 14:28:48 taca Exp $ +# $NetBSD: rubyversion.mk,v 1.274 2024/03/23 14:47:12 taca Exp $ # # This file determines which Ruby version is used as a dependency for 
@@ -414,7 +414,7 @@ RUBY_PRETTYPRINT_VER= 0.1.1 RUBY_PSTORE_VER= 0.1.2 RUBY_PSYCH_VER= 5.0.1 RUBY_RACC_VER= 1.6.2 -RUBY_RDOC_VER= 6.5.0 +RUBY_RDOC_VER= 6.5.1.1 RUBY_READLINE_VER= 0.0.3 RUBY_READLINE_EXT_VER= 0.1.5 RUBY_RELINE_VER= 0.3.2 Index: pkgsrc/lang/ruby32-base/Makefile diff -u pkgsrc/lang/ruby32-base/Makefile:1.7 pkgsrc/lang/ruby32-base/Makefile:1.8 --- pkgsrc/lang/ruby32-base/Makefile:1.7 Sun Jan 21 08:35:39 2024 +++ pkgsrc/lang/ruby32-base/Makefile Sat Mar 23 14:47:12 2024 @@ -1,7 +1,8 @@ -# $NetBSD: Makefile,v 1.7 2024/01/21 08:35:39 taca Exp $ +# $NetBSD: Makefile,v 1.8 2024/03/23 14:47:12 taca Exp $ DISTNAME= ${RUBY_DISTNAME} PKGNAME= ${RUBY_PKGPREFIX}-base-${RUBY_VERSION} +PKGREVISION= 1 CATEGORIES= lang ruby MASTER_SITES= ${MASTER_SITE_RUBY} Index: pkgsrc/lang/ruby32-base/distinfo diff -u pkgsrc/lang/ruby32-base/distinfo:1.6 pkgsrc/lang/ruby32-base/distinfo:1.7 --- pkgsrc/lang/ruby32-base/distinfo:1.6 Sun Jan 21 08:35:39 2024 +++ pkgsrc/lang/ruby32-base/distinfo Sat Mar 23 14:47:12 2024 @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.6 2024/01/21 08:35:39 taca Exp $ +$NetBSD: distinfo,v 1.7 2024/03/23 14:47:12 taca Exp $ BLAKE2s (ruby-3.2.3.tar.xz) = 19e7b48f2d1790297e731bcc624e40f2fc6c0bca522f727d4b051f1eb790f256 SHA512 (ruby-3.2.3.tar.xz) = d2a1897c2f4e801a28acb869322abfee76775115016252cecad90639485ed51deda1446cb16edb387f10a2e188602d646ef9b008b57f27bd745071277c535f3b 
@@ -9,6 +9,8 @@ SHA1 (patch-ext_openssl_openssl__missing SHA1 (patch-include_ruby_internal_static__assert.h) = 7d5c3ae7ff674b9b34639924fcf08237164de9f8 SHA1 (patch-lib_mkmf.rb) = 4a3cd18548dbdf43a13695d4e76f817c0347e335 SHA1 (patch-lib_rdoc_encoding.rb) = 0e82d2942d9bfcb67dc7c994889d7bc5ec2ae85a +SHA1 (patch-lib_rdoc_store.rb) = b72582d5e3a21fb7e87db8f2b743bc8fb09cf04d +SHA1 (patch-lib_rdoc_version.rb) = 3f96abdf5fe2ef1f9a1d111eeba1394bf3ca12e8 SHA1 (patch-lib_rubygems.rb) = 060549c43b84f73c77432a72cdcf22941be4eb17 SHA1 (patch-lib_rubygems_commands_setup__command.rb) = 66c475a5308deb2ed5096b88cf65549732f87421 SHA1 (patch-lib_rubygems_config__file.rb) = 1da55a32d931f91321636401e94d89f78f9fa622 Added files: Index: pkgsrc/lang/ruby32-base/patches/patch-lib_rdoc_store.rb diff -u /dev/null pkgsrc/lang/ruby32-base/patches/patch-lib_rdoc_store.rb:1.1 --- /dev/null Sat Mar 23 14:47:13 2024 +++ pkgsrc/lang/ruby32-base/patches/patch-lib_rdoc_store.rb Sat Mar 23 14:47:13 2024 
@@ -0,0 +1,84 @@ +$NetBSD: patch-lib_rdoc_store.rb,v 1.1 2024/03/23 14:47:13 taca Exp $ + +Update rdoc to 6.5.1.1 to fix for CVE-2024-27281. + +--- lib/rdoc/store.rb.orig 2024-01-18 06:26:39.000000000 +0000 ++++ lib/rdoc/store.rb +@@ -556,9 +556,7 @@ class RDoc::Store + def load_cache + #orig_enc = @encoding + +- File.open cache_path, 'rb' do |io| +- @cache = Marshal.load io +- end ++ @cache = marshal_load(cache_path) + + load_enc = @cache[:encoding] + +@@ -615,9 +613,7 @@ class RDoc::Store + def load_class_data klass_name + file = class_file klass_name + +- File.open file, 'rb' do |io| +- Marshal.load io +- end ++ marshal_load(file) + rescue Errno::ENOENT => e + error = MissingFileError.new(self, file, klass_name) + error.set_backtrace e.backtrace +@@ -630,14 +626,10 @@ class RDoc::Store + def load_method klass_name, method_name + file = method_file klass_name, method_name + +- File.open file, 'rb' do |io| +- obj = Marshal.load io +- obj.store = self +- obj.parent = +- find_class_or_module(klass_name) || load_class(klass_name) unless +- obj.parent +- obj +- end ++ obj = marshal_load(file) ++ obj.store = self ++ obj.parent ||= find_class_or_module(klass_name) || load_class(klass_name) ++ obj + rescue Errno::ENOENT => e + error = MissingFileError.new(self, file, klass_name + method_name) + error.set_backtrace e.backtrace +@@ -650,11 +642,9 @@ class RDoc::Store + def load_page page_name + file = page_file page_name + +- File.open file, 'rb' do |io| +- obj = Marshal.load io +- obj.store = self +- obj +- end ++ obj = marshal_load(file) ++ obj.store = self ++ obj + rescue Errno::ENOENT => e + error = MissingFileError.new(self, file, page_name) + error.set_backtrace e.backtrace +@@ -976,4 +966,21 @@ class RDoc::Store + @unique_modules + end + ++ private ++ def marshal_load(file) ++ File.open(file, 'rb') {|io| Marshal.load(io, MarshalFilter)} ++ end ++ ++ MarshalFilter = proc do |obj| ++ case obj ++ when true, false, nil, Array, Class, Encoding, Hash, Integer, String, 
Symbol, RDoc::Text ++ else ++ unless obj.class.name.start_with?("RDoc::") ++ raise TypeError, "not permitted class: #{obj.class.name}" ++ end ++ end ++ obj ++ end ++ private_constant :MarshalFilter ++ + end Index: pkgsrc/lang/ruby32-base/patches/patch-lib_rdoc_version.rb diff -u /dev/null pkgsrc/lang/ruby32-base/patches/patch-lib_rdoc_version.rb:1.1 --- /dev/null Sat Mar 23 14:47:13 2024 +++ pkgsrc/lang/ruby32-base/patches/patch-lib_rdoc_version.rb Sat Mar 23 14:47:13 2024 @@ -0,0 +1,14 @@ +$NetBSD: patch-lib_rdoc_version.rb,v 1.1 2024/03/23 14:47:13 taca Exp $ + +Update rdoc to 6.5.1.1 to fix for CVE-2024-27281. + +--- lib/rdoc/version.rb.orig 2024-01-18 06:26:39.000000000 +0000 ++++ lib/rdoc/version.rb +@@ -5,6 +5,6 @@ module RDoc + ## + # RDoc version you are using + +- VERSION = '6.5.0' ++ VERSION = '6.5.1.1' + + end
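Review bot: in the rubyversion.mk hunk (@@ -414,7 +414,7 @@), RUBY_RDOC_VER= 6.5.1.1 only changes the version pkgsrc advertises for the bundled rdoc gem; the distinfo hunk shows ruby-3.2.3.tar.xz unchanged, so the installed code is still the 3.2.3 rdoc plus the two local patches. The variable and the patched lib/rdoc/version.rb must stay in step (they do here); a one-line comment beside RUBY_RDOC_VER saying the value comes from a local patch rather than a new distfile would keep the next updater from assuming a tarball bump already happened.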
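Review bot: in the distinfo hunk (@@ -9,6 +9,8 @@) the two added SHA1 lines checksum the patch files themselves and are verified at the patch stage, while the BLAKE2s/SHA512 lines for ruby-3.2.3.tar.xz are untouched, which confirms the distfile did not change. If either patch-lib_rdoc_*.rb is edited later (for example when tracking a further rdoc release), these SHA1 values have to be regenerated with `make makepatchsum`, otherwise the build stops at the patch step.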
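Review bot: in patch-lib_rdoc_store.rb, hunk @@ -976,4 +966,21 @@, the MarshalFilter proc passed as the second argument of `Marshal.load(io, MarshalFilter)` is invoked for each object after Marshal has already reconstructed it, so the `raise TypeError, "not permitted class: ..."` aborts the load and prevents the object from being returned into RDoc::Store, but it does not stop the object from being instantiated in the first place; the patch comment should say so, and should record the upstream rdoc commit or release note this is backported from, so the local patch can be dropped once the distfile moves to a release containing it. The allow list itself (true, false, nil, Array, Class, Encoding, Hash, Integer, String, Symbol, RDoc::Text, plus anything whose class name starts with "RDoc::") is a namespace prefix check rather than an exact-class list, which is acceptable for the cache's own types but means every class under RDoc:: is deserializable; worth a comment. Minor: `private` before `def marshal_load` does not apply to constants, which is why `private_constant :MarshalFilter` is needed, and the `obj.parent ||= ...` rewrite in hunk @@ -630,14 +626,10 @@ is behaviour-preserving for the original `unless obj.parent` form.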
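Review bot: in patch-lib_rdoc_version.rb, hunk @@ -5,6 +5,6 @@, the bump of VERSION to '6.5.1.1' is the only change, so `RDoc::VERSION` now reports a release that this tree reaches only through the store.rb patch; the patch comment "Update rdoc to 6.5.1.1" would be clearer as "backport the 6.5.1.1 Marshal filter fix (lib/rdoc/store.rb) and bump VERSION", so that version-string based inventory tooling and future updaters know which files were actually touched.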