From 86805c1ba39d15637e69fd4cf74839ba9af0e174 Mon Sep 17 00:00:00 2001 From: Ben Woodcroft Date: Sun, 17 Sep 2017 20:06:22 +1000 Subject: gnu: ruby-2.2: Update to 2.2.8. Fix CVE-2017-{0898,10784,14033,14064}. * gnu/packages/ruby.scm (ruby-2.2): Update to 2.2.8. [source]: Remove patch. * gnu/packages/patches/ruby-2.2.7-rubygems-2613-ruby22.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - .../patches/ruby-2.2.7-rubygems-2613-ruby22.patch | 355 --------------------- gnu/packages/ruby.scm | 5 +- 3 files changed, 2 insertions(+), 359 deletions(-) delete mode 100644 gnu/packages/patches/ruby-2.2.7-rubygems-2613-ruby22.patch diff --git a/gnu/local.mk b/gnu/local.mk index 76bf1f792f..7c1ffba00d 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1012,7 +1012,6 @@ dist_patch_DATA = \ %D%/packages/patches/rsem-makefile.patch \ %D%/packages/patches/ruby-concurrent-ignore-broken-test.patch \ %D%/packages/patches/ruby-concurrent-test-arm.patch \ - %D%/packages/patches/ruby-2.2.7-rubygems-2613-ruby22.patch \ %D%/packages/patches/ruby-rack-ignore-failing-test.patch \ %D%/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch\ %D%/packages/patches/rxvt-unicode-escape-sequences.patch \ diff --git a/gnu/packages/patches/ruby-2.2.7-rubygems-2613-ruby22.patch b/gnu/packages/patches/ruby-2.2.7-rubygems-2613-ruby22.patch deleted file mode 100644 index d68b836c71..0000000000 --- a/gnu/packages/patches/ruby-2.2.7-rubygems-2613-ruby22.patch +++ /dev/null @@ -1,355 +0,0 @@ -diff --git lib/rubygems.rb lib/rubygems.rb -index f48496aa31..0e1855b148 100644 ---- ruby-2.2.7/lib/rubygems.rb -+++ ruby-2.2.7/lib/rubygems.rb -@@ -9,7 +9,7 @@ require 'rbconfig' - require 'thread' - - module Gem -- VERSION = '2.4.5.2' -+ VERSION = '2.4.5.3' - end - - # Must be first since it unloads the prelude from 1.9.2 -diff --git lib/rubygems/commands/query_command.rb lib/rubygems/commands/query_command.rb -index 432250e033..44364cfab2 100644 ---- ruby-2.2.7/lib/rubygems/commands/query_command.rb -+++ ruby-2.2.7/lib/rubygems/commands/query_command.rb -@@ -218,7 +218,7 @@ is too hard to use. - end - end - -- output << make_entry(matching_tuples, platforms) -+ output << clean_text(make_entry(matching_tuples, platforms)) - end - end - -@@ -336,7 +336,8 @@ is too hard to use. - end - - def spec_summary entry, spec -- entry << "\n\n" << format_text(spec.summary, 68, 4) -+ summary = truncate_text(spec.summary, "the summary for #{spec.full_name}") -+ entry << "\n\n" << format_text(summary, 68, 4) - end - - end -diff --git lib/rubygems/installer.rb lib/rubygems/installer.rb -index 10fc1a34a5..a27569fe2e 100644 ---- ruby-2.2.7/lib/rubygems/installer.rb -+++ ruby-2.2.7/lib/rubygems/installer.rb -@@ -646,6 +646,11 @@ class Gem::Installer - unpack or File.writable?(gem_home) - end - -+ def verify_spec_name -+ return if spec.name =~ Gem::Specification::VALID_NAME_PATTERN -+ raise Gem::InstallError, "#{spec} has an invalid name" -+ end -+ - ## - # Return the text for an application file. - -@@ -771,6 +776,8 @@ TEXT - - ensure_loadable_spec - -+ verify_spec_name -+ - if options[:install_as_default] - Gem.ensure_default_gem_subdirectories gem_home - else -diff --git lib/rubygems/remote_fetcher.rb lib/rubygems/remote_fetcher.rb -index b1f6dd17fc..2b9d61c0a1 100644 ---- ruby-2.2.7/lib/rubygems/remote_fetcher.rb -+++ ruby-2.2.7/lib/rubygems/remote_fetcher.rb -@@ -96,7 +96,7 @@ class Gem::RemoteFetcher - else - target = res.target.to_s.strip - -- if /\.#{Regexp.quote(host)}\z/ =~ target -+ if URI("http://" + target).host.end_with?(".#{host}") - return URI.parse "#{uri.scheme}://#{target}#{uri.path}" - end - -diff --git lib/rubygems/specification.rb lib/rubygems/specification.rb -index ab1cd92270..faca837128 100644 ---- ruby-2.2.7/lib/rubygems/specification.rb -+++ ruby-2.2.7/lib/rubygems/specification.rb -@@ -106,6 +106,8 @@ class Gem::Specification < Gem::BasicSpecification - - private_constant :LOAD_CACHE if defined? private_constant - -+ VALID_NAME_PATTERN = /\A[a-zA-Z0-9\.\-\_]+\z/ # :nodoc: -+ - # :startdoc: - - ## -@@ -2477,9 +2479,15 @@ class Gem::Specification < Gem::BasicSpecification - end - end - -- unless String === name then -+ if !name.is_a?(String) then - raise Gem::InvalidSpecificationException, -- "invalid value for attribute name: \"#{name.inspect}\"" -+ "invalid value for attribute name: \"#{name.inspect}\" must be a string" -+ elsif name !~ /[a-zA-Z]/ then -+ raise Gem::InvalidSpecificationException, -+ "invalid value for attribute name: #{name.dump} must include at least one letter" -+ elsif name !~ VALID_NAME_PATTERN then -+ raise Gem::InvalidSpecificationException, -+ "invalid value for attribute name: #{name.dump} can only include letters, numbers, dashes, and underscores" - end - - if raw_require_paths.empty? then -diff --git lib/rubygems/text.rb lib/rubygems/text.rb -index 5c9287ad2e..86a722ffc0 100644 ---- ruby-2.2.7/lib/rubygems/text.rb -+++ ruby-2.2.7/lib/rubygems/text.rb -@@ -5,13 +5,26 @@ require 'rubygems' - - module Gem::Text - -+ ## -+ # Remove any non-printable characters and make the text suitable for -+ # printing. -+ def clean_text(text) -+ text.gsub(/[\000-\b\v-\f\016-\037\177]/, ".".freeze) -+ end -+ -+ def truncate_text(text, description, max_length = 100_000) -+ raise ArgumentError, "max_length must be positive" unless max_length > 0 -+ return text if text.size <= max_length -+ "Truncating #{description} to #{max_length.to_s.reverse.gsub(/...(?=.)/,'\&,').reverse} characters:\n" + text[0, max_length] -+ end -+ - ## - # Wraps +text+ to +wrap+ characters and optionally indents by +indent+ - # characters - - def format_text(text, wrap, indent=0) - result = [] -- work = text.dup -+ work = clean_text(text) - - while work.length > wrap do - if work =~ /^(.{0,#{wrap}})[ \n]/ then -diff --git test/rubygems/test_gem_commands_query_command.rb test/rubygems/test_gem_commands_query_command.rb -index 43fa82571d..ccd2621874 100644 ---- ruby-2.2.7/test/rubygems/test_gem_commands_query_command.rb -+++ ruby-2.2.7/test/rubygems/test_gem_commands_query_command.rb -@@ -147,6 +147,86 @@ a (2) - This is a lot of text. This is a lot of text. This is a lot of text. - This is a lot of text. - -+pl (1) -+ Platform: i386-linux -+ Author: A User -+ Homepage: http://example.com -+ -+ this is a summary -+ EOF -+ -+ assert_equal expected, @ui.output -+ assert_equal '', @ui.error -+ end -+ -+ def test_execute_details_cleans_text -+ spec_fetcher do |fetcher| -+ fetcher.spec 'a', 2 do |s| -+ s.summary = 'This is a lot of text. ' * 4 -+ s.authors = ["Abraham Lincoln \x01", "\x02 Hirohito"] -+ s.homepage = "http://a.example.com/\x03" -+ end -+ -+ fetcher.legacy_platform -+ end -+ -+ @cmd.handle_options %w[-r -d] -+ -+ use_ui @ui do -+ @cmd.execute -+ end -+ -+ expected = <<-EOF -+ -+*** REMOTE GEMS *** -+ -+a (2) -+ Authors: Abraham Lincoln ., . Hirohito -+ Homepage: http://a.example.com/. -+ -+ This is a lot of text. This is a lot of text. This is a lot of text. -+ This is a lot of text. -+ -+pl (1) -+ Platform: i386-linux -+ Author: A User -+ Homepage: http://example.com -+ -+ this is a summary -+ EOF -+ -+ assert_equal expected, @ui.output -+ assert_equal '', @ui.error -+ end -+ -+ def test_execute_details_truncates_summary -+ spec_fetcher do |fetcher| -+ fetcher.spec 'a', 2 do |s| -+ s.summary = 'This is a lot of text. ' * 10_000 -+ s.authors = ["Abraham Lincoln \x01", "\x02 Hirohito"] -+ s.homepage = "http://a.example.com/\x03" -+ end -+ -+ fetcher.legacy_platform -+ end -+ -+ @cmd.handle_options %w[-r -d] -+ -+ use_ui @ui do -+ @cmd.execute -+ end -+ -+ expected = <<-EOF -+ -+*** REMOTE GEMS *** -+ -+a (2) -+ Authors: Abraham Lincoln ., . Hirohito -+ Homepage: http://a.example.com/. -+ -+ Truncating the summary for a-2 to 100,000 characters: -+#{" This is a lot of text. This is a lot of text. This is a lot of text.\n" * 1449} This is a lot of te -+ - pl (1) - Platform: i386-linux - Author: A User -diff --git test/rubygems/test_gem_installer.rb test/rubygems/test_gem_installer.rb -index 6f8012feb8..aba73af181 100644 ---- ruby-2.2.7/test/rubygems/test_gem_installer.rb -+++ ruby-2.2.7/test/rubygems/test_gem_installer.rb -@@ -1214,6 +1214,26 @@ gem 'other', version - end - end - -+ def test_pre_install_checks_malicious_name -+ spec = util_spec '../malicious', '1' -+ def spec.full_name # so the spec is buildable -+ "malicious-1" -+ end -+ def spec.validate; end -+ -+ util_build_gem spec -+ -+ gem = File.join(@gemhome, 'cache', spec.file_name) -+ -+ use_ui @ui do -+ @installer = Gem::Installer.at gem -+ e = assert_raises Gem::InstallError do -+ @installer.pre_install_checks -+ end -+ assert_equal '# has an invalid name', e.message -+ end -+ end -+ - def test_shebang - util_make_exec @spec, "#!/usr/bin/ruby" - -diff --git test/rubygems/test_gem_remote_fetcher.rb test/rubygems/test_gem_remote_fetcher.rb -index 63dd8feb38..ca4627810b 100644 ---- ruby-2.2.7/test/rubygems/test_gem_remote_fetcher.rb -+++ ruby-2.2.7/test/rubygems/test_gem_remote_fetcher.rb -@@ -181,6 +181,21 @@ gems: - dns.verify - end - -+ def test_api_endpoint_ignores_trans_domain_values_that_end_with_original_in_path -+ uri = URI.parse "http://example.com/foo" -+ target = MiniTest::Mock.new -+ target.expect :target, "evil.com/a.example.com" -+ -+ dns = MiniTest::Mock.new -+ dns.expect :getresource, target, [String, Object] -+ -+ fetch = Gem::RemoteFetcher.new nil, dns -+ assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri) -+ -+ target.verify -+ dns.verify -+ end -+ - def test_api_endpoint_ignores_trans_domain_values - uri = URI.parse "http://gems.example.com/foo" - target = MiniTest::Mock.new -diff --git test/rubygems/test_gem_specification.rb test/rubygems/test_gem_specification.rb -index 3cadc55d5d..4f7076a03a 100644 ---- ruby-2.2.7/test/rubygems/test_gem_specification.rb -+++ ruby-2.2.7/test/rubygems/test_gem_specification.rb -@@ -2610,7 +2610,37 @@ http://opensource.org/licenses/alphabetical - @a1.validate - end - -- assert_equal 'invalid value for attribute name: ":json"', e.message -+ assert_equal 'invalid value for attribute name: ":json" must be a string', e.message -+ -+ @a1.name = [] -+ e = assert_raises Gem::InvalidSpecificationException do -+ @a1.validate -+ end -+ assert_equal "invalid value for attribute name: \"[]\" must be a string", e.message -+ -+ @a1.name = "" -+ e = assert_raises Gem::InvalidSpecificationException do -+ @a1.validate -+ end -+ assert_equal "invalid value for attribute name: \"\" must include at least one letter", e.message -+ -+ @a1.name = "12345" -+ e = assert_raises Gem::InvalidSpecificationException do -+ @a1.validate -+ end -+ assert_equal "invalid value for attribute name: \"12345\" must include at least one letter", e.message -+ -+ @a1.name = "../malicious" -+ e = assert_raises Gem::InvalidSpecificationException do -+ @a1.validate -+ end -+ assert_equal "invalid value for attribute name: \"../malicious\" can only include letters, numbers, dashes, and underscores", e.message -+ -+ @a1.name = "\ba\t" -+ e = assert_raises Gem::InvalidSpecificationException do -+ @a1.validate -+ end -+ assert_equal "invalid value for attribute name: \"\\ba\\t\" can only include letters, numbers, dashes, and underscores", e.message - end - - def test_validate_non_nil -diff --git test/rubygems/test_gem_text.rb test/rubygems/test_gem_text.rb -index e5cfc41e61..9b270b481b 100644 ---- ruby-2.2.7/test/rubygems/test_gem_text.rb -+++ ruby-2.2.7/test/rubygems/test_gem_text.rb -@@ -35,6 +35,10 @@ Without the wrapping, the text might not look good in the RSS feed. - assert_equal expected, format_text(text, 78) - end - -+ def test_format_removes_nonprintable_characters -+ assert_equal "text with weird .. stuff .", format_text("text with weird \x1b\x02 stuff \x7f", 40) -+ end -+ - def test_min3 - assert_equal 1, min3(1, 1, 1) - assert_equal 1, min3(1, 1, 2) -@@ -71,4 +75,11 @@ Without the wrapping, the text might not look good in the RSS feed. - assert_equal 7, levenshtein_distance("xxxxxxx", "ZenTest") - assert_equal 7, levenshtein_distance("zentest", "xxxxxxx") - end -+ -+ def test_truncate_text -+ assert_equal "abc", truncate_text("abc", "desc") -+ assert_equal "Truncating desc to 2 characters:\nab", truncate_text("abc", "desc", 2) -+ s = "ab" * 500_001 -+ assert_equal "Truncating desc to 1,000,000 characters:\n#{s[0, 1_000_000]}", truncate_text(s, "desc", 1_000_000) -+ end - end diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm index 8adc836672..80d3bffd84 100644 --- a/gnu/packages/ruby.scm +++ b/gnu/packages/ruby.scm @@ -144,17 +144,16 @@ a focus on simplicity and productivity.") (define-public ruby-2.2 (package (inherit ruby) - (version "2.2.7") + (version "2.2.8") (source (origin (method url-fetch) (uri (string-append "http://cache.ruby-lang.org/pub/ruby/" (version-major+minor version) "/ruby-" version ".tar.xz")) - (patches (search-patches "ruby-2.2.7-rubygems-2613-ruby22.patch")) (sha256 (base32 - "0lyb7gnbbhs3a3v9grsjgbaixm20wxz6x3h0czyrxnj3cpp8lk13")))))) + "1c31slidv2bdnnir3qfmdjs193b5s2ycb9pnf1lc55kk0cazrsip")))))) (define-public ruby-2.1 (package (inherit ruby) -- cgit v1.2.3