authorHans de Graaff <graaff@gentoo.org>2015-06-17 06:12:02 +0000
committerHans de Graaff <graaff@gentoo.org>2015-06-17 06:12:02 +0000
commit96f261ed831f7f657419708561b2337a0c403289 (patch)
treea4cf4796418ae5e3cbafd79deb45e7ecccf0b6fa /dev-ruby/activesupport
parentBump, add new deps (diff)
Backport security fix.
Package-Manager: portage-2.2.18/cvs/Linux x86_64 Manifest-Sign-Key: 0x8883FA56A308A8D7!
Diffstat (limited to 'dev-ruby/activesupport')
-rw-r--r--dev-ruby/activesupport/ChangeLog8
-rw-r--r--dev-ruby/activesupport/Manifest10
-rw-r--r--dev-ruby/activesupport/activesupport-4.0.13-r1.ebuild63
-rw-r--r--dev-ruby/activesupport/files/4-1-xml_depth.patch114
4 files changed, 190 insertions, 5 deletions
diff --git a/dev-ruby/activesupport/ChangeLog b/dev-ruby/activesupport/ChangeLog
index 30059d8d6d37..e80c3d09d661 100644
--- a/dev-ruby/activesupport/ChangeLog
+++ b/dev-ruby/activesupport/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for dev-ruby/activesupport
# Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-ruby/activesupport/ChangeLog,v 1.285 2015/06/16 21:57:42 graaff Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-ruby/activesupport/ChangeLog,v 1.286 2015/06/17 06:11:55 graaff Exp $
+
+*activesupport-4.0.13-r1 (17 Jun 2015)
+
+ 17 Jun 2015; Hans de Graaff <graaff@gentoo.org>
+ +activesupport-4.0.13-r1.ebuild, +files/4-1-xml_depth.patch:
+ Backport security fix.
*activesupport-4.2.2 (16 Jun 2015)
diff --git a/dev-ruby/activesupport/Manifest b/dev-ruby/activesupport/Manifest
index 9f403ba4ef44..ee47dad20aa1 100644
--- a/dev-ruby/activesupport/Manifest
+++ b/dev-ruby/activesupport/Manifest
@@ -1,6 +1,7 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
+AUX 4-1-xml_depth.patch 4462 SHA256 abde06fe17f59f0e2e451d1f9fbbe070d2e1e44f8de079fa440b379cf912385c SHA512 13ff7ac5fda1a5cfdcc6dfc739e845823661a8ee8675d3c7248825b6654ec8219ddeb362323c4d389bf6889190d3fe9552f4738f99e29238ce3e6a5b9619fc9c WHIRLPOOL b7ec67a1845a86924055d0a1610ebe2e707afb576cafe953648ea5b348395802cf00d39f2329c16ad4b6978706b0752b6ef816fa308f8b5123a6d0461d45f86a
DIST rails-3.2.21.tgz 3568729 SHA256 95dcf2a848a7fd09acbb12c47e6901baeea08645c32c37e2ae04e2650cf01deb SHA512 952c799736dd2a48532a4340d97ffbbbdc2451fc509e7f86ca47c09f5c6a3f4e5cb9b87c3e803692bc8a810bc178513bbe74f3037fdf8f786c30f0c85dd26948 WHIRLPOOL a2c79df0091ea0ca6f3969a91b4d73c14f79cab9d31ec30591a640321487aedafd0318326080ad4d9be0523002eab2c3c5e9e49b2c6b0b5ef6f5dac8da0bfab5
DIST rails-3.2.22.tgz 3569215 SHA256 a14fbd69cd1750589cb6f4a79926058595de832dab89372fb479feadc99f0aba SHA512 7321e5fa12cc3f7d6e7c2284f37c183c9bcbe1c9f067c2be5ebdd10f550b0eff561b20558cf885f30b24951bfa88287b3e0fb421eee14579a88a2bcffeaff3ce WHIRLPOOL de54798cbcbf9a0c6d66346267cfbb15991478cc6b4982f9e3a3a80db734af6553f9749b18188c4dc5fa82c60c0294312f648a0e4b5bcb46896bfee75be4dbc0
DIST rails-4.0.13.tgz 3761572 SHA256 a693a8c5f767d153e765634cecb6356855ca51b6554b3af1a38888023a204a51 SHA512 3f2cca90187f800d1ec57fc6cbc58c1f3213113a94d1dee7d9cfd3dc0264b7f3a9c6cfc6dd95ef2fb3aa7d8ca5d6da50cedecc288ff8ff7e5305dc0309b4365d WHIRLPOOL a5b3f7f828a88d04b5687b3217b40903192ccea5eca36ca58cbb2baeec7471241fe5529f13688bd1f6396a384cf282c94bfaf54ee1cfafdf5ef400707dee7d01
@@ -10,17 +11,18 @@ DIST rails-4.2.1.tgz 4149447 SHA256 11237cc395c5d4a7f64636f2043cf8c248e862e1946f
DIST rails-4.2.2.tgz 4149494 SHA256 e8a0b1f96e2bf0bf24b2f28a5b5eabed7886b056119bd51c01ed451db4f35932 SHA512 707fddfcabf960ebccac9aa8c88067b1adedee341eed80a60c07044145f67047a91eb6d52b05c18d0693f0e575ec51b494b3095df755067f7cacd3a62275189f WHIRLPOOL 6b9296edbcaf95c20adf2981f877cf0b6febc4e2f33873826ab36ff0cdff68308c8e748bd9fdfb56f1d4e72c1588e25b826103ab7df9d74dd0e4e756d61d648a
EBUILD activesupport-3.2.21.ebuild 1831 SHA256 91de72aae7a831c834da153924fd4cb65296d4b1b627eed7cb716cb3b2ca4405 SHA512 46a29b1a697630f3bb18f4cef9ecf19c1e3050818475c75b8ae8e383d372d6030006ebdb1c762a5072337133108edda1802dcdbd2f580158e880200444fb082c WHIRLPOOL ffd53172125dfc73d732dd68a0dd0902d868b8324bdf85422344dca28b2f0e9da4b71317fcb0beffdfee8b6a03632c2f087756460f0e5612c6232c2af13ff4b1
EBUILD activesupport-3.2.22.ebuild 2013 SHA256 ea8b89b98f22fcbaaedf0d6092e80e97d0067c25137de4354a83ffe59b32f39c SHA512 603d17428a5f7c2e26eec085cda5cef261136332c61d6033308930999f5653b5c7bb5517b6425a3b1d0808c4aeafdcca45a94711da2e07b2ab73450d7fcb3e69 WHIRLPOOL 4a1a4731a271b271ad178c7705c712d727f5a18f3b845102f01c841ee215644f3fb721ce616339e654a24787b21c659db966db3b4657a59116407edede981e59
+EBUILD activesupport-4.0.13-r1.ebuild 1939 SHA256 c4c2a5fe7ad0df6b8de1592562f1421c47d93c35db546ba8311d9ec570062dfb SHA512 a3fb256c7a0ccd816ac24f451c945f43d4140fa4fc63eb37352d9202e150647a9eeb65d2d3f19ff42de6e1c5fea7e43e0d10ccd3e032cbeb07e8cfb4c6b25c4c WHIRLPOOL da9925aafc6de4240c0ac24a8defce262461ad2ca08be13b1bad07385553a53b1b9b8a2e039a3705d72738baa240c9d91645abe30fca40ce32af3ca133a485e6
EBUILD activesupport-4.0.13.ebuild 1896 SHA256 99bbd0543d756c792a172a871e64adb84c9cd8a989e39e67ac9a4588d883329e SHA512 74c5335003ceb368de71014d198e16354aebb0f2702bc65cd57a2d4f20395dfa85e551a07c8f520878a0e05ec27400afda4c12fd6193e72970d299ef7954b0fc WHIRLPOOL 84133b2ac6750299c1d3ff5f1d0c4fc98e2e5c73f2fd1aa004753b7d56746e72c3f6c841d16483c3cc3fe8cb5c43cb04bba86c00e15a7705959d55b9a70363ad
EBUILD activesupport-4.1.10.ebuild 1878 SHA256 9166ad6a7f0cb38bde9bbcd9847f5d2e3f6abe58ea2deb02d589150796090802 SHA512 8f5bc1a1de7c7967ce1eea19f4d33dafd9ec3db71297fd6e1a11ca8d0c0fc7c9c26f66c2fa3dbb760f43a8c0cf7363bfb3fccb919cd91063bdbe5d9ee84c995d WHIRLPOOL ad1f2d2199481b88be03392208be54dca64db2b2c40134c93519dfbd054f435d1bcfb95ff1470d6415f725ae222558a9bd0711e745a53e6ce71550ec40834505
EBUILD activesupport-4.1.11.ebuild 1878 SHA256 e36fa4a7cfdfc1b0740b13235e9fd608cedabcf388cf2f27c581d4e650464609 SHA512 8f416b9e070e0d7fb35a0c2101c7c5680a62a5ad1a227e1df753e77f291acbdc3623b5c256b159906d7d4d3482bfb6606196ee5b50a3c5d588ae5f29993d55b2 WHIRLPOOL 5aab477a5f1b79e051aa9946a07f73400243153e51546987ec3921676683082489b5552fd1fc314d49c5ad96fcc4557382741c31f204879a5fd4dff85e937855
EBUILD activesupport-4.2.1.ebuild 1877 SHA256 6a2ecc6b25df84cebacc6e91fbcbbc80ca0d23d2b6158d01b27ffc288d87341e SHA512 f34884cdc8153877c9caa989c61272f5e9e240e72c0c4394ad98751734b4c0c077cb0517f30bbf445d19cd25d18974f5fc79ec965823d987b3eb5acee28a4995 WHIRLPOOL b08b3f85dcddd31ea6c4365aa4960b672148479b34722a4fd74cc8bf486deb0d03fe44ac477e045b98272acd7768b19d59c1d663f4a483d69715fa57bbae3a0f
EBUILD activesupport-4.2.2.ebuild 1877 SHA256 eb8058812993dcc96b14bf973c6db6ccbccc198373d2c23ae4a2bcc3cb7d2183 SHA512 7c7d5d6da7ab4d111d598dbc6f40498631143bd957a3c6e43977c79647a12e40b1f336e4e360326988629ff8b3cfb5956dbade8acc290ebccaa87a20fc03311e WHIRLPOOL 9278f7badedea1274ff2695f0a45bbb6ab31ac720357b1c4b53a18088447a0cdb495dfc99e0d8073b11efa3e39ed6af216f31b13eee8edc049782651fe37d52e
-MISC ChangeLog 41657 SHA256 307a9482d44b9f6652c20f87eb756ccc60363b69378ffdc73f4bb4f65f75d6e2 SHA512 563d857e0fd9131e75ca42edc782dc761a0ec702e57d25e0f9c90c546b62b2ac5aa487257da314bcde430fdb222195404e409c3fc995fb2cfffbce66d752d837 WHIRLPOOL 736c808b3c3814995490cb5aeb3dfd6fe4fdbd15c014242d76e41e297a1c80c2f6762e652032ec8ec8aabbbf4b6c05f4c453722161ff559d4130fae8f1bac0c9
+MISC ChangeLog 41836 SHA256 d5dd15c76e9662c35f935e578f46823be63309d238659e61e983ca3bf5a37a56 SHA512 5361363c1774096eb0fad74d8c80e32bc09045fd7ce5ed7ec92ea05a53249268f11fc4507abe33a3aa7596cbb508c5d2416269e268a92a2db95545887c9fa072 WHIRLPOOL e081d087fc2e0c94ce81b46239df77d5316cac2a23f568f0a154355d78bf0de9fddf5fdde37e605b5e3dd289062534f90295051bf004c0f3240bee61e9bfe720
MISC metadata.xml 239 SHA256 601a5b0fce4b301bb2c349bd1132c36c4a6504f8fadc36403aceb00d3fe45634 SHA512 56fb328eed48436d955df5dafd091e1be8345692fae2d30793166b6d5e2a70a4ba78ec0319601facd2e2c206d4c4089ff6392dd2c25efc26fa084b6b0d1663cb WHIRLPOOL 8a394bfb78d7fdca910776e32b6ca9c9e7c140173d73a2dbdceb03b6e101554650f025034ba2385a0dc1f8b7ce70914308fe15db0a2aa550baa365181f24f2c6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-iF4EAREIAAYFAlWAm9cACgkQiIP6VqMIqNfdoQD9HkIvivjcsWd6pVpZ0MZegGF2
-foQaBroO0gr4oMuJ6q8A/ikzcMgZhQzFMRhQiNqZTR6K55ykj5g+Z8Ns6TNsY4eJ
-=ml0U
+iF4EAREIAAYFAlWBD7IACgkQiIP6VqMIqNftagD+JBcX6VznBGXFe9XtDaRju61j
+XBJQ5J2mpVS0fe7YGyQA/iWIPeME+tBSHtdOoRso5hQeoANWDmT5Ko4tpivv87bT
+=1riW
-----END PGP SIGNATURE-----
diff --git a/dev-ruby/activesupport/activesupport-4.0.13-r1.ebuild b/dev-ruby/activesupport/activesupport-4.0.13-r1.ebuild
new file mode 100644
index 000000000000..5b333cb35aed
--- /dev/null
+++ b/dev-ruby/activesupport/activesupport-4.0.13-r1.ebuild
@@ -0,0 +1,63 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-ruby/activesupport/activesupport-4.0.13-r1.ebuild,v 1.1 2015/06/17 06:11:55 graaff Exp $
+
+EAPI=5
+
+USE_RUBY="ruby19 ruby20 ruby21"
+
+RUBY_FAKEGEM_TASK_DOC=""
+
+RUBY_FAKEGEM_EXTRADOC="CHANGELOG.md README.rdoc"
+
+RUBY_FAKEGEM_GEMSPEC="activesupport.gemspec"
+
+RUBY_FAKEGEM_BINWRAP=""
+
+inherit ruby-fakegem versionator
+
+DESCRIPTION="Utility Classes and Extension to the Standard Library"
+HOMEPAGE="https://github.com/rails/rails"
+SRC_URI="https://github.com/rails/rails/archive/v${PV}.tar.gz -> rails-${PV}.tgz"
+
+LICENSE="MIT"
+SLOT="$(get_version_component_range 1-2)"
+KEYWORDS="~amd64 ~arm ~hppa ~ppc ~ppc64 ~x86"
+IUSE=""
+
+RUBY_S="rails-${PV}/${PN}"
+
+ruby_add_rdepend "
+ >=dev-ruby/multi_json-1.3:0
+ >=dev-ruby/i18n-0.6.9:0.6
+ >=dev-ruby/tzinfo-0.3.37:0
+ >=dev-ruby/minitest-4.2:0
+ >=dev-ruby/thread_safe-0.1:0
+ !!<dev-ruby/activesupport-3.0.11-r1:3.0"
+
+# memcache-client, nokogiri, and builder are not strictly
+# needed, but there are tests using this code.
+ruby_add_bdepend "test? (
+ >=dev-ruby/dalli-2.2.1
+ >=dev-ruby/nokogiri-1.4.5
+ >=dev-ruby/builder-3.1.0
+ >=dev-ruby/libxml-2.0.0
+ )"
+
+RUBY_PATCHES=( "4-1-xml_depth.patch" )
+
+all_ruby_prepare() {
+ # Set the secure permissions that tests expect.
+ chmod 0755 "${HOME}" || die "Failed to fix permissions on home"
+
+ # Set test environment to our hand.
+# rm "${S}/../Gemfile" || die "Unable to remove Gemfile"
+ sed -i -e '/load_paths/d' test/abstract_unit.rb || die "Unable to remove load paths"
+
+ # Make sure a compatible version of minitest is used everywhere.
+ sed -i -e "s/gem 'minitest'/gem 'minitest', '~> 4.2'/" lib/active_support/test_case.rb || die
+ sed -i -e "1igem 'minitest', '~> 4.2'" test/abstract_unit.rb || die
+
+ # Avoid test that seems to be broken by lack of DST.
+ sed -i -e '324 s:^:#:' test/core_ext/string_ext_test.rb || die
+}
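Review bot: Nothing in the ebuild says which advisory the new `RUBY_PATCHES` entry addresses, so a later maintainer has to open the patch file to learn what it fixes and when it can be dropped. A comment above that line, such as `# Backport of the upstream XML depth limit (CVE-2015-3227); drop once a fixed release is packaged.`, would record it. The patch's paths start with `a/activesupport/` while `RUBY_S` already points inside `${PN}`, so applying it presumably relies on the eclass working out the strip level. It is worth confirming after prepare that the patch really took effect, for example by checking that `attr_accessor :depth` is present in `lib/active_support/xml_mini.rb`.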
diff --git a/dev-ruby/activesupport/files/4-1-xml_depth.patch b/dev-ruby/activesupport/files/4-1-xml_depth.patch
new file mode 100644
index 000000000000..29bc4d2ec723
--- /dev/null
+++ b/dev-ruby/activesupport/files/4-1-xml_depth.patch
@@ -0,0 +1,114 @@
+From eb4f1d6a02e9557b97cdbed76157dc5a625cdb82 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson@gmail.com>
+Date: Tue, 9 Jun 2015 11:24:25 -0700
+Subject: [PATCH] enforce a depth limit on XML documents
+
+XML documents that are too deep can cause an stack overflow, which in
+turn will cause a potential DoS attack.
+
+CVE-2015-3227
+---
+ activesupport/lib/active_support/xml_mini.rb | 3 +++
+ activesupport/lib/active_support/xml_mini/jdom.rb | 11 ++++++-----
+ activesupport/lib/active_support/xml_mini/rexml.rb | 11 ++++++-----
+ 3 files changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/activesupport/lib/active_support/xml_mini.rb b/activesupport/lib/active_support/xml_mini.rb
+index 009ee4d..df7b081 100644
+--- a/activesupport/lib/active_support/xml_mini.rb
++++ b/activesupport/lib/active_support/xml_mini.rb
+@@ -78,6 +78,9 @@ module ActiveSupport
+ )
+ end
+
++ attr_accessor :depth
++ self.depth = 100
++
+ delegate :parse, :to => :backend
+
+ def backend
+diff --git a/activesupport/lib/active_support/xml_mini/jdom.rb b/activesupport/lib/active_support/xml_mini/jdom.rb
+index 27c64c4..cdc5490 100644
+--- a/activesupport/lib/active_support/xml_mini/jdom.rb
++++ b/activesupport/lib/active_support/xml_mini/jdom.rb
+@@ -46,7 +46,7 @@ module ActiveSupport
+ xml_string_reader = StringReader.new(data)
+ xml_input_source = InputSource.new(xml_string_reader)
+ doc = @dbf.new_document_builder.parse(xml_input_source)
+- merge_element!({CONTENT_KEY => ''}, doc.document_element)
++ merge_element!({CONTENT_KEY => ''}, doc.document_element, XmlMini.depth)
+ end
+ end
+
+@@ -58,9 +58,10 @@ module ActiveSupport
+ # Hash to merge the converted element into.
+ # element::
+ # XML element to merge into hash
+- def merge_element!(hash, element)
++ def merge_element!(hash, element, depth)
++ raise 'Document too deep!' if depth == 0
+ delete_empty(hash)
+- merge!(hash, element.tag_name, collapse(element))
++ merge!(hash, element.tag_name, collapse(element, depth))
+ end
+
+ def delete_empty(hash)
+@@ -71,14 +72,14 @@ module ActiveSupport
+ #
+ # element::
+ # The document element to be collapsed.
+- def collapse(element)
++ def collapse(element, depth)
+ hash = get_attributes(element)
+
+ child_nodes = element.child_nodes
+ if child_nodes.length > 0
+ (0...child_nodes.length).each do |i|
+ child = child_nodes.item(i)
+- merge_element!(hash, child) unless child.node_type == Node.TEXT_NODE
++ merge_element!(hash, child, depth - 1) unless child.node_type == Node.TEXT_NODE
+ end
+ merge_texts!(hash, element) unless empty_content?(element)
+ hash
+diff --git a/activesupport/lib/active_support/xml_mini/rexml.rb b/activesupport/lib/active_support/xml_mini/rexml.rb
+index 5c7c78b..924ed72 100644
+--- a/activesupport/lib/active_support/xml_mini/rexml.rb
++++ b/activesupport/lib/active_support/xml_mini/rexml.rb
+@@ -29,7 +29,7 @@ module ActiveSupport
+ doc = REXML::Document.new(data)
+
+ if doc.root
+- merge_element!({}, doc.root)
++ merge_element!({}, doc.root, XmlMini.depth)
+ else
+ raise REXML::ParseException,
+ "The document #{doc.to_s.inspect} does not have a valid root"
+@@ -44,19 +44,20 @@ module ActiveSupport
+ # Hash to merge the converted element into.
+ # element::
+ # XML element to merge into hash
+- def merge_element!(hash, element)
+- merge!(hash, element.name, collapse(element))
++ def merge_element!(hash, element, depth)
++ raise REXML::ParseException, "The document is too deep" if depth == 0
++ merge!(hash, element.name, collapse(element, depth))
+ end
+
+ # Actually converts an XML document element into a data structure.
+ #
+ # element::
+ # The document element to be collapsed.
+- def collapse(element)
++ def collapse(element, depth)
+ hash = get_attributes(element)
+
+ if element.has_elements?
+- element.each_element {|child| merge_element!(hash, child) }
++ element.each_element {|child| merge_element!(hash, child, depth - 1) }
+ merge_texts!(hash, element) unless empty_content?(element)
+ hash
+ else
+--
+2.2.1
+
+ \ No newline at end of file
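Review bot: The two backends fail differently when the limit is hit: `jdom.rb` raises a bare string (`raise 'Document too deep!'`, i.e. a RuntimeError) while `rexml.rb` raises `REXML::ParseException`, so code that rescues parse errors by class will see an over-deep document as an unexpected error under JDOM. Both guards also test `depth == 0`, which never fires if `XmlMini.depth` is set to a negative number; `if depth <= 0` would keep the limit effective for any misconfigured value. Only the REXML and JDOM backends are touched here, so whether the other XmlMini backends need the same limit should be checked against the upstream advisory for CVE-2015-3227. Since this file is a verbatim upstream backport, these are points to raise upstream rather than to edit locally.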