authorMax Rees <maxcrees@me.com>2020-03-23 22:14:43 -0500
committerMax Rees <maxcrees@me.com>2020-03-23 22:14:43 -0500
commit85fd60643dcfdcc871af86aaeac45d158466af26 (patch)
tree6b5e4f8c7ff5d089aeb635b25a7ec9a5fff9660f
parentcf52fe9940f6e2205819493b5c8e18834239fe0b (diff)
system/ruby: patch CVE-2020-8130
-rw-r--r--system/ruby/APKBUILD8
-rw-r--r--system/ruby/CVE-2020-8130.patch18
2 files changed, 24 insertions, 2 deletions
diff --git a/system/ruby/APKBUILD b/system/ruby/APKBUILD
index 537c1010a..0cb185852 100644
--- a/system/ruby/APKBUILD
+++ b/system/ruby/APKBUILD
@@ -38,11 +38,13 @@
# - CVE-2019-16201
# - CVE-2019-16254
# - CVE-2019-16255
+# 2.5.7-r1:
+# - CVE-2020-8130
#
pkgname=ruby
pkgver=2.5.7
_abiver="${pkgver%.*}.0"
-pkgrel=0
+pkgrel=1
pkgdesc="An object-oriented language for quick and easy programming"
url="https://www.ruby-lang.org/"
arch="all"
@@ -76,6 +78,7 @@ source="https://cache.ruby-lang.org/pub/ruby/${pkgver%.*}/$pkgname-$pkgver.tar.x
test_insns-lower-recursion-depth.patch
fix-get_main_stack.patch
libedit-compat.patch
+ CVE-2020-8130.patch
"
replaces="ruby-etc ruby-gems"
@@ -318,4 +321,5 @@ sha512sums="63b7c75fab44cd1bd22f22ddec00c740cf379ac7240da0dfafcec54347766695faef
20e7e5ee9936a93872fe1ad836dd1fde001fe4a0e7ed54c26727ad83da3ceb0e6247681d9dd4f98a69e1b0250703ed8fc682d44075780d5f47faa1d5f58d2bdb rubygems-avoid-platform-specific-gems.patch
814fe6359505b70d8ff680adf22f20a74b4dbd3fecc9a63a6c2456ee9824257815929917b6df5394ed069a6869511b8c6dce5b95b4acbbb7867c1f3a975a0150 test_insns-lower-recursion-depth.patch
e99b36940fa8fdd445d82738c70b8fc042cab042a4662cab156578aad2dac9673a96da22b6676aa36beac08070e92a7798c60d6f36eeb169216c4c51864ce2fe fix-get_main_stack.patch
-6b88fccce164db1d8beb16adeffdd7effd077e9842b7f61deddebeb39afcf9b839192b68a43ce66a1ff0c9aeaacc4f13a0ee56184c22e822cd8b10a07a1c87b2 libedit-compat.patch"
+6b88fccce164db1d8beb16adeffdd7effd077e9842b7f61deddebeb39afcf9b839192b68a43ce66a1ff0c9aeaacc4f13a0ee56184c22e822cd8b10a07a1c87b2 libedit-compat.patch
+50b3a2aca1c0d7a7b557e030fbf57049512730cd6516cb6b26624855c25a20e84eef7f84ec9eafb94200de067ec67790e5fe0902e69681ac4de9195240b318dc CVE-2020-8130.patch"
diff --git a/system/ruby/CVE-2020-8130.patch b/system/ruby/CVE-2020-8130.patch
new file mode 100644
index 000000000..3cb6e4adf
--- /dev/null
+++ b/system/ruby/CVE-2020-8130.patch
@@ -0,0 +1,18 @@
+Note: adjusted paths since it's being vendored inside ruby.
+
+From 5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Mon, 22 Jul 2019 10:23:43 +0900
+Subject: [PATCH] Use File.open explicitly.
+
+--- ruby-2.5.7/gems/rake-12.3.0/lib/rake/file_list.rb
++++ ruby-2.5.7/gems/rake-12.3.0/lib/rake/file_list.rb
+@@ -294,7 +294,7 @@ def egrep(pattern, *options)
+ matched = 0
+ each do |fn|
+ begin
+- open(fn, "r", *options) do |inf|
++ File.open(fn, "r", *options) do |inf|
+ count = 0
+ inf.each do |line|
+ count += 1
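Review bot: The patch targets `gems/rake-12.3.0/lib/rake/file_list.rb`, i.e. the extracted tree of a bundled gem, but that directory only exists once the build has unpacked the `.gem` archive shipped in the tarball; if the APKBUILD applies patches before that extraction, or installs rake from the `.gem` archive rather than from this tree, the installed rake still calls `Kernel#open` on each filename, which is exactly the `|cmd` process-spawning path CVE-2020-8130 covers. The prepare/build steps are not in this diff, so this is inferred — please confirm the patch applies cleanly and that the installed `file_list.rb` ends up with `File.open` rather than `open`. I would also add an upstream reference to the header note, e.g. `Upstream: rake commit 5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee (rake 12.3.3)`, so the vendored hunk can be re-checked or dropped when rake is bumped. The `egrep` method this hunk modifies begins and ends outside the hunk.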