-rw-r--r-- | system/ruby/APKBUILD | 12 | ||||
-rw-r--r-- | system/ruby/fix-get_main_stack.patch | 4 | ||||
-rw-r--r-- | system/ruby/ruby-2.5.3-rubygems-v2.patch | 408 | ||||
-rw-r--r-- | system/ruby/rubygems-avoid-platform-specific-gems.patch | 2 |
4 files changed, 8 insertions, 418 deletions
diff --git a/system/ruby/APKBUILD b/system/ruby/APKBUILD
index 7f949cc04..306f47ce7 100644
--- a/system/ruby/APKBUILD
+++ b/system/ruby/APKBUILD
@@ -33,9 +33,9 @@
 # - CVE-2019-8325
 #
 pkgname=ruby
-pkgver=2.5.3
+pkgver=2.5.5
 _abiver="${pkgver%.*}.0"
-pkgrel=2
+pkgrel=0
 pkgdesc="An object-oriented language for quick and easy programming"
 url="https://www.ruby-lang.org/"
 arch="all"
@@ -69,7 +69,6 @@ source="https://cache.ruby-lang.org/pub/ruby/${pkgver%.*}/$pkgname-$pkgver.tar.x
 rubygems-avoid-platform-specific-gems.patch
 test_insns-lower-recursion-depth.patch
 fix-get_main_stack.patch
-ruby-2.5.3-rubygems-v2.patch
 "
 
 replaces="ruby-gems"
@@ -316,8 +315,7 @@ _mvgem() {
 done
 }
 
-sha512sums="6dcae0e8d0bacdb2cbde636e2030596308b5af53f2eb85d3adccb67b02e6f8f9751e8117d12f8484829fdd9d995f6e327f701d9b433bcf94f1f59d13a1fd7518 ruby-2.5.3.tar.xz
-cfdc5ea3b2e2ea69c51f38e8e2180cb1dc27008ca55cc6301f142ebafdbab31c3379b3b6bba9ff543153876dd98ed2ad194df3255b7ea77a62e931c935f80538 rubygems-avoid-platform-specific-gems.patch
+sha512sums="06b1d58536ebfacb7b56c1e6ed4b8ab816fadc4f48c845a452554cd262e7908199a30e5793f3cbaec2db56a8803aa5c6089abf7bf06c8fc47867e97870b7dfec ruby-2.5.5.tar.xz
+20e7e5ee9936a93872fe1ad836dd1fde001fe4a0e7ed54c26727ad83da3ceb0e6247681d9dd4f98a69e1b0250703ed8fc682d44075780d5f47faa1d5f58d2bdb rubygems-avoid-platform-specific-gems.patch
 814fe6359505b70d8ff680adf22f20a74b4dbd3fecc9a63a6c2456ee9824257815929917b6df5394ed069a6869511b8c6dce5b95b4acbbb7867c1f3a975a0150 test_insns-lower-recursion-depth.patch
-8d730f02f76e53799f1c220eb23e3d2305940bb31216a7ab1e42d3256149c0721c7d173cdbfe505023b1af2f5cb3faa233dcc1b5d560fa8f980c17c2d29a9d81 fix-get_main_stack.patch
-4f374a8bce1f5137e155d79aa06086d25c3be45f90d8dbebc9f4ee2fb71dd5fe4a3bc1f7b922e784cbb9054f575155c1ad921062b762eb372306dabe9ff7951e ruby-2.5.3-rubygems-v2.patch"
+e99b36940fa8fdd445d82738c70b8fc042cab042a4662cab156578aad2dac9673a96da22b6676aa36beac08070e92a7798c60d6f36eeb169216c4c51864ce2fe fix-get_main_stack.patch"
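Review bot: Dropping `ruby-2.5.3-rubygems-v2.patch` from `source=` is only safe if the 2.5.5 tarball already carries the RubyGems fixes that patch backported; the secfixes comment visible at the top of the first hunk ends with `# - CVE-2019-8325`, so that block should be checked against the upstream 2.5.5 release notes (which, as far as I know, bundle RubyGems 2.7.6.2 with those fixes) and extended with a `2.5.5-r0:` entry if the list is still filed under the previous version. Resetting `pkgrel=0` on the version bump is correct. The sha512sums for `fix-get_main_stack.patch` and `rubygems-avoid-platform-specific-gems.patch` change in the third hunk, which matches the rebased hunk offsets in those files elsewhere in this commit; the new digests themselves cannot be checked from the page.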
diff --git a/system/ruby/fix-get_main_stack.patch b/system/ruby/fix-get_main_stack.patch
index 4bb9a0932..4b1a101ab 100644
--- a/system/ruby/fix-get_main_stack.patch
+++ b/system/ruby/fix-get_main_stack.patch
@@ -2,7 +2,7 @@ diff --git a/thread_pthread.c b/thread_pthread.c
 index 951885ffa0..cf90321d1d 100644
 --- a/thread_pthread.c
 +++ b/thread_pthread.c
-@@ -530,9 +530,6 @@ hpux_attr_getstackaddr(const pthread_attr_t *attr, void **addr)
+@@ -552,9 +552,6 @@ hpux_attr_getstackaddr(const pthread_attr_t *attr, void **addr)
  # define MAINSTACKADDR_AVAILABLE 0
  # endif
  #endif
@@ -12,7 +12,7 @@ index 951885ffa0..cf90321d1d 100644
  
  #ifdef STACKADDR_AVAILABLE
  /*
-@@ -614,6 +611,55 @@ get_stack(void **addr, size_t *size)
+@@ -632,6 +629,55 @@ get_stack(void **addr, size_t *size)
  return 0;
  #undef CHECK_ERR
  }
diff --git a/system/ruby/ruby-2.5.3-rubygems-v2.patch b/system/ruby/ruby-2.5.3-rubygems-v2.patch
deleted file mode 100644
index cf2b2c7f1..000000000
--- a/system/ruby/ruby-2.5.3-rubygems-v2.patch
+++ /dev/null
@@ -1,408 +0,0 @@ -diff --git lib/rubygems.rb lib/rubygems.rb -index 2762bfcb88..cd7434ca87 100644 ---- a/lib/rubygems.rb -+++ b/lib/rubygems.rb -@@ -10,7 +10,7 @@ - require 'thread' - - module Gem -- VERSION = "2.7.6" -+ VERSION = "2.7.6.1" - end - - # Must be first since it unloads the prelude from 1.9.2 -diff --git lib/rubygems/command_manager.rb lib/rubygems/command_manager.rb -index 887272378e..3bee1c30a4 100644 ---- a/lib/rubygems/command_manager.rb -+++ b/lib/rubygems/command_manager.rb -@@ -7,6 +7,7 @@ - - require 'rubygems/command' - require 'rubygems/user_interaction' -+require 'rubygems/text' - - ## - # The command manager registers and installs all the individual sub-commands -@@ -32,6 +33,7 @@ - - class Gem::CommandManager - -+ include Gem::Text - include Gem::UserInteraction - - BUILTIN_COMMANDS = [ # :nodoc: -@@ -140,12 +142,12 @@ def command_names - def run(args, build_args=nil) - process_args(args, build_args) - rescue StandardError, Timeout::Error => ex -- alert_error "While executing gem ... (#{ex.class})\n #{ex}" -+ alert_error clean_text("While executing gem ... (#{ex.class})\n #{ex}") - ui.backtrace ex - - terminate_interaction(1) - rescue Interrupt -- alert_error "Interrupted" -+ alert_error clean_text("Interrupted") - terminate_interaction(1) - end - -@@ -163,7 +165,7 @@ def process_args(args, build_args=nil) - say Gem::VERSION - terminate_interaction 0 - when /^-/ then -- alert_error "Invalid option: #{args.first}. See 'gem --help'." -+ alert_error clean_text("Invalid option: #{args.first}. 
See 'gem --help'.") - terminate_interaction 1 - else - cmd_name = args.shift.downcase -@@ -212,7 +214,7 @@ def load_and_instantiate(command_name) - rescue Exception => e - e = load_error if load_error - -- alert_error "Loading command: #{command_name} (#{e.class})\n\t#{e}" -+ alert_error clean_text("Loading command: #{command_name} (#{e.class})\n\t#{e}") - ui.backtrace e - end - end -diff --git lib/rubygems/commands/owner_command.rb lib/rubygems/commands/owner_command.rb -index 637b5bdc4d..cac6c5a17d 100644 ---- a/lib/rubygems/commands/owner_command.rb -+++ b/lib/rubygems/commands/owner_command.rb -@@ -2,8 +2,11 @@ - require 'rubygems/command' - require 'rubygems/local_remote_options' - require 'rubygems/gemcutter_utilities' -+require 'rubygems/text' - - class Gem::Commands::OwnerCommand < Gem::Command -+ -+ include Gem::Text - include Gem::LocalRemoteOptions - include Gem::GemcutterUtilities - -@@ -64,7 +67,7 @@ def show_owners name - end - - with_response response do |resp| -- owners = Gem::SafeYAML.load resp.body -+ owners = Gem::SafeYAML.load clean_text(resp.body) - - say "Owners for gem: #{name}" - owners.each do |owner| -diff --git lib/rubygems/gemcutter_utilities.rb lib/rubygems/gemcutter_utilities.rb -index 7c6d6bb364..623d9301b5 100644 ---- a/lib/rubygems/gemcutter_utilities.rb -+++ b/lib/rubygems/gemcutter_utilities.rb -@@ -1,11 +1,14 @@ - # frozen_string_literal: true - require 'rubygems/remote_fetcher' -+require 'rubygems/text' - - ## - # Utility methods for using the RubyGems API. - - module Gem::GemcutterUtilities - -+ include Gem::Text -+ - # TODO: move to Gem::Command - OptionParser.accept Symbol do |value| - value.to_sym -@@ -145,13 +148,13 @@ def with_response response, error_prefix = nil - if block_given? 
then - yield response - else -- say response.body -+ say clean_text(response.body) - end - else - message = response.body - message = "#{error_prefix}: #{message}" if error_prefix - -- say message -+ say clean_text(message) - terminate_interaction 1 # TODO: question this - end - end -diff --git lib/rubygems/installer.rb lib/rubygems/installer.rb -index ee5fedeb64..904d5a0c7c 100644 ---- a/lib/rubygems/installer.rb -+++ b/lib/rubygems/installer.rb -@@ -707,9 +707,26 @@ def verify_gem_home(unpack = false) # :nodoc: - unpack or File.writable?(gem_home) - end - -- def verify_spec_name -- return if spec.name =~ Gem::Specification::VALID_NAME_PATTERN -- raise Gem::InstallError, "#{spec} has an invalid name" -+ def verify_spec -+ unless spec.name =~ Gem::Specification::VALID_NAME_PATTERN -+ raise Gem::InstallError, "#{spec} has an invalid name" -+ end -+ -+ if spec.raw_require_paths.any?{|path| path =~ /\r\n|\r|\n/ } -+ raise Gem::InstallError, "#{spec} has an invalid require_paths" -+ end -+ -+ if spec.extensions.any?{|ext| ext =~ /\r\n|\r|\n/ } -+ raise Gem::InstallError, "#{spec} has an invalid extensions" -+ end -+ -+ unless spec.specification_version.to_s =~ /\A\d+\z/ -+ raise Gem::InstallError, "#{spec} has an invalid specification_version" -+ end -+ -+ if spec.dependencies.any? 
{|dep| dep.type =~ /\r\n|\r|\n/ || dep.name =~ /\r\n|\r|\n/ } -+ raise Gem::InstallError, "#{spec} has an invalid dependencies" -+ end - end - - ## -@@ -836,10 +853,12 @@ def dir - def pre_install_checks - verify_gem_home options[:unpack] - -+ # The name and require_paths must be verified first, since it could contain -+ # ruby code that would be eval'ed in #ensure_loadable_spec -+ verify_spec -+ - ensure_loadable_spec - -- verify_spec_name -- - if options[:install_as_default] - Gem.ensure_default_gem_subdirectories gem_home - else -diff --git lib/rubygems/package.rb lib/rubygems/package.rb -index b924122827..b472b97a07 100644 ---- a/lib/rubygems/package.rb -+++ b/lib/rubygems/package.rb -@@ -425,6 +425,16 @@ def install_location filename, destination_dir # :nodoc: - raise Gem::Package::PathError.new(destination, destination_dir) unless - destination.start_with? destination_dir + '/' - -+ begin -+ real_destination = File.expand_path(File.realpath(destination)) -+ rescue -+ # it's fine if the destination doesn't exist, because rm -rf'ing it can't cause any damage -+ nil -+ else -+ raise Gem::Package::PathError.new(real_destination, destination_dir) unless -+ real_destination.start_with? destination_dir + '/' -+ end -+ - destination.untaint - destination - end -diff --git lib/rubygems/user_interaction.rb lib/rubygems/user_interaction.rb -index cacd782e08..eff8f9533c 100644 ---- a/lib/rubygems/user_interaction.rb -+++ b/lib/rubygems/user_interaction.rb -@@ -6,6 +6,7 @@ - #++ - - require 'rubygems/util' -+require 'rubygems/text' - - ## - # Module that defines the default UserInteraction. Any class including this -@@ -13,6 +14,8 @@ - - module Gem::DefaultUserInteraction - -+ include Gem::Text -+ - ## - # The default UI is a class variable of the singleton class for this - # module. -@@ -160,8 +163,8 @@ def terminate_interaction exit_code = 0 - # Calls +say+ with +msg+ or the results of the block if really_verbose - # is true. 
- -- def verbose msg = nil -- say(msg || yield) if Gem.configuration.really_verbose -+ def verbose(msg = nil) -+ say(clean_text(msg || yield)) if Gem.configuration.really_verbose - end - end - -diff --git test/rubygems/test_gem_installer.rb test/rubygems/test_gem_installer.rb -index 93b0482407..a47a307049 100644 ---- a/test/rubygems/test_gem_installer.rb -+++ b/test/rubygems/test_gem_installer.rb -@@ -1474,6 +1474,114 @@ def spec.validate; end - end - end - -+ def test_pre_install_checks_malicious_name_before_eval -+ spec = util_spec "malicious\n::Object.const_set(:FROM_EVAL, true)#", '1' -+ def spec.full_name # so the spec is buildable -+ "malicious-1" -+ end -+ def spec.validate(*args); end -+ -+ util_build_gem spec -+ -+ gem = File.join(@gemhome, 'cache', spec.file_name) -+ -+ use_ui @ui do -+ @installer = Gem::Installer.at gem -+ e = assert_raises Gem::InstallError do -+ @installer.pre_install_checks -+ end -+ assert_equal "#<Gem::Specification name=malicious\n::Object.const_set(:FROM_EVAL, true)# version=1> has an invalid name", e.message -+ end -+ refute defined?(::Object::FROM_EVAL) -+ end -+ -+ def test_pre_install_checks_malicious_require_paths_before_eval -+ spec = util_spec "malicious", '1' -+ def spec.full_name # so the spec is buildable -+ "malicious-1" -+ end -+ def spec.validate(*args); end -+ spec.require_paths = ["malicious\n``"] -+ -+ util_build_gem spec -+ -+ gem = File.join(@gemhome, 'cache', spec.file_name) -+ -+ use_ui @ui do -+ @installer = Gem::Installer.at gem -+ e = assert_raises Gem::InstallError do -+ @installer.pre_install_checks -+ end -+ assert_equal "#<Gem::Specification name=malicious version=1> has an invalid require_paths", e.message -+ end -+ end -+ -+ def test_pre_install_checks_malicious_extensions_before_eval -+ skip "mswin environment disallow to create file contained the carriage return code." if Gem.win_platform? 
-+ -+ spec = util_spec "malicious", '1' -+ def spec.full_name # so the spec is buildable -+ "malicious-1" -+ end -+ def spec.validate(*args); end -+ spec.extensions = ["malicious\n``"] -+ -+ util_build_gem spec -+ -+ gem = File.join(@gemhome, 'cache', spec.file_name) -+ -+ use_ui @ui do -+ @installer = Gem::Installer.at gem -+ e = assert_raises Gem::InstallError do -+ @installer.pre_install_checks -+ end -+ assert_equal "#<Gem::Specification name=malicious version=1> has an invalid extensions", e.message -+ end -+ end -+ -+ def test_pre_install_checks_malicious_specification_version_before_eval -+ spec = util_spec "malicious", '1' -+ def spec.full_name # so the spec is buildable -+ "malicious-1" -+ end -+ def spec.validate(*args); end -+ spec.specification_version = "malicious\n``" -+ -+ util_build_gem spec -+ -+ gem = File.join(@gemhome, 'cache', spec.file_name) -+ -+ use_ui @ui do -+ @installer = Gem::Installer.at gem -+ e = assert_raises Gem::InstallError do -+ @installer.pre_install_checks -+ end -+ assert_equal "#<Gem::Specification name=malicious version=1> has an invalid specification_version", e.message -+ end -+ end -+ -+ def test_pre_install_checks_malicious_dependencies_before_eval -+ spec = util_spec "malicious", '1' -+ def spec.full_name # so the spec is buildable -+ "malicious-1" -+ end -+ def spec.validate(*args); end -+ spec.add_dependency "b\nfoo", '> 5' -+ -+ util_build_gem spec -+ -+ gem = File.join(@gemhome, 'cache', spec.file_name) -+ -+ use_ui @ui do -+ @installer = Gem::Installer.at gem -+ @installer.ignore_dependencies = true -+ e = assert_raises Gem::InstallError do -+ @installer.pre_install_checks -+ end -+ assert_equal "#<Gem::Specification name=malicious version=1> has an invalid dependencies", e.message -+ end -+ end -+ - def test_shebang - util_make_exec @spec, "#!/usr/bin/ruby" - -diff --git test/rubygems/test_gem_package.rb test/rubygems/test_gem_package.rb -index d1664cf285..0b03ee2e0c 100644 ---- a/test/rubygems/test_gem_package.rb 
-+++ b/test/rubygems/test_gem_package.rb -@@ -480,6 +480,42 @@ def test_extract_symlink_parent - "#{destination_subdir} is not allowed", e.message) - end - -+ def test_extract_symlink_parent_doesnt_delete_user_dir -+ skip if RUBY_VERSION <= "1.8.7" -+ -+ package = Gem::Package.new @gem -+ -+ # Extract into a subdirectory of @destination; if this test fails it writes -+ # a file outside destination_subdir, but we want the file to remain inside -+ # @destination so it will be cleaned up. -+ destination_subdir = File.join @destination, 'subdir' -+ FileUtils.mkdir_p destination_subdir -+ -+ destination_user_dir = File.join @destination, 'user' -+ destination_user_subdir = File.join destination_user_dir, 'dir' -+ FileUtils.mkdir_p destination_user_subdir -+ -+ tgz_io = util_tar_gz do |tar| -+ tar.add_symlink 'link', destination_user_dir, 16877 -+ tar.add_symlink 'link/dir', '.', 16877 -+ end -+ -+ e = assert_raises(Gem::Package::PathError, Errno::EACCES) do -+ package.extract_tar_gz tgz_io, destination_subdir -+ end -+ -+ assert_path_exists destination_user_subdir -+ -+ if Gem::Package::PathError === e -+ assert_equal("installing into parent path #{destination_user_subdir} of " + -+ "#{destination_subdir} is not allowed", e.message) -+ elsif win_platform? -+ skip "symlink - must be admin with no UAC on Windows" -+ else -+ raise e -+ end -+ end -+ - def test_extract_tar_gz_directory - package = Gem::Package.new @gem - -diff --git test/rubygems/test_gem_text.rb test/rubygems/test_gem_text.rb -index 04f3f605e8..8ce6df94bb 100644 ---- a/test/rubygems/test_gem_text.rb -+++ b/test/rubygems/test_gem_text.rb -@@ -85,4 +85,9 @@ def test_truncate_text - s = "ab" * 500_001 - assert_equal "Truncating desc to 1,000,000 characters:\n#{s[0, 1_000_000]}", truncate_text(s, "desc", 1_000_000) - end -+ -+ def test_clean_text -+ assert_equal ".]2;nyan.", clean_text("\e]2;nyan\a") -+ end -+ - end 
diff --git a/system/ruby/rubygems-avoid-platform-specific-gems.patch b/system/ruby/rubygems-avoid-platform-specific-gems.patch
index 74a536558..da6884d09 100644
--- a/system/ruby/rubygems-avoid-platform-specific-gems.patch
+++ b/system/ruby/rubygems-avoid-platform-specific-gems.patch
@@ -17,7 +17,7 @@ a platform-agnostic (source) gem. Users can override it using
 
 --- a/lib/rubygems.rb
 +++ b/lib/rubygems.rb
-@@ -743,7 +743,10 @@
+@@ -764,7 +764,10 @@
  def self.platforms
  @platforms ||= []
  if @platforms.empty?