From 85fd60643dcfdcc871af86aaeac45d158466af26 Mon Sep 17 00:00:00 2001
From: Max Rees
Date: Mon, 23 Mar 2020 22:14:43 -0500
Subject: system/ruby: patch CVE-2020-8130
---
 system/ruby/APKBUILD | 8 ++++++--
 system/ruby/CVE-2020-8130.patch | 18 ++++++++++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 system/ruby/CVE-2020-8130.patch
diff --git a/system/ruby/APKBUILD b/system/ruby/APKBUILD
index 537c1010a..0cb185852 100644
--- a/system/ruby/APKBUILD
+++ b/system/ruby/APKBUILD
@@ -38,11 +38,13 @@
 # - CVE-2019-16201
 # - CVE-2019-16254
 # - CVE-2019-16255
+# 2.5.7-r1:
+# - CVE-2020-8130
 #
 pkgname=ruby
 pkgver=2.5.7
 _abiver="${pkgver%.*}.0"
-pkgrel=0
+pkgrel=1
 pkgdesc="An object-oriented language for quick and easy programming"
 url="https://www.ruby-lang.org/"
 arch="all"
@@ -76,6 +78,7 @@ source="https://cache.ruby-lang.org/pub/ruby/${pkgver%.*}/$pkgname-$pkgver.tar.x
 	test_insns-lower-recursion-depth.patch
 	fix-get_main_stack.patch
 	libedit-compat.patch
+	CVE-2020-8130.patch
 	"
 replaces="ruby-etc ruby-gems"
 
@@ -318,4 +321,5 @@ sha512sums="63b7c75fab44cd1bd22f22ddec00c740cf379ac7240da0dfafcec54347766695faef
 20e7e5ee9936a93872fe1ad836dd1fde001fe4a0e7ed54c26727ad83da3ceb0e6247681d9dd4f98a69e1b0250703ed8fc682d44075780d5f47faa1d5f58d2bdb rubygems-avoid-platform-specific-gems.patch
 814fe6359505b70d8ff680adf22f20a74b4dbd3fecc9a63a6c2456ee9824257815929917b6df5394ed069a6869511b8c6dce5b95b4acbbb7867c1f3a975a0150 test_insns-lower-recursion-depth.patch
 e99b36940fa8fdd445d82738c70b8fc042cab042a4662cab156578aad2dac9673a96da22b6676aa36beac08070e92a7798c60d6f36eeb169216c4c51864ce2fe fix-get_main_stack.patch
-6b88fccce164db1d8beb16adeffdd7effd077e9842b7f61deddebeb39afcf9b839192b68a43ce66a1ff0c9aeaacc4f13a0ee56184c22e822cd8b10a07a1c87b2 libedit-compat.patch"
+6b88fccce164db1d8beb16adeffdd7effd077e9842b7f61deddebeb39afcf9b839192b68a43ce66a1ff0c9aeaacc4f13a0ee56184c22e822cd8b10a07a1c87b2 libedit-compat.patch
+50b3a2aca1c0d7a7b557e030fbf57049512730cd6516cb6b26624855c25a20e84eef7f84ec9eafb94200de067ec67790e5fe0902e69681ac4de9195240b318dc CVE-2020-8130.patch"
diff --git a/system/ruby/CVE-2020-8130.patch b/system/ruby/CVE-2020-8130.patch
new file mode 100644
index 000000000..3cb6e4adf
--- /dev/null
+++ b/system/ruby/CVE-2020-8130.patch
@@ -0,0 +1,18 @@
+Note: adjusted paths since it's being vendored inside ruby.
+
+From 5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA
+Date: Mon, 22 Jul 2019 10:23:43 +0900
+Subject: [PATCH] Use File.open explicitly.
+
+--- ruby-2.5.7/gems/rake-12.3.0/lib/rake/file_list.rb
++++ ruby-2.5.7/gems/rake-12.3.0/lib/rake/file_list.rb
+@@ -294,7 +294,7 @@ def egrep(pattern, *options)
+       matched = 0
+       each do |fn|
+         begin
+-          open(fn, "r", *options) do |inf|
++          File.open(fn, "r", *options) do |inf|
+             count = 0
+             inf.each do |line|
+               count += 1
-- 
cgit v1.2.3-70-g09d2
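Review bot: The backport only rewrites the extracted tree at gems/rake-12.3.0/lib/rake/file_list.rb; if the build installs the bundled rake from the gems/rake-12.3.0.gem archive instead of from that directory, the installed `egrep` would still call `Kernel#open` and the package would ship unfixed, so the installed file_list.rb should be checked after build (which copy rbinstall uses is not visible from this diff). The change itself is the right one: `Kernel#open` treats a name beginning with `|` as a command to spawn, so `File.open(fn, "r", *options)` closes the command-execution path through a crafted FileList entry. The body of `egrep` continues outside the hunk, and the vendored patch should also be confirmed to apply at abuild's default -p1 level, since its paths carry the `ruby-2.5.7/` prefix. A one-line header comment in the patch, e.g. `# FileList#egrep: Kernel#open would spawn a process for a filename starting with '|'`, would help the next person auditing this backport.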