From 85fd60643dcfdcc871af86aaeac45d158466af26 Mon Sep 17 00:00:00 2001
From: Max Rees <maxcrees@me.com>
Date: Mon, 23 Mar 2020 22:14:43 -0500
Subject: system/ruby: patch CVE-2020-8130

---
 system/ruby/APKBUILD            |  8 ++++++--
 system/ruby/CVE-2020-8130.patch | 18 ++++++++++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 system/ruby/CVE-2020-8130.patch

(limited to 'system')

diff --git a/system/ruby/APKBUILD b/system/ruby/APKBUILD
index 537c1010a..0cb185852 100644
--- a/system/ruby/APKBUILD
+++ b/system/ruby/APKBUILD
@@ -38,11 +38,13 @@
 #     - CVE-2019-16201
 #     - CVE-2019-16254
 #     - CVE-2019-16255
+#   2.5.7-r1:
+#     - CVE-2020-8130
 #
 pkgname=ruby
 pkgver=2.5.7
 _abiver="${pkgver%.*}.0"
-pkgrel=0
+pkgrel=1
 pkgdesc="An object-oriented language for quick and easy programming"
 url="https://www.ruby-lang.org/"
 arch="all"
@@ -76,6 +78,7 @@ source="https://cache.ruby-lang.org/pub/ruby/${pkgver%.*}/$pkgname-$pkgver.tar.x
 	test_insns-lower-recursion-depth.patch
 	fix-get_main_stack.patch
 	libedit-compat.patch
+	CVE-2020-8130.patch
 	"
 replaces="ruby-etc ruby-gems"
 
@@ -318,4 +321,5 @@ sha512sums="63b7c75fab44cd1bd22f22ddec00c740cf379ac7240da0dfafcec54347766695faef
 20e7e5ee9936a93872fe1ad836dd1fde001fe4a0e7ed54c26727ad83da3ceb0e6247681d9dd4f98a69e1b0250703ed8fc682d44075780d5f47faa1d5f58d2bdb  rubygems-avoid-platform-specific-gems.patch
 814fe6359505b70d8ff680adf22f20a74b4dbd3fecc9a63a6c2456ee9824257815929917b6df5394ed069a6869511b8c6dce5b95b4acbbb7867c1f3a975a0150  test_insns-lower-recursion-depth.patch
 e99b36940fa8fdd445d82738c70b8fc042cab042a4662cab156578aad2dac9673a96da22b6676aa36beac08070e92a7798c60d6f36eeb169216c4c51864ce2fe  fix-get_main_stack.patch
-6b88fccce164db1d8beb16adeffdd7effd077e9842b7f61deddebeb39afcf9b839192b68a43ce66a1ff0c9aeaacc4f13a0ee56184c22e822cd8b10a07a1c87b2  libedit-compat.patch"
+6b88fccce164db1d8beb16adeffdd7effd077e9842b7f61deddebeb39afcf9b839192b68a43ce66a1ff0c9aeaacc4f13a0ee56184c22e822cd8b10a07a1c87b2  libedit-compat.patch
+50b3a2aca1c0d7a7b557e030fbf57049512730cd6516cb6b26624855c25a20e84eef7f84ec9eafb94200de067ec67790e5fe0902e69681ac4de9195240b318dc  CVE-2020-8130.patch"
diff --git a/system/ruby/CVE-2020-8130.patch b/system/ruby/CVE-2020-8130.patch
new file mode 100644
index 000000000..3cb6e4adf
--- /dev/null
+++ b/system/ruby/CVE-2020-8130.patch
@@ -0,0 +1,18 @@
+Note: adjusted paths since it's being vendored inside ruby.
+
+From 5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Mon, 22 Jul 2019 10:23:43 +0900
+Subject: [PATCH] Use File.open explicitly.
+
+--- ruby-2.5.7/gems/rake-12.3.0/lib/rake/file_list.rb
++++ ruby-2.5.7/gems/rake-12.3.0/lib/rake/file_list.rb
+@@ -294,7 +294,7 @@ def egrep(pattern, *options)
+       matched = 0
+       each do |fn|
+         begin
+-          open(fn, "r", *options) do |inf|
++          File.open(fn, "r", *options) do |inf|
+             count = 0
+             inf.each do |line|
+               count += 1
-- 
cgit v1.2.3-60-g2f50