head	1.12;
access;
symbols
	pkgsrc-2017Q1:1.11.0.54
	pkgsrc-2017Q1-base:1.11
	pkgsrc-2016Q4:1.11.0.52
	pkgsrc-2016Q4-base:1.11
	pkgsrc-2016Q3:1.11.0.50
	pkgsrc-2016Q3-base:1.11
	pkgsrc-2016Q2:1.11.0.48
	pkgsrc-2016Q2-base:1.11
	pkgsrc-2016Q1:1.11.0.46
	pkgsrc-2016Q1-base:1.11
	pkgsrc-2015Q4:1.11.0.44
	pkgsrc-2015Q4-base:1.11
	pkgsrc-2015Q3:1.11.0.42
	pkgsrc-2015Q3-base:1.11
	pkgsrc-2015Q2:1.11.0.40
	pkgsrc-2015Q2-base:1.11
	pkgsrc-2015Q1:1.11.0.38
	pkgsrc-2015Q1-base:1.11
	pkgsrc-2014Q4:1.11.0.36
	pkgsrc-2014Q4-base:1.11
	pkgsrc-2014Q3:1.11.0.34
	pkgsrc-2014Q3-base:1.11
	pkgsrc-2014Q2:1.11.0.32
	pkgsrc-2014Q2-base:1.11
	pkgsrc-2014Q1:1.11.0.30
	pkgsrc-2014Q1-base:1.11
	pkgsrc-2013Q4:1.11.0.28
	pkgsrc-2013Q4-base:1.11
	pkgsrc-2013Q3:1.11.0.26
	pkgsrc-2013Q3-base:1.11
	pkgsrc-2013Q2:1.11.0.24
	pkgsrc-2013Q2-base:1.11
	pkgsrc-2013Q1:1.11.0.22
	pkgsrc-2013Q1-base:1.11
	pkgsrc-2012Q4:1.11.0.20
	pkgsrc-2012Q4-base:1.11
	pkgsrc-2012Q3:1.11.0.18
	pkgsrc-2012Q3-base:1.11
	pkgsrc-2012Q2:1.11.0.16
	pkgsrc-2012Q2-base:1.11
	pkgsrc-2012Q1:1.11.0.14
	pkgsrc-2012Q1-base:1.11
	pkgsrc-2011Q4:1.11.0.12
	pkgsrc-2011Q4-base:1.11
	pkgsrc-2011Q3:1.11.0.10
	pkgsrc-2011Q3-base:1.11
	pkgsrc-2011Q2:1.11.0.8
	pkgsrc-2011Q2-base:1.11
	pkgsrc-2011Q1:1.11.0.6
	pkgsrc-2011Q1-base:1.11
	pkgsrc-2010Q4:1.11.0.4
	pkgsrc-2010Q4-base:1.11
	pkgsrc-2010Q3:1.11.0.2
	pkgsrc-2010Q3-base:1.11
	pkgsrc-2009Q4:1.10.0.8
	pkgsrc-2009Q4-base:1.10
	pkgsrc-2008Q4:1.10.0.6
	pkgsrc-2008Q4-base:1.10
	pkgsrc-2008Q3:1.10.0.4
	pkgsrc-2008Q3-base:1.10
	cube-native-xorg:1.10.0.2
	cube-native-xorg-base:1.10
	pkgsrc-2008Q2:1.9.0.4
	pkgsrc-2008Q2-base:1.9
	cwrapper:1.9.0.2
	pkgsrc-2008Q1:1.7.0.6
	pkgsrc-2008Q1-base:1.7
	pkgsrc-2007Q4:1.7.0.4
	pkgsrc-2007Q4-base:1.7
	pkgsrc-2007Q3:1.7.0.2
	pkgsrc-2007Q3-base:1.7
	pkgsrc-2007Q2:1.6.0.8
	pkgsrc-2007Q2-base:1.6
	pkgsrc-2007Q1:1.6.0.6
	pkgsrc-2007Q1-base:1.6
	pkgsrc-2006Q4:1.6.0.4
	pkgsrc-2006Q4-base:1.6
	pkgsrc-2006Q3:1.6.0.2
	pkgsrc-2006Q3-base:1.6
	pkgsrc-2006Q2:1.4.0.4
	pkgsrc-2006Q2-base:1.4
	pkgsrc-2006Q1:1.4.0.2
	pkgsrc-2006Q1-base:1.4
	pkgsrc-2005Q4:1.3.0.2
	pkgsrc-2005Q4-base:1.3
	pkgsrc-2005Q3:1.2.0.2
	pkgsrc-2005Q3-base:1.2
	pkgsrc-2005Q2:1.1.0.2;
locks; strict;
comment	@# @;


1.12
date	2017.04.22.18.23.55;	author taca;	state dead;
branches;
next	1.11;
commitid	tDoWtAVFTjPkJyOz;

1.11
date	2010.09.10.03.29.00;	author taca;	state Exp;
branches;
next	1.10;

1.10
date	2008.08.08.12.42.44;	author taca;	state dead;
branches;
next	1.9;

1.9
date	2008.07.03.21.06.10;	author tonnerre;	state Exp;
branches
	1.9.4.1;
next	1.8;

1.8
date	2008.06.19.14.35.37;	author taca;	state dead;
branches;
next	1.7;

1.7
date	2007.10.02.15.59.23;	author taca;	state Exp;
branches
	1.7.6.1;
next	1.6;

1.6
date	2006.09.07.15.40.01;	author taca;	state dead;
branches;
next	1.5;

1.5
date	2006.07.30.23.12.50;	author taca;	state Exp;
branches;
next	1.4;

1.4
date	2006.01.03.14.37.24;	author taca;	state Exp;
branches
	1.4.4.1;
next	1.3;

1.3
date	2005.11.02.08.56.40;	author taca;	state Exp;
branches;
next	1.2;

1.2
date	2005.09.23.12.01.44;	author taca;	state dead;
branches;
next	1.1;

1.1
date	2005.09.21.14.03.22;	author taca;	state Exp;
branches
	1.1.2.1;
next	;

1.9.4.1
date	2008.08.08.14.37.50;	author ghen;	state dead;
branches;
next	;

1.7.6.1
date	2008.06.28.11.54.07;	author tron;	state Exp;
branches;
next	;

1.4.4.1
date	2006.07.31.22.43.13;	author salo;	state Exp;
branches;
next	;

1.1.2.1
date	2005.09.21.14.03.22;	author salo;	state dead;
branches;
next	1.1.2.2;

1.1.2.2
date	2005.09.22.16.45.00;	author salo;	state Exp;
branches;
next	;


desc
@@


1.12
log
@Remove ruby18, which reached EOL almost 4 years ago.
@
text
@$NetBSD: patch-ad,v 1.11 2010/09/10 03:29:00 taca Exp $

* Fix warnings.
* Fix for pthread: r26440

--- eval.c.orig	2010-06-10 04:38:43.000000000 +0000
+++ eval.c
@@@@ -779,7 +779,7 @@@@ static unsigned long frame_unique = 0;
     _frame.argc = 0;			\
     _frame.flags = 0;			\
     _frame.uniq = frame_unique++;	\
-    ruby_frame = &_frame
+    ruby_frame = (struct FRAME *)&_frame
 
 #define POP_FRAME()  			\
     ruby_current_node = _frame.node;	\
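Review bot: The added cast in `ruby_frame = (struct FRAME *)&_frame` silences the compiler warning without recording what mismatch it hides, and a pointer cast like this will also hide any later change to the type or qualifiers of `_frame`. The declaration of `_frame` is above the hunk, so it is not visible whether a qualifier such as `volatile` is being discarded; if it is, a short comment in the macro, e.g. `/* cast only discards the qualifier on _frame (silences a warning) */`, would mark the discard as intentional. The macro body starts outside the hunk.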
@@@@ -12250,7 +12250,9 @@@@ rb_thread_alloc(klass)
     return th;
 }
 
+#if defined(HAVE_SETITIMER) || defined(_THREAD_SAFE)
 static int thread_init;
+#endif
 
 #if defined(POSIX_SIGNAL)
 #define CATCH_VTALRM() posix_signal(SIGVTALRM, catch_timer)
@


1.11
log
@Update ruby18-base to 1.8.7.302 (Ruby 1.8.7 patchlevel 302).

Since many changes from previous release, please refer
http://www.ruby-lang.org/en/news/2010/08/16/ruby-1-8-7-p302-is-released/.

Note: Since all security updates are already in the previous package,
this update doesn't include any security fix.
@
text
@d1 1
a1 1
$NetBSD$
@


1.10
log
@Update ruby18-base to 1.8.7.71.

pkgsrc change:

	Apply fix for sunpro compiler, provided by PR pkg/37771 from
	Naoto Morishima.


This release includes fix for multiple vulnerabilities.

http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/

	* Several vulnerabilities in safe level
	* DoS vulnerability in WEBrick
	* Lack of taintness check in dl
	* DNS spoofing vulnerability in resolv.rb

Full changes are too many, please refer ChangeLog file.
@
text
@d1 1
a1 1
$NetBSD: patch-ad,v 1.9 2008/07/03 21:06:10 tonnerre Exp $
d3 2
a4 2
Avoid memory size integer overflow memory exhaustion DoS in filling
arrays (SN-2008-02).
d6 21
a26 15
--- array.c.orig	2008-07-03 22:56:32.000000000 +0200
+++ array.c
@@@@ -2416,10 +2416,10 @@@@ rb_ary_fill(argc, argv, ary)
 	break;
     }
     rb_ary_modify(ary);
-    end = beg + len;
-    if (end < 0) {
+    if (beg >= ARY_MAX_SIZE || len > ARY_MAX_SIZE - beg) {
 	rb_raise(rb_eArgError, "argument too big");
     }
+    end = beg + len;
     if (end > RARRAY(ary)->len) {
 	if (end >= RARRAY(ary)->aux.capa) {
 	    REALLOC_N(RARRAY(ary)->ptr, VALUE, end);
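Review bot: The new guard `beg >= ARY_MAX_SIZE || len > ARY_MAX_SIZE - beg` only protects `REALLOC_N(RARRAY(ary)->ptr, VALUE, end)` if `ARY_MAX_SIZE` already accounts for the multiplication by `sizeof(VALUE)`; its definition is not in this hunk and should be confirmed. The removed `end < 0` test also caught a negative `len` large enough to make `end` negative, which the new condition lets through, so unless `len` is validated earlier in `rb_ary_fill` (above the hunk) an explicit `if (len < 0) return ary;` before the guard would make the lower bound as deliberate as the upper one. A one-line comment such as `/* check before adding: beg + len must not wrap */` would keep the check-then-add ordering from being undone later.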
@


1.9
log
@Add a patch to fix the integer overflow in rb_ary_fill() in Ruby 1.8
which can be exploited to cause a denial of service through memory
exhaustion. (SN-2008-02)
@
text
@d1 1
a1 1
$NetBSD$
@


1.9.4.1
log
@Pullup ticket 2473 - requested by taca
security update for ruby

- pkgsrc/devel/ruby-curses/distinfo			1.16
- pkgsrc/lang/ruby/rubyversion.mk			1.43
- pkgsrc/lang/ruby18-base/Makefile			1.46
- pkgsrc/lang/ruby18-base/distinfo			1.32
- pkgsrc/lang/ruby18-base/patches/patch-ad		removed
- pkgsrc/x11/ruby-tk/distinfo				1.19

   Module Name:		pkgsrc
   Committed By:	taca
   Date:		Fri Aug  8 12:38:59 UTC 2008

   Modified Files:
	   pkgsrc/lang/ruby: rubyversion.mk

   Log Message:
   Start update of Ruby 1.8.7 patchlevel 71.
---
   Module Name:		pkgsrc
   Committed By:	taca
   Date:		Fri Aug  8 12:42:44 UTC 2008

   Modified Files:
	   pkgsrc/lang/ruby18-base: Makefile distinfo
   Removed Files:
	   pkgsrc/lang/ruby18-base/patches: patch-ad

   Log Message:
   Update ruby18-base to 1.8.7.71.

   pkgsrc change:

	   Apply fix for sunpro compiler, provided by PR pkg/37771 from
	   Naoto Morishima.

   This release includes fix for multiple vulnerabilities.

   http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/

	   * Several vulnerabilities in safe level
	   * DoS vulnerability in WEBrick
	   * Lack of taintness check in dl
	   * DNS spoofing vulnerability in resolv.rb

   Full changes are too many, please refer ChangeLog file.
---
   Module Name:		pkgsrc
   Committed By:	taca
   Date:		Fri Aug  8 12:43:51 UTC 2008

   Modified Files:
	   pkgsrc/devel/ruby-curses: distinfo

   Log Message:
   Update ruby-curses package to 1.8.7.71.

   This is version update only, no functional change in this ruby extention.
---
   Module Name:		pkgsrc
   Committed By:	taca
   Date:		Fri Aug  8 12:44:51 UTC 2008

   Modified Files:
	   pkgsrc/x11/ruby-tk: distinfo

   Log Message:
   Update ruby-tk package to 1.8.7.71.

   This is version update only, no functional change in this ruby extention.
@
text
@d1 1
a1 1
$NetBSD: patch-ad,v 1.9 2008/07/03 21:06:10 tonnerre Exp $
@


1.8
log
@Update ruby18-base package to 1.8.7.

Since the changes are too many to list here, please refer to

	http://svn.ruby-lang.org/repos/ruby/tags/v1_8_7/NEWS
	http://svn.ruby-lang.org/repos/ruby/tags/v1_8_7/ChangeLog

	http://svn.ruby-lang.org/repos/ruby/tags/v1_8_7_17/NEWS
	http://svn.ruby-lang.org/repos/ruby/tags/v1_8_7_17/ChangeLog
@
text
@d1 1
a1 1
$NetBSD: patch-ad,v 1.7 2007/10/02 15:59:23 taca Exp $
d3 18
a20 12
--- eval.c.orig	2007-09-23 09:01:50.000000000 +0900
+++ eval.c
@@@@ -11944,7 +11944,9 @@@@ rb_thread_start_0(fn, arg, th)
 #ifdef _THREAD_SAFE
 	pthread_create(&time_thread, 0, thread_timer, 0);
         time_thread_alive_p = 1;
+#ifndef __DragonFly__
         pthread_atfork(0, 0, rb_child_atfork);
+#endif
 #else
 	rb_thread_start_timer();
 #endif
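Review bot: Compiling out `pthread_atfork(0, 0, rb_child_atfork)` under `#ifndef __DragonFly__` means the child-side handler is never registered on that platform, so whatever `rb_child_atfork` resets after `fork()` is skipped there; its body is not in the hunk. A platform macro also keeps the call disabled on any DragonFly release that does provide `pthread_atfork`, so a configure-time test for the function would be more precise than testing the OS. If the build failure is indeed a missing `pthread_atfork`, say so above the guard, e.g. `/* no pthread_atfork() here; the child keeps the parent's timer-thread state */`.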
@


1.7
log
@Try to fix build problem on DragonFly BSD.
(I tested on old DragonFly 1.7.0-DEVELOPMENT.)
@
text
@d1 1
a1 1
$NetBSD$
@


1.7.6.1
log
@Pullup ticket #2436 - requested by taca
Security update for ruby packages

Apply patches to update Ruby to version 1.8.6 patchlevel 230 to fix
the security vulnerability reported in CVE-2008-2726.
@
text
@d1 1
a1 1
$NetBSD: patch-ad,v 1.7 2007/10/02 15:59:23 taca Exp $
d3 1
a3 1
--- eval.c.orig	2008-06-16 15:43:48.000000000 +0900
d5 1
a5 1
@@@@ -11962,7 +11962,9 @@@@ rb_thread_start_0(fn, arg, th)
@


1.6
log
@Update Ruby to 1.8.5 (+ ruby-1-8 branch on 2006-09-07).

pkgsrc changes:

* Add RUBY_DYNAMIC_DIRS which cause generating dynamic PLIST entries.
* Move using buildlinks to rubyversion.mk.
* Merge converters/ruby-iconv to ruby18-base.

Ruby changes:

* too many, see ChangeLog file or
  http://eigenclass.org/hiki.rb?ruby+1.8.5+changelog
@
text
@d1 1
a1 1
$NetBSD: patch-ad,v 1.5 2006/07/30 23:12:50 taca Exp $
d3 1
a3 3
# now contains fix for JVN#83768862 (part of CVE-2006-3694)

--- eval.c.orig	2005-12-20 22:41:47.000000000 +0900
d5 10
a14 99
@@@@ -1810,12 +1810,13 @@@@ ev_const_defined(cref, id, self)
     while (cbase && cbase->nd_next) {
 	struct RClass *klass = RCLASS(cbase->nd_clss);
 
-	if (NIL_P(klass)) return rb_const_defined(CLASS_OF(self), id);
-	if (klass->iv_tbl && st_lookup(klass->iv_tbl, id, &result)) {
-	    if (result == Qundef && NIL_P(rb_autoload_p((VALUE)klass, id))) {
-		return Qfalse;
+	if (!NIL_P(klass)) {
+	    if (klass->iv_tbl && st_lookup(klass->iv_tbl, id, &result)) {
+		if (result == Qundef && NIL_P(rb_autoload_p((VALUE)klass, id))) {
+		    return Qfalse;
+		}
+		return Qtrue;
 	    }
-	    return Qtrue;
 	}
 	cbase = cbase->nd_next;
     }
@@@@ -1834,13 +1835,15 @@@@ ev_const_get(cref, id, self)
     while (cbase && cbase->nd_next) {
 	VALUE klass = cbase->nd_clss;
 
-	if (NIL_P(klass)) return rb_const_get(CLASS_OF(self), id);
-	while (RCLASS(klass)->iv_tbl && st_lookup(RCLASS(klass)->iv_tbl, id, &result)) {
-	    if (result == Qundef) {
-		if (!RTEST(rb_autoload_load(klass, id))) break;
-		continue;
+	if (!NIL_P(klass)) {
+	    while (RCLASS(klass)->iv_tbl &&
+		   st_lookup(RCLASS(klass)->iv_tbl, id, &result)) {
+		if (result == Qundef) {
+		    if (!RTEST(rb_autoload_load(klass, id))) break;
+		    continue;
+		}
+		return result;
 	    }
-	    return result;
 	}
 	cbase = cbase->nd_next;
     }
@@@@ -2097,7 +2100,8 @@@@ rb_alias(klass, name, def)
 	}
     }
     st_insert(RCLASS(klass)->m_tbl, name,
-      (st_data_t)NEW_METHOD(NEW_FBODY(body, def, origin), orig->nd_noex));
+	      (st_data_t)NEW_METHOD(NEW_FBODY(body, def, origin),
+				    NOEX_WITH_SAFE(orig->nd_noex)));
     if (singleton) {
 	rb_funcall(singleton, singleton_added, 1, ID2SYM(name));
     }
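Review bot: `NOEX_WITH_SAFE(orig->nd_noex)` ORs the current safe level into flags that may already carry one, because the `rb_add_method` hunk elsewhere on this page stores `NOEX_WITH_SAFE(noex)` into each method entry and `NOEX_WITH` is a plain `(n) | (v) << 4`. A method defined at level 1 and aliased at level 2 would then read back as level 3 through `NOEX_SAFE`, which is higher than either and crosses the `> 2` threshold tested in `rb_call0`. If the alias is meant to carry the level at the alias site, clear the old level bits first, e.g. `NOEX_WITH_SAFE(orig->nd_noex & 0x0f)` (everything from bit 4 up is the level, per `NOEX_SAFE`); if the maximum of the two is intended, that wants a comment and an explicit comparison rather than an OR.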
@@@@ -3886,7 +3890,7 @@@@ rb_eval(self, n)
 	if (NIL_P(ruby_class)) {
 	    rb_raise(rb_eTypeError, "no class to undef method");
 	}
-	rb_undef(ruby_class, node->nd_mid);
+	rb_undef(ruby_class, rb_to_id(rb_eval(self, node->u2.node)));
 	result = Qnil;
 	break;
 
@@@@ -3894,12 +3898,13 @@@@ rb_eval(self, n)
 	if (NIL_P(ruby_class)) {
 	    rb_raise(rb_eTypeError, "no class to make alias");
 	}
-	rb_alias(ruby_class, node->nd_new, node->nd_old);
+	rb_alias(ruby_class, rb_to_id(rb_eval(self, node->u1.node)),
+		             rb_to_id(rb_eval(self, node->u2.node)));
 	result = Qnil;
 	break;
 
       case NODE_VALIAS:
-	rb_alias_variable(node->nd_new, node->nd_old);
+	rb_alias_variable(node->u1.id, node->u2.id);
 	result = Qnil;
 	break;
 
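Review bot: In the `NODE_ALIAS` case the two `rb_eval` calls are arguments of a single `rb_alias(...)` call, and C leaves the evaluation order of function arguments unspecified, so with dynamic symbols the new and old names may be evaluated in either order depending on the compiler. Evaluating into locals inside a braced block makes the order explicit: `ID new_id = rb_to_id(rb_eval(self, node->u1.node));`, then `ID old_id = rb_to_id(rb_eval(self, node->u2.node));`, then `rb_alias(ruby_class, new_id, old_id);`. The switch these cases belong to starts and ends outside the hunk.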
@@@@ -5638,6 +5643,11 @@@@ rb_call0(klass, recv, id, oid, argc, arg
     TMP_PROTECT;
     volatile int safe = -1;
 
+    if (NOEX_SAFE(flags) > ruby_safe_level &&
+	!(flags&NOEX_TAINTED) && ruby_safe_level == 0 && NOEX_SAFE(flags) > 2) {
+	rb_raise(rb_eSecurityError, "calling insecure method: %s",
+		 rb_id2name(id));
+    }
     switch (ruby_iter->iter) {
       case ITER_PRE:
       case ITER_PAS:
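Review bot: The hoisted check repeats itself: once `ruby_safe_level == 0 && NOEX_SAFE(flags) > 2` holds, the leading `NOEX_SAFE(flags) > ruby_safe_level` is always true, so the condition reduces to `if (ruby_safe_level == 0 && NOEX_SAFE(flags) > 2 && !(flags & NOEX_TAINTED))`. The move itself carries no comment; something like `/* reject before the iter/frame state below is touched, independent of the body type */` would tell the next reader why the test must not drift back into the inner branch it was removed from. Whether every body type is really covered depends on the rest of `rb_call0`, which is outside the hunk. The same hunk appears again in the 1.4.4.1 delta further down this page.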
@@@@ -5742,10 +5752,6 @@@@ rb_call0(klass, recv, id, oid, argc, arg
 	    b2 = body = body->nd_next;
 
 	    if (NOEX_SAFE(flags) > ruby_safe_level) {
-		if (!(flags&NOEX_TAINTED) && ruby_safe_level == 0 && NOEX_SAFE(flags) > 2) {
-		    rb_raise(rb_eSecurityError, "calling insecure method: %s",
-			     rb_id2name(id));
-		}
 		safe = ruby_safe_level;
 		ruby_safe_level = NOEX_SAFE(flags);
 	    }
@


1.5
log
@- Security fix for CVE-2006-3694 (JVN#13947696 and JVN#83768862).
- Import yaml problem and fix document generation for ri(1).
- minor clean up to pkgsrc.

Bump PKGREVISION.
@
text
@d1 1
a1 1
$NetBSD: patch-ad,v 1.4 2006/01/03 14:37:24 taca Exp $
@


1.4
log
@Update ruby18-base package to Ruby 1.8.4.

Ruby 1.8.4 is a maintenance release of the Ruby programming language.
The changes are too many to list here; please see http://www.ruby-lang.org/.

And this package contains some bug fixes after release of 1.8.4.

Tue Dec 27 08:29:18 2005  GOTOU Yuuzou  <gotoyuzo@@notwork.org>

	* ext/openssl/lib/openssl/ssl.rb (OpenSSL::SSL::SSLSocket#post_connection_chech):
	  treat wildcard character in commonName. [ruby-dev:28121]

Mon Dec 26 22:32:47 2005  Nobuyoshi Nakada  <nobu@@ruby-lang.org>

	* eval.c (rb_eval), gc.c (gc_mark_children), node.h (NEW_ALIAS,
	  NEW_VALIAS), parse.y (fitem): allow dynamic symbols to
	  NODE_UNDEF and NODE_ALIAS.
	  backported from trunk.  fixed: [ruby-dev:28105]

Mon Dec 26 08:50:36 2005  Yukihiro Matsumoto  <matz@@ruby-lang.org>

	* eval.c (ev_const_get): fixed a bug in constant reference during
	  instance_eval.  [yarv-dev:707]

	* eval.c (ev_const_defined): ditto.

	* lib/yaml.rb (YAML::add_domain_type): typo fixed.  a patch from
	  Joel VanderWerf <vjoel at path.berkeley.edu>.
	  [ruby-talk:165285] [ruby-core:6995]
@
text
@d1 3
a3 1
$NetBSD$
d48 11
a58 1
@@@@ -3886,7 +3889,7 @@@@ rb_eval(self, n)
d67 1
a67 1
@@@@ -3894,12 +3897,13 @@@@ rb_eval(self, n)
d83 23
@


1.4.4.1
log
@Pullup ticket 1764 - requested by taca
security fix for ruby18-base

   Module Name:		pkgsrc
   Committed By:	taca
   Date:		Sun Jul 30 23:12:50 UTC 2006

   Modified Files:
   	pkgsrc/lang/ruby18-base: Makefile PLIST distinfo
   	pkgsrc/lang/ruby18-base/patches: patch-ad patch-cc
   Added Files:
   	pkgsrc/lang/ruby18-base/patches: patch-ck patch-cl patch-cm patch-cn
   	    patch-co

   Log Message:
   - Security fix for CVE-2006-3694 (JVN#13947696 and JVN#83768862).
   - Import yaml problem and fix document generation for ri(1).
   - minor clean up to pkgsrc.

   Bump PKGREVISION.
---
   Module Name:		pkgsrc
   Committed By:	taca
   Date:		Mon Jul 31 11:29:03 UTC 2006

   Modified Files:
   	pkgsrc/lang/ruby18-base: Makefile PLIST distinfo
   	pkgsrc/lang/ruby18-base/patches: patch-cm

   Log Message:
   - Fix PLIST problem; a extra entry.
   - Reduce warning of optparse.rb when generating ri(1) database.

   Bump PKGREVISION.
@
text
@d1 1
a1 3
$NetBSD: patch-ad,v 1.5 2006/07/30 23:12:50 taca Exp $

# now contains fix for JVN#83768862 (part of CVE-2006-3694)
d46 1
a46 11
@@@@ -2097,7 +2100,8 @@@@ rb_alias(klass, name, def)
 	}
     }
     st_insert(RCLASS(klass)->m_tbl, name,
-      (st_data_t)NEW_METHOD(NEW_FBODY(body, def, origin), orig->nd_noex));
+	      (st_data_t)NEW_METHOD(NEW_FBODY(body, def, origin),
+				    NOEX_WITH_SAFE(orig->nd_noex)));
     if (singleton) {
 	rb_funcall(singleton, singleton_added, 1, ID2SYM(name));
     }
@@@@ -3886,7 +3890,7 @@@@ rb_eval(self, n)
d55 1
a55 1
@@@@ -3894,12 +3898,13 @@@@ rb_eval(self, n)
a70 23
@@@@ -5638,6 +5643,11 @@@@ rb_call0(klass, recv, id, oid, argc, arg
     TMP_PROTECT;
     volatile int safe = -1;
 
+    if (NOEX_SAFE(flags) > ruby_safe_level &&
+	!(flags&NOEX_TAINTED) && ruby_safe_level == 0 && NOEX_SAFE(flags) > 2) {
+	rb_raise(rb_eSecurityError, "calling insecure method: %s",
+		 rb_id2name(id));
+    }
     switch (ruby_iter->iter) {
       case ITER_PRE:
       case ITER_PAS:
@@@@ -5742,10 +5752,6 @@@@ rb_call0(klass, recv, id, oid, argc, arg
 	    b2 = body = body->nd_next;
 
 	    if (NOEX_SAFE(flags) > ruby_safe_level) {
-		if (!(flags&NOEX_TAINTED) && ruby_safe_level == 0 && NOEX_SAFE(flags) > 2) {
-		    rb_raise(rb_eSecurityError, "calling insecure method: %s",
-			     rb_id2name(id));
-		}
 		safe = ruby_safe_level;
 		ruby_safe_level = NOEX_SAFE(flags);
 	    }
@


1.3
log
@- Update to Ruby 1.8.3 with several fixes after its release
  (see CHANGES.pkgsrc file).
- Merge databases/ruby-dbm, devel/ruby-zlib, security/ruby-digest and
  ruby-openssl, conflicting with these packages.
- Better handling for RI directories.
- Use pkgsrc's TOOLS framework.
@
text
@d3 1
a3 1
--- eval.c.orig	2005-09-20 18:26:35.000000000 +0900
d5 14
a18 7
@@@@ -1837,7 +1837,7 @@@@ ev_const_get(cref, id, self)
 	if (NIL_P(klass)) return rb_const_get(CLASS_OF(self), id);
 	while (RCLASS(klass)->iv_tbl && st_lookup(RCLASS(klass)->iv_tbl, id, &result)) {
 	    if (result == Qundef) {
-		rb_autoload_load(klass, id);
+		if (!RTEST(rb_autoload_load(klass, id))) break;
 		continue;
d20 3
a22 115
 	    return result;
@@@@ -2545,6 +2545,7 @@@@ set_trace_func(obj, trace)
 {
     rb_event_hook_t *hook;
 
+    rb_secure(4);
     if (NIL_P(trace)) {
 	trace_func = 0;
 	rb_remove_event_hook(call_trace_func);
@@@@ -2814,7 +2815,15 @@@@ unknown_node(node)
     NODE *volatile node;
 {
     ruby_current_node = 0;
-    rb_bug("unknown node type %d", nd_type(node));
+    if (node->flags == 0) {
+        rb_bug("terminated node (0x%lx)", node);
+    }
+    else if (BUILTIN_TYPE(node) != T_NODE) {
+        rb_bug("not a node 0x%02lx (0x%lx)", BUILTIN_TYPE(node), node);
+    }
+    else {
+        rb_bug("unknown node type %d (0x%lx)", nd_type(node), node);
+    }
 }
 
 static VALUE
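Review bot: The three new `rb_bug` calls pass `node`, a `NODE *`, to a `%lx` conversion, and handing a pointer to an integer conversion in a printf-style variadic call is undefined behaviour; it only appears to work where `long` and pointers share a size and passing convention. Either cast the argument, `rb_bug("terminated node (0x%lx)", (unsigned long)node);`, or switch the conversion to `%p`, and do the same in the other two calls. `BUILTIN_TYPE(node)` is printed with `%02lx` as well; its type is not visible in this hunk, so it may need an `(unsigned long)` cast too.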
@@@@ -4091,21 +4100,32 @@@@ module_setup(module, n)
 static NODE *basic_respond_to = 0;
 
 int
-rb_respond_to(obj, id)
+rb_obj_respond_to(obj, id, priv)
     VALUE obj;
     ID id;
+    int priv;
 {
     VALUE klass = CLASS_OF(obj);
-    if (rb_method_node(klass, respond_to) == basic_respond_to &&
-	rb_method_boundp(klass, id, 0)) {
-	return Qtrue;
+
+    if (rb_method_node(klass, respond_to) == basic_respond_to) {
+	return rb_method_boundp(klass, id, !priv);
     }
-    else{
-	return rb_funcall(obj, respond_to, 1, ID2SYM(id));
+    else {
+	VALUE args[2];
+	int n = 0;
+	args[n++] = ID2SYM(id);
+	if (priv) args[n++] = Qtrue;
+	return rb_funcall2(obj, respond_to, n, args);
     }
-    return Qfalse;
 }
 
+int
+rb_respond_to(obj, id)
+    VALUE obj;
+    ID id;
+{
+    return rb_obj_respond_to(obj, id, Qfalse);
+}
 
 /*
  *  call-seq:
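Review bot: `rb_obj_respond_to` is declared `int` but returns the raw `VALUE` from `rb_funcall2(obj, respond_to, n, args)`, so a user-defined `respond_to?` that returns `nil` comes back as a non-zero integer (`Qnil` is a non-zero constant in this interpreter) and reads as true to C callers, and any other object reference is narrowed to `int`. Wrapping the call as `return RTEST(rb_funcall2(obj, respond_to, n, args));` yields a plain truth value. The new `rb_respond_to` wrapper has the mirror-image mix-up, passing the `VALUE` constant `Qfalse` for the `int priv` parameter; `rb_obj_respond_to(obj, id, 0)` says what is meant.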
@@@@ -4117,7 +4137,7 @@@@ rb_respond_to(obj, id)
  */
 
 static VALUE
-rb_obj_respond_to(argc, argv, obj)
+obj_respond_to(argc, argv, obj)
     int argc;
     VALUE *argv;
     VALUE obj;
@@@@ -5921,7 +5941,7 @@@@ rb_apply(recv, mid, args)
  *     obj.__send__(symbol [, args...])    => obj
  *  
  *  Invokes the method identified by _symbol_, passing it any
- *  arguments specified. You can use <code>__send__</code> if the name
+ *  arguments specified. You can use <code>\_\_send__</code> if the name
  *  +send+ clashes with an existing method in _obj_.
  *     
  *     class Klass
@@@@ -6060,6 +6080,9 @@@@ rb_call_super(argc, argv)
 
     self = ruby_frame->self;
     klass = ruby_frame->last_class;
+    if (RCLASS(klass)->super == 0) {
+	return method_missing(self, ruby_frame->last_func, argc, argv, CSTAT_SUPER);
+    }
 
     PUSH_ITER(ruby_iter->iter ? ITER_PRE : ITER_NOT);
     result = rb_call(RCLASS(klass)->super, self, ruby_frame->orig_func, argc, argv, 3);
@@@@ -6419,14 +6442,16 @@@@ exec_under(func, under, cbase, args)
     VALUE val = Qnil;		/* OK */
     int state;
     int mode;
+    struct FRAME *f = ruby_frame->prev;
 
     PUSH_CLASS(under);
     PUSH_FRAME();
-    ruby_frame->self = _frame.prev->self;
-    ruby_frame->last_func = _frame.prev->last_func;
-    ruby_frame->last_class = _frame.prev->last_class;
-    ruby_frame->argc = _frame.prev->argc;
-    ruby_frame->argv = _frame.prev->argv;
+    ruby_frame->self = f->self;
+    ruby_frame->last_func = f->last_func;
+    ruby_frame->orig_func = f->orig_func;
+    ruby_frame->last_class = f->last_class;
+    ruby_frame->argc = f->argc;
+    ruby_frame->argv = f->argv;
     if (cbase) {
 	PUSH_CREF(cbase);
d24 17
a40 33
@@@@ -6844,19 +6869,19 @@@@ rb_provide(feature)
     rb_provide_feature(rb_str_new2(feature));
 }
 
-static void
+static int
 load_wait(ftptr)
     char *ftptr;
 {
     st_data_t th;
 
-    if (!loading_tbl) return;
-    if (!st_lookup(loading_tbl, (st_data_t)ftptr, &th)) return;
-    if ((rb_thread_t)th == curr_thread) return;
+    if (!loading_tbl) return Qfalse;
+    if (!st_lookup(loading_tbl, (st_data_t)ftptr, &th)) return Qfalse;
     do {
+	if ((rb_thread_t)th == curr_thread) return Qtrue;
 	CHECK_INTS;
-	rb_thread_schedule();
     } while (st_lookup(loading_tbl, (st_data_t)ftptr, &th));
+    return Qtrue;
 }
 
 /*
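Review bot: `load_wait` now returns `int`, but its `return` statements use the `VALUE` constants `Qfalse`/`Qtrue` and nothing documents what the result means to the caller. Plain `0`/`1` plus a header comment, e.g. `/* returns non-zero if ftptr was found in loading_tbl (being loaded by this or another thread), 0 otherwise */`, would make the contract readable at the call site. With `rb_thread_schedule()` removed, the wait loop depends entirely on `CHECK_INTS` to let the loading thread make progress; that macro's definition is not on this page, so confirm it still yields.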
@@@@ -6987,8 +7012,7 @@@@ rb_require_safe(fname, safe)
 	ruby_safe_level = safe;
 	found = search_required(fname, &feature, &path);
 	if (found) {
-	    if (!path) {
-		load_wait(RSTRING(feature)->ptr);
+	    if (!path || load_wait(RSTRING(path)->ptr)) {
 		result = Qfalse;
d42 3
a44 12
 	    else {
@@@@ -7751,7 +7775,7 @@@@ Init_eval()
     rb_define_global_function("method_missing", rb_method_missing, -1);
     rb_define_global_function("loop", rb_f_loop, 0);
 
-    rb_define_method(rb_mKernel, "respond_to?", rb_obj_respond_to, -1);
+    rb_define_method(rb_mKernel, "respond_to?", obj_respond_to, -1);
     respond_to   = rb_intern("respond_to?");
     basic_respond_to = rb_method_node(rb_cObject, respond_to);
     rb_global_variable((VALUE*)&basic_respond_to);
@@@@ -9383,6 +9407,7 @@@@ rb_mod_define_method(argc, argv, mod)
 	noex = NOEX_PUBLIC;
d46 24
a69 8
     rb_add_method(mod, id, node, noex);
+    rb_define_method(rb_cBinding, "dup", proc_dup, 0);
     return body;
 }
 
@@@@ -12549,7 +12574,7 @@@@ thgroup_list(group)
  *     ThreadError: can't move from the enclosed thread group
  */
a70 5
-VALUE
+static VALUE
 thgroup_enclose(group)
     VALUE group;
 {
@


1.2
log
@Use the security patch from the official Ruby ftp server instead of adding it locally.
This doesn't change anything in the installed binaries or the built package.
@
text
@d1 1
a1 1
$NetBSD: patch-ad,v 1.1 2005/09/21 14:03:22 taca Exp $
d3 1
a3 1
--- eval.c.orig	2004-12-18 11:07:29.000000000 +0900
d5 19
a23 11
@@@@ -252,6 +252,11 @@@@ struct cache_entry {		/* method hash tab
 static struct cache_entry cache[CACHE_SIZE];
 static int ruby_running = 0;
 
+#define NOEX_TAINTED 8
+#define NOEX_SAFE(n) ((n) >> 4)
+#define NOEX_WITH(n, v) ((n) | (v) << 4)
+#define NOEX_WITH_SAFE(n) NOEX_WITH(n, ruby_safe_level)
+
 void
 rb_clear_cache()
d25 11
a35 10
@@@@ -344,7 +349,7 @@@@ rb_add_method(klass, mid, node, noex)
     }
     if (OBJ_FROZEN(klass)) rb_error_frozen("class/module");
     rb_clear_cache_by_id(mid);
-    body = NEW_METHOD(node, noex);
+    body = NEW_METHOD(node, NOEX_WITH_SAFE(noex));
     st_insert(RCLASS(klass)->m_tbl, mid, (st_data_t)body);
     if (node && mid != ID_ALLOCATOR && ruby_running) {
 	if (FL_TEST(klass, FL_SINGLETON)) {
@@@@ -5456,20 +5461,21 @@@@ call_cfunc(func, recv, len, argc, argv)
d39 9
a47 10
-rb_call0(klass, recv, id, oid, argc, argv, body, nosuper)
+rb_call0(klass, recv, id, oid, argc, argv, body, flags)
     VALUE klass, recv;
     ID    id;
     ID    oid;
     int argc;			/* OK */
     VALUE *argv;		/* OK */
     NODE *body;			/* OK */
-    int nosuper;
+    int flags;
d49 32
a80 29
     NODE *b2;		/* OK */
     volatile VALUE result = Qnil;
     int itr;
     static int tick;
     TMP_PROTECT;
+    volatile int safe = -1;
 
     switch (ruby_iter->iter) {
       case ITER_PRE:
@@@@ -5491,7 +5497,7 @@@@ rb_call0(klass, recv, id, oid, argc, arg
 
     ruby_frame->last_func = id;
     ruby_frame->orig_func = oid;
-    ruby_frame->last_class = nosuper?0:klass;
+    ruby_frame->last_class = (flags & NOEX_UNDEF)?0:klass;
     ruby_frame->self = recv;
     ruby_frame->argc = argc;
     ruby_frame->argv = argv;
@@@@ -5553,7 +5559,6 @@@@ rb_call0(klass, recv, id, oid, argc, arg
 	    NODE *saved_cref = 0;
 
 	    PUSH_SCOPE();
-
 	    if (body->nd_rval) {
 		saved_cref = ruby_cref;
 		ruby_cref = (NODE*)body->nd_rval;
@@@@ -5572,9 +5577,16 @@@@ rb_call0(klass, recv, id, oid, argc, arg
 	    }
 	    b2 = body = body->nd_next;
d82 46
a127 24
+	    if (NOEX_SAFE(flags) > ruby_safe_level) {
+		if (!(flags&NOEX_TAINTED) && ruby_safe_level == 0 && NOEX_SAFE(flags) > 2) {
+		    rb_raise(rb_eSecurityError, "calling insecure method: %s",
+			     rb_id2name(id));
+		}
+		safe = ruby_safe_level;
+		ruby_safe_level = NOEX_SAFE(flags);
+	    }
 	    PUSH_VARS();
 	    PUSH_TAG(PROT_FUNC);
-
 	    if ((state = EXEC_TAG()) == 0) {
 		NODE *node = 0;
 		int i;
@@@@ -5653,6 +5665,7 @@@@ rb_call0(klass, recv, id, oid, argc, arg
 		result = prot_tag->retval;
 		state = 0;
 	    }
+	    if (safe >= 0) ruby_safe_level = safe;
 	    POP_TAG();
 	    POP_VARS();
 	    POP_CLASS();
@@@@ -5740,7 +5753,7 @@@@ rb_call(klass, recv, mid, argc, argv, sc
 	}
d129 3
d133 18
a150 2
-    return rb_call0(klass, recv, mid, id, argc, argv, body, noex & NOEX_NOSUPER);
+    return rb_call0(klass, recv, mid, id, argc, argv, body, noex);
d153 22
a174 43
 VALUE
@@@@ -8530,6 +8543,7 @@@@ struct METHOD {
     VALUE klass, rklass;
     VALUE recv;
     ID id, oid;
+    int safe_level;
     NODE *body;
 };
 
@@@@ -8577,6 +8591,7 @@@@ mnew(klass, obj, id, mklass)
     data->body = body;
     data->rklass = rklass;
     data->oid = oid;
+    data->safe_level = NOEX_WITH_SAFE(0);
     OBJ_INFECT(method, klass);
 
     return method;
@@@@ -8661,6 +8676,7 @@@@ method_unbind(obj)
     data->body = orig->body;
     data->rklass = orig->rklass;
     data->oid = orig->oid;
+    data->safe_level = NOEX_WITH_SAFE(0);
     OBJ_INFECT(method, obj);
 
     return method;
@@@@ -8782,26 +8798,21 @@@@ method_call(argc, argv, method)
 {
     VALUE result = Qnil;	/* OK */
     struct METHOD *data;
-    int state;
-    volatile int safe = -1;
+    int safe;
 
     Data_Get_Struct(method, struct METHOD, data);
     if (data->recv == Qundef) {
 	rb_raise(rb_eTypeError, "you cannot call unbound method; bind first");
     }
-    PUSH_ITER(rb_block_given_p()?ITER_PRE:ITER_NOT);
-    PUSH_TAG(PROT_NONE);
     if (OBJ_TAINTED(method)) {
-	safe = ruby_safe_level;
-	if (ruby_safe_level < 4) ruby_safe_level = 4;
+        safe = NOEX_WITH(data->safe_level, 4)|NOEX_TAINTED;
d176 3
a178 12
-    if ((state = EXEC_TAG()) == 0) {
-	result = rb_call0(data->klass,data->recv,data->id,data->oid,argc,argv,data->body,0);
+    else {
+	safe = data->safe_level;
     }
-    POP_TAG();
+    PUSH_ITER(rb_block_given_p()?ITER_PRE:ITER_NOT);
+    result = rb_call0(data->klass,data->recv,data->id,data->oid,argc,argv,data->body,safe);
     POP_ITER();
-    if (safe >= 0) ruby_safe_level = safe;
-    if (state) JUMP_TAG(state);
     return result;
d181 9
@


1.1
log
@Add a patch to fix the security problem which allows arbitrary code
to run, bypassing the safe level check.

The patch was provided by Yukihiro Matsumoto on ruby-dev mailing list.

Bump PKGREVISION.
@
text
@d1 1
a1 1
$NetBSD$
@


1.1.2.1
log
@file patch-ad was added on branch pkgsrc-2005Q2 on 2005-09-21 14:03:22 +0000
@
text
@d1 158
@


1.1.2.2
log
@Pullup ticket #769 - requested by Takahiro Kambe
security and portability fixes for ruby18-base

Revisions pulled up:
- pkgsrc/lang/ruby18-base/Makefile		1.7, 1.8
- pkgsrc/lang/ruby18-base/distinfo		1.3, 1.4, 1.5
- pkgsrc/lang/ruby18-base/patches/patch-aa	1.2
- pkgsrc/lang/ruby18-base/patches/patch-ab	1.2
- pkgsrc/lang/ruby18-base/patches/patch-ad	1.1
- pkgsrc/lang/ruby18-base/patches/patch-au	1.1
- pkgsrc/lang/ruby18-base/patches/patch-av	1.1
- pkgsrc/lang/ruby18-base/patches/patch-aw	1.1
- pkgsrc/lang/ruby18-base/patches/patch-ax	1.1
- pkgsrc/lang/ruby18-base/patches/patch-ay	1.1
- pkgsrc/lang/ruby18-base/patches/patch-az	1.1

   Module Name:		pkgsrc
   Committed By:	taca
   Date:		Sun Sep 18 13:38:50 UTC 2005

   Modified Files:
   	pkgsrc/lang/ruby18-base: Makefile distinfo
   Added Files:
   	pkgsrc/lang/ruby18-base/patches: patch-au patch-av patch-aw patch-ax
   	    patch-ay patch-az

   Log Message:
   Adding DrafonFly BSD support based on patch provided by Joerg Sonnenberger.

   Bump PKGREVISION.
---
   Module Name:		pkgsrc
   Committed By:	taca
   Date:		Mon Sep 19 15:19:13 UTC 2005

   Modified Files:
   	pkgsrc/lang/ruby18-base: distinfo
   	pkgsrc/lang/ruby18-base/patches: patch-aa patch-ab

   Log Message:
   Rearrange configure script a little:

   - Correct case statement moving "interix3*)" to before "interrix*)" since
     "interix3*)" wouldn't match and always match to "interix*)".

   - Remove "interix3*" in the case condition which always "interix*" pattern.

   This dosen't fix anything bulding on Interix3 (SFU 3.5) and on other
   platforms, but fix obvious mistake in configure script.
---
   Module Name:		pkgsrc
   Committed By:	taca
   Date:		Wed Sep 21 14:03:22 UTC 2005

   Modified Files:
   	pkgsrc/lang/ruby18-base: Makefile distinfo
   Added Files:
   	pkgsrc/lang/ruby18-base/patches: patch-ad

   Log Message:
   Add a patch to fix the security problem which allows arbitrary code
   to run, bypassing the safe level check.

   The patch was provided by Yukihiro Matsumoto on ruby-dev mailing list.

   Bump PKGREVISION.
@
text
@a0 158
$NetBSD: patch-ad,v 1.1.2.1 2005/09/22 16:45:00 salo Exp $

--- eval.c.orig	2004-12-18 11:07:29.000000000 +0900
+++ eval.c
@@@@ -252,6 +252,11 @@@@ struct cache_entry {		/* method hash tab
 static struct cache_entry cache[CACHE_SIZE];
 static int ruby_running = 0;
 
+#define NOEX_TAINTED 8
+#define NOEX_SAFE(n) ((n) >> 4)
+#define NOEX_WITH(n, v) ((n) | (v) << 4)
+#define NOEX_WITH_SAFE(n) NOEX_WITH(n, ruby_safe_level)
+
 void
 rb_clear_cache()
 {
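Review bot: The four new `NOEX_*` macros introduce a bit layout (flag bits below bit 4, safe level from bit 4 up) that is not written down anywhere, and `NOEX_TAINTED 8` is chosen without showing that it does not collide with the existing NOEX_* flag values, which are defined outside this file section. A comment above the block, e.g. `/* noex layout: bits 0-3 NOEX_* flags, bits 4+ safe level */`, would make that checkable. Two smaller points: `NOEX_WITH` relies on `<<` binding tighter than `|` and reads better as `((n) | ((v) << 4))`, and `NOEX_SAFE` right-shifts an `int`, which is implementation-defined if the value is ever negative.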
@@@@ -344,7 +349,7 @@@@ rb_add_method(klass, mid, node, noex)
     }
     if (OBJ_FROZEN(klass)) rb_error_frozen("class/module");
     rb_clear_cache_by_id(mid);
-    body = NEW_METHOD(node, noex);
+    body = NEW_METHOD(node, NOEX_WITH_SAFE(noex));
     st_insert(RCLASS(klass)->m_tbl, mid, (st_data_t)body);
     if (node && mid != ID_ALLOCATOR && ruby_running) {
 	if (FL_TEST(klass, FL_SINGLETON)) {
@@@@ -5456,20 +5461,21 @@@@ call_cfunc(func, recv, len, argc, argv)
 }
 
 static VALUE
-rb_call0(klass, recv, id, oid, argc, argv, body, nosuper)
+rb_call0(klass, recv, id, oid, argc, argv, body, flags)
     VALUE klass, recv;
     ID    id;
     ID    oid;
     int argc;			/* OK */
     VALUE *argv;		/* OK */
     NODE *body;			/* OK */
-    int nosuper;
+    int flags;
 {
     NODE *b2;		/* OK */
     volatile VALUE result = Qnil;
     int itr;
     static int tick;
     TMP_PROTECT;
+    volatile int safe = -1;
 
     switch (ruby_iter->iter) {
       case ITER_PRE:
@@@@ -5491,7 +5497,7 @@@@ rb_call0(klass, recv, id, oid, argc, arg
 
     ruby_frame->last_func = id;
     ruby_frame->orig_func = oid;
-    ruby_frame->last_class = nosuper?0:klass;
+    ruby_frame->last_class = (flags & NOEX_UNDEF)?0:klass;
     ruby_frame->self = recv;
     ruby_frame->argc = argc;
     ruby_frame->argv = argv;
@@@@ -5553,7 +5559,6 @@@@ rb_call0(klass, recv, id, oid, argc, arg
 	    NODE *saved_cref = 0;
 
 	    PUSH_SCOPE();
-
 	    if (body->nd_rval) {
 		saved_cref = ruby_cref;
 		ruby_cref = (NODE*)body->nd_rval;
@@@@ -5572,9 +5577,16 @@@@ rb_call0(klass, recv, id, oid, argc, arg
 	    }
 	    b2 = body = body->nd_next;
 
+	    if (NOEX_SAFE(flags) > ruby_safe_level) {
+		if (!(flags&NOEX_TAINTED) && ruby_safe_level == 0 && NOEX_SAFE(flags) > 2) {
+		    rb_raise(rb_eSecurityError, "calling insecure method: %s",
+			     rb_id2name(id));
+		}
+		safe = ruby_safe_level;
+		ruby_safe_level = NOEX_SAFE(flags);
+	    }
 	    PUSH_VARS();
 	    PUSH_TAG(PROT_FUNC);
-
 	    if ((state = EXEC_TAG()) == 0) {
 		NODE *node = 0;
 		int i;
@@@@ -5653,6 +5665,7 @@@@ rb_call0(klass, recv, id, oid, argc, arg
 		result = prot_tag->retval;
 		state = 0;
 	    }
+	    if (safe >= 0) ruby_safe_level = safe;
 	    POP_TAG();
 	    POP_VARS();
 	    POP_CLASS();
@@@@ -5740,7 +5753,7 @@@@ rb_call(klass, recv, mid, argc, argv, sc
 	}
     }
 
-    return rb_call0(klass, recv, mid, id, argc, argv, body, noex & NOEX_NOSUPER);
+    return rb_call0(klass, recv, mid, id, argc, argv, body, noex);
 }
 
 VALUE
@@@@ -8530,6 +8543,7 @@@@ struct METHOD {
     VALUE klass, rklass;
     VALUE recv;
     ID id, oid;
+    int safe_level;
     NODE *body;
 };
 
@@@@ -8577,6 +8591,7 @@@@ mnew(klass, obj, id, mklass)
     data->body = body;
     data->rklass = rklass;
     data->oid = oid;
+    data->safe_level = NOEX_WITH_SAFE(0);
     OBJ_INFECT(method, klass);
 
     return method;
@@@@ -8661,6 +8676,7 @@@@ method_unbind(obj)
     data->body = orig->body;
     data->rklass = orig->rklass;
     data->oid = orig->oid;
+    data->safe_level = NOEX_WITH_SAFE(0);
     OBJ_INFECT(method, obj);
 
     return method;
@@@@ -8782,26 +8798,21 @@@@ method_call(argc, argv, method)
 {
     VALUE result = Qnil;	/* OK */
     struct METHOD *data;
-    int state;
-    volatile int safe = -1;
+    int safe;
 
     Data_Get_Struct(method, struct METHOD, data);
     if (data->recv == Qundef) {
 	rb_raise(rb_eTypeError, "you cannot call unbound method; bind first");
     }
-    PUSH_ITER(rb_block_given_p()?ITER_PRE:ITER_NOT);
-    PUSH_TAG(PROT_NONE);
     if (OBJ_TAINTED(method)) {
-	safe = ruby_safe_level;
-	if (ruby_safe_level < 4) ruby_safe_level = 4;
+        safe = NOEX_WITH(data->safe_level, 4)|NOEX_TAINTED;
     }
-    if ((state = EXEC_TAG()) == 0) {
-	result = rb_call0(data->klass,data->recv,data->id,data->oid,argc,argv,data->body,0);
+    else {
+	safe = data->safe_level;
     }
-    POP_TAG();
+    PUSH_ITER(rb_block_given_p()?ITER_PRE:ITER_NOT);
+    result = rb_call0(data->klass,data->recv,data->id,data->oid,argc,argv,data->body,safe);
     POP_ITER();
-    if (safe >= 0) ruby_safe_level = safe;
-    if (state) JUMP_TAG(state);
     return result;
 }
 
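Review bot: The rewritten `method_call` no longer raises `ruby_safe_level` itself for a tainted Method object; it encodes level 4 into `safe` and relies on `rb_call0` to apply it, and the only place on this page where `rb_call0` does so is the block added in the `-5572` hunk, whose enclosing case is not visible. If that block sits in the branch for Ruby-level method bodies only, a tainted Method wrapping a C function would run at the caller's level, whereas the removed code applied level 4 before any dispatch; this should be confirmed against the full `rb_call0`. Separately, `safe` now holds a flags word rather than a level, so a name such as `flags` or `noex` would match the parameter it is passed as.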
@
