authorHans de Graaff <graaff@gentoo.org>2008-08-29 06:25:35 +0000
committerHans de Graaff <graaff@gentoo.org>2008-08-29 06:25:35 +0000
commit9638beb4b2f09d60f9a64c5d6ca3ebc1243ca75d (patch)
tree3f415e7b1417ce718df1e4179f6dd488d70c7790 /dev-lang
parentVersion bump to 0.20. Bug #222667 (diff)
Version bump for security issue #236060
(Portage version: 2.1.4.4)
Diffstat (limited to 'dev-lang')
-rw-r--r--dev-lang/ruby/ChangeLog9
-rw-r--r--dev-lang/ruby/files/ruby-1.8.6_p287-entity_expansion_limit.diff103
-rw-r--r--dev-lang/ruby/ruby-1.8.6_p287-r1.ebuild161
3 files changed, 272 insertions, 1 deletions
diff --git a/dev-lang/ruby/ChangeLog b/dev-lang/ruby/ChangeLog
index deea41309494..e5f2ea8fa8c0 100644
--- a/dev-lang/ruby/ChangeLog
+++ b/dev-lang/ruby/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for dev-lang/ruby
# Copyright 2002-2008 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-lang/ruby/ChangeLog,v 1.346 2008/08/23 05:41:32 jer Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-lang/ruby/ChangeLog,v 1.347 2008/08/29 06:25:34 graaff Exp $
+
+*ruby-1.8.6_p287-r1 (29 Aug 2008)
+
+ 29 Aug 2008; Hans de Graaff <graaff@gentoo.org>
+ +files/ruby-1.8.6_p287-entity_expansion_limit.diff,
+ +ruby-1.8.6_p287-r1.ebuild:
+ Fix REXML security issues, bug #236060.
23 Aug 2008; Jeroen Roovers <jer@gentoo.org> metadata.xml:
Add GLEP 56 USE flag descriptions.
diff --git a/dev-lang/ruby/files/ruby-1.8.6_p287-entity_expansion_limit.diff b/dev-lang/ruby/files/ruby-1.8.6_p287-entity_expansion_limit.diff
new file mode 100644
index 000000000000..fdd0112d5b44
--- /dev/null
+++ b/dev-lang/ruby/files/ruby-1.8.6_p287-entity_expansion_limit.diff
@@ -0,0 +1,103 @@
+Fix for a security issue in the REXML library from the ruby-core list:
+http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/18414
+https://bugs.gentoo.org/show_bug.cgi?id=236060
+
+Index: lib/rexml/document.rb
+===================================================================
+--- lib/rexml/document.rb (revision 18834)
++++ lib/rexml/document.rb (working copy)
+@@ -32,6 +32,7 @@
+ # @param context if supplied, contains the context of the document;
+ # this should be a Hash.
+ def initialize( source = nil, context = {} )
++ @entity_expansion_count = 0
+ super()
+ @context = context
+ return if source.nil?
+@@ -200,6 +201,27 @@
+ Parsers::StreamParser.new( source, listener ).parse
+ end
+
++ @@entity_expansion_limit = 10_000
++
++ # Set the entity expansion limit. By defualt the limit is set to 10000.
++ def Document::entity_expansion_limit=( val )
++ @@entity_expansion_limit = val
++ end
++
++ # Get the entity expansion limit. By defualt the limit is set to 10000.
++ def Document::entity_expansion_limit
++ return @@entity_expansion_limit
++ end
++
++ attr_reader :entity_expansion_count
++
++ def record_entity_expansion
++ @entity_expansion_count += 1
++ if @entity_expansion_count > @@entity_expansion_limit
++ raise "number of entity expansions exceeded, processing aborted."
++ end
++ end
++
+ private
+ def build( source )
+ Parsers::TreeParser.new( source, self ).parse
+Index: lib/rexml/entity.rb
+===================================================================
+--- lib/rexml/entity.rb (revision 18834)
++++ lib/rexml/entity.rb (working copy)
+@@ -73,6 +73,7 @@
+ # all entities -- both %ent; and &ent; entities. This differs from
+ # +value()+ in that +value+ only replaces %ent; entities.
+ def unnormalized
++ document.record_entity_expansion
+ v = value()
+ return nil if v.nil?
+ @unnormalized = Text::unnormalize(v, parent)
+Index: test/rexml/test_document.rb
+===================================================================
+--- test/rexml/test_document.rb (revision 0)
++++ test/rexml/test_document.rb (revision 0)
+@@ -0,0 +1,42 @@
++require "rexml/document"
++require "test/unit"
++
++class REXML::TestDocument < Test::Unit::TestCase
++ def test_new
++ doc = REXML::Document.new(<<EOF)
++<?xml version="1.0" encoding="UTF-8"?>
++<message>Hello world!</message>
++EOF
++ assert_equal("Hello world!", doc.root.children.first.value)
++ end
++
++ XML_WITH_NESTED_ENTITY = <<EOF
++<?xml version="1.0" encoding="UTF-8"?>
++<!DOCTYPE member [
++ <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
++ <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
++ <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
++ <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
++ <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
++ <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
++ <!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
++]>
++<member>
++&a;
++</member>
++EOF
++
++ def test_entity_expansion_limit
++ doc = REXML::Document.new(XML_WITH_NESTED_ENTITY)
++ assert_raise(RuntimeError) do
++ doc.root.children.first.value
++ end
++ REXML::Document.entity_expansion_limit = 100
++ assert_equal(100, REXML::Document.entity_expansion_limit)
++ doc = REXML::Document.new(XML_WITH_NESTED_ENTITY)
++ assert_raise(RuntimeError) do
++ doc.root.children.first.value
++ end
++ assert_equal(101, doc.entity_expansion_count)
++ end
++end
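Review bot: The guard added to `Entity#unnormalized` in the lib/rexml/entity.rb hunk, `document.record_entity_expansion`, assumes every Entity is reachable from a Document; if `document` returns nil for a detached entity the limit check becomes a NoMethodError rather than a no-op, so a `document.record_entity_expansion if document` form (this is 1.8 code, so no safe navigation) would preserve the old behaviour for that case — I cannot see `Entity#document` from here, so confirm before changing. `Document::entity_expansion_limit=` stores whatever it is given unchecked, and a non-Integer value would surface later as a comparison error inside `record_entity_expansion` rather than at the setter; a `raise ArgumentError` on `val` that is not an Integer keeps the failure close to its cause. The limit is raised as a bare RuntimeError string, which the new test pins with `assert_raise(RuntimeError)`, so callers cannot distinguish the expansion limit from any other runtime failure; a dedicated REXML error class would be the cleaner contract if this patch is ever revised beyond a backport. The accessor comments misspell "default" as "defualt" twice.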
diff --git a/dev-lang/ruby/ruby-1.8.6_p287-r1.ebuild b/dev-lang/ruby/ruby-1.8.6_p287-r1.ebuild
new file mode 100644
index 000000000000..03142dcbc906
--- /dev/null
+++ b/dev-lang/ruby/ruby-1.8.6_p287-r1.ebuild
@@ -0,0 +1,161 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-lang/ruby/ruby-1.8.6_p287-r1.ebuild,v 1.1 2008/08/29 06:25:34 graaff Exp $
+
+WANT_AUTOCONF="latest"
+WANT_AUTOMAKE="latest"
+
+ONIGURUMA="onigd2_5_9"
+
+inherit autotools eutils flag-o-matic multilib versionator
+
+MY_P="${PN}-$(replace_version_separator 3 '-')"
+S=${WORKDIR}/${MY_P}
+
+SLOT=$(get_version_component_range 1-2)
+MY_SUFFIX=$(delete_version_separator 1 ${SLOT})
+
+DESCRIPTION="An object-oriented scripting language"
+HOMEPAGE="http://www.ruby-lang.org/"
+SRC_URI="ftp://ftp.ruby-lang.org/pub/ruby/${SLOT}/${MY_P}.tar.bz2"
+
+LICENSE="Ruby"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~sparc-fbsd ~x86 ~x86-fbsd"
+IUSE="berkdb debug doc emacs examples gdbm ipv6 rubytests socks5 ssl threads tk xemacs"
+
+RDEPEND="
+ berkdb? ( sys-libs/db )
+ gdbm? ( sys-libs/gdbm )
+ ssl? ( dev-libs/openssl )
+ socks5? ( >=net-proxy/dante-1.1.13 )
+ tk? ( dev-lang/tk )
+ >=dev-ruby/ruby-config-0.3.1
+ !=dev-lang/ruby-cvs-${SLOT}*
+ !dev-ruby/rdoc
+ !dev-ruby/rexml"
+DEPEND="${RDEPEND}"
+PDEPEND="emacs? ( app-emacs/ruby-mode )
+ xemacs? ( app-xemacs/ruby-modes )"
+
+PROVIDE="virtual/ruby"
+
+src_unpack() {
+ unpack ${A}
+
+ cd "${S}/ext/dl"
+ epatch "${FILESDIR}/${PN}-1.8.6-memory-leak.diff"
+ cd "${S}"
+
+ epatch "${FILESDIR}/${P}-entity_expansion_limit.diff"
+
+ # Fix a hardcoded lib path in configure script
+ sed -i -e "s:\(RUBY_LIB_PREFIX=\"\${prefix}/\)lib:\1$(get_libdir):" \
+ configure.in || die "sed failed"
+
+ eautoreconf
+}
+
+src_compile() {
+ # -fomit-frame-pointer makes ruby segfault, see bug #150413.
+ filter-flags -fomit-frame-pointer
+ # In many places aliasing rules are broken; play it safe
+ # as it's risky with newer compilers to leave it as it is.
+ append-flags -fno-strict-aliasing
+
+ # Socks support via dante
+ if use socks5 ; then
+ # Socks support can't be disabled as long as SOCKS_SERVER is
+ # set and socks library is present, so need to unset
+ # SOCKS_SERVER in that case.
+ unset SOCKS_SERVER
+ fi
+
+ # Increase GC_MALLOC_LIMIT if set (default is 8000000)
+ if [ -n "${RUBY_GC_MALLOC_LIMIT}" ] ; then
+ append-flags "-DGC_MALLOC_LIMIT=${RUBY_GC_MALLOC_LIMIT}"
+ fi
+
+ econf --program-suffix=$MY_SUFFIX --enable-shared \
+ $(use_enable socks5 socks) \
+ $(use_enable doc install-doc) \
+ $(use_enable threads pthread) \
+ $(use_enable ipv6) \
+ $(use_enable debug) \
+ $(use_with berkdb dbm) \
+ $(use_with gdbm) \
+ $(use_with ssl openssl) \
+ $(use_with tk) \
+ ${myconf} \
+ --with-sitedir=/usr/$(get_libdir)/ruby/site_ruby \
+ || die "econf failed"
+
+ emake EXTLDFLAGS="${LDFLAGS}" || die "emake failed"
+}
+
+src_test() {
+ emake -j1 test || die "make test failed"
+
+ elog "Ruby's make test has been run. Ruby also ships with a make check"
+ elog "that cannot be run until after ruby has been installed."
+ elog
+ if use rubytests; then
+ elog "You have enabled rubytests, so they will be installed to"
+ elog "/usr/share/${PN}-${SLOT}/test. To run them you must be a user other"
+ elog "than root, and you must place them into a writeable directory."
+ elog "Then call: "
+ elog
+ elog "ruby -C /location/of/tests runner.rb"
+ else
+ elog "Enable the rubytests USE flag to install the make check tests"
+ fi
+}
+
+src_install() {
+ LD_LIBRARY_PATH="${D}/usr/$(get_libdir)"
+ RUBYLIB="${S}:${D}/usr/$(get_libdir)/ruby/${SLOT}"
+ for d in $(find "${S}/ext" -type d) ; do
+ RUBYLIB="${RUBYLIB}:$d"
+ done
+ export LD_LIBRARY_PATH RUBYLIB
+
+ emake DESTDIR="${D}" install || die "make install failed"
+
+ MINIRUBY=$(echo -e 'include Makefile\ngetminiruby:\n\t@echo $(MINIRUBY)'|make -f - getminiruby)
+ keepdir $(${MINIRUBY} -rrbconfig -e "print Config::CONFIG['sitelibdir']")
+ keepdir $(${MINIRUBY} -rrbconfig -e "print Config::CONFIG['sitearchdir']")
+
+ if use doc; then
+ make DESTDIR="${D}" install-doc || die "make install-doc failed"
+ fi
+
+ if use examples; then
+ dodir /usr/share/doc/${PF}
+ cp -pPR sample "${D}/usr/share/doc/${PF}"
+ fi
+
+ dosym libruby$MY_SUFFIX$(get_libname ${PV%_*}) /usr/$(get_libdir)/libruby$(get_libname ${PV%.*})
+ dosym libruby$MY_SUFFIX$(get_libname ${PV%_*}) /usr/$(get_libdir)/libruby$(get_libname ${PV%_*})
+
+ dodoc ChangeLog NEWS README* ToDo
+
+ if use rubytests; then
+ dodir /usr/share/${PN}-${SLOT}
+ cp -pPR test "${D}/usr/share/${PN}-${SLOT}"
+ fi
+}
+
+pkg_postinst() {
+
+ if [[ ! -n $(readlink "${ROOT}"usr/bin/ruby) ]] ; then
+ "${ROOT}usr/sbin/ruby-config" ruby$MY_SUFFIX
+ fi
+ elog
+ elog "You can change the default ruby interpreter by ${ROOT}usr/sbin/ruby-config"
+ elog
+}
+
+pkg_postrm() {
+ if [[ ! -n $(readlink "${ROOT}"usr/bin/ruby) ]] ; then
+ "${ROOT}usr/sbin/ruby-config" ruby$MY_SUFFIX
+ fi
+}
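Review bot: `make DESTDIR="${D}" install-doc || die "make install-doc failed"` in src_install is the only build invocation in the file that bypasses `emake`, so it ignores MAKEOPTS and is inconsistent with the `emake DESTDIR="${D}" install` call two lines above; `emake DESTDIR="${D}" install-doc || die "make install-doc failed"` matches the rest of the file. pkg_postinst and pkg_postrm both spell the empty-result test as `[[ ! -n $(readlink "${ROOT}"usr/bin/ruby) ]]`, which reads more plainly as `[[ -z $(readlink "${ROOT}"usr/bin/ruby) ]]`. src_unpack applies the new entity-expansion patch, but whether the regression test it adds under test/rexml is actually executed by the `emake -j1 test` in src_test cannot be confirmed from this page; since this is a security bump, it is worth checking that the test target covers that directory so the fix is exercised rather than only applied.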