From c934437856bf6c0d00c319c56ce5bc348cc4cf2e Mon Sep 17 00:00:00 2001
From: Hans de Graaff
Date: Fri, 1 Sep 2017 09:10:59 +0200
Subject: dev-ruby/json: fix security bug 629484
Package-Manager: Portage-2.3.6, Repoman-2.3.2
---
dev-ruby/json/files/json-1.8.6-heap-exposure.patch | 82 ++++++++++++++++++++++
dev-ruby/json/json-1.8.6-r1.ebuild | 70 ++++++++++++++++++
2 files changed, 152 insertions(+)
create mode 100644 dev-ruby/json/files/json-1.8.6-heap-exposure.patch
create mode 100644 dev-ruby/json/json-1.8.6-r1.ebuild
diff --git a/dev-ruby/json/files/json-1.8.6-heap-exposure.patch b/dev-ruby/json/files/json-1.8.6-heap-exposure.patch
new file mode 100644
index 000000000000..d3da7a0f86f9
--- /dev/null
+++ b/dev-ruby/json/files/json-1.8.6-heap-exposure.patch
@@ -0,0 +1,82 @@
+diff --git ext/json/generator/generator.c ext/json/generator/generator.c
+index a135e28348..2cdca5685f 100644
+--- a/ext/json/ext/generator/generator.c
++++ b/ext/json/ext/generator/generator.c
+@@ -301,7 +301,7 @@ static char *fstrndup(const char *ptr, unsigned long len) {
+ char *result;
+ if (len <= 0) return NULL;
+ result = ALLOC_N(char, len);
+- memccpy(result, ptr, 0, len);
++ memcpy(result, ptr, len);
+ return result;
+ }
+
+@@ -1055,7 +1055,7 @@ static VALUE cState_indent_set(VALUE self, VALUE indent)
+ }
+ } else {
+ if (state->indent) ruby_xfree(state->indent);
+- state->indent = strdup(RSTRING_PTR(indent));
++ state->indent = fstrndup(RSTRING_PTR(indent), len);
+ state->indent_len = len;
+ }
+ return Qnil;
+@@ -1093,7 +1093,7 @@ static VALUE cState_space_set(VALUE self, VALUE space)
+ }
+ } else {
+ if (state->space) ruby_xfree(state->space);
+- state->space = strdup(RSTRING_PTR(space));
++ state->space = fstrndup(RSTRING_PTR(space), len);
+ state->space_len = len;
+ }
+ return Qnil;
+@@ -1129,7 +1129,7 @@ static VALUE cState_space_before_set(VALUE self, VALUE space_before)
+ }
+ } else {
+ if (state->space_before) ruby_xfree(state->space_before);
+- state->space_before = strdup(RSTRING_PTR(space_before));
++ state->space_before = fstrndup(RSTRING_PTR(space_before), len);
+ state->space_before_len = len;
+ }
+ return Qnil;
+@@ -1166,7 +1166,7 @@ static VALUE cState_object_nl_set(VALUE self, VALUE object_nl)
+ }
+ } else {
+ if (state->object_nl) ruby_xfree(state->object_nl);
+- state->object_nl = strdup(RSTRING_PTR(object_nl));
++ state->object_nl = fstrndup(RSTRING_PTR(object_nl), len);
+ state->object_nl_len = len;
+ }
+ return Qnil;
+@@ -1201,7 +1201,7 @@ static VALUE cState_array_nl_set(VALUE self, VALUE array_nl)
+ }
+ } else {
+ if (state->array_nl) ruby_xfree(state->array_nl);
+- state->array_nl = strdup(RSTRING_PTR(array_nl));
++ state->array_nl = fstrndup(RSTRING_PTR(array_nl), len);
+ state->array_nl_len = len;
+ }
+ return Qnil;
+diff --git ext/json/generator/generator.h ext/json/generator/generator.h
+index 298c0a4965..6bbf817b7d 100644
+--- a/ext/json/ext/generator/generator.h
++++ b/ext/json/ext/generator/generator.h
+@@ -1,7 +1,6 @@
+ #ifndef _GENERATOR_H_
+ #define _GENERATOR_H_
+
+-#include
+ #include
+ #include
+
+diff --git ext/json/lib/json/version.rb ext/json/lib/json/version.rb
+index b5748334b9..cd7ddf8777 100644
+--- a/lib/json/version.rb
++++ b/lib/json/version.rb
+@@ -1,7 +1,7 @@
+ module JSON
+ # JSON version
+- VERSION = '1.8.6'
++ VERSION = '1.8.6.1'
+ VERSION_ARRAY = VERSION.split(/\./).map { |x| x.to_i } # :nodoc:
+ VERSION_MAJOR = VERSION_ARRAY[0] # :nodoc:
+ VERSION_MINOR = VERSION_ARRAY[1] # :nodoc:
diff --git a/dev-ruby/json/json-1.8.6-r1.ebuild b/dev-ruby/json/json-1.8.6-r1.ebuild
new file mode 100644
index 000000000000..ab9cfddf39e9
--- /dev/null
+++ b/dev-ruby/json/json-1.8.6-r1.ebuild
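Review bot: `fstrndup` in the generator.c hunk returns a buffer of exactly `len` bytes with no terminating NUL, and nothing in the patch records that contract. The fix holds only while every reader of `state->indent`, `space`, `space_before`, `object_nl` and `array_nl` goes through the paired `*_len` field; those readers, and the start of each `cState_*_set` function, are outside the hunks shown, so a remaining `strlen`-style use would presumably over-read the heap again and is worth auditing. I would add `/* Copies exactly len bytes; the result is NOT NUL-terminated, use the stored length. */` above `fstrndup` and write the guard as `if (len == 0) return NULL;`, since `len <= 0` on an `unsigned long` can only mean zero. The patch also adds no regression test for a formatting string that contains an embedded NUL byte.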
@@ -0,0 +1,70 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+USE_RUBY="ruby22 ruby23 ruby24"
+
+RUBY_FAKEGEM_RECIPE_DOC="rdoc"
+RUBY_FAKEGEM_EXTRADOC="CHANGES TODO README.md README-json-jruby.markdown"
+
+RUBY_FAKEGEM_GEMSPEC="json.gemspec"
+
+inherit multilib ruby-fakegem
+
+DESCRIPTION="A JSON implementation as a Ruby extension"
+HOMEPAGE="https://github.com/flori/json"
+LICENSE="|| ( Ruby GPL-2 )"
+
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+SLOT="0"
+IUSE=""
+
+RDEPEND="${RDEPEND}"
+DEPEND="${DEPEND}
+ dev-util/ragel"
+
+ruby_add_bdepend "dev-ruby/rake
+ doc? ( dev-ruby/rdoc )"
+
+PATCHES=( "${FILESDIR}/${P}-heap-exposure.patch" )
+
+all_ruby_prepare() {
+ # Avoid building the extension twice!
+ # And use rdoc instead of sdoc which we don't have packaged
+ # And don't call git to list files. We're using the pregenerated spec anyway.
+ sed -i \
+ -e 's| => :compile||' \
+ -e 's| => :clean||' \
+ -e 's|sdoc|rdoc|' \
+ -e 's|`git ls-files`|""|' \
+ Rakefile || die "rakefile fix failed"
+
+ # Remove hardcoded and broken -O setting.
+ sed -i -e '/^ \(if\|unless\)/,/^ end/ s:^:#:' \
+ -e '/^unless/,/^end/ s:^:#:' ext/json/ext/*/extconf.rb || die
+}
+
+each_ruby_compile() {
+ # Since 1.5.0 a Java extension is provided but it does not compile.
+ if [[ $(basename ${RUBY}) != "jruby" ]]; then
+ ${RUBY} -S rake compile || die "extension compile failed"
+ fi
+}
+
+each_ruby_test() {
+ JSON=pure \
+ ${RUBY} -Iext:lib -S testrb-2 tests/test_*.rb || die "pure ruby tests failed"
+
+ if [[ $(basename ${RUBY}) != "jruby" ]]; then
+ JSON=ext \
+ ${RUBY} -Iext:lib -S testrb-2 tests/test_*.rb || die "ext ruby tests failed"
+ fi
+}
+
+each_ruby_install() {
+ each_fakegem_install
+ if [[ $(basename ${RUBY}) != "jruby" ]]; then
+ ruby_fakegem_newins ext/json/ext/generator$(get_modname) lib/json/ext/generator$(get_modname)
+ ruby_fakegem_newins ext/json/ext/parser$(get_modname) lib/json/ext/parser$(get_modname)
+ fi
+}
--
cgit v1.2.3-65-gdbad
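Review bot: The `PATCHES=( "${FILESDIR}/${P}-heap-exposure.patch" )` line has no comment saying what the patch fixes, and the patch it applies also rewrites `JSON::VERSION` to `'1.8.6.1'` while this ebuild still installs as 1.8.6 with `RUBY_FAKEGEM_GEMSPEC="json.gemspec"`. If the gemspec keeps reporting 1.8.6 (it is not shown here), the runtime constant and the gem metadata will disagree, and version-based audit tools may still report the patched install as vulnerable. I would add `# Backported heap-exposure fix, bug #629484; also sets JSON::VERSION to 1.8.6.1` above `PATCHES`. All `KEYWORDS` entries are `~arch`, so stable users receive the fix only once stabilisation is handled in that bug.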