components/ruby/ruby-18/rubygems-patches/01-CVE-2013-4287-4363.patch
changeset 1567 b5493d203180
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/ruby/ruby-18/rubygems-patches/01-CVE-2013-4287-4363.patch	Thu Nov 21 13:50:26 2013 -0800
@@ -0,0 +1,41 @@
+Fix for the following two CVE issues:
+
+CVE-2013-4287 
+Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in 
+lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 
+2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 
+2.0.0p247, allows remote attackers to cause a denial of service (CPU 
+consumption) via a crafted gem version that triggers a large amount of 
+backtracking in a regular expression. 
+
+CVE-2013-4363 
+Algorithmic complexity vulnerability in 
+Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems 
+before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 
+2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to 
+cause a denial of service (CPU consumption) via a crafted gem version that 
+triggers a large amount of backtracking in a regular expression. NOTE: this 
+issue is due to an incomplete fix for CVE-2013-4287. 
+
+The fixes come from
+http://rubygems.rubyforge.org/rubygems-update/CVE-2013-4287_txt.html 
+and 
+http://rubygems.rubyforge.org/rubygems-update/CVE-2013-4363_txt.html 
+
+--- rubygems-1.3.5-orig//lib/rubygems/version.rb	Mon Jun 22 15:54:36 2009
++++ rubygems-1.3.5/lib/rubygems/version.rb	Thu Oct 24 16:02:38 2013
[email protected]@ -69,12 +69,12 @@
+ 
+   include Comparable
+ 
+-  VERSION_PATTERN = '[0-9]+(\.[0-9a-z]+)*'
++  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-z]+)*'
+ 
+   attr_reader :version
+ 
+   def self.correct?(version)
+-    pattern = /\A\s*(#{VERSION_PATTERN})*\s*\z/
++    pattern = /\A\s*(#{VERSION_PATTERN})?\s*\z/
+ 
+     version.is_a? Integer or
+       version =~ pattern or
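Review bot: the patch header credits CVE-2013-4363 to Gem::Version::ANCHORED_VERSION_PATTERN, but this hunk defines no such constant; in the 1.3.5 code shown, the anchored regex is built inline in `correct?` from VERSION_PATTERN, so the header should state that the atomic group on VERSION_PATTERN plus the `*` to `?` change in `correct?` is the backported equivalent, and any other caller in this file that interpolates VERSION_PATTERN into its own anchored regex needs the same review before the "fixes both CVEs" claim holds. Two smaller points: `/\A\s*(#{VERSION_PATTERN})?\s*\z/` still accepts an empty or whitespace-only string exactly as the old `*` form did, so this is not a tightening of what `correct?` admits, only a removal of the redundant outer repetition; and since this component is ruby-18, it is worth an irb check that the 1.8 regex engine accepts `(?>...)` before landing. A regression test that exercises the old blow-up would be useful alongside the patch: a string such as `"1." + "1" * 30 + "!"` made the old `(...)*` wrapper split the digit run between `[0-9a-z]+` and the next iteration's `[0-9]+` in exponentially many ways before `\s*\z` failed, and with `?` and the atomic group `correct?` should reject it in a single pass.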