17884834 problem in UTILITY/RUBY s11-update
authorApril Chin <april.chin@oracle.com>
Sun, 08 Dec 2013 21:13:26 -0800
branchs11-update
changeset 2848 6223a5e1822c
parent 2847 5c4c531dd359
child 2850 ad06f0bc7b53
17884834 problem in UTILITY/RUBY 17907243 sporadic test failure in ruby 1.8
components/ruby/ruby-18/Makefile
components/ruby/ruby-18/patches/10-CVE-2013-4164.patch
components/ruby/ruby-18/patches/11-dir_rb.patch
--- a/components/ruby/ruby-18/Makefile	Thu Dec 05 06:19:29 2013 -0800
+++ b/components/ruby/ruby-18/Makefile	Sun Dec 08 21:13:26 2013 -0800
@@ -80,7 +80,7 @@
 	$(RM) -r $(SOURCE_DIR_1); \
 	$(UNPACK) $(UNPACK_ARGS) $(USERLAND_ARCHIVES)$(COMPONENT_ARCHIVE_1); \
 	$(foreach patch,$(PATCHES_1), \
-	$(GPATCH) -d $(SOURCE_DIR_1) $(GPATCH_FLAGS) < $(patch))
+	$(GPATCH) -d $(SOURCE_DIR_1) $(GPATCH_FLAGS) < $(patch); )
 
 # These modifications of ruby.1 must occur after ruby
 # is installed, not before.  Although there are some other patches
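Review bot: Terminating each `$(foreach ...)` iteration with `;` makes the patch commands part of the single shell line started on the preceding `; \` lines, so the recipe's exit status is that of the last `$(GPATCH)` only; a patch earlier in `$(PATCHES_1)` that fails to apply — including the 10-CVE-2013-4164.patch added in this changeset — would not stop the build and would leave an unpatched source tree. Ending the iteration with a failure exit keeps the one-line structure while failing fast: `$(GPATCH) -d $(SOURCE_DIR_1) $(GPATCH_FLAGS) < $(patch) || exit 1; )`. The recipe this hunk belongs to begins and ends outside the hunk, so whether the shell is already run with `set -e` or an equivalent cannot be confirmed here.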
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/ruby/ruby-18/patches/10-CVE-2013-4164.patch	Sun Dec 08 21:13:26 2013 -0800
@@ -0,0 +1,67 @@
+This ruby 1.8.7 patch was derived from the ruby 1.9.3 fix for:
+
+https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/
+
+as seen here:
+http://bugs.ruby-lang.org/projects/ruby-trunk/repository/diff/util.c?rev=43780&rev_to=41757
+
+CVE-2013-4164
+
+Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0
+before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision
+43780 allows context-dependent attackers to cause a denial of service
+(segmentation fault) and possibly execute arbitrary code via a string
+that is converted to a floating point value, as demonstrated using (1)
+the to_f method or (2) JSON.parse.
+
+--- ruby-1.8.7-p374-orig/util.c	2010-11-21 23:21:34.000000000 -0800
++++ ruby-1.8.7-p374/util.c	2013-12-02 16:58:32.995038000 -0800
+@@ -892,6 +892,11 @@
+ #else
+ #define MALLOC malloc
+ #endif
++#ifdef FREE
++extern void FREE(void*);
++#else
++#define FREE free
++#endif
+ 
+ #ifndef Omit_Private_Memory
+ #ifndef PRIVATE_MEM
+@@ -1176,7 +1181,7 @@
+ #endif
+ 
+     ACQUIRE_DTOA_LOCK(0);
+-    if ((rv = freelist[k]) != 0) {
++    if (k <= Kmax && (rv = freelist[k]) != 0) {
+         freelist[k] = rv->next;
+     }
+     else {
+@@ -1186,7 +1191,7 @@
+ #else
+         len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1)
+                 /sizeof(double);
+-        if (pmem_next - private_mem + len <= PRIVATE_mem) {
++        if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) {
+             rv = (Bigint*)pmem_next;
+             pmem_next += len;
+         }
+@@ -1205,6 +1210,10 @@
+ Bfree(Bigint *v)
+ {
+     if (v) {
++        if (v->k > Kmax) {
++            FREE(v);
++            return;
++        }
+         ACQUIRE_DTOA_LOCK(0);
+         v->next = freelist[v->k];
+         freelist[v->k] = v;
+@@ -2200,6 +2209,7 @@
+         for (; c >= '0' && c <= '9'; c = *++s) {
+ have_dig:
+             nz++;
++            if (nf > DBL_DIG * 4) continue;
+             if (c -= '0') {
+                 nf += nz;
+                 for (i = 1; i < nz; i++)
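Review bot: The `if (nf > DBL_DIG * 4) continue;` guard added in the last hunk of the embedded patch has no explanation, and the header text above describes the advisory rather than why this constant is the bound, so a maintainer rebasing this onto a later 1.8.7 drop has nothing to check it against. Suggest a sentence in the header such as `Digits past DBL_DIG*4 are still counted in nz but are skipped before nf += nz and the mantissa accumulation that follows, so the digit count fed to Balloc no longer grows with the input length` — stated as the reviewer's reading, since the accumulation code after `for (i = 1; i < nz; i++)` lies outside the hunk. The `k <= Kmax` checks in Balloc and the early `FREE(v)` in Bfree are consistent with each other and are what keep `freelist[k]` in bounds for oversized `k`; the MALLOC fallback those checks now route oversized requests to is not visible in this patch, so whether its result is NULL-checked cannot be confirmed here.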
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/ruby/ruby-18/patches/11-dir_rb.patch	Sun Dec 08 21:13:26 2013 -0800
@@ -0,0 +1,18 @@
+Fixes a sporadic test problem with ruby.
+See http://bugs.ruby-lang.org/issues/show/1714
+
+The fix is from this revision, which does not appear in
+the latest ruby 1.8.7-p374:
+http://bugs.ruby-lang.org/projects/ruby-18/repository/revisions/24668
+
+--- ruby-1.8.7-p374-orig/lib/test/unit/collector/dir.rb	2007-02-12 15:01:19.000000000 -0800
++++ ruby-1.8.7-p374/lib/test/unit/collector/dir.rb	2013-12-05 17:46:31.105788000 -0800
+@@ -91,7 +91,7 @@
+           end
+           find_test_cases(already_gathered).each{|t| add_suite(suites, t.suite)}
+         ensure
+-          $:.delete_at($:.rindex(dir)) if(dir)
++          $:.delete_at($:.index(dir)) if(dir)
+         end
+ 
+ 	def realdir(path)
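Review bot: `$:.index(dir)` returns nil when `dir` is no longer on the load path, and `$:.delete_at(nil)` then raises TypeError inside the `ensure`, replacing whatever exception the test run was already propagating; the `if(dir)` guard only checks that dir is set, not that it is still present. A nil-safe form keeps the new first-occurrence semantics: `idx = $:.index(dir) if(dir)` followed by `$:.delete_at(idx) if idx`. The switch from rindex to index presumably mirrors how the collector inserts dir into `$:`; that insertion is outside the hunk and cannot be confirmed here.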