--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/ruby/ruby-21/patches/15-CVE-2016-2337.patch Tue Jan 24 13:57:07 2017 -0800
@@ -0,0 +1,109 @@
+Patch from upstream to fix CVE-2016-2337.
+
+See:
+
+ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2337
+
+and:
+
+ https://bugzilla.suse.com/show_bug.cgi?id=1018812
+
+for more details.
+
+Based on the patches at:
+
+ https://github.com/ruby/tk/commit/ebd0fc80d62eeb7b8556522256f8d035e013eb65
+ https://github.com/ruby/tk/commit/d098136e3f62a4879a7d7cd34bbd50f482ba3331
+
+--- ruby-2.1.6/ext/tk/tcltklib.c.orig 2017-01-24 07:24:44.277290163 +0000
++++ ruby-2.1.6/ext/tk/tcltklib.c 2017-01-24 11:10:02.370460844 +0000
+@@ -3291,7 +3291,7 @@
+ DUMP1("set backtrace");
+ if (!NIL_P(backtrace = rb_funcall(exc, ID_backtrace, 0, 0))) {
+ backtrace = rb_ary_join(backtrace, rb_str_new2("\n"));
+- Tcl_AddErrorInfo(interp, StringValuePtr(backtrace));
++ Tcl_AddErrorInfo(interp, StringValueCStr(backtrace));
+ }
+
+ rb_thread_critical = thr_crit_bup;
+@@ -6217,19 +6217,19 @@
+ /* without Tk */
+ with_tk = 0;
+ } else {
+- /* Tcl_SetVar(ptr->ip, "argv", StringValuePtr(opts), 0); */
+- Tcl_SetVar(ptr->ip, "argv", StringValuePtr(opts), TCL_GLOBAL_ONLY);
++ /* Tcl_SetVar(ptr->ip, "argv", StringValueCStr(opts), 0); */
++ Tcl_SetVar(ptr->ip, "argv", StringValueCStr(opts), TCL_GLOBAL_ONLY);
+ Tcl_Eval(ptr->ip, "set argc [llength $argv]");
+ }
+ case 1:
+ /* argv0 */
+ if (!NIL_P(argv0)) {
+- if (strncmp(StringValuePtr(argv0), "-e", 3) == 0
+- || strncmp(StringValuePtr(argv0), "-", 2) == 0) {
++ if (strncmp(StringValueCStr(argv0), "-e", 3) == 0
++ || strncmp(StringValueCStr(argv0), "-", 2) == 0) {
+ Tcl_SetVar(ptr->ip, "argv0", "ruby", TCL_GLOBAL_ONLY);
+ } else {
+- /* Tcl_SetVar(ptr->ip, "argv0", StringValuePtr(argv0), 0); */
+- Tcl_SetVar(ptr->ip, "argv0", StringValuePtr(argv0),
++ /* Tcl_SetVar(ptr->ip, "argv0", StringValueCStr(argv0), 0); */
++ Tcl_SetVar(ptr->ip, "argv0", StringValueCStr(argv0),
+ TCL_GLOBAL_ONLY);
+ }
+ }
+@@ -6426,7 +6426,7 @@
+ slave->allow_ruby_exit = 0;
+ slave->return_value = 0;
+
+- slave->ip = Tcl_CreateSlave(master->ip, StringValuePtr(name), safe);
++ slave->ip = Tcl_CreateSlave(master->ip, StringValueCStr(name), safe);
+ if (slave->ip == NULL) {
+ rb_thread_critical = thr_crit_bup;
+ return rb_exc_new2(rb_eRuntimeError,
+@@ -6902,7 +6902,7 @@
+ get_obj_from_str(str)
+ VALUE str;
+ {
+- const char *s = StringValuePtr(str);
++ const char *s = StringValueCStr(str);
+
+ #if TCL_MAJOR_VERSION == 8 && TCL_MINOR_VERSION == 0
+ return Tcl_NewStringObj((char*)s, RSTRING_LEN(str));
+@@ -7750,7 +7750,8 @@
+ if (NIL_P(msg)) {
+ msg_obj = NULL;
+ } else {
+- msg_obj = Tcl_NewStringObj(RSTRING_PTR(msg), RSTRING_LEN(msg));
++ char *s = StringValueCStr(msg);
++ msg_obj = Tcl_NewStringObj(s, RSTRING_LENINT(msg));
+ Tcl_IncrRefCount(msg_obj);
+ }
+
+@@ -8414,7 +8415,7 @@
+
+ enc_name = rb_funcall(enc_name, ID_to_s, 0, 0);
+ if (Tcl_SetSystemEncoding((Tcl_Interp *)NULL,
+- StringValuePtr(enc_name)) != TCL_OK) {
++ StringValueCStr(enc_name)) != TCL_OK) {
+ rb_raise(rb_eArgError, "unknown encoding name '%s'",
+ RSTRING_PTR(enc_name));
+ }
+@@ -8835,7 +8836,7 @@
+ Tcl_Preserve((ClientData)av); /* XXXXXXXX */
+ #endif
+ for (i = 0; i < argc; ++i) {
+- av[i] = strdup(StringValuePtr(argv[i]));
++ av[i] = strdup(StringValueCStr(argv[i]));
+ }
+ av[argc] = NULL;
+ #endif
+@@ -9839,7 +9840,7 @@
+ len = 1;
+ for(num = 0; num < argc; num++) {
+ if (OBJ_TAINTED(argv[num])) taint_flag = 1;
+- dst = StringValuePtr(argv[num]);
++ dst = StringValueCStr(argv[num]);
+ #if TCL_MAJOR_VERSION >= 8
+ len += Tcl_ScanCountedElement(dst, RSTRING_LENINT(argv[num]),
+ &flagPtr[num]) + 1;
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/ruby/ruby-23/patches/06-CVE-2016-2337.patch Tue Jan 24 13:57:07 2017 -0800
@@ -0,0 +1,111 @@
+Patch from upstream to fix CVE-2016-2337.
+
+See:
+
+ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2337
+
+and:
+
+ https://bugzilla.suse.com/show_bug.cgi?id=1018812
+
+for more details.
+
+Note that we already have the changes from:
+
+ https://github.com/ruby/tk/commit/ebd0fc80d62eeb7b8556522256f8d035e013eb65
+
+So we just need the changes in:
+
+ https://github.com/ruby/tk/commit/d098136e3f62a4879a7d7cd34bbd50f482ba3331
+
+--- ruby-2.3.1/ext/tk/tcltklib.c.orig 2017-01-24 11:18:36.997895152 +0000
++++ ruby-2.3.1/ext/tk/tcltklib.c 2017-01-24 11:24:03.332270445 +0000
+@@ -3313,7 +3313,7 @@
+ DUMP1("set backtrace");
+ if (!NIL_P(backtrace = rb_funcallv(exc, ID_backtrace, 0, 0))) {
+ backtrace = rb_ary_join(backtrace, rb_str_new2("\n"));
+- Tcl_AddErrorInfo(interp, StringValuePtr(backtrace));
++ Tcl_AddErrorInfo(interp, StringValueCStr(backtrace));
+ }
+
+ rb_thread_critical = thr_crit_bup;
+@@ -6222,19 +6222,19 @@
+ /* without Tk */
+ with_tk = 0;
+ } else {
+- /* Tcl_SetVar(ptr->ip, "argv", StringValuePtr(opts), 0); */
+- Tcl_SetVar(ptr->ip, "argv", StringValuePtr(opts), TCL_GLOBAL_ONLY);
++ /* Tcl_SetVar(ptr->ip, "argv", StringValueCStr(opts), 0); */
++ Tcl_SetVar(ptr->ip, "argv", StringValueCStr(opts), TCL_GLOBAL_ONLY);
+ Tcl_Eval(ptr->ip, "set argc [llength $argv]");
+ }
+ case 1:
+ /* argv0 */
+ if (!NIL_P(argv0)) {
+- if (strncmp(StringValuePtr(argv0), "-e", 3) == 0
+- || strncmp(StringValuePtr(argv0), "-", 2) == 0) {
++ if (strncmp(StringValueCStr(argv0), "-e", 3) == 0
++ || strncmp(StringValueCStr(argv0), "-", 2) == 0) {
+ Tcl_SetVar(ptr->ip, "argv0", "ruby", TCL_GLOBAL_ONLY);
+ } else {
+- /* Tcl_SetVar(ptr->ip, "argv0", StringValuePtr(argv0), 0); */
+- Tcl_SetVar(ptr->ip, "argv0", StringValuePtr(argv0),
++ /* Tcl_SetVar(ptr->ip, "argv0", StringValueCStr(argv0), 0); */
++ Tcl_SetVar(ptr->ip, "argv0", StringValueCStr(argv0),
+ TCL_GLOBAL_ONLY);
+ }
+ }
+@@ -6434,7 +6434,7 @@
+ slave->allow_ruby_exit = 0;
+ slave->return_value = 0;
+
+- slave->ip = Tcl_CreateSlave(master->ip, StringValuePtr(name), safe);
++ slave->ip = Tcl_CreateSlave(master->ip, StringValueCStr(name), safe);
+ if (slave->ip == NULL) {
+ rb_thread_critical = thr_crit_bup;
+ return rb_exc_new2(rb_eRuntimeError,
+@@ -6910,7 +6910,7 @@
+ get_obj_from_str(str)
+ VALUE str;
+ {
+- const char *s = StringValuePtr(str);
++ const char *s = StringValueCStr(str);
+
+ #if TCL_MAJOR_VERSION == 8 && TCL_MINOR_VERSION == 0
+ return Tcl_NewStringObj((char*)s, RSTRING_LEN(str));
+@@ -7758,7 +7758,7 @@
+ if (NIL_P(msg)) {
+ msg_obj = NULL;
+ } else {
+- char *s = StringValuePtr(msg);
++ char *s = StringValueCStr(msg);
+ msg_obj = Tcl_NewStringObj(s, RSTRING_LENINT(msg));
+ Tcl_IncrRefCount(msg_obj);
+ }
+@@ -8423,7 +8423,7 @@
+
+ enc_name = rb_funcallv(enc_name, ID_to_s, 0, 0);
+ if (Tcl_SetSystemEncoding((Tcl_Interp *)NULL,
+- StringValuePtr(enc_name)) != TCL_OK) {
++ StringValueCStr(enc_name)) != TCL_OK) {
+ rb_raise(rb_eArgError, "unknown encoding name '%s'",
+ RSTRING_PTR(enc_name));
+ }
+@@ -8864,7 +8864,7 @@
+ Tcl_Preserve((ClientData)av); /* XXXXXXXX */
+ #endif
+ for (i = 0; i < argc; ++i) {
+- av[i] = strdup(StringValuePtr(argv[i]));
++ av[i] = strdup(StringValueCStr(argv[i]));
+ }
+ av[argc] = NULL;
+ #endif
+@@ -9868,7 +9868,7 @@
+ len = 1;
+ for(num = 0; num < argc; num++) {
+ if (OBJ_TAINTED(argv[num])) taint_flag = 1;
+- dst = StringValuePtr(argv[num]);
++ dst = StringValueCStr(argv[num]);
+ #if TCL_MAJOR_VERSION >= 8
+ len += Tcl_ScanCountedElement(dst, RSTRING_LENINT(argv[num]),
+ &flagPtr[num]) + 1;