--- a/components/ruby/Makefile Tue Nov 26 13:57:44 2013 -0800
+++ b/components/ruby/Makefile Tue Nov 26 14:09:46 2013 -0800
@@ -67,12 +67,19 @@
# these macros are used in the package manifest
PKG_MACROS+= RUBY_VER=$(RUBY_VER)
+# patches to rubygems are in a separate directory from the ruby patches
+PATCH_DIR_1 = rubygems-patches
+PATCHES_1 = $(shell find $(PATCH_DIR_1) -type f -name $(PATCH_PATTERN) \
+ 2>/dev/null | sort)
+
# Since configure.in is patched, we need to autoconf after the patch.
# Also, unpack the 2nd archive for rubygems.
-# Rubygems does not have patches, nor does it use configure nor make.
+# Rubygems has patches, but it does not use configure nor make.
COMPONENT_PREP_ACTION = (cd $(@D) ; autoconf); \
$(RM) -r $(SOURCE_DIR_1); \
- $(UNPACK) $(UNPACK_ARGS) $(USERLAND_ARCHIVES)$(COMPONENT_ARCHIVE_1)
+ $(UNPACK) $(UNPACK_ARGS) $(USERLAND_ARCHIVES)$(COMPONENT_ARCHIVE_1) \
+ $(foreach patch,$(PATCHES_1), \
+ $(GPATCH) -d $(SOURCE_DIR_1) $(GPATCH_FLAGS) < $(patch))
# These modifications of ruby.1 must occur after ruby
# is installed, not before. Although there are some other patches
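Review bot: The new gpatch invocations are spliced onto the same shell command line as $(UNPACK) with no command separator: COMPONENT_PREP_ACTION is a variable definition, so the backslash-newlines after `$(COMPONENT_ARCHIVE_1)` and inside the `$(foreach …)` collapse to spaces, and `$(foreach)` itself emits nothing between successive patches. As written the recipe expands to `$(UNPACK) … archive gpatch -d … < patch1 gpatch -d … < patch2`, so gpatch and its arguments become extra arguments to the unpack tool and the `<` redirect applies to it rather than to gpatch; the two lines should read `$(UNPACK) $(UNPACK_ARGS) $(USERLAND_ARCHIVES)$(COMPONENT_ARCHIVE_1); \` and `$(GPATCH) -d $(SOURCE_DIR_1) $(GPATCH_FLAGS) < $(patch);)`. Separately, `PATCHES_1` is built from `find … 2>/dev/null`, so a missing or misnamed rubygems-patches directory silently yields an empty list and the CVE fix is skipped without any build failure; if that mirrors the existing PATCHES convention in this tree it is at least worth a comment, otherwise consider failing when no patch is found.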
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/ruby/rubygems-patches/01-CVE-2013-4287-4363.patch Tue Nov 26 14:09:46 2013 -0800
@@ -0,0 +1,41 @@
+Fix for the following two CVE issues:
+
+CVE-2013-4287
+Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in
+lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25,
+2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through
+2.0.0p247, allows remote attackers to cause a denial of service (CPU
+consumption) via a crafted gem version that triggers a large amount of
+backtracking in a regular expression.
+
+CVE-2013-4363
+Algorithmic complexity vulnerability in
+Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems
+before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before
+2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to
+cause a denial of service (CPU consumption) via a crafted gem version that
+triggers a large amount of backtracking in a regular expression. NOTE: this
+issue is due to an incomplete fix for CVE-2013-4287.
+
+The fixes come from
+http://rubygems.rubyforge.org/rubygems-update/CVE-2013-4287_txt.html
+and
+http://rubygems.rubyforge.org/rubygems-update/CVE-2013-4363_txt.html
+
+--- rubygems-1.3.5-orig//lib/rubygems/version.rb Mon Jun 22 15:54:36 2009
++++ rubygems-1.3.5/lib/rubygems/version.rb Thu Oct 24 16:02:38 2013
+@@ -69,12 +69,12 @@
+
+ include Comparable
+
+- VERSION_PATTERN = '[0-9]+(\.[0-9a-z]+)*'
++ VERSION_PATTERN = '[0-9]+(?>\.[0-9a-z]+)*'
+
+ attr_reader :version
+
+ def self.correct?(version)
+- pattern = /\A\s*(#{VERSION_PATTERN})*\s*\z/
++ pattern = /\A\s*(#{VERSION_PATTERN})?\s*\z/
+
+ version.is_a? Integer or
+ version =~ pattern or
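Review bot: The header text describes both CVEs but does not say which of the two code changes addresses which, and a backport to rubygems 1.3.5 will not line up textually with either upstream fix (1.3.5 has no ANCHORED_VERSION_PATTERN; the anchored regex is built inline in `correct?`). A short mapping in the header would let a later reviewer confirm coverage without re-deriving it, e.g. `The atomic group (?>...) in VERSION_PATTERN is the CVE-2013-4287 fix; changing the anchored (#{VERSION_PATTERN})* to (#{VERSION_PATTERN})? in correct? is the CVE-2013-4363 fix.` If VERSION_PATTERN is interpolated into other anchored regexps elsewhere in the 1.3.5 tree (Gem::Requirement, for instance), those sites get the atomic group but not the `*`-to-`?` change, which is worth checking and noting in the same header. The enclosing Gem::Version class continues outside the hunk.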