svn commit: r334705 - in head: devel/ruby-gems security/vuxml

Steve Wills swills at FreeBSD.org
Sun Nov 24 05:36:30 UTC 2013 

Author: swills
Date: Sun Nov 24 05:36:28 2013
New Revision: 334705
URL: http://svnweb.freebsd.org/changeset/ports/334705

Log:
  - Update devel/ruby-gems to 1.8.28
  - Document security issues with 1.8.26 and 1.8.27 (CVE-2013-4287 and CVE-2013-4363)
  
  Security:	742eb9e4-e3cb-4f5a-b94e-0e9a39420600
  Security:	54237182-9635-4a8b-92d7-33bfaeed84cd

Modified:
  head/devel/ruby-gems/Makefile
  head/devel/ruby-gems/distinfo
  head/devel/ruby-gems/pkg-plist   (contents, props changed)
  head/security/vuxml/vuln.xml

Modified: head/devel/ruby-gems/Makefile
==============================================================================
--- head/devel/ruby-gems/Makefile	Sun Nov 24 01:29:02 2013	(r334704)
+++ head/devel/ruby-gems/Makefile	Sun Nov 24 05:36:28 2013	(r334705)
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	gems
-PORTVERSION=	1.8.25
+PORTVERSION=	1.8.28
 CATEGORIES=	devel ruby
 MASTER_SITES=	${MASTER_SITE_RUBYGEMS:S/\/gems\//\/rubygems\//}
 PKGNAMEPREFIX=	${RUBY_PKGNAMEPREFIX}
@@ -43,7 +43,7 @@ NO_STAGE=	yes
 do-install:
 	@${MKDIR} ${PREFIX}/${GEMS_DOC_BASE_DIR}/
 	@${TOUCH} ${PREFIX}/${GEMS_DOC_BASE_DIR}/.keep_this
-	cd ${WRKSRC}; ${RUBY} ${RUBY_SETUP} ${RUBY_SETUP_OPTIONS}
+	cd ${WRKSRC}; ${SETENV} ${GEM_ENV} ${RUBY} ${RUBY_SETUP} ${RUBY_SETUP_OPTIONS}
 
 post-install:
 	@${LN} -sf ${PREFIX}/bin/gem${RUBY_VER_SHORT} ${PREFIX}/bin/gem

Modified: head/devel/ruby-gems/distinfo
==============================================================================
--- head/devel/ruby-gems/distinfo	Sun Nov 24 01:29:02 2013	(r334704)
+++ head/devel/ruby-gems/distinfo	Sun Nov 24 05:36:28 2013	(r334705)
@@ -1,2 +1,2 @@
-SHA256 (ruby/rubygems-1.8.25.tgz) = 649348ddf8746887fb1ee79c55dc508f0627d3d0bfa7fcdbcd4edb24908f1cc8
-SIZE (ruby/rubygems-1.8.25.tgz) = 380540
+SHA256 (ruby/rubygems-1.8.28.tgz) = f5f1aae263cd7f44634adf47733a5521f676ce76f19006db85d78c685defed39
+SIZE (ruby/rubygems-1.8.28.tgz) = 270451

Modified: head/devel/ruby-gems/pkg-plist
==============================================================================
--- head/devel/ruby-gems/pkg-plist	Sun Nov 24 01:29:02 2013	(r334704)
+++ head/devel/ruby-gems/pkg-plist	Sun Nov 24 05:36:28 2013	(r334705)
@@ -84,7 +84,6 @@ bin/gem%%RUBY_VER_SHORT%%
 %%RUBY_SITELIBDIR%%/rubygems/source_index.rb
 %%RUBY_SITELIBDIR%%/rubygems/spec_fetcher.rb
 %%RUBY_SITELIBDIR%%/rubygems/specification.rb
-%%RUBY_SITELIBDIR%%/rubygems/ssl_certs/ca-bundle.pem
 %%RUBY_SITELIBDIR%%/rubygems/syck_hack.rb
 %%RUBY_SITELIBDIR%%/rubygems/test_case.rb
 %%RUBY_SITELIBDIR%%/rubygems/test_utilities.rb

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Sun Nov 24 01:29:02 2013	(r334704)
+++ head/security/vuxml/vuln.xml	Sun Nov 24 05:36:28 2013	(r334705)
@@ -51,6 +51,73 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="742eb9e4-e3cb-4f5a-b94e-0e9a39420600">
+    <topic>ruby-gems -- Algorithmic Complexity Vulnerability</topic>
+    <affects>
+      <package>
+	<name>ruby19-gems</name>
+	<range><lt>1.8.27</lt></range>
+      </package>
+      <package>
+	<name>ruby20-gems</name>
+	<range><lt>1.8.27</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Ruby Gem developers report:</p>
+	<blockquote cite="http://blog.rubygems.org/2013/09/24/CVE-2013-4363.html">
+	  <p>The patch for CVE-2013-4363 was insufficiently verified so the
+	     combined regular expression for verifying gem version remains
+	     vulnerable following CVE-2013-4363.</p>
+	  <p>RubyGems validates versions with a regular expression that is
+	     vulnerable to denial of service due to backtracking. For specially
+	     crafted RubyGems versions attackers can cause denial of service
+	     through CPU consumption.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2013-4363</cvename>
+    </references>
+    <dates>
+      <discovery>2013-09-24</discovery>
+      <entry>2013-11-24</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="54237182-9635-4a8b-92d7-33bfaeed84cd">
+    <topic>ruby-gems -- Algorithmic Complexity Vulnerability</topic>
+    <affects>
+      <package>
+	<name>ruby19-gems</name>
+	<range><lt>1.8.26</lt></range>
+      </package>
+      <package>
+	<name>ruby20-gems</name>
+	<range><lt>1.8.26</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Ruby Gem developers report:</p>
+	<blockquote cite="http://blog.rubygems.org/2013/09/09/CVE-2013-4287.html">
+	  <p>RubyGems validates versions with a regular expression that is
+	     vulnerable to denial of service due to backtracking. For specially
+	     crafted RubyGems versions attackers can cause denial of service
+	     through CPU consumption.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2013-4287</cvename>
+    </references>
+    <dates>
+      <discovery>2013-09-09</discovery>
+      <entry>2013-11-24</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="cc9043cf-7f7a-426e-b2cc-8d1980618113">
     <topic>ruby -- Heap Overflow in Floating Point Parsing</topic>
     <affects>

More information about the svn-ports-head mailing list