Fixed the following security issues:
CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
CVE-2017-10784: Escape sequence injection vulnerability in the Basic
authentication of WEBrick
CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
CVE-2017-14064: Heap exposure in generating JSON
For more details, see the release notes:
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-4-2-released/
Drop now upstreamed rubygems patches and add hashes for the license files
while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

We want to use SPDX identifiers for license strings as much as possible.
The SPDX short identifier for BSD-2c is BSD-2-Clause.
This change was done using the following command:
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/BSD-2c/BSD-2-Clause/g'
Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

We want to use SPDX identifiers for license strings as much as possible.
The SPDX short identifier for BSD-3c is BSD-3-Clause.
This change was done using the following command:
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/BSD-3c/BSD-3-Clause/g'
Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

On uClibc, finite, isinf and isnan are not directly implemented as
functions. Instead math.h #define's these to __finite, __isinf and __isnan,
which are real functions.
This confuses the Ruby configure script, which uses AC_REPLACE_FUNCS to
detect these, as it really checks for a function without including math.h.
Because of the naming difference the checks fail, therefore the symbols
HAVE_FINITE, HAVE_ISINF and HAVE_ISNAN are not defined.
Ruby code relies on those symbols in order to define its own version of
the finite, isinf and isnan functions. Since the symbols haven't been
defined, those definitions cause conflicts with the already-existing
functions.
Fixes:
http://autobuild.buildroot.net/results/f34/f34dc20749c6f6d12c51eddf3ee6c2ef41d7c13d/
[Peter: extend description, add comment in .mk]
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

The problem addressed by the 0001 patch has been fixed upstream, and that
fix is included in this release:
aa107497cd
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

The SSP support checks of the Ruby configure script do not do a full
link, and therefore don't properly detect if SSP support is fully
functional or not, which causes some build failures if the compiler
supports -fstack-protector but the C library does not provide the SSP
implementation.
To avoid this, we explicitly tell ruby if SSP support is available or
not.
Fixes:
http://autobuild.buildroot.net/results/001/00154b0142f51c197d5d53ae36f7adc4f8250d9d/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

In commit 53bf889cdc ("ruby: should not
use dl_iterate_phdr() on Blackfin") we added
ac_cv_func_dl_iterate_phdr=no to RUBY_CONF_ENV when building on the
Blackfin architecture.
However, while doing so, we overwrote the previous value of
RUBY_CONF_ENV, which was defined to have custom CFLAGS:
RUBY_CONF_ENV = CFLAGS="$(RUBY_CFLAGS)"
This has no visible effect because the custom CFLAGS are only used on
SuperH/SuperH 64, while the overwrite of RUBY_CONF_ENV takes place on
Blackfin.
However, it doesn't look very pretty, and future additions to
RUBY_CONF_ENV may break this subtle behavior.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Fixes:
CVE-2014-8090 - Another Denial Of Service XML Expansion.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Fixes:
CVE-2014-8080 - Denial of service XML expansion
And change default ext/openssl settings WRT CVE-2014-3566.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

To be consistent with the recent change of FOO_MAKE_OPT into FOO_MAKE_OPTS,
make the same change for FOO_CONF_OPT.
Sed command used:
find * -type f | xargs sed -i 's#_CONF_OPT\>#&S#g'
Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

At least for ruby 2.x we need to --disable-rubygems, besides removing the
gem files, to avoid the requires.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

Ruby can now use gmp optionally, so make sure that if the gmp package
for the target is enabled, it gets built before the ruby package, and
the appropriate configure options are passed to Ruby.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

When building host-ruby, if gmp seems to be available (for example
when host-gmp is built as a dependency of building the toolchain),
Ruby tries to use it. Unfortunately, it fails to use it because there
is no static version of host-gmp that is built and installed.
Since we don't care much about gmp support in host-ruby anyway, simply
disable it.
This issue was introduced since the bump to Ruby 2.1.0, and this
commit fixes:
http://autobuild.buildroot.org/results/e19/e197f20bd5ec4aae6d8692d67df4f539a9df33e2/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

This commit bumps Ruby to version 2.1.2. It was quickly runtime tested
on ARM EABIhf.
In addition to this it changes the site to an http:// location, which
is the official one advertised on the Ruby web site.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

The dl_iterate_phdr() C library function on Blackfin returns a
non-conventional structure format compared to other architectures,
which makes Ruby unable to use it. Since it's just an optional feature
of Ruby apparently used to generate more fancy backtraces, this commit
simply disables the usage of dl_iterate_phdr() on this architecture.
Fixes:
http://autobuild.buildroot.org/results/1b0/1b0e2f5f95889eb26846927da45d128247d0ed89/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

It's currently in a non-working state since it requires a couple of
extensions that don't build at the moment (they try to execute tests in
configure) and also requires a target compiler.
So remove it to avoid false expectations and reclaim about 1.5 MiB of
target space.
[Thomas: slightly reword comments.]
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

As reported by Fatih Aşıcı on the mailing list, it sometimes fails with
the host openssl, depending on versions, when development files are
installed.
And as suggested by Thomas Petazzoni it's really not required for
anything so just disable it.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Based on the contents of LEGAL, without checking the code.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Fixes JSON DoS (CVE-2013-0269) and REXML DoS (no assigned CVE yet).
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>

Security Fix for RubyGems: SSL server verification failure for remote
repository.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>