Fixed the following security issues:
CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
CVE-2017-10784: Escape sequence injection vulnerability in the Basic
authentication of WEBrick
CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
CVE-2017-14064: Heap exposure in generating JSON
For more details, see the release notes:
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-4-2-released/
Drop now upstreamed rubygems patches and add hashes for the license files
while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We unfortunately cannot use the upstream patches directly as they are not in
'patch -p1' format, so convert them and include instead.
Fixes:
CVE-2017-0899 - RubyGems version 2.6.12 and earlier is vulnerable to
maliciously crafted gem specifications that include terminal escape
characters. Printing the gem specification would execute terminal escape
sequences.
CVE-2017-0900 - RubyGems version 2.6.12 and earlier is vulnerable to
maliciously crafted gem specifications to cause a denial of service attack
against RubyGems clients who have issued a `query` command.
CVE-2017-0901 - RubyGems version 2.6.12 and earlier fails to validate
specification names, allowing a maliciously crafted gem to potentially
overwrite any file on the filesystem.
CVE-2017-0902 - RubyGems version 2.6.12 and earlier is vulnerable to a DNS
hijacking vulnerability that allows a MITM attacker to force the RubyGems
client to download and install gems from a server that the attacker
controls.
For more details, see
https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
We want to use SPDX identifier for license string as much as possible.
SPDX short identifier for BSD-2c is BSD-2-Clause.
This change is done using following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/BSD-2c/BSD-2-Clause/g'
Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
We want to use SPDX identifier for license string as much as possible.
SPDX short identifier for BSD-3c is BSD-3-Clause.
This change is done using following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/BSD-3c/BSD-3-Clause/g'
Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
On uClibc, finite, isinf and isnan are not directly implemented as
functions. Instead math.h #define's these to __finite, __isinf and __isnan,
which are real functions.
This confuses the Ruby configure script which use AC_REPLACE_FUNCS to
detect these, as it really checks for a function without including math.h.
Because of the naming difference the checks fail, therefore the symbols
HAVE_FINITE, HAVE_ISINF and HAVE_ISNAN are not defined.
Ruby code relies on those symbols in order to define its own version of
the finite, isinf and isnan functions. Since the symbols haven't been
defined, those definitions cause conflicts with the already-existing
functions.
Fixes:
http://autobuild.buildroot.net/results/f34/f34dc20749c6f6d12c51eddf3ee6c2ef41d7c13d/
[Peter: extend description, add comment in .mk]
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The problem addressed by 0001 patch has been fixed upstream and is that
fix is included in this release:
aa107497cd
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
It's been deprecated for quite some time now.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The SSP support checks of the Ruby configure script do not do a full
link, and therefore don't properly detect if SSP support is fully
functional or not, which causes some build failures if the compiler
supports -fstack-protector but the C library does not provide the SSP
implementation.
To avoid this, we explicitly tell ruby if SSP support is available or
not.
Fixes:
http://autobuild.buildroot.net/results/001/00154b0142f51c197d5d53ae36f7adc4f8250d9d/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In commit 53bf889cdc ("ruby: should not
use dl_iterate_phdr() on Blackfin") we added
ac_cv_func_dl_iterate_phdr=no to RUBY_CONF_ENV when building on the
Blackfin architecture.
However, while doing so, we overwrote the previous value of
RUBY_CONF_ENV, which was defined to have custom CFLAGS:
RUBY_CONF_ENV = CFLAGS="$(RUBY_CFLAGS)"
This has no visible effect because the custom CFLAGS are only used on
SuperH/SuperH 64, while the overwrite of RUBY_CONF_ENV takes place on
Blackfin.
However, it doesn't look very pretty, and future additions to
RUBY_CONF_ENV may break this subtle behavior.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Re-enable parallel builds, it doesn't seem to be affected by the issue
worked around in 9332a1ad4 any more.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This commit doesn't touch infra packages.
Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Since a while, the semantic of BR2_PREFER_STATIC_LIB has been changed
from "prefer static libraries when possible" to "use only static
libraries". The former semantic didn't make much sense, since the user
had absolutely no control/idea of which package would use static
libraries, and which packages would not. Therefore, for quite some
time, we have been starting to enforce that BR2_PREFER_STATIC_LIB
should really build everything with static libraries.
As a consequence, this patch renames BR2_PREFER_STATIC_LIB to
BR2_STATIC_LIBS, and adjust the Config.in option accordingly.
This also helps preparing the addition of other options to select
shared, shared+static or just static.
Note that we have verified that this commit can be reproduced by
simply doing a global rename of BR2_PREFER_STATIC_LIB to
BR2_STATIC_LIBS plus adding BR2_PREFER_STATIC_LIB to Config.in.legacy.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Fixes:
CVE-2014-8090 - Another Denial Of Service XML Expansion.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2014-8080 - Denial of service XML expansion
And change default ext/openssl settings WRT CVE-2014-3566.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Disable fiddle support because of compile failure (no ffi_closure support
for bfin).
Fixes:
http://autobuild.buildroot.net/results/0a8/0a854274b520d4daca3911a64777a447b5756a52/
[Thomas: slightly adjust the comment wording.]
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
To be consistent with the recent change of FOO_MAKE_OPT into FOO_MAKE_OPTS,
make the same change for FOO_CONF_OPT.
Sed command used:
find * -type f | xargs sed -i 's#_CONF_OPT\>#&S#g'
Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
At least for ruby 2.x we need to --disable-rubygems besides removing the
gems files to avoid the requires.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Ruby can now use gmp optionally, so make sure that if the gmp package
for the target is enabled, it gets built before the ruby package, and
the appropriate configure options are passed to Ruby.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When building host-ruby, if gmp seems to be available (for example
when host-gmp is built as a dependency of building the toolchain),
Ruby tries to use it. Unfortunately, it fails to use it because there
is no static version of host-gmp that is built and installed.
Since we anyway don't care much about gmp support in host-ruby, simply
disable it.
This issue was introduced since the bump to Ruby 2.1.0, and this
commit fixes:
http://autobuild.buildroot.org/results/e19/e197f20bd5ec4aae6d8692d67df4f539a9df33e2/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit bumps Ruby to version 2.1.2. It was quickly runtime tested
on ARM EBIhf.
In addition to this it changes the site to an http:// location, which
is the official one advertised on the Ruby web site.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The dl_iterate_phdr() C library function on Blackfin returns a
non-conventional structure format compared to other architectures,
which makes Ruby unable to use it. Since it's just an optional feature
of Ruby apparently used to generate more fancy backtraces, this commit
simply disables the usage of dl_iterate_phdr() on this architecture.
Fixes:
http://autobuild.buildroot.org/results/1b0/1b0e2f5f95889eb26846927da45d128247d0ed89/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
No matter what you do, the Ruby build system wants to use shared
libraries for the encoding modules. Therefore, this commit disallows
the selection of Ruby in BR2_PREFER_STATIC_LIB situations.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
It's currently in a non-working state since it requires a couple of
extensions that don't build at the moment (they try to execute tests in
configure) and also requires a target compiler.
So remove it to avoid false expectations and reclaim target space back
of about 1.5 MiB.
[Thomas: slightly reword comments.]
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
As reported by Fatih Aşıcı on the mailing list it sometimes fails with
the host openssl depending on versions when development files are
installed.
And as suggested by Thomas Petazzoni it's really not required for
anything so just disable it.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net>
Reviewed-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch lines up the comments in Config.in files that clarify which
toolchain options the package depends on.
Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The 'pcrel too far' problem detected in the autobuild on SuperH
architectures, seems to be caused by the -Os optimization flag. Using
standard optimization fixes the problem.
Fixes http://autobuild.buildroot.net/results/bc36e051e06f596c2fafdd3cc3745bb34b73ace3/
Investigated-by: Lionel Orry <lionel.orry@gmail.com>
Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Based on the contents of LEGAL, without checking the code.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
