From nobody Sun Apr 17 04:08:51 2022
X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id C942111CF83F;
	Sun, 17 Apr 2022 04:08:52 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4KgxQD1Bfzz3JhF;
	Sun, 17 Apr 2022 04:08:52 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1650168532;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=aG02YPT4+6YggUYoQ9+G6OR5cSQvxtZ19Tm7VKQnBiQ=;
	b=eN4Mp4mQBp/eID2Zawhcm3LKUmWzcuuua8jWEm7uuUwKrAAov9rT1Y6cAMnQ8zaMsP+o6+
	AZ8cpIddeOJ+1c8OEFA4pwjX0DI26+ux8WO3kSIXCztoDx68WcXUf8yhSbhj1oeo8YGI+b
	6Y0kEUyfYUrmKu0LrNDtzt6jdbSjK3/lGEFe2hveo4Ai4PX7NsIsRzIOiF1WS4XELl8k+J
	qMcfI2fuGeqElKWTIqdB3LZBlqDFnHwmnWObL1Wd+gBaO9CcHo3Xh7mAzcBNSGrbvv1lZ9
	Xs3uIxPU12GaKCafm2Jl/tDqgC/1UY7Fdc4HiIb1N4XhI4f9NcTcgSdpOUSaPw==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id D84D41739A;
	Sun, 17 Apr 2022 04:08:51 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 23H48ptb024951;
	Sun, 17 Apr 2022 04:08:51 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 23H48pED024950;
	Sun, 17 Apr 2022 04:08:51 GMT
	(envelope-from git)
Date: Sun, 17 Apr 2022 04:08:51 GMT
Message-Id: <202204170408.23H48pED024950@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org,
        dev-commits-ports-main@FreeBSD.org
From: Yasuhiro Kimura <yasu@FreeBSD.org>
Subject: git: 3d90d93bd56e - main - lang/ruby32: Add upstream patches to fix recent vulnerabilities
List-Id: Commit messages for all branches of the ports repository <dev-commits-ports-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
List-Help: <mailto:dev-commits-ports-all+help@freebsd.org>
List-Post: <mailto:dev-commits-ports-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-ports-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-ports-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-ports-all@freebsd.org
X-BeenThere: dev-commits-ports-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: yasu
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 3d90d93bd56ee79ea165afecd38fd9fec6674d26
Auto-Submitted: auto-generated
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1650168532;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=aG02YPT4+6YggUYoQ9+G6OR5cSQvxtZ19Tm7VKQnBiQ=;
	b=s9tInG65cFo2pWpMnW8v3NqMmZi6+hOJXbOVJvCUFmNByLFzF2yMgLsErSZTYMbldcfWS5
	6K3JoIl08lMy8PXXlZL6vzCRvZ/kJQidDrkNFwg4piqN3Visrc+L4CSD3B/W9yabq4BZA4
	FHL9dxt9uz8r4wg3Swe6vcJUKBidc4NDb3QEsOPNIy4r94WF3LxYGH2WMG1pU3DgjOXTWr
	7m/AO2qbzLQtYh/Ef4AQaXAjEniOn+gL4Jp9OWIZsMUm5TwtuDbnDKSrGf2PDen14jTN6b
	vSE8mVeQQvIF9IOyMAgkS5mVtaqjI+n9R1y+Rw8No5k5HRDr36MiPHW/t9dFFw==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1650168532; a=rsa-sha256; cv=none;
	b=upVCZxfZxI63cq4fZP9o4bkwh2ANfc4H+FQaoBEW19WyM1xH98mC16RQt5/gfpgB+182S3
	Dc6Oz4ZUZwblNd87zXkJSSO7KIwmuOj1hPjsslUweOj51zenRI+Est+x0y5B24AWI3BCUZ
	OzecWrjjjiOhWrz8/E+ZzlyIj9oOgLxZPYpPMC4ZdmSfpd/iEuONF+ZHpDsYbIkNbeB76I
	aNTllaydajOy++wFyeYU/B3DhJAODd25MTH82A1EFZoxYObUiug2zH4yKFqr6X6U1CWDW8
	H8iuqu0s67zys+zrAKifC3cqbEDvRYywR39qow9entH4cA22mggepgmUGcU7qw==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
X-ThisMailContainsUnwantedMimeParts: N

The branch main has been updated by yasu:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3d90d93bd56ee79ea165afecd38fd9fec6674d26

commit 3d90d93bd56ee79ea165afecd38fd9fec6674d26
Author:     Yasuhiro Kimura <yasu@FreeBSD.org>
AuthorDate: 2022-04-17 02:18:12 +0000
Commit:     Yasuhiro Kimura <yasu@FreeBSD.org>
CommitDate: 2022-04-17 04:07:45 +0000

    lang/ruby32: Add upstream patches to fix recent vulnerabilities
    
    PR:             263357
    Approved by:    sunpoet (ruby@)
    Security:       f22144d7-bad1-11ec-9cfe-0800270512f4
    Security:       06ed6a49-bad4-11ec-9cfe-0800270512f4
---
 Mk/bsd.ruby.mk                         |  2 +-
 lang/ruby32/files/patch-CVE-2022-28738 | 66 ++++++++++++++++++++++++++++++++++
 lang/ruby32/files/patch-CVE-2022-28739 | 64 +++++++++++++++++++++++++++++++++
 3 files changed, 131 insertions(+), 1 deletion(-)

diff --git a/Mk/bsd.ruby.mk b/Mk/bsd.ruby.mk
index 5471244b4838..1e9286ced1b8 100644
--- a/Mk/bsd.ruby.mk
+++ b/Mk/bsd.ruby.mk
@@ -162,7 +162,7 @@ RUBY31=			""	# PLIST_SUB helpers
 # Ruby 3.2
 #
 RUBY_DISTVERSION=	3.2.0-preview1
-RUBY_PORTREVISION=	0
+RUBY_PORTREVISION=	1
 RUBY_PORTEPOCH=		1
 RUBY32=			""	# PLIST_SUB helpers
 
diff --git a/lang/ruby32/files/patch-CVE-2022-28738 b/lang/ruby32/files/patch-CVE-2022-28738
new file mode 100644
index 000000000000..79cd2f40b47b
--- /dev/null
+++ b/lang/ruby32/files/patch-CVE-2022-28738
@@ -0,0 +1,66 @@
+From cf2bbcfff2985c116552967c7c4522f4630f2d18 Mon Sep 17 00:00:00 2001
+From: Nobuyoshi Nakada <nobu@ruby-lang.org>
+Date: Fri, 11 Jun 2021 00:06:43 +0900
+Subject: [PATCH 1/2] Just free compiled pattern if no space is used
+
+https://hackerone.com/reports/1220911
+---
+ regcomp.c                | 14 ++++++++------
+ test/ruby/test_regexp.rb |  9 +++++++++
+ 2 files changed, 17 insertions(+), 6 deletions(-)
+
+diff --git regcomp.c regcomp.c
+index 3e65c9d2e3..94640639d8 100644
+--- regcomp.c
++++ regcomp.c
+@@ -142,8 +142,13 @@ bitset_on_num(BitSetRef bs)
+ static void
+ onig_reg_resize(regex_t *reg)
+ {
+-  resize:
+-    if (reg->alloc > reg->used) {
++  do {
++    if (!reg->used) {
++      xfree(reg->p);
++      reg->alloc = 0;
++      reg->p = 0;
++    }
++    else if (reg->alloc > reg->used) {
+       unsigned char *new_ptr = xrealloc(reg->p, reg->used);
+       // Skip the right size optimization if memory allocation fails
+       if (new_ptr) {
+@@ -151,10 +156,7 @@ onig_reg_resize(regex_t *reg)
+         reg->p = new_ptr;
+       }
+     }
+-    if (reg->chain) {
+-      reg = reg->chain;
+-      goto resize;
+-    }
++  } while ((reg = reg->chain) != 0);
+ }
+ 
+ extern int
+diff --git test/ruby/test_regexp.rb test/ruby/test_regexp.rb
+index 4be6d7bec7..84687c5380 100644
+--- test/ruby/test_regexp.rb
++++ test/ruby/test_regexp.rb
+@@ -1431,6 +1431,15 @@ def test_bug18631
+     assert_kind_of MatchData, /(?<x>a)(?<x>aa)\k<x>/.match("aaaab")
+   end
+ 
++  def test_invalid_group
++    assert_separately([], "#{<<-"begin;"}\n#{<<-'end;'}")
++    begin;
++      assert_raise_with_message(RegexpError, /invalid conditional pattern/) do
++        Regexp.new("((?(1)x|x|)x)+")
++      end
++    end;
++  end
++
+   # This assertion is for porting x2() tests in testpy.py of Onigmo.
+   def assert_match_at(re, str, positions, msg = nil)
+     re = Regexp.new(re) unless re.is_a?(Regexp)
+-- 
+2.35.2
+
diff --git a/lang/ruby32/files/patch-CVE-2022-28739 b/lang/ruby32/files/patch-CVE-2022-28739
new file mode 100644
index 000000000000..8de3fa8b434b
--- /dev/null
+++ b/lang/ruby32/files/patch-CVE-2022-28739
@@ -0,0 +1,64 @@
+From d0a822eec524522d81ffc7da2bb1baf906b0318a Mon Sep 17 00:00:00 2001
+From: Nobuyoshi Nakada <nobu@ruby-lang.org>
+Date: Thu, 1 Jul 2021 06:39:17 +0900
+Subject: [PATCH 2/2] Fix dtoa buffer overrun
+
+https://hackerone.com/reports/1248108
+---
+ missing/dtoa.c          |  3 ++-
+ test/ruby/test_float.rb | 18 ++++++++++++++++++
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git missing/dtoa.c missing/dtoa.c
+index a940eabd91..b7a8302875 100644
+--- missing/dtoa.c
++++ missing/dtoa.c
+@@ -1552,6 +1552,7 @@ break2:
+ 	    if (!*++s || !(s1 = strchr(hexdigit, *s))) goto ret0;
+ 	    if (*s == '0') {
+ 		while (*++s == '0');
++		if (!*s) goto ret;
+ 		s1 = strchr(hexdigit, *s);
+ 	    }
+ 	    if (s1 != NULL) {
+@@ -1574,7 +1575,7 @@ break2:
+ 		for (; *s && (s1 = strchr(hexdigit, *s)); ++s) {
+ 		    adj += aadj * ((s1 - hexdigit) & 15);
+ 		    if ((aadj /= 16) == 0.0) {
+-			while (strchr(hexdigit, *++s));
++			while (*++s && strchr(hexdigit, *s));
+ 			break;
+ 		    }
+ 		}
+diff --git test/ruby/test_float.rb test/ruby/test_float.rb
+index 4be2cfeeda..57a46fce92 100644
+--- test/ruby/test_float.rb
++++ test/ruby/test_float.rb
+@@ -171,6 +171,24 @@ def test_strtod
+       assert_raise(ArgumentError, n += z + "A") {Float(n)}
+       assert_raise(ArgumentError, n += z + ".0") {Float(n)}
+     end
++
++    x = nil
++    2000.times do
++      x = Float("0x"+"0"*30)
++      break unless x == 0.0
++    end
++    assert_equal(0.0, x, ->{"%a" % x})
++    x = nil
++    2000.times do
++      begin
++        x = Float("0x1."+"0"*270)
++      rescue ArgumentError => e
++        raise unless /"0x1\.0{270}"/ =~ e.message
++      else
++        break
++      end
++    end
++    assert_nil(x, ->{"%a" % x})
+   end
+ 
+   def test_divmod
+-- 
+2.35.2
+