authorHans de Graaff <graaff@gentoo.org>2015-07-10 06:45:27 +0000
committerHans de Graaff <graaff@gentoo.org>2015-07-10 06:45:27 +0000
commit418e1eb507f5826b748d288b77be10fb915c3801 (patch)
treed891b5686e7e6ffd9f3c30daec96dfb1f4e4d1aa /dev-ruby/redcloth
parentCleanup vulnerable version, bug 495218. (diff)
Add debian patch for bug 536008.
Package-Manager: portage-2.2.20/cvs/Linux x86_64 Manifest-Sign-Key: 0x8883FA56A308A8D7!
Diffstat (limited to 'dev-ruby/redcloth')
-rw-r--r--dev-ruby/redcloth/ChangeLog10
-rw-r--r--dev-ruby/redcloth/Manifest28
-rw-r--r--dev-ruby/redcloth/files/redcloth-4.2.9-cve-2012-6684.patch58
-rw-r--r--dev-ruby/redcloth/redcloth-4.2.9-r3.ebuild61
-rw-r--r--dev-ruby/redcloth/redcloth-4.2.9-r4.ebuild (renamed from dev-ruby/redcloth/redcloth-4.2.9-r2.ebuild)4
5 files changed, 140 insertions, 21 deletions
diff --git a/dev-ruby/redcloth/ChangeLog b/dev-ruby/redcloth/ChangeLog
index ba3b3ffd8602..96c9660454eb 100644
--- a/dev-ruby/redcloth/ChangeLog
+++ b/dev-ruby/redcloth/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for dev-ruby/redcloth
# Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-ruby/redcloth/ChangeLog,v 1.100 2015/06/07 19:21:57 jlec Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-ruby/redcloth/ChangeLog,v 1.101 2015/07/10 06:45:26 graaff Exp $
+
+*redcloth-4.2.9-r4 (10 Jul 2015)
+*redcloth-4.2.9-r3 (10 Jul 2015)
+
+ 10 Jul 2015; Hans de Graaff <graaff@gentoo.org> -redcloth-4.2.9-r2.ebuild,
+ +redcloth-4.2.9-r3.ebuild, +redcloth-4.2.9-r4.ebuild,
+ +files/redcloth-4.2.9-cve-2012-6684.patch:
+ Add debian patch for bug 536008.
07 Jun 2015; Justin Lecher <jlec@gentoo.org> metadata.xml:
Add github to remote-id in metadata.xml
diff --git a/dev-ruby/redcloth/Manifest b/dev-ruby/redcloth/Manifest
index 3b9d17bbf40d..7d601e88f698 100644
--- a/dev-ruby/redcloth/Manifest
+++ b/dev-ruby/redcloth/Manifest
@@ -1,27 +1,17 @@
-----BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA512
+Hash: SHA256
+AUX redcloth-4.2.9-cve-2012-6684.patch 1996 SHA256 5a0473add0af2158675a8b68c8832f08e3e127297b33ba8d5902109257a37640 SHA512 17ea6052abf651c41091df3a1799bb33ad2161abd5a78f2d6db4629eb57a0413f4341ad87ca065391e5cc3e083bd65000d3d68d1fa53d0d15e5a73f5962a1498 WHIRLPOOL 28b67c831e42037546e2d14c48a9256bd043660e21c9265432c7011ff0166cc16ac3909c2a54b830365393f35d14befe735a9888463e9f4c454a09ae030cbe27
DIST RedCloth-git-4.2.9.tgz 96897 SHA256 e649f46a58b949c6d229714c25b747f331b4a5b887eaa65ac43eab1f39067e6c SHA512 646f7a1a88ab9b3ff078016df706a1c9d991bf21d86ef1dd4c0a0ee6b946f94276b52499218bca222461eb003510e84b81f44b08899c5b36ac115137193e968a WHIRLPOOL 4276714eb34ec2571544ff271698f1e6540ac62d51704c4216d19452be0b59d1da3014b7c290204b9ca42d5edd88094f1de79618d3bbf8d4f8ae5fb214ecca63
EBUILD redcloth-4.2.9-r1.ebuild 1746 SHA256 4d6527ebb1b625d8526097b6dc663b01e8aab19189d264e16f3ac72e2ab67219 SHA512 44a9065ab5ff392db6546402966a347d2e0c674128447a2228434efceb065cb7d17b82bf4f5404a35a3e0f37d0bac8820aecd80e3dab9f181f739c5789919816 WHIRLPOOL a5e088776fd39795fade0f4b900dab31d7141f2ca19ee9b1ea58025692a196d1e1b5436cf79dc42a67882359709927c6c655a2d9bc345cace57cc93b87974b22
-EBUILD redcloth-4.2.9-r2.ebuild 1612 SHA256 a6b5e108279668acaf30aa5c43fbfdae5742453c1e1f980191351b08018c9add SHA512 0fbfbe8e94d562f48c0545f9229b548ff760408208aee58b5bfa106c2a43481bda295b68ca06deff3df142df64d094b60478c0bbaf0a88d3bbe5b76dfa812b08 WHIRLPOOL 0cb6203339e081b51c740782f9094d39356f8d6268ba92e8e555b8477a758118a0cf517f23c0dba1b8f6029c0fca89c65823a84aae95f15f6771325e748d05a7
-MISC ChangeLog 12876 SHA256 20bb689927e060b3873c1cb479cd1a359f601a64d29a30d54a3ac15d9f202b4b SHA512 20753258b3dcf35f7b9e53d5852673641c11f484435ae6e0e5edc34ac3a1ae25b686f3763675b41ec35b9fe295adabfb5c51e4ae3ece626245b0de2164ef2cf1 WHIRLPOOL d7aa73fb886ee3cad6a373794b9cad095eda490be48e438a9ff84ce6ba7e810a55281becdf57ea5b78c012be99a971adc2cedc67ea83369c80ce8d6d48c7d537
+EBUILD redcloth-4.2.9-r3.ebuild 1641 SHA256 8ad20b44b675f3aba79751417703506b5ed6d7f457d25d3c7a48613e1954db05 SHA512 a187f291e7b82c3b30d42ca367e5cfb25486e198258710c6aedae9fe811c492db46794b96e67f9c4286162e8af3dc7556a4c32044989ecf5cd3cb0eab6850ab4 WHIRLPOOL 2441e209f9d16afe19cd45bbfdc288e273557d65284f4fac9c203623e044cb04ba5bbae764beabc242e0b620f813190b0948841e99e5d6ec28591016f4d8431b
+EBUILD redcloth-4.2.9-r4.ebuild 1655 SHA256 3e1749b7ed4bd5a61042d02dc2c15dedd86f78e590c89d5b3b3c567fe45eec76 SHA512 c942ce59e362d124f21bf5cd227ddfd11de363176bea4115edf3091370a202253b3890d753ad7062646ad5c833c48fd52d04938c5e52f43a1815d9ad4c97297d WHIRLPOOL 85bdd8d595e6fc5d289b65df596340f1baddcb04e25893ecf8c8a3f18f2a1d0b15f83907f9275a34493855d3865e411555d066b5cd1e3aa6dcf7177181f3f73c
+MISC ChangeLog 13159 SHA256 caa8c9661a57e21bb443aa50bd6fa9fa40284dba66d58b0f54549314604bd987 SHA512 0217f686adbd00a050a7101020b4f728f2e917cc37efa5f934d75dee33ea2d7a4d57adcfd6169353098cfcd31e451639fb5f6b84fa56ffe8b7d3e61595d0d5c9 WHIRLPOOL d92a8490bddb5ce91b6a433c50c24427037d429c879b9b5ac3659db98d1b05752a93595b7a6b0dd1ba1150e16c48af50043c847d549ca2fd067afa19d0359800
MISC metadata.xml 244 SHA256 2e3aa80510a458f40e1890cac15854077ba1b91b8a9f07836a67c275016c92c4 SHA512 eeec7ac86941d451d420b87b5849a243b60c155181440f7f513dfe1341b7cd41cf93c03c3f4c8fb255c9267cc2cc25538a68c93f472a6ced907955eb71aa0a3c WHIRLPOOL 917078f841c02481e582c2daba27021de8bf5ec0b3562d3a68168d17eae4f48749e893922fb09ca5b276e7fdbf0cef7b33ed822d4be87bc0ae43c38c987791fe
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0
+Version: GnuPG v2
-iQJ8BAEBCgBmBQJVdJnWXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
-ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ0QUU0N0I4NzFERUI0MTJFN0EyODE0NUFF
-OTQwMkE3OUIwMzUyOUEyAAoJEOlAKnmwNSmiknQQAJZVRdeeKXxdOadNcwuauBUc
-mYKG2eB50kDQBSTbyzhaShN0DLUFtlvZMNocSiW/ML34hueeOfh2BSJkvl5TbOKI
-61INc1yyxXezNbmaGkUd3NSxcnB99x8RTNleWPvmnw2f6T2Wg0QOEwvtA0c9Zy+G
-PmR0TNtQDWvk49hj2hvQbrUP5F3uGYUFGtoK59O054o6upDyMGPdH6M6lGN3GFyT
-ijy1K4yFYpuIiLe5IOE8+pVq5hD9JG67hIanGZ2KWvdqlXof3K3rIMg6j5pUpOru
-wNRS6tw94nhi3d3NO3W0Wcix+PRRrpZkjRVkBKtwfGVHW5joR4bygyNF/wN68KhZ
-Q55kDy1k95zT5WF/7HF3GVZHKlTOR4bzzYMASEgzTaNllUk8Jp7omPM2StoOi5+S
-EgD+c6TBHsLtzQCc3OEG/HIHIJ1FOZ7JWvjyfNkznRlz9I0qPHT8cHu59lHKGxzC
-wG0u0rfTKN8uj+iu8BIQ9FIYwu/WzRG9e8wgy+5VZ/ryjUOfh3XWM1iPAtPRmDx4
-pB3/Dp9wm405XzTCjNy00zxvxOrOZY/Wc7V6uzKPeErtBYxMfQF4eJC44Paz5Jgi
-qvp2Q5ftQiKWStI7cmQCH8r4NbQvEE1ShLZjPe7MaMwDsNf/wd/85yoea2hsLEe9
-sfe+P70gN7z+45FsQtCM
-=Rrn9
+iF4EAREIAAYFAlWfagcACgkQiIP6VqMIqNcsewD7BoBNhfPDqKkDB2CQyFJxaP0I
+ImkcAANMISlX2Oks6VoA/1ijXIhGxfQO69bGNXIXpr/mWkktzWlyUQM2Vm4EnNdH
+=9Qsv
-----END PGP SIGNATURE-----
diff --git a/dev-ruby/redcloth/files/redcloth-4.2.9-cve-2012-6684.patch b/dev-ruby/redcloth/files/redcloth-4.2.9-cve-2012-6684.patch
new file mode 100644
index 000000000000..ec36340f8aad
--- /dev/null
+++ b/dev-ruby/redcloth/files/redcloth-4.2.9-cve-2012-6684.patch
@@ -0,0 +1,58 @@
+Patch taken from Debian (via upstream pull request that is still pending)
+
+http://sources.debian.net/src/ruby-redcloth/4.2.9-4/debian/patches/0001-Filter-out-javascript-links-when-using-filter_html-o.patch/
+https://github.com/jgarber/redcloth/pull/20/commits
+
+From b3d82f0c3a354a2f589e1fd43f5f1d7e427b530e Mon Sep 17 00:00:00 2001
+From: Antonio Terceiro <terceiro@debian.org>
+Date: Sat, 7 Feb 2015 23:27:39 -0200
+Subject: [PATCH] Filter out 'javascript:' links when using filter_html or
+ sanitize_html
+
+This is a fix for CVE-2012-6684
+---
+ lib/redcloth/formatters/html.rb | 6 +++++-
+ spec/security/CVE-2012-6684_spec.rb | 14 ++++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+ create mode 100644 spec/security/CVE-2012-6684_spec.rb
+
+diff --git a/lib/redcloth/formatters/html.rb b/lib/redcloth/formatters/html.rb
+index bfadfb7..b8793b2 100644
+--- a/lib/redcloth/formatters/html.rb
++++ b/lib/redcloth/formatters/html.rb
+@@ -111,7 +111,11 @@ module RedCloth::Formatters::HTML
+ end
+
+ def link(opts)
+- "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>"
++ if (filter_html || sanitize_html) && opts[:href] =~ /^\s*javascript:/
++ opts[:name]
++ else
++ "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>"
++ end
+ end
+
+ def image(opts)
+diff --git a/spec/security/CVE-2012-6684_spec.rb b/spec/security/CVE-2012-6684_spec.rb
+new file mode 100644
+index 0000000..05219fd
+--- /dev/null
++++ b/spec/security/CVE-2012-6684_spec.rb
+@@ -0,0 +1,14 @@
++# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6684
++
++require 'redcloth'
++
++describe 'CVE-2012-6684' do
++
++ it 'should not let javascript links pass through' do
++ # PoC from http://co3k.org/blog/redcloth-unfixed-xss-en
++ output = RedCloth.new('["clickme":javascript:alert(%27XSS%27)]', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
++ expect(output).to_not match(/href=.javascript:alert/)
++ end
++
++
++end
+--
+2.1.4
+
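Review bot: The scheme check the vendored patch adds at `opts[:href] =~ /^\s*javascript:/` is case-sensitive and anchored with `^`, which in Ruby matches at the start of every line rather than only the start of the string; a mixed-case scheme name is therefore not filtered even though URL schemes are case-insensitive, and the accompanying spec only exercises the lower-case form. The tighter form `if (filter_html || sanitize_html) && opts[:href] =~ /\A\s*javascript:/i` closes that gap; since this file is copied verbatim from Debian, the change would belong in a Gentoo-local revision of the patch or be raised on the upstream pull request it references. The `link` helper's enclosing module continues outside the quoted hunk, so other href-producing paths are not visible here.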
diff --git a/dev-ruby/redcloth/redcloth-4.2.9-r3.ebuild b/dev-ruby/redcloth/redcloth-4.2.9-r3.ebuild
new file mode 100644
index 000000000000..85401b57cb69
--- /dev/null
+++ b/dev-ruby/redcloth/redcloth-4.2.9-r3.ebuild
@@ -0,0 +1,61 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-ruby/redcloth/redcloth-4.2.9-r3.ebuild,v 1.1 2015/07/10 06:45:26 graaff Exp $
+
+EAPI=5
+
+USE_RUBY="ruby19 ruby20"
+
+RUBY_FAKEGEM_NAME="RedCloth"
+
+RUBY_FAKEGEM_RECIPE_TEST="rspec"
+RUBY_FAKEGEM_TASK_DOC=""
+
+RUBY_FAKEGEM_DOCDIR="doc"
+
+RUBY_FAKEGEM_EXTRADOC="README.rdoc CHANGELOG"
+
+RUBY_FAKEGEM_REQUIRE_PATHS="lib/case_sensitive_require"
+
+inherit ruby-fakegem versionator
+
+DESCRIPTION="A module for using Textile in Ruby"
+HOMEPAGE="http://redcloth.org/"
+
+GITHUB_USER=jgarber
+SRC_URI="https://github.com/${GITHUB_USER}/redcloth/tarball/v${PV} -> ${RUBY_FAKEGEM_NAME}-git-${PV}.tgz"
+RUBY_S="${GITHUB_USER}-${PN}-*"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE=""
+
+DEPEND+=" dev-util/ragel"
+
+ruby_add_bdepend "
+ >=dev-ruby/rake-0.8.7
+ >=dev-ruby/rake-compiler-0.7.1
+ test? ( >=dev-ruby/diff-lcs-1.1.2 )"
+
+pkg_setup() {
+ ruby-ng_pkg_setup
+
+ # Export the VERBOSE variable to avoid remapping of stdout and
+ # stderr, and that breaks because of bad interactions between
+ # echoe, Ruby and Gentoo.
+ export VERBOSE=1
+}
+
+RUBY_PATCHES=( ${P}-cve-2012-6684.patch )
+
+all_ruby_prepare() {
+ sed -i -e '/[Bb]undler/d' Rakefile ${PN}.gemspec || die
+ rm tasks/{release,gems,rspec}.rake || die
+}
+
+each_ruby_compile() {
+ # We cannot run this manually easily, because Ragel re-generation
+ # is a mess
+ ${RUBY} -S rake compile || die "rake compile failed"
+}
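Review bot: The `RUBY_PATCHES=( ${P}-cve-2012-6684.patch )` line in the new r3 ebuild (and the identical line added to the r4 ebuild in the next file section) carries no explanation of what the patch fixes or why the package was revised for it. A one-line comment above it, `# Debian patch for CVE-2012-6684 (javascript: links with filter_html/sanitize_html), bug 536008`, would let a maintainer tell from the ebuild alone which revisions carry the fix and when the patch can be dropped. The ChangeLog entry only says "Add debian patch for bug 536008", so the CVE id is otherwise visible only in the patch filename.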
diff --git a/dev-ruby/redcloth/redcloth-4.2.9-r2.ebuild b/dev-ruby/redcloth/redcloth-4.2.9-r4.ebuild
index 9330bf02c6c2..971694179e04 100644
--- a/dev-ruby/redcloth/redcloth-4.2.9-r2.ebuild
+++ b/dev-ruby/redcloth/redcloth-4.2.9-r4.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/dev-ruby/redcloth/redcloth-4.2.9-r2.ebuild,v 1.4 2015/02/21 09:31:22 graaff Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-ruby/redcloth/redcloth-4.2.9-r4.ebuild,v 1.1 2015/07/10 06:45:26 graaff Exp $
EAPI=5
@@ -47,6 +47,8 @@ pkg_setup() {
export VERBOSE=1
}
+RUBY_PATCHES=( ${P}-cve-2012-6684.patch )
+
all_ruby_prepare() {
sed -i -e '/[Bb]undler/d' Rakefile ${PN}.gemspec || die
rm tasks/{release,gems,rspec}.rake || die