
Bug#771431: (preapproval) unblock: ruby2.1/2.1.5-1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hello,

I intend to upload a new upstream version of ruby2.1 with the attached
debdiff to unstable.

It contains fixes for 2 bugs:

  - Fixes CVE-2014-8090 Another Denial of Service XML Expansion
    (Closes: #770932)
  - Fixes build on SPARC (Closes: #769731)

Even though it's a new upstream release:

- the changes are minimal and are restricted to the above bugs, plus
  minimal build system changes and portability fixes.
- a large part of the debdiff is changelog entries, a version bump, and
  test suite additions.
- having this version in jessie will ease the stable maintenance effort
  by deviating as little as possible from upstream.

Please let me know if you agree with me uploading this.

unblock ruby2.1/2.1.5-1

-- System Information:
Debian Release: jessie/sid
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Antonio Terceiro <terceiro@debian.org>
diff --git a/ChangeLog b/ChangeLog
index 19dbbd0..fe76d3d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,50 @@
+Thu Nov 13 22:32:34 2014  CHIKANAGA Tomoyuki  <nagachika@ruby-lang.org>
+
+	* lib/rexml/document.rb: add REXML::Document#document.
+	  reported by Tomas Hoger <thoger@redhat.com> and patched by nahi.
+
+Thu Nov  6 22:57:43 2014  Naohisa Goto  <ngotogenome@gmail.com>
+
+	* bignum.c (absint_numwords_generic): set an array element after
+	  definition of a variable to fix compile error with older version
+	  of fcc (Fujitsu C Compiler) 5.6 on Solaris 10 on Sparc.
+	  [Bug #10350] [ruby-dev:48608]
+
+Thu Nov  6 22:36:55 2014  Naohisa Goto  <ngotogenome@gmail.com>
+
+	* compile.c (compile_data_alloc): add padding when strict alignment
+	  is required for memory access. Currently, the padding is enabled
+	  only when the CPU is 32-bit SPARC and the compiler is GCC.
+	  [Bug #9681] [ruby-core:61715]
+
+	* compile.c (STRICT_ALIGNMENT): defined if strict alignment is required
+
+	* compile.c (ALIGNMENT_SIZE, ALIGNMENT_SIZE_MASK, PADDING_SIZE_MAX):
+	  new macros for alignemnt word size, bit mask, max size of padding.
+
+	* compile.c (calc_padding): new function to calculate padding size.
+
+Wed Nov  5 00:18:22 2014  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* configure.in (__builtin_setjmp): disable with gcc/clang earlier
+	  than 4.3 on Mac OS X.  [ruby-core:65174] [Bug #10272]
+
+Wed Nov  5 00:01:04 2014  Tanaka Akira  <akr@fsij.org>
+
+	* bignum.c (bary_mul_balance_with_mulfunc): Fix free work area
+	  location.
+	  [ruby-dev:48723] [Bug #10464]
+	  [ruby-core:66044] [Bug #10465]
+	  Reported by Kohji Nishihama.
+
+Tue Oct 28 22:30:21 2014  NARUSE, Yui  <naruse@ruby-lang.org>
+
+	* configure.in: remove apple-gcc4.2 from CC candidates.
+
+火 10 28 22:19:44 2014  CHIKANAGA Tomoyuki  <nagachika@ruby-lang.org>
+
+	* version.h (RUBY_VERSION): bump RUBY_VERSION to 2.1.5.
+
 Mon Oct 27 20:20:14 2014  NAKAMURA Usaku  <usa@ruby-lang.org>
 
 	* lib/rexml/entity.rb: keep the entity size within the limitation.
diff --git a/bignum.c b/bignum.c
index b499c0b..27d8d8a 100644
--- a/bignum.c
+++ b/bignum.c
@@ -1650,7 +1650,7 @@ bary_mul_balance_with_mulfunc(BDIGIT *zds, size_t zn, const BDIGIT *xds, size_t
             }
             tds = zds + n;
             MEMCPY(wds, zds + n, BDIGIT, xn);
-            mulfunc(tds, tn, xds, xn, yds + n, r, wds-xn, wn-xn);
+            mulfunc(tds, tn, xds, xn, yds + n, r, wds+xn, wn-xn);
             bary_add(zds + n, tn,
                      zds + n, tn,
                      wds, xn);
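Review bot: The corrected call passes `wn-xn` as the work-area length, but nothing in the hunk shows that wn >= xn, and both are size_t, so a work area smaller than xn would wrap to a huge length instead of failing; if the caller does not already guarantee this, a guard `assert(xn <= wn);` before the mulfunc call would make the contract visible. The old `wds-xn` argument pointed before the start of the work area, and the layout the fix depends on (wds..wds+xn holding the copy saved by the MEMCPY, the remainder being scratch space for mulfunc) is only inferable from the MEMCPY and bary_add lines, so a one-line comment on the MEMCPY line stating it would help the next reader. bary_mul_balance_with_mulfunc begins and ends outside the hunk.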
@@ -3294,7 +3294,7 @@ absint_numwords_generic(size_t numbytes, int nlz_bits_in_msbyte, size_t word_num
     static const BDIGIT char_bit[1] = { CHAR_BIT };
     BDIGIT numbytes_bary[bdigit_roomof(sizeof(numbytes))];
     BDIGIT val_numbits_bary[bdigit_roomof(sizeof(numbytes) + 1)];
-    BDIGIT nlz_bits_in_msbyte_bary[1] = { nlz_bits_in_msbyte };
+    BDIGIT nlz_bits_in_msbyte_bary[1];
     BDIGIT word_numbits_bary[bdigit_roomof(sizeof(word_numbits))];
     BDIGIT div_bary[numberof(val_numbits_bary) + BIGDIVREM_EXTRA_WORDS];
     BDIGIT mod_bary[numberof(word_numbits_bary)];
@@ -3304,6 +3304,8 @@ absint_numwords_generic(size_t numbytes, int nlz_bits_in_msbyte, size_t word_num
     int sign;
     size_t numwords;
 
+    nlz_bits_in_msbyte_bary[0] = nlz_bits_in_msbyte;
+
     /*
      * val_numbits = numbytes * CHAR_BIT - nlz_bits_in_msbyte
      * div, mod = val_numbits.divmod(word_numbits)
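Review bot: The new assignment `nlz_bits_in_msbyte_bary[0] = nlz_bits_in_msbyte;` carries no comment explaining why it is not an initializer, so a later cleanup is likely to fold it back into the declaration it replaced in the previous hunk; a one-line comment such as `/* assigned, not initialized: some older compilers reject non-constant aggregate initializers */` would preserve the fix. That this is the motivation is inferred from the ChangeLog entry for this change and should be confirmed. absint_numwords_generic continues outside the hunk.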
diff --git a/compile.c b/compile.c
index a76c93b..099c280 100644
--- a/compile.c
+++ b/compile.c
@@ -583,18 +583,72 @@ rb_iseq_translate_threaded_code(rb_iseq_t *iseq)
 /* definition of data structure for compiler */
 /*********************************************/
 
+/*
+ * On 32-bit SPARC, GCC by default generates SPARC V7 code that may require
+ * 8-byte word alignment. On the other hand, Oracle Solaris Studio seems to
+ * generate SPARCV8PLUS code with unaligned memory accesss instructions.
+ * That is why the STRICT_ALIGNMENT is defined only with GCC.
+ */
+#if defined(__sparc) && SIZEOF_VOIDP == 4 && defined(__GNUC__)
+  #define STRICT_ALIGNMENT
+#endif
+
+#ifdef STRICT_ALIGNMENT
+  #if defined(HAVE_TRUE_LONG_LONG) && SIZEOF_LONG_LONG > SIZEOF_VALUE
+    #define ALIGNMENT_SIZE SIZEOF_LONG_LONG
+  #else
+    #define ALIGNMENT_SIZE SIZEOF_VALUE
+  #endif
+  #define PADDING_SIZE_MAX    ((size_t)((ALIGNMENT_SIZE) - 1))
+  #define ALIGNMENT_SIZE_MASK PADDING_SIZE_MAX
+  /* Note: ALIGNMENT_SIZE == (2 ** N) is expected. */
+#else
+  #define PADDING_SIZE_MAX 0
+#endif /* STRICT_ALIGNMENT */
+
+#ifdef STRICT_ALIGNMENT
+/* calculate padding size for aligned memory access */
+static size_t
+calc_padding(void *ptr, size_t size)
+{
+    size_t mis;
+    size_t padding = 0;
+
+    mis = (size_t)ptr & ALIGNMENT_SIZE_MASK;
+    if (mis > 0) {
+        padding = ALIGNMENT_SIZE - mis;
+    }
+/*
+ * On 32-bit sparc or equivalents, when a single VALUE is requested
+ * and padding == sizeof(VALUE), it is clear that no padding is needed.
+ */
+#if ALIGNMENT_SIZE > SIZEOF_VALUE
+    if (size == sizeof(VALUE) && padding == sizeof(VALUE)) {
+        padding = 0;
+    }
+#endif
+
+    return padding;
+}
+#endif /* STRICT_ALIGNMENT */
+
 static void *
 compile_data_alloc(rb_iseq_t *iseq, size_t size)
 {
     void *ptr = 0;
     struct iseq_compile_data_storage *storage =
 	iseq->compile_data->storage_current;
+#ifdef STRICT_ALIGNMENT
+    size_t padding = calc_padding((void *)&storage->buff[storage->pos], size);
+#else
+    const size_t padding = 0; /* expected to be optimized by compiler */
+#endif /* STRICT_ALIGNMENT */
 
-    if (storage->pos + size > storage->size) {
+    if (storage->pos + size + padding > storage->size) {
 	unsigned long alloc_size = storage->size * 2;
 
       retry:
-	if (alloc_size < size) {
+	if (alloc_size < size + PADDING_SIZE_MAX) {
 	    alloc_size *= 2;
 	    goto retry;
 	}
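Review bot: The comment `/* Note: ALIGNMENT_SIZE == (2 ** N) is expected. */` states the precondition that makes `ALIGNMENT_SIZE_MASK` and the `& ALIGNMENT_SIZE_MASK` test in calc_padding correct, but nothing enforces it; since ALIGNMENT_SIZE expands to a SIZEOF_* literal, it can be checked at preprocessing time with `#if (ALIGNMENT_SIZE & (ALIGNMENT_SIZE - 1)) != 0` / `# error ALIGNMENT_SIZE must be a power of two` / `#endif` placed right after the mask definitions. In calc_padding, the block comment explaining the SIZEOF_VALUE special case sits at column 0 in the middle of the function body; indenting it together with the `#if` it introduces would read better. compile_data_alloc's body continues past the end of the hunk.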
@@ -606,8 +660,15 @@ compile_data_alloc(rb_iseq_t *iseq, size_t size)
 	storage->pos = 0;
 	storage->size = alloc_size;
 	storage->buff = (char *)(&storage->buff + 1);
+#ifdef STRICT_ALIGNMENT
+        padding = calc_padding((void *)&storage->buff[storage->pos], size);
+#endif /* STRICT_ALIGNMENT */
     }
 
+#ifdef STRICT_ALIGNMENT
+    storage->pos += (int)padding;
+#endif /* STRICT_ALIGNMENT */
+
     ptr = (void *)&storage->buff[storage->pos];
     storage->pos += size;
     return ptr;
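Review bot: The re-computation `padding = calc_padding((void *)&storage->buff[storage->pos], size);` added after the new storage is set up is indented with spaces while the surrounding lines use a tab; matching the tab keeps the file consistent. The `storage->pos += (int)padding;` cast a few lines down is safe only because calc_padding returns at most ALIGNMENT_SIZE - 1, which is not obvious at that line; a short comment `/* padding <= PADDING_SIZE_MAX, so the cast cannot truncate */` would state it. compile_data_alloc begins outside the hunk.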
diff --git a/configure.in b/configure.in
index bb1ab8a..5968bbd 100644
--- a/configure.in
+++ b/configure.in
@@ -423,7 +423,7 @@ fi
 RUBY_NACL
 AS_CASE(["$host_os:$build_os"],
 [darwin*:darwin*], [
-    AC_CHECK_TOOLS(CC, [gcc-4.2 clang gcc cc])
+    AC_CHECK_TOOLS(CC, [clang gcc cc])
     # Following Apple deployed clang are broken
     # clang version 1.0 (http://llvm.org/svn/llvm-project/cfe/tags/Apple/clang-23 exported)
     # Apple clang version 2.0 (tags/Apple/clang-137) (based on LLVM 2.9svn)
@@ -453,7 +453,9 @@ if test "$GCC" = yes; then
     linker_flag=-Wl,
     : ${optflags=-O3}
     gcc_major=`echo =__GNUC__ | $CC -E -xc - | sed '/^=/!d;s///'`
+    gcc_minor=`echo =__GNUC_MINOR__ | $CC -E -xc - | sed '/^=/!d;s///'`
     test -n "$gcc_major" || gcc_major=0
+    test -n "$gcc_minor" || gcc_minor=0
     # RUBY_APPEND_OPTIONS(XCFLAGS, ["-include ruby/config.h" "-include ruby/missing.h"])
 else
     linker_flag=
@@ -956,6 +958,9 @@ AS_CASE(["$target_os"],
 		ac_cv_type_getgroups=gid_t # getgroups() on Rosetta fills garbage
 		ac_cv_lib_crypt_crypt=no
 		ac_cv_func_fdatasync=no # Mac OS X wrongly reports it has fdatasync()
+		if test $gcc_major -lt 4 -o \( $gcc_major -eq 4 -a $gcc_minor -lt 3 \); then
+		    ac_cv_func___builtin_setjmp=no
+		fi
                 AC_CACHE_CHECK(for broken crypt with 8bit chars, rb_cv_broken_crypt,
                     [AC_TRY_RUN([
 #include <stdio.h>
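Review bot: The new test `test $gcc_major -lt 4 -o \( $gcc_major -eq 4 -a $gcc_minor -lt 3 \)` relies on the `-o`/`-a` binary operators, which POSIX marks obsolescent and which some /bin/sh implementations parse ambiguously; `if test "$gcc_major" -lt 4 || { test "$gcc_major" -eq 4 && test "$gcc_minor" -lt 3; }; then` is the portable form. The two variables are only given defaults in the `$GCC = yes` branch of the earlier hunk; if the `else` branch leaves them unset, `test` sees an empty operand and the darwin case errors out, so `${gcc_major:-0}` and `${gcc_minor:-0}` would be safer unless that branch sets them somewhere not shown here.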
diff --git a/debian/changelog b/debian/changelog
index 2b1a85f..e0f68ba 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+ruby2.1 (2.1.5-1) unstable; urgency=medium
+
+  * New upstream release
+    - Fixes CVE-2014-8090 Another Denial of Service XML Expansion
+      (Closes: #770932)
+    - Fixes build on SPARC (Closes: #769731)
+
+ -- Antonio Terceiro <terceiro@debian.org>  Sat, 29 Nov 2014 12:30:39 -0200
+
 ruby2.1 (2.1.4-1) unstable; urgency=high
 
   * New upstream version
diff --git a/lib/rexml/document.rb b/lib/rexml/document.rb
index 1e18263..f92eb62 100644
--- a/lib/rexml/document.rb
+++ b/lib/rexml/document.rb
@@ -278,6 +278,10 @@ module REXML
       end
     end
 
+    def document
+      self
+    end
+
     private
     def build( source )
       Parsers::TreeParser.new( source, self ).parse
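Review bot: The new `document` method has no RDoc comment, unlike its neighbours in this file, and a method whose whole body is `self` needs one to explain why it exists; since the ChangeLog ties it to the XML entity-expansion fix (CVE-2014-8090 per the cover mail), a comment such as `# Returns self: a Document is its own document, so code that asks any node for its document gets a Document back even when starting from the Document itself.` would do. Whether callers rely on this to reach the expansion accounting is inferred from the ChangeLog and the caution added in entity.rb and should be confirmed against those callers.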
diff --git a/lib/rexml/entity.rb b/lib/rexml/entity.rb
index f447202..3a35ec6 100644
--- a/lib/rexml/entity.rb
+++ b/lib/rexml/entity.rb
@@ -157,6 +157,7 @@ module REXML
 
   # This is a set of entity constants -- the ones defined in the XML
   # specification.  These are +gt+, +lt+, +amp+, +quot+ and +apos+.
+  # CAUTION: these entities does not have parent and document
   module EntityConst
     # +>+
     GT = Entity.new( 'gt', '>' )
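Review bot: The added caution reads `# CAUTION: these entities does not have parent and document`; `# CAUTION: these entities have no parent and no document` is grammatical and says the same thing. It would also help to state the consequence a caller should draw, if it is known (for instance that code reaching the document through the parent chain must handle nil for these constants), but that consequence is inferred from the wording and should be confirmed.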
diff --git a/test/rexml/test_document.rb b/test/rexml/test_document.rb
index efdcf66..c5ac057 100644
--- a/test/rexml/test_document.rb
+++ b/test/rexml/test_document.rb
@@ -47,7 +47,23 @@ EOF
 </member>
 EOF
 
-    XML_WITH_NESTED_PARAMETER_ENTITY = <<EOF
+  XML_WITH_NESTED_EMPTY_ENTITY = <<EOF
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE member [
+  <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
+  <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
+  <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
+  <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
+  <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
+  <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
+  <!ENTITY g "">
+]>
+<member>
+&a;
+</member>
+EOF
+
+  XML_WITH_NESTED_PARAMETER_ENTITY = <<EOF
 <!DOCTYPE root [
   <!ENTITY % a "BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.">
   <!ENTITY % b "%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;">
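Review bot: The hunk re-indents the existing `XML_WITH_NESTED_PARAMETER_ENTITY = <<EOF` line from four to two spaces in the same change that adds `XML_WITH_NESTED_EMPTY_ENTITY`; an unrelated whitespace fix mixed into a test addition makes the diff harder to read, and the heredoc body is unaffected either way. Splitting the re-indent into its own commit, or at least mentioning it in the message, would help reviewers. The enclosing test class starts before the hunk.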
@@ -61,6 +77,20 @@ EOF
 <cd></cd>
 EOF
 
+  XML_WITH_NESTED_EMPTY_PARAMETER_ENTITY = <<EOF
+<!DOCTYPE root [
+  <!ENTITY % a "">
+  <!ENTITY % b "%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;">
+  <!ENTITY % c "%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;">
+  <!ENTITY % d "%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;">
+  <!ENTITY % e "%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;">
+  <!ENTITY % f "%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;">
+  <!ENTITY % g "%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;">
+  <!ENTITY test "test %g;">
+]>
+<cd></cd>
+EOF
+
   XML_WITH_4_ENTITY_EXPANSION = <<EOF
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE member [
@@ -87,6 +117,18 @@ EOF
     end
     assert_equal(101, doc.entity_expansion_count)
 
+    doc = REXML::Document.new(XML_WITH_NESTED_EMPTY_ENTITY)
+    assert_raise(RuntimeError) do
+      doc.root.children.first.value
+    end
+    REXML::Security.entity_expansion_limit = 100
+    assert_equal(100, REXML::Security.entity_expansion_limit)
+    doc = REXML::Document.new(XML_WITH_NESTED_EMPTY_ENTITY)
+    assert_raise(RuntimeError) do
+      doc.root.children.first.value
+    end
+    assert_equal(101, doc.entity_expansion_count)
+
     REXML::Security.entity_expansion_limit = 4
     doc = REXML::Document.new(XML_WITH_4_ENTITY_EXPANSION)
     assert_equal("\na\na a\n<\n", doc.root.children.first.value)
@@ -108,6 +150,15 @@ EOF
     assert_raise(REXML::ParseException) do
       REXML::Document.new(XML_WITH_NESTED_PARAMETER_ENTITY)
     end
+
+    assert_raise(REXML::ParseException) do
+      REXML::Document.new(XML_WITH_NESTED_EMPTY_PARAMETER_ENTITY)
+    end
+    REXML::Security.entity_expansion_limit = 100
+    assert_equal(100, REXML::Security.entity_expansion_limit)
+    assert_raise(REXML::ParseException) do
+      REXML::Document.new(XML_WITH_NESTED_EMPTY_PARAMETER_ENTITY)
+    end
   ensure
     REXML::Security.entity_expansion_limit = 10000
   end
diff --git a/test/ruby/envutil.rb b/test/ruby/envutil.rb
index fa13089..a6a9f70 100644
--- a/test/ruby/envutil.rb
+++ b/test/ruby/envutil.rb
@@ -192,7 +192,7 @@ module EnvUtil
           log = File.read(name) rescue next
           if /\AProcess:\s+#{cmd} \[#{pid}\]$/ =~ log
             File.unlink(name)
-            File.unlink("#{path}/.#{File.basename(name)}.plist")
+            File.unlink("#{path}/.#{File.basename(name)}.plist") rescue nil
             return log
           end
         end
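Review bot: The `rescue nil` modifier added to the second `File.unlink` swallows every StandardError, not only the missing-file case it presumably targets, so a permission error or a wrong path would also go unnoticed; wrapping the call in `begin … rescue Errno::ENOENT … end` keeps the best-effort cleanup while still surfacing other failures. That the plist may legitimately be absent is inferred from the change itself and should be confirmed. The enclosing method starts and ends outside the hunk.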
diff --git a/version.h b/version.h
index 794e0d6..fbb3fa9 100644
--- a/version.h
+++ b/version.h
@@ -1,10 +1,10 @@
-#define RUBY_VERSION "2.1.4"
-#define RUBY_RELEASE_DATE "2014-10-27"
-#define RUBY_PATCHLEVEL 265
+#define RUBY_VERSION "2.1.5"
+#define RUBY_RELEASE_DATE "2014-11-13"
+#define RUBY_PATCHLEVEL 273
 
 #define RUBY_RELEASE_YEAR 2014
-#define RUBY_RELEASE_MONTH 10
-#define RUBY_RELEASE_DAY 27
+#define RUBY_RELEASE_MONTH 11
+#define RUBY_RELEASE_DAY 13
 
 #include "ruby/version.h"
 
