Version in base suite: 1.9.0.2-9
Version in overlay suite: (not present)
Base version: ruby1.9_1.9.0.2-9
Target version: ruby1.9_1.9.0.2-9lenny1
Base file: /org/ftp.debian.org/ftp/pool/main/r/ruby1.9/ruby1.9_1.9.0.2-9.dsc
Target file: /org/ftp.debian.org/queue/p-u-new/ruby1.9_1.9.0.2-9lenny1.dsc
 debian/patches/931_CVE-2009-0642.dpatch | 37 +++++
 debian/patches/932_CVE-2009-1904.dpatch | 219 ++++++++++++++++++++++++++++++++
 ruby1.9-1.9.0.2/debian/changelog | 10 +
 ruby1.9-1.9.0.2/debian/patches/00list | 2
 4 files changed, 268 insertions(+)
diff -u ruby1.9-1.9.0.2/debian/changelog ruby1.9-1.9.0.2/debian/changelog
--- ruby1.9-1.9.0.2/debian/changelog
+++ ruby1.9-1.9.0.2/debian/changelog
@@ -1,3 +1,13 @@
+ruby1.9 (1.9.0.2-9lenny1) stable-security; urgency=high
+
+ * added patch: 932_CVE-2009-1904 (ref: #532689)
+ It fixes BigDecimal DoS vulnerability (CVE-2009-1904). (backported from
+ 1.8.7-p172 and 1.8.7-p174)
+ * Add upstream patch to properly check return values of the
+ OCSP_basic_verify function (CVE-2009-0642; Closes: #513528)
+
+ -- akira yamada Fri, 10 Jul 2009 16:21:55 +0900
+
 ruby1.9 (1.9.0.2-9) unstable; urgency=high
 
 * fixes regression:
diff -u ruby1.9-1.9.0.2/debian/patches/00list ruby1.9-1.9.0.2/debian/patches/00list
--- ruby1.9-1.9.0.2/debian/patches/00list
+++ ruby1.9-1.9.0.2/debian/patches/00list
@@ -21,0 +22,2 @@
+931_CVE-2009-0642
+932_CVE-2009-1904
only in patch2:
unchanged:
--- ruby1.9-1.9.0.2.orig/debian/patches/931_CVE-2009-0642.dpatch
+++ ruby1.9-1.9.0.2/debian/patches/931_CVE-2009-0642.dpatch
@@ -0,0 +1,37 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 931_CVE-2009-0642.dpatch by Nico Golde
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad ruby1.9-1.9.0.2~/ext/openssl/ossl_ocsp.c ruby1.9-1.9.0.2/ext/openssl/ossl_ocsp.c
+--- ruby1.9-1.9.0.2~/ext/openssl/ossl_ocsp.c 2007-02-13 00:01:19.000000000 +0100
++++ ruby1.9-1.9.0.2/ext/openssl/ossl_ocsp.c 2009-04-06 18:43:12.000000000 +0200
+@@ -589,22 +589,22 @@
+ static VALUE
+ ossl_ocspbres_verify(int argc, VALUE *argv, VALUE self)
+ {
+- VALUE certs, store, flags;
++ VALUE certs, store, flags, result;
+ OCSP_BASICRESP *bs;
+ STACK_OF(X509) *x509s;
+ X509_STORE *x509st;
+- int flg, result;
++ int flg;
+
+ rb_scan_args(argc, argv, "21", &certs, &store, &flags);
+ x509st = GetX509StorePtr(store);
+ flg = NIL_P(flags) ? 0 : INT2NUM(flags);
+ x509s = ossl_x509_ary2sk(certs);
+ GetOCSPBasicRes(self, bs);
+- result = OCSP_basic_verify(bs, x509s, x509st, flg);
++ result = OCSP_basic_verify(bs, x509s, x509st, flg) > 0 ? Qtrue : Qfalse;
+ sk_X509_pop_free(x509s, X509_free);
+ if(!result) rb_warn("%s", ERR_error_string(ERR_peek_error(), NULL));
+
+- return result ? Qtrue : Qfalse;
++ return result;
+ }
+
+ /*
only in patch2:
unchanged:
--- ruby1.9-1.9.0.2.orig/debian/patches/932_CVE-2009-1904.dpatch
+++ ruby1.9-1.9.0.2/debian/patches/932_CVE-2009-1904.dpatch
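Review bot: The context line `flg = NIL_P(flags) ? 0 : INT2NUM(flags);` converts in the wrong direction — INT2NUM boxes a C int into a Ruby VALUE, so what reaches OCSP_basic_verify is the tagged representation of the caller's Integer rather than its OCSP_* flag bits; it should read `flg = NIL_P(flags) ? 0 : NUM2INT(flags);`. This predates the patch, but since the point of the fix is to make the verification result trustworthy, the argument that controls how the responder chain is checked deserves the same scrutiny. The new `> 0 ? Qtrue : Qfalse` is the right test, because OCSP_basic_verify() returns 1 on success, 0 on verification failure and a negative value on fatal error, and the unchanged `if(!result)` still fires for Qfalse since Qfalse is the zero VALUE in ruby 1.9. The dpatch header's `## DP: No description.` should say what is being fixed, e.g. `## DP: CVE-2009-0642: treat a zero or negative OCSP_basic_verify() return as a failed verification`.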
@@ -0,0 +1,219 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 932_CVE-2009-1904.dpatch by akira yamada
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fixes CVE-2009-1094 (backported 1.8.7-p172 and 1.8.7-p174)
+
+@DPATCH@
+diff -urNad ruby1.9-1.9.0.2~/ext/bigdecimal/bigdecimal.c ruby1.9-1.9.0.2/ext/bigdecimal/bigdecimal.c
+--- ruby1.9-1.9.0.2~/ext/bigdecimal/bigdecimal.c 2008-02-12 11:46:21.000000000 +0900
++++ ruby1.9-1.9.0.2/ext/bigdecimal/bigdecimal.c 2009-07-10 16:19:50.000000000 +0900
+@@ -305,17 +305,19 @@
+ BigDecimal_dump(int argc, VALUE *argv, VALUE self)
+ {
+ ENTER(5);
+- char sz[50];
+ Real *vp;
+ char *psz;
+ VALUE dummy;
++ volatile VALUE dump;
++
+ rb_scan_args(argc, argv, "01", &dummy);
+ GUARD_OBJ(vp,GetVpValue(self,1));
+- sprintf(sz,"%lu:",VpMaxPrec(vp)*VpBaseFig());
+- psz = ALLOCA_N(char,(unsigned int)VpNumOfChars(vp,"E")+strlen(sz));
+- sprintf(psz,"%s",sz);
++ dump = rb_str_new(0,VpNumOfChars(vp,"E")+50);
++ psz = RSTRING_PTR(dump);
++ sprintf(psz,"%lu:",VpMaxPrec(vp)*VpBaseFig());
+ VpToString(vp, psz+strlen(psz), 0, 0);
+- return rb_str_new2(psz);
++ rb_str_resize(dump, strlen(psz));
++ return dump;
+ }
+
+ /*
+@@ -519,6 +521,7 @@
+ ENTER(5);
+ int e,n,i,nf;
+ U_LONG v,b,j;
++ volatile VALUE str;
+ char *psz,*pch;
+ Real *p;
+
+@@ -526,14 +529,14 @@
+
+ /* Infinity or NaN not converted. */
+ if(VpIsNaN(p)) {
+- VpException(VP_EXCEPTION_NaN,"Computation results to 'NaN'(Not a Number)",0);
+- return Qnil;
++ VpException(VP_EXCEPTION_NaN,"Computation results to 'NaN'(Not a Number)",1);
++ return Qnil; /* not reached */
+ } else if(VpIsPosInf(p)) {
+- VpException(VP_EXCEPTION_INFINITY,"Computation results to 'Infinity'",0);
+- return Qnil;
++ VpException(VP_EXCEPTION_INFINITY,"Computation results to 'Infinity'",1);
++ return Qnil; /* not reached */
+ } else if(VpIsNegInf(p)) {
+- VpException(VP_EXCEPTION_INFINITY,"Computation results to '-Infinity'",0);
+- return Qnil;
++ VpException(VP_EXCEPTION_INFINITY,"Computation results to '-Infinity'",1);
++ return Qnil; /* not reached */
+ }
+
+ e = VpExponent10(p);
+@@ -543,7 +546,8 @@
+ e = VpGetSign(p)*p->frac[0];
+ return INT2FIX(e);
+ }
+- psz = ALLOCA_N(char,(unsigned int)(e+nf+2));
++ str = rb_str_new(0, e+nf+2);
++ psz = RSTRING_PTR(str);
+
+ n = (e+nf-1)/nf;
+ pch = psz;
+@@ -588,17 +592,21 @@
+ double d;
+ S_LONG e;
+ char *buf;
++ volatile VALUE str;
+
+ GUARD_OBJ(p,GetVpValue(self,1));
+ if(VpVtoD(&d, &e, p)!=1) return rb_float_new(d);
+- buf = ALLOCA_N(char,(unsigned int)VpNumOfChars(p,"E"));
++ if (e > DBL_MAX_10_EXP) goto erange;
++ str = rb_str_new(0, VpNumOfChars(p,"E"));
++ buf = RSTRING_PTR(str);
+ VpToString(p, buf, 0, 0);
+ errno = 0;
+ d = strtod(buf, 0);
+ if(errno == ERANGE) {
++ erange:
+ VpException(VP_EXCEPTION_OVERFLOW,"BigDecimal to Float conversion",0);
+- if(d>0.0) return rb_float_new(DBL_MAX);
+- else return rb_float_new(-DBL_MAX);
++ if(d>0.0) d = VpGetDoublePosInf();
++ else d = VpGetDoubleNegInf();
+ }
+ return rb_float_new(d);
+ }
+@@ -1503,6 +1511,7 @@
+ int fmt=0; /* 0:E format */
+ int fPlus=0; /* =0:default,=1: set ' ' before digits ,set '+' before digits. */
+ Real *vp;
++ volatile VALUE str;
+ char *psz;
+ char ch;
+ U_LONG nc;
+@@ -1539,14 +1548,16 @@
+ }
+ if(mc>0) nc += (nc + mc - 1) / mc + 1;
+
+- psz = ALLOCA_N(char,(unsigned int)nc);
++ str = rb_str_new(0, nc);
++ psz = RSTRING_PTR(str);
+
+ if(fmt) {
+ VpToFString(vp, psz, mc, fPlus);
+ } else {
+ VpToString (vp, psz, mc, fPlus);
+ }
+- return rb_str_new2(psz);
++ rb_str_resize(str, strlen(psz));
++ return str;
+ }
+
+ /* Splits a BigDecimal number into four parts, returned as an array of values.
+@@ -1578,24 +1589,29 @@
+ {
+ ENTER(5);
+ Real *vp;
+- VALUE obj,obj1;
++ VALUE obj,str;
+ S_LONG e;
+ S_LONG s;
+ char *psz1;
+
+ GUARD_OBJ(vp,GetVpValue(self,1));
+- psz1 = ALLOCA_N(char,(unsigned int)VpNumOfChars(vp,"E"));
++ str = rb_str_new(0, VpNumOfChars(vp,"E"));
++ psz1 = RSTRING_PTR(str);
+ VpSzMantissa(vp,psz1);
+ s = 1;
+ if(psz1[0]=='-') {
+- s = -1; ++psz1;
++ int len = strlen(psz1+1);
++
++ memmove(psz1, psz1+1, len);
++ psz1[len] = '\0';
++ s = -1;
+ }
+ if(psz1[0]=='N') s=0; /* NaN */
+ e = VpExponent10(vp);
+- obj1 = rb_str_new2(psz1);
+ obj = rb_ary_new2(4);
+ rb_ary_push(obj, INT2FIX(s));
+- rb_ary_push(obj, obj1);
++ rb_ary_push(obj, str);
++ rb_str_resize(str, strlen(psz1));
+ rb_ary_push(obj, INT2FIX(10));
+ rb_ary_push(obj, INT2NUM(e));
+ return obj;
+@@ -1628,20 +1644,22 @@
+ {
+ ENTER(5);
+ Real *vp;
+- VALUE obj;
++ volatile VALUE obj;
+ unsigned int nc;
+- char *psz1;
+- char *pszAll;
++ char *psz, *tmp;
+
+ GUARD_OBJ(vp,GetVpValue(self,1));
+ nc = VpNumOfChars(vp,"E");
+ nc +=(nc + 9) / 10;
+
+- psz1 = ALLOCA_N(char,nc);
+- pszAll = ALLOCA_N(char,nc+256);
+- VpToString(vp, psz1, 10, 0);
+- sprintf(pszAll,"#",self,psz1,VpPrec(vp)*VpBaseFig(),VpMaxPrec(vp)*VpBaseFig());
+- obj = rb_str_new2(pszAll);
++ obj = rb_str_new(0, nc+256);
++ psz = RSTRING_PTR(obj);
++ sprintf(psz,"#",VpPrec(vp)*VpBaseFig(),VpMaxPrec(vp)*VpBaseFig());
++ rb_str_resize(obj, strlen(psz));
+ return obj;
+ }
+
+@@ -2494,6 +2512,7 @@
+ int sign=1;
+ Real *vp = NULL;
+ U_LONG mf = VpGetPrecLimit();
++ volatile VALUE buf;
+
+ mx = (mx + BASE_FIG - 1) / BASE_FIG + 1; /* Determine allocation unit. */
+ if(szVal) {
+@@ -2521,7 +2540,8 @@
+
+ /* Skip all '_' after digit: 2006-6-30 */
+ ni = 0;
+- psz = ALLOCA_N(char,strlen(szVal)+1);
++ buf = rb_str_new(0,strlen(szVal)+1);
++ psz = RSTRING_PTR(buf);
+ i = 0;
+ ipn = 0;
+ while((psz[i]=szVal[ipn])!=0) {
+@@ -3613,7 +3633,7 @@
+ nc += fprintf(fp, "0.");
+ n = a->Prec;
+ for(i=0;i < n;++i) {
+- m = BASE1;
++ m = BASE1;
+ e = a->frac[i];
+ while(m) {
+ nn = e / m;
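Review bot: The description line `## DP: fixes CVE-2009-1094 (backported 1.8.7-p172 and 1.8.7-p174)` names the wrong advisory — the dpatch file name, the 00list entry and the changelog all say CVE-2009-1904, so it should read `## DP: fixes CVE-2009-1904 (backported 1.8.7-p172 and 1.8.7-p174)`. The hunk at `@@ -526,14` also changes behaviour beyond the stack-to-heap allocation fix: the last VpException() argument goes from 0 to 1 and the new `/* not reached */` comments indicate the call now raises unconditionally for NaN and ±Infinity instead of returning nil, which the changelog entry does not record and callers may notice. In the split function (`@@ -1578,24`) the new `VALUE obj,str;` is the one converted function that does not mark its freshly allocated string `volatile VALUE` as BigDecimal_dump and the hunks at 519, 588, 1503, 1628 and 2494 do; the string is pushed into obj a few lines later so the window is short, but `volatile VALUE obj,str;` keeps the file consistent. Note that the `@@ -1628,20` hunk as rendered here appears to have lost the text between `"#` and `",VpPrec(vp)` in both sprintf lines (an angle-bracketed format seems to have been stripped), so `tmp` looks unused only in this view, not necessarily in the applied patch.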