From 68c3ec9a086ae4167307043910a45300c0ae9f2e Mon Sep 17 00:00:00 2001
From: Hans de Graaff
Date: Sun, 23 Jul 2017 10:57:10 +0200
Subject: Patch set for 2.3.4-r3 Add patchs for net smtp valition and openssl weak dh.
---
patchsets/patches-2.3.4-r3/001_ia64.patch | 62 ++++++++++++++
patchsets/patches-2.3.4-r3/004_gfbsd7.patch | 37 +++++++++
.../patches-2.3.4-r3/005_no-undefined-ext.patch | 11 +++
.../patches-2.3.4-r3/007-openssl-weakdh.patch | 37 +++++++++
.../patches-2.3.4-r3/008-net-smtp-validation.patch | 39 +++++++++
patchsets/patches-2.3.4-r3/009_no-gems.patch | 95 ++++++++++++++++++++++
6 files changed, 281 insertions(+)
create mode 100644 patchsets/patches-2.3.4-r3/001_ia64.patch
create mode 100644 patchsets/patches-2.3.4-r3/004_gfbsd7.patch
create mode 100644 patchsets/patches-2.3.4-r3/005_no-undefined-ext.patch
create mode 100644 patchsets/patches-2.3.4-r3/007-openssl-weakdh.patch
create mode 100644 patchsets/patches-2.3.4-r3/008-net-smtp-validation.patch
create mode 100644 patchsets/patches-2.3.4-r3/009_no-gems.patch
diff --git a/patchsets/patches-2.3.4-r3/001_ia64.patch b/patchsets/patches-2.3.4-r3/001_ia64.patch
new file mode 100644
index 0000000..e1e9c89
--- /dev/null
+++ b/patchsets/patches-2.3.4-r3/001_ia64.patch
@@ -0,0 +1,62 @@
+Bug: https://bugs.gentoo.org/show_bug.cgi?id=561780
+
+fix crash on register stack mark/sweep pass
+
+The crash looks like
+
+ Program received signal SIGSEGV, Segmentation fault.
+ mark_locations_array (objspace=0x6000000000045db0, x=0x0, n=864692227966763116) at gc.c:3297
+ 3297 v = *x;
+ (gdb) bt
+ #0 mark_locations_array (objspace=0x6000000000045db0, x=0x0, n=864692227966763116) at gc.c:3297
+ #1 0x400000000014a040 in gc_mark_locations (objspace=0x6000000000045db0, start=0x0, end=0x6000080000000368) at gc.c:3310
+ #2 0x400000000014b3a0 in mark_current_machine_context (objspace=0x6000000000045db0, th=0x60000000000455b0) at gc.c:3500
+ #3 0x400000000014dfe0 in gc_mark_roots (objspace=0x6000000000045db0, full_mark=0, categoryp=0x0) at gc.c:4105
+ #4 0x400000000014e6b0 in gc_marks_body (objspace=0x6000000000045db0, full_mark=0) at gc.c:4164
+ #5 0x400000000014f260 in gc_marks (objspace=0x6000000000045db0, full_mark=0) at gc.c:4526
+ #6 0x40000000001525c0 in garbage_collect_body (objspace=0x6000000000045db0, full_mark=0, immediate_sweep=0, reason=256) at gc.c:5024
+ #7 0x400000000013c010 in heap_prepare_freepage (objspace=0x6000000000045db0, heap=0x6000000000045dc0) at gc.c:1219
+ #8 0x400000000013c140 in heap_get_freeobj_from_next_freepage (objspace=0x6000000000045db0, heap=0x6000000000045dc0) at gc.c:1237
+ #9 0x400000000013c360 in heap_get_freeobj (objspace=0x6000000000045db0, heap=0x6000000000045dc0) at gc.c:1259
+ #10 0x400000000013c950 in newobj_of (klass=0, flags=40, v1=0, v2=0, v3=0) at gc.c:1303
+ #11 0x400000000013ccc0 in rb_newobj_of (klass=0, flags=40) at gc.c:1356
+ #12 0x4000000000163740 in hash_alloc (klass=0) at hash.c:289
+ #13 0x4000000000163860 in rb_hash_new () at hash.c:309
+ #14 0x400000000050e420 in Init_BareVM () at vm.c:2822
+ #15 0x40000000000f6b60 in ruby_setup () at eval.c:54
+ #16 0x40000000000f6f50 in ruby_init () at eval.c:75
+ #17 0x400000000001b010 in main (argc=9, argv=0x60000fffffffb1d8) at main.c:35
+
+The problem here is in call
+ gc_mark_locations (objspace=0x6000000000045db0, start=0x0, end=0x6000080000000368) at gc.c:3310
+where 'start' (native_main_thread.register_stack_start)
+is supposed to be stack start but it's not initialized.
+
+The initialization of 'native_main_thread.register_stack_start'
+is supposed to be done in 'ruby_init_stack()'.
+
+But code under 'MAINSTACKADDR_AVAILABLE' exits early.
+The fix is to move 'register_stack_start' earlier.
+
+diff --git a/thread_pthread.c b/thread_pthread.c
+index c8a7a16..9ad448b 100644
+--- a/thread_pthread.c
++++ b/thread_pthread.c
+@@ -722,2 +722,8 @@ ruby_init_stack(volatile VALUE *addr
+ native_main_thread.id = pthread_self();
++#ifdef __ia64
++ if (!native_main_thread.register_stack_start ||
++ (VALUE*)bsp < native_main_thread.register_stack_start) {
++ native_main_thread.register_stack_start = (VALUE*)bsp;
++ }
++#endif
+ #if MAINSTACKADDR_AVAILABLE
+@@ -745,8 +751,2 @@ ruby_init_stack(volatile VALUE *addr
+ #endif
+-#ifdef __ia64
+- if (!native_main_thread.register_stack_start ||
+- (VALUE*)bsp < native_main_thread.register_stack_start) {
+- native_main_thread.register_stack_start = (VALUE*)bsp;
+- }
+-#endif
+ {
diff --git a/patchsets/patches-2.3.4-r3/004_gfbsd7.patch b/patchsets/patches-2.3.4-r3/004_gfbsd7.patch
new file mode 100644
index 0000000..fa561b6
--- /dev/null
+++ b/patchsets/patches-2.3.4-r3/004_gfbsd7.patch
@@ -0,0 +1,37 @@
+--- configure.in.orig 2013-05-05 19:36:02.800254192 +0200
++++ configure.in 2013-05-05 19:37:56.573346196 +0200
+@@ -2156,7 +2156,7 @@
+ fi
+
+ AS_CASE(["$target_os"],
+-[linux* | gnu* | k*bsd*-gnu | bsdi* | kopensolaris*-gnu | nacl], [
++[linux* | gnu* | k*bsd*-gnu | bsdi* | kopensolaris*-gnu | nacl | freebsd* | dragonfly*], [
+ if test "$rb_cv_binary_elf" = no; then
+ with_dln_a_out=yes
+ else
+@@ -2249,7 +2249,7 @@
+ [bsdi3*], [ AS_CASE(["$CC"],
+ [*shlicc*], [ : ${LDSHARED='$(CC) -r'}
+ rb_cv_dlopen=yes])],
+- [linux* | gnu* | k*bsd*-gnu | netbsd* | bsdi* | kopensolaris*-gnu | haiku*], [
++ [linux* | gnu* | k*bsd*-gnu | netbsd* | bsdi* | kopensolaris*-gnu | haiku* | freebsd7*], [
+ : ${LDSHARED='$(CC) -shared'}
+ if test "$rb_cv_binary_elf" = yes; then
+ LDFLAGS="$LDFLAGS -Wl,-export-dynamic"
+@@ -2262,7 +2262,6 @@
+ [freebsd*|dragonfly*], [
+ : ${LDSHARED='$(CC) -shared'}
+ if test "$rb_cv_binary_elf" = yes; then
+- LDFLAGS="$LDFLAGS -rdynamic"
+ DLDFLAGS="$DLDFLAGS "'-Wl,-soname,$@'
+ else
+ test "$GCC" = yes && test "$rb_cv_prog_gnu_ld" = yes || LDSHARED='$(LD) -Bshareable'
+@@ -2638,7 +2637,7 @@
+ [sunos4*], [
+ LIBRUBY_ALIASES='lib$(RUBY_SO_NAME).so.$(MAJOR).$(MINOR) lib$(RUBY_SO_NAME).so'
+ ],
+- [linux* | gnu* | k*bsd*-gnu | atheos* | kopensolaris*-gnu | haiku*], [
++ [linux* | gnu* | k*bsd*-gnu | atheos* | kopensolaris*-gnu | haiku* | freebsd7*], [
+ LIBRUBY_DLDFLAGS='-Wl,-soname,lib$(RUBY_SO_NAME).so.$(MAJOR).$(MINOR)'" $LDFLAGS_OPTDIR"
+ LIBRUBY_ALIASES='lib$(RUBY_SO_NAME).so.$(MAJOR).$(MINOR) lib$(RUBY_SO_NAME).so'
+ if test "$load_relative" = yes; then
diff --git a/patchsets/patches-2.3.4-r3/005_no-undefined-ext.patch b/patchsets/patches-2.3.4-r3/005_no-undefined-ext.patch
new file mode 100644
index 0000000..f279932
--- /dev/null
+++ b/patchsets/patches-2.3.4-r3/005_no-undefined-ext.patch
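Review bot: 004_gfbsd7.patch has no header explaining its intent, and its third configure.in hunk drops `LDFLAGS="$LDFLAGS -rdynamic"` for every `freebsd*|dragonfly*` target while only `freebsd7*` is routed into the branch that adds `-Wl,-export-dynamic`. Whether other FreeBSD and DragonFly ELF builds still export the interpreter's symbols to loaded extensions cannot be confirmed from these hunks. A short preamble in the style of 001_ia64.patch, for example `Bug: <bug URL>` followed by one sentence on why the flag is removed, would let the next maintainer judge whether the patch is still needed. 005_no-undefined-ext.patch has the same gap, and its `---`/`+++` paths still name `ruby-1.9.3-preview1`.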
@@ -0,0 +1,11 @@
+--- ruby-1.9.3-preview1.orig/configure.in
++++ ruby-1.9.3-preview1/configure.in
+@@ -2038,7 +2038,7 @@ if test "$with_dln_a_out" != yes; then
+ [linux* | gnu* | k*bsd*-gnu | netbsd* | bsdi* | kopensolaris*-gnu], [
+ : ${LDSHARED='$(CC) -shared'}
+ if test "$rb_cv_binary_elf" = yes; then
+- LDFLAGS="$LDFLAGS -Wl,-export-dynamic"
++ LDFLAGS="$LDFLAGS -Wl,-export-dynamic -Wl,--no-undefined"
+ fi
+ rb_cv_dlopen=yes],
+ [interix*], [ : ${LDSHARED='$(CC) -shared'}
diff --git a/patchsets/patches-2.3.4-r3/007-openssl-weakdh.patch b/patchsets/patches-2.3.4-r3/007-openssl-weakdh.patch
new file mode 100644
index 0000000..ca41065
--- /dev/null
+++ b/patchsets/patches-2.3.4-r3/007-openssl-weakdh.patch
@@ -0,0 +1,37 @@
+From 6dee08d14f7a8a51691b799592774e805d6f8707 Mon Sep 17 00:00:00 2001
+From: Tony Arcieri
+Date: Thu, 7 Jan 2016 11:02:31 -0800
+Subject: [PATCH] Remove 512-bit DH group
+
+512-bit DH keys are severely weak and have been implicated in recent attacks:
+
+https://weakdh.org/
+---
+ lib/openssl/pkey.rb | 8 --------
+
+diff --git a/lib/openssl/pkey.rb b/lib/openssl/pkey.rb
+index 3f65adad..89563b65 100644
+--- a/ext/openssl/lib/openssl/pkey.rb
++++ b/ext/openssl/lib/openssl/pkey.rb
+@@ -4,13 +4,6 @@ module PKey
+ if defined?(OpenSSL::PKey::DH)
+
+ class DH
+- DEFAULT_512 = new <<-_end_of_pem_
+------BEGIN DH PARAMETERS-----
+-MEYCQQD0zXHljRg/mJ9PYLACLv58Cd8VxBxxY7oEuCeURMiTqEhMym16rhhKgZG2
+-zk2O9uUIBIxSj+NKMURHGaFKyIvLAgEC
+------END DH PARAMETERS-----
+- _end_of_pem_
+-
+ DEFAULT_1024 = new <<-_end_of_pem_
+ -----BEGIN DH PARAMETERS-----
+ MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ
+@@ -23,7 +16,6 @@ class DH
+ DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen|
+ warn "using default DH parameters." if $VERBOSE
+ case keylen
+- when 512 then OpenSSL::PKey::DH::DEFAULT_512
+ when 1024 then OpenSSL::PKey::DH::DEFAULT_1024
+ else
+ nil
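Review bot: `DEFAULT_TMP_DH_CALLBACK` in the second pkey.rb hunk of 007-openssl-weakdh.patch still returns `DEFAULT_1024` and `nil` for every other key length, so the only built-in group left is a 1024-bit one, which the weakdh.org research cited in the patch header also treats as within reach of well-resourced attackers. The backport cannot change that without new parameters, but a comment above the callback would record it, for example `# 1024-bit is the only built-in group left; servers should set SSLContext#tmp_dh_callback with >= 2048-bit parameters`. Removing the constant also means any caller that references `OpenSSL::PKey::DH::DEFAULT_512` now fails with NameError, which deserves a line in the package changelog. The inner `diff --git` line names `lib/openssl/pkey.rb` while the `---`/`+++` lines name `ext/openssl/lib/openssl/pkey.rb`; `patch` follows the latter, but the header should be made consistent. The `class DH` body and the callback continue outside the hunks.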
diff --git a/patchsets/patches-2.3.4-r3/008-net-smtp-validation.patch b/patchsets/patches-2.3.4-r3/008-net-smtp-validation.patch
new file mode 100644
index 0000000..0b30c99
--- /dev/null
+++ b/patchsets/patches-2.3.4-r3/008-net-smtp-validation.patch
@@ -0,0 +1,39 @@
+From 0827a7e52ba3d957a634b063bf5a391239b9ffee Mon Sep 17 00:00:00 2001
+From: shugo
+Date: Wed, 8 Jun 2016 07:06:57 +0000
+Subject: [PATCH] * lib/net/smtp.rb (getok, get_response): raise an
+ ArgumentError when CR or LF is included in a line, because they are not
+ allowed in RFC5321.
+
+git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55324 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+---
+ lib/net/smtp.rb | 9 +++++++++
+
+diff --git a/lib/net/smtp.rb b/lib/net/smtp.rb
+index 250293bdbe21..a7130a593b40 100644
+--- a/lib/net/smtp.rb
++++ b/lib/net/smtp.rb
+@@ -926,7 +926,15 @@ def quit
+
+ private
+
++ def validate_line(line)
++ # A bare CR or LF is not allowed in RFC5321.
++ if /[\r\n]/ =~ line
++ raise ArgumentError, "A line must not contain CR or LF"
++ end
++ end
++
+ def getok(reqline)
++ validate_line reqline
+ res = critical {
+ @socket.writeline reqline
+ recv_response()
+@@ -936,6 +944,7 @@ def getok(reqline)
+ end
+
+ def get_response(reqline)
++ validate_line reqline
+ @socket.writeline reqline
+ recv_response()
+ end
diff --git a/patchsets/patches-2.3.4-r3/009_no-gems.patch b/patchsets/patches-2.3.4-r3/009_no-gems.patch
new file mode 100644
index 0000000..2da6b7d
--- /dev/null
+++ b/patchsets/patches-2.3.4-r3/009_no-gems.patch
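Review bot: `validate_line` in 008-net-smtp-validation.patch is wired into `getok` and `get_response` only, so the CR/LF rejection protects just the command lines that pass through those two methods; any other caller of `@socket.writeline` with caller-supplied text lies outside these hunks and should be checked when the backport is rebased. The comment `# A bare CR or LF is not allowed in RFC5321.` undersells the purpose, since the regexp `/[\r\n]/` rejects CRLF pairs as well as bare characters and the point of the check is that a sender or recipient string cannot carry a second command. I would reword it to `# Reject CR and LF so caller-supplied values cannot add extra SMTP commands (RFC 5321).`. The patch as added here touches lib/net/smtp.rb alone, so a regression test asserting that `getok` raises ArgumentError for a line containing a line break would be worth carrying with it.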
@@ -0,0 +1,95 @@
+--- tool/rbinstall.rb.~1~ 2017-03-27 17:18:38.000000000 +0200
++++ tool/rbinstall.rb 2017-03-30 07:38:53.437332083 +0200
+@@ -696,90 +696,11 @@
+ # :startdoc:
+
+ install?(:ext, :comm, :gem) do
+- gem_dir = Gem.default_dir
+- directories = Gem.ensure_gem_subdirectories(gem_dir, :mode => $dir_mode)
+- prepare "default gems", gem_dir, directories
+-
+- spec_dir = File.join(gem_dir, directories.grep(/^spec/)[0])
+- default_spec_dir = "#{spec_dir}/default"
+- makedirs(default_spec_dir)
+-
+- gems = {}
+-
+- Dir.glob(srcdir+"/{lib,ext}/**/*.gemspec").each do |src|
+- specgen = RbInstall::Specs::Reader.new(src)
+- gems[specgen.gemspec.name] ||= specgen
+- end
+-
+- gems.sort.each do |name, specgen|
+- gemspec = specgen.gemspec
+- full_name = "#{gemspec.name}-#{gemspec.version}"
+-
+- puts "#{" "*30}#{gemspec.name} #{gemspec.version}"
+- gemspec_path = File.join(default_spec_dir, "#{full_name}.gemspec")
+- open_for_install(gemspec_path, $data_mode) do
+- specgen.spec_source
+- end
+-
+- unless gemspec.executables.empty? then
+- bin_dir = File.join(gem_dir, 'gems', full_name, 'bin')
+- makedirs(bin_dir)
+-
+- execs = gemspec.executables.map {|exec| File.join(srcdir, 'bin', exec)}
+- install(execs, bin_dir, :mode => $script_mode)
+- end
+- end
++ # gems are unbundled in Gentoo
+ end
+
+ install?(:ext, :comm, :gem) do
+- gem_dir = Gem.default_dir
+- directories = Gem.ensure_gem_subdirectories(gem_dir, :mode => $dir_mode)
+- prepare "bundle gems", gem_dir, directories
+- install_dir = with_destdir(gem_dir)
+- installed_gems = {}
+- options = {
+- :install_dir => install_dir,
+- :bin_dir => with_destdir(bindir),
+- :domain => :local,
+- :ignore_dependencies => true,
+- :dir_mode => $dir_mode,
+- :data_mode => $data_mode,
+- :prog_mode => $prog_mode,
+- :wrappers => true,
+- :format_executable => true,
+- }
+- Gem::Specification.each_spec([srcdir+'/gems/*']) do |spec|
+- ins = RbInstall::UnpackedInstaller.new(spec, options)
+- puts "#{" "*30}#{spec.name} #{spec.version}"
+- ins.install
+- File.chmod($data_mode, File.join(install_dir, "specifications", "#{spec.full_name}.gemspec"))
+- installed_gems[spec.full_name] = true
+- end
+- installed_gems, gems = Dir.glob(srcdir+'/gems/*.gem').partition {|gem| installed_gems.key?(File.basename(gem, '.gem'))}
+- unless installed_gems.empty?
+- install installed_gems, gem_dir+"/cache"
+- end
+- next if gems.empty?
+- if defined?(Zlib)
+- Gem.instance_variable_set(:@ruby, with_destdir(File.join(bindir, ruby_install_name)))
+- gems.each do |gem|
+- begin
+- File.umask(022)
+- Gem.install(gem, Gem::Requirement.default, options)
+- ensure
+- File.umask(0222)
+- end
+- gemname = File.basename(gem)
+- puts "#{" "*30}#{gemname}"
+- end
+- # fix directory permissions
+- # TODO: Gem.install should accept :dir_mode option or something
+- File.chmod($dir_mode, *Dir.glob(install_dir+"/**/"))
+- # fix .gemspec permissions
+- File.chmod($data_mode, *Dir.glob(install_dir+"/specifications/*.gemspec"))
+- else
+- puts "skip installing bundle gems because of lacking zlib"
+- end
++ # gems are unbundled in Gentoo
+ end
+
+ parse_args()
-- cgit v1.2.3-65-gdbad