From 45067e752fccdf8a946ae9d6bd5897cfe57f3a71 Mon Sep 17 00:00:00 2001
From: Andreas Fuchs
Date: Fri, 7 Feb 2014 15:41:03 -0800
Subject: [PATCH] Install libyaml 0.1.5 for 2.x rubies also

This should plug the vulnerability to CVE-2013-6393 (and fix #504) that can still occur in certain systems: If the ruby build process couldn't find a libyaml that worked, it would build its own vendored libyaml, which was 0.1.4 (and is vulnerable). Instead, specify that the build always should install the latest libyaml & build against that.
---
 share/ruby-build/2.0.0-dev | 1 +
 share/ruby-build/2.0.0-p0 | 1 +
 share/ruby-build/2.0.0-p195 | 1 +
 share/ruby-build/2.0.0-p247 | 1 +
 share/ruby-build/2.0.0-p353 | 1 +
 share/ruby-build/2.0.0-preview2 | 1 +
 share/ruby-build/2.0.0-rc1 | 1 +
 share/ruby-build/2.0.0-rc2 | 1 +
 share/ruby-build/2.1.0 | 1 +
 share/ruby-build/2.1.0-dev | 1 +
 share/ruby-build/2.1.0-preview1 | 1 +
 share/ruby-build/2.1.0-preview2 | 1 +
 share/ruby-build/2.1.0-rc1 | 1 +
 13 files changed, 13 insertions(+)

diff --git a/share/ruby-build/2.0.0-dev b/share/ruby-build/2.0.0-dev
index 0729e7e1..294a8a40 100644
--- a/share/ruby-build/2.0.0-dev
+++ b/share/ruby-build/2.0.0-dev
@@ -1,2 +1,3 @@
+install_package "yaml-0.1.5" "http://pyyaml.org/download/libyaml/yaml-0.1.5.tar.gz#24f6093c1e840ca5df2eb09291a1dbf1" --if needs_yaml
 install_package "openssl-1.0.1e" "https://www.openssl.org/source/openssl-1.0.1e.tar.gz#66bf6f10f060d561929de96f9dfe5b8c" mac_openssl --if has_broken_mac_openssl
 install_git "ruby-2.0.0-dev" "https://github.com/ruby/ruby.git" "ruby_2_0_0" autoconf standard verify_openssl
diff --git a/share/ruby-build/2.0.0-p0 b/share/ruby-build/2.0.0-p0
index b5682c39..94956775 100644
--- a/share/ruby-build/2.0.0-p0
+++ b/share/ruby-build/2.0.0-p0
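Review bot: The added `install_package "yaml-0.1.5" … --if needs_yaml` line in `share/ruby-build/2.0.0-dev` is conditional, so it does not "always" install libyaml as the commit message says. `needs_yaml` is defined outside this patch, but if it returns false whenever a usable libyaml is already present, a host whose system libyaml is still 0.1.4 keeps building against the vulnerable copy. I would add a comment above the line, for example `# covers only the vendored-libyaml fallback; a system libyaml must be patched separately`, or have the predicate check the detected version. The tarball is also fetched over plain `http://` and checked only against the 32-hex-digit (MD5-length) digest in the URL fragment, so that digest is the sole integrity control on the download; an `https://` source and a stronger checksum would be preferable if `install_package` supports them. The same line is added in the other twelve definition files of this patch.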
@@ -1,2 +1,3 @@
+install_package "yaml-0.1.5" "http://pyyaml.org/download/libyaml/yaml-0.1.5.tar.gz#24f6093c1e840ca5df2eb09291a1dbf1" --if needs_yaml
 install_package "openssl-1.0.1e" "https://www.openssl.org/source/openssl-1.0.1e.tar.gz#66bf6f10f060d561929de96f9dfe5b8c" mac_openssl --if has_broken_mac_openssl
 install_package "ruby-2.0.0-p0" "http://cache.ruby-lang.org/pub/ruby/2.0/ruby-2.0.0-p0.tar.gz#50d307c4dc9297ae59952527be4e755d" standard verify_openssl
diff --git a/share/ruby-build/2.0.0-p195 b/share/ruby-build/2.0.0-p195
index 6a289206..031d811f 100644
--- a/share/ruby-build/2.0.0-p195
+++ b/share/ruby-build/2.0.0-p195
@@ -1,2 +1,3 @@
+install_package "yaml-0.1.5" "http://pyyaml.org/download/libyaml/yaml-0.1.5.tar.gz#24f6093c1e840ca5df2eb09291a1dbf1" --if needs_yaml
 install_package "openssl-1.0.1e" "https://www.openssl.org/source/openssl-1.0.1e.tar.gz#66bf6f10f060d561929de96f9dfe5b8c" mac_openssl --if has_broken_mac_openssl
 install_package "ruby-2.0.0-p195" "http://cache.ruby-lang.org/pub/ruby/2.0/ruby-2.0.0-p195.tar.gz#0672e5af309ae99d1703d0e96eff8ea5" standard verify_openssl
diff --git a/share/ruby-build/2.0.0-p247 b/share/ruby-build/2.0.0-p247
index 1c00e8f1..209ef5f3 100644
--- a/share/ruby-build/2.0.0-p247
+++ b/share/ruby-build/2.0.0-p247
@@ -1,2 +1,3 @@
+install_package "yaml-0.1.5" "http://pyyaml.org/download/libyaml/yaml-0.1.5.tar.gz#24f6093c1e840ca5df2eb09291a1dbf1" --if needs_yaml
 install_package "openssl-1.0.1e" "https://www.openssl.org/source/openssl-1.0.1e.tar.gz#66bf6f10f060d561929de96f9dfe5b8c" mac_openssl --if has_broken_mac_openssl
 install_package "ruby-2.0.0-p247" "http://cache.ruby-lang.org/pub/ruby/2.0/ruby-2.0.0-p247.tar.gz#c351450a0bed670e0f5ca07da3458a5b" standard verify_openssl
diff --git a/share/ruby-build/2.0.0-p353 b/share/ruby-build/2.0.0-p353
index 5c3fedc3..47d787c6 100644
--- a/share/ruby-build/2.0.0-p353
+++ b/share/ruby-build/2.0.0-p353
@@ -1,2 +1,3 @@
+install_package "yaml-0.1.5" "http://pyyaml.org/download/libyaml/yaml-0.1.5.tar.gz#24f6093c1e840ca5df2eb09291a1dbf1" --if needs_yaml
 install_package "openssl-1.0.1e" "https://www.openssl.org/source/openssl-1.0.1e.tar.gz#66bf6f10f060d561929de96f9dfe5b8c" mac_openssl --if has_broken_mac_openssl
 install_package "ruby-2.0.0-p353" "http://cache.ruby-lang.org/pub/ruby/2.0/ruby-2.0.0-p353.tar.gz#78282433fb697dd3613613ff55d734c1" standard verify_openssl
diff --git a/share/ruby-build/2.0.0-preview2 b/share/ruby-build/2.0.0-preview2
index 7f1eb46c..226f9df3 100644
--- a/share/ruby-build/2.0.0-preview2
+++ b/share/ruby-build/2.0.0-preview2
@@ -1,2 +1,3 @@
+install_package "yaml-0.1.5" "http://pyyaml.org/download/libyaml/yaml-0.1.5.tar.gz#24f6093c1e840ca5df2eb09291a1dbf1" --if needs_yaml
 install_package "openssl-1.0.1e" "https://www.openssl.org/source/openssl-1.0.1e.tar.gz#66bf6f10f060d561929de96f9dfe5b8c" mac_openssl --if has_broken_mac_openssl
 install_package "ruby-2.0.0-preview2" "http://cache.ruby-lang.org/pub/ruby/2.0/ruby-2.0.0-preview2.tar.gz#eaddcbf63dc775708de45c7a81ab54b9" standard verify_openssl
diff --git a/share/ruby-build/2.0.0-rc1 b/share/ruby-build/2.0.0-rc1
index a0910cee..581d0628 100644
--- a/share/ruby-build/2.0.0-rc1
+++ b/share/ruby-build/2.0.0-rc1
@@ -1,2 +1,3 @@
+install_package "yaml-0.1.5" "http://pyyaml.org/download/libyaml/yaml-0.1.5.tar.gz#24f6093c1e840ca5df2eb09291a1dbf1" --if needs_yaml
 install_package "openssl-1.0.1e" "https://www.openssl.org/source/openssl-1.0.1e.tar.gz#66bf6f10f060d561929de96f9dfe5b8c" mac_openssl --if has_broken_mac_openssl
 install_package "ruby-2.0.0-rc1" "http://cache.ruby-lang.org/pub/ruby/2.0/ruby-2.0.0-rc1.tar.gz#7d587dde85e0edf7a2e4f6783e6c0e2e" standard verify_openssl
diff --git a/share/ruby-build/2.0.0-rc2 b/share/ruby-build/2.0.0-rc2
index 1d1c3efa..b2ca1610 100644
--- a/share/ruby-build/2.0.0-rc2
+++ b/share/ruby-build/2.0.0-rc2
@@ -1,2 +1,3 @@
+install_package "yaml-0.1.5" "http://pyyaml.org/download/libyaml/yaml-0.1.5.tar.gz#24f6093c1e840ca5df2eb09291a1dbf1" --if needs_yaml
 install_package "openssl-1.0.1e" "https://www.openssl.org/source/openssl-1.0.1e.tar.gz#66bf6f10f060d561929de96f9dfe5b8c" mac_openssl --if has_broken_mac_openssl
 install_package "ruby-2.0.0-rc2" "http://cache.ruby-lang.org/pub/ruby/2.0/ruby-2.0.0-rc2.tar.gz#9d5e6f26db7c8c3ddefc81fdb19bd41a" standard verify_openssl
diff --git a/share/ruby-build/2.1.0 b/share/ruby-build/2.1.0
index 50fc914a..97cbe616 100644
--- a/share/ruby-build/2.1.0
+++ b/share/ruby-build/2.1.0
@@ -1,2 +1,3 @@
+install_package "yaml-0.1.5" "http://pyyaml.org/download/libyaml/yaml-0.1.5.tar.gz#24f6093c1e840ca5df2eb09291a1dbf1" --if needs_yaml
 install_package "openssl-1.0.1e" "https://www.openssl.org/source/openssl-1.0.1e.tar.gz#66bf6f10f060d561929de96f9dfe5b8c" mac_openssl --if has_broken_mac_openssl
 install_package "ruby-2.1.0" "http://cache.ruby-lang.org/pub/ruby/2.1/ruby-2.1.0.tar.gz#9e6386d53f5200a3e7069107405b93f7" ldflags_dirs standard verify_openssl
diff --git a/share/ruby-build/2.1.0-dev b/share/ruby-build/2.1.0-dev
index a928605e..c8b551e8 100644
--- a/share/ruby-build/2.1.0-dev
+++ b/share/ruby-build/2.1.0-dev
@@ -1,2 +1,3 @@
+install_package "yaml-0.1.5" "http://pyyaml.org/download/libyaml/yaml-0.1.5.tar.gz#24f6093c1e840ca5df2eb09291a1dbf1" --if needs_yaml
 install_package "openssl-1.0.1e" "https://www.openssl.org/source/openssl-1.0.1e.tar.gz#66bf6f10f060d561929de96f9dfe5b8c" mac_openssl --if has_broken_mac_openssl
 install_git "ruby-2.1.0-dev" "https://github.com/ruby/ruby.git" "ruby_2_1" ldflags_dirs autoconf standard verify_openssl
diff --git a/share/ruby-build/2.1.0-preview1 b/share/ruby-build/2.1.0-preview1
index dec68511..969a37ce 100644
--- a/share/ruby-build/2.1.0-preview1
+++ b/share/ruby-build/2.1.0-preview1
@@ -1,2 +1,3 @@
+install_package "yaml-0.1.5" "http://pyyaml.org/download/libyaml/yaml-0.1.5.tar.gz#24f6093c1e840ca5df2eb09291a1dbf1" --if needs_yaml
 install_package "openssl-1.0.1e" "https://www.openssl.org/source/openssl-1.0.1e.tar.gz#66bf6f10f060d561929de96f9dfe5b8c" mac_openssl --if has_broken_mac_openssl
 install_package "ruby-2.1.0-preview1" "http://cache.ruby-lang.org/pub/ruby/2.1/ruby-2.1.0-preview1.tar.gz#9df4f546f6b961895ba58a8afdf857da" standard verify_openssl
diff --git a/share/ruby-build/2.1.0-preview2 b/share/ruby-build/2.1.0-preview2
index e94f8589..c67f92ff 100644
--- a/share/ruby-build/2.1.0-preview2
+++ b/share/ruby-build/2.1.0-preview2
@@ -1,2 +1,3 @@
+install_package "yaml-0.1.5" "http://pyyaml.org/download/libyaml/yaml-0.1.5.tar.gz#24f6093c1e840ca5df2eb09291a1dbf1" --if needs_yaml
 install_package "openssl-1.0.1e" "https://www.openssl.org/source/openssl-1.0.1e.tar.gz#66bf6f10f060d561929de96f9dfe5b8c" mac_openssl --if has_broken_mac_openssl
 install_package "ruby-2.1.0-preview2" "http://cache.ruby-lang.org/pub/ruby/2.1/ruby-2.1.0-preview2.tar.gz#ba2b95d174e156b417a4d580a452eaf5" ldflags_dirs standard verify_openssl
diff --git a/share/ruby-build/2.1.0-rc1 b/share/ruby-build/2.1.0-rc1
index 18ecf336..6c2f8655 100644
--- a/share/ruby-build/2.1.0-rc1
+++ b/share/ruby-build/2.1.0-rc1
@@ -1,2 +1,3 @@
+install_package "yaml-0.1.5" "http://pyyaml.org/download/libyaml/yaml-0.1.5.tar.gz#24f6093c1e840ca5df2eb09291a1dbf1" --if needs_yaml
 install_package "openssl-1.0.1e" "https://www.openssl.org/source/openssl-1.0.1e.tar.gz#66bf6f10f060d561929de96f9dfe5b8c" mac_openssl --if has_broken_mac_openssl
 install_package "ruby-2.1.0-rc1" "http://cache.ruby-lang.org/pub/ruby/2.1/ruby-2.1.0-rc1.tar.gz#a16561f64d78a902fab08693a300df98" ldflags_dirs standard verify_openssl