- 17 Apr, 2019 1 commit
-
-
ruby2.3 (2.3.3-1+deb9u6) stretch-security; urgency=medium

  * CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324
  * CVE-2019-8325
-
- 25 Feb, 2019 1 commit
-
-
Antonio Terceiro authored
Some tests in there can fail unpredictably on buildds (Closes: #912740)
-
- 24 Feb, 2019 4 commits
-
-
Antonio Terceiro authored
-
* test/ruby/test_time_tz.rb (gen_zdump_test): fix the expected data at the Kiritimati's skip of New Year's Eve 1994. [Bug #14655] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63055 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-
* test/ruby/test_time_tz.rb (TestTimeTZ#test_pacific_kiritimati): fix the expected data at the skip of New Year's Eve 1994. [Bug #14655] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63054 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-
Antonio Terceiro authored
Backport of upstream commit e71ca6cdcf108e6a2fa47ec9fadefe7554717908 Author: Nobuyoshi Nakada (nobu)
-
- 23 Feb, 2019 2 commits
-
-
Antonio Terceiro authored
-
Antonio Terceiro authored
This is a backport of the corresponding change in ruby2.5, where the corresponding files were copied here. The new test files were copied from the ones provided by the following upstream commits:
https://github.com/ruby/ruby/commit/f234e6c3d3170f37508e214cdaef78d4b2584e5a
https://github.com/ruby/ruby/commit/1e0b49a293d3792826c67b7e05c5fcbd09c9ea6e

Closes: #919999
-
- 31 Oct, 2018 1 commit
-
-
Antonio Terceiro authored
Closes !2
-
- 30 Oct, 2018 4 commits
-
-
Salvatore Bonaccorso authored
Gbp-Dch: Ignore
-
Salvatore Bonaccorso authored
Gbp-Dch: Ignore
-
* pack.c (pack_pack, pack_unpack_internal): infect taint flag. * test/ruby/test_pack.rb: add test for above. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@65125 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-
Fix unpacking with 'b', 'B', 'h' and 'H' format. Do not return an uninitialized String to Ruby before filling the content bytes. Fixes r11175 ("pack.c (pack_unpack): execute block if given with unpacked value instead of creating an array", 2006-10-15). [ruby-core:78841] [Bug #13075] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57187 b2dd03c8-39d4-4d8f-98ff-823fe69b080e [carnil: From the upstream commit b65b41861f590ae14ec932e323337923ce12ca18 (r57187) add the full tests for test_unpack_with_block]
-
- 28 Oct, 2018 1 commit
-
-
Fix wrong use of X509_NAME_cmp() return value. OpenSSL::X509::Name#<=> could return 0 when the two objects aren't identical. Reported by Tyler Eckstein. CVE-2018-16395. Reference: https://hackerone.com/reports/387250
-
- 20 Jul, 2018 1 commit
-
-
Santiago R.R. authored
Signed-off-by: Santiago R.R <santiagorr@riseup.net>
-
- 19 Jul, 2018 1 commit
-
-
debian/tests/excludes/any/TestTimeTZ.rb: ignore tests failing due to assumptions that don't hold on newer tzdata update.
Upstream bug: https://bugs.ruby-lang.org/issues/14655
Origin: backported, b18e5cbf
Reviewed-by: Santiago R.R. <santiagorr@riseup.net>
Signed-off-by: Santiago R.R <santiagorr@riseup.net>
-
- 15 May, 2018 3 commits
-
-
Santiago R.R. authored
Gbp-Dch: Ignore
Signed-off-by: Santiago R.R <santiagorr@riseup.net>
-
Santiago R.R. authored
Gbp-Dch: Ignore
Signed-off-by: Santiago R.R <santiagorr@riseup.net>
-
Santiago R.R. authored
Closes: #898694
Signed-off-by: Santiago R.R <santiagorr@riseup.net>
-
- 25 Apr, 2018 15 commits
-
-
Antonio Terceiro authored
-
test/net/ftp/test_ftp.rb (process_port_or_eprt): merge a part of r56973 to pass the test introduced at previous commit.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@61251 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Origin: upstream, commit 3ec034c597e6d40543bb844dc8f96645bef4bed2
Reviewed-by: Antonio Terceiro <terceiro@debian.org>
Signed-off-by: Antonio Terceiro <terceiro@debian.org>
-
Using ^ and $ in regexps means we can accidentally get fooled by "%0a" in HTTP request paths being decoded to newline characters. Use \A and \z to match beginning and end-of-string respectively, instead. Thanks to mame and hsbt for reporting.

* lib/webrick/httpserver.rb (MountTable#compile): use \A and \z instead of ^ and $
* lib/webrick/httpserver.rb (MountTable#normalize): use \z instead of $
* test/webrick/test_httpserver.rb (test_cntrl_in_path): new test

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@61241 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Origin: upstream, ccbe964c1f5ecb54a21473bd27f255ee12120fdf
Reviewed-by: Santiago R.R <santiagorr@riseup.net>
Signed-off-by: Santiago R.R <santiagorr@riseup.net>
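An added illustration of the anchor change described in the commit above; this is not code from the ruby2.3 package or from WEBrick itself. The scanner helpers, the mount point and the request paths are constructed to show why a mount table built with ^ and $ behaves differently from one built with \A and \z once a decoded "%0a" puts a newline inside the path.

```ruby
# Added example, not from the WEBrick commit. In Ruby regexps ^ and $ are
# line anchors, so a path containing a raw newline has more than one
# "line" for them to match at; \A and \z only match at the ends of the
# whole string.

# Build a one-entry mount-table scanner in the pre-fix style (line anchors).
def line_anchored_scanner(mount)
  /^(#{Regexp.escape(mount)})(?=\/|$)/
end

# Same scanner in the post-fix style (string anchors).
def string_anchored_scanner(mount)
  /\A(#{Regexp.escape(mount)})(?=\/|\z)/
end

# Return [script_name, path_info] the way a mount table would, or nil
# when the path does not start at the mount point.
def scan(scanner, path)
  m = scanner.match(path)
  m ? [m.to_s, m.post_match] : nil
end

MOUNT = "/private"  # constructed mount point

# Constructed request paths: an ordinary one, and one where a "%0a" has
# been decoded into a newline ahead of the mount point.
NORMAL  = "/private/report"
CONTROL = "/public/index.html\n/private/report"

def demo
  {
    line_normal:    scan(line_anchored_scanner(MOUNT), NORMAL),
    line_control:   scan(line_anchored_scanner(MOUNT), CONTROL),
    string_normal:  scan(string_anchored_scanner(MOUNT), NORMAL),
    string_control: scan(string_anchored_scanner(MOUNT), CONTROL),
  }
end

if __FILE__ == $0
  demo.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

With line anchors the second path is routed to the /private mount even though the string begins with /public; with string anchors it is not matched at all.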
-
* lib/webrick/httpresponse.rb (send_body): call send_body_proc
  (send_body_proc): new method
  (class ChunkedWrapper): new class
* test/webrick/test_httpresponse.rb (test_send_body_proc): new test
  (test_send_body_proc_chunked): ditto
[Feature #855]

webrick: favor .write over << method

This will make the next change to use IO.copy_stream easier-to-read. When we can drop Ruby 2.4 support in a few years, this will allow us to use writev(2) with multiple arguments for headers and chunked responses.

* lib/webrick/cgi.rb (write): new wrapper method
  lib/webrick/httpresponse.rb: (send_header): use socket.write
  (send_body_io): ditto
  (send_body_string): ditto
  (send_body_proc): ditto
  (_write_data): ditto
  (ChunkedWrapper#write): ditto
  (_send_file): ditto

------------------------------------------------------------------------
r62954 | normal | 2018-03-28 17:05:52 +0900 (水, 28 3 2018) | 14 lines

webrick/httpresponse: IO.copy_stream for regular files

Remove the redundant _send_file method since its functionality is unnecessary with IO.copy_stream. IO.copy_stream also allows the use of sendfile under some OSes to speed up copies to non-TLS sockets.

Testing with "curl >/dev/null" and "ruby -run -e httpd" to read a 1G file over Linux loopback reveals a reduction from around ~0.770 to ~0.490 seconds on the client side.

* lib/webrick/httpresponse.rb (send_body_io): use IO.copy_stream
  (_send_file): remove
[Feature #14237]

------------------------------------------------------------------------
r62955 | normal | 2018-03-28 17:05:57 +0900 (水, 28 3 2018) | 10 lines

webrick: use IO.copy_stream for single range response

This is also compatible with range responses generated by Rack::File (tested with rack 2.0.3).

* lib/webrick/httpresponse.rb (send_body_io): use Content-Range
* lib/webrick/httpservlet/filehandler.rb (make_partial_content): use File object for the single range case
* test/webrick/test_filehandler.rb (get_res_body): use send_body to test result

------------------------------------------------------------------------
r62956 | normal | 2018-03-28 17:06:02 +0900 (水, 28 3 2018) | 7 lines

test/webrick/test_filehandler.rb: stricter multipart range test

We need to ensure we generate compatible output in the face of future changes

* test/webrick/test_filehandler.rb (test_make_partial_content): check response body

------------------------------------------------------------------------
r62957 | normal | 2018-03-28 17:06:08 +0900 (水, 28 3 2018) | 8 lines

webrick: quiet warning for multi-part ranges

Content-Length is ignored by WEBrick::HTTPResponse even if we calculate it, so instead we chunk responses to HTTP/1.1 clients and terminate HTTP/1.0 connections.

* lib/webrick/httpservlet/filehandler.rb (make_partial_content): quiet warning

------------------------------------------------------------------------
r62958 | normal | 2018-03-28 17:06:13 +0900 (水, 28 3 2018) | 7 lines

webrick/httpresponse: make ChunkedWrapper copy_stream-compatible

The .write method needs to return the number of bytes written to avoid confusing IO.copy_stream.

* lib/webrick/httpresponse.rb (ChunkedWrapper#write): return bytes written
  (ChunkedWrapper#<<): return self

------------------------------------------------------------------------
r62959 | normal | 2018-03-28 17:06:18 +0900 (水, 28 3 2018) | 9 lines

webrick: use IO.copy_stream for multipart response

Use the new Proc response body feature to generate a multipart range response dynamically. We use a flat array to minimize object overhead as much as possible; as many ranges may fit into an HTTP request header.

* lib/webrick/httpservlet/filehandler.rb (multipart_body): new method
  (make_partial_content): use multipart_body

get rid of test error/failure on Windows introduced at r62955

* lib/webrick/httpresponse.rb (send_body_io): use seek if NotImplementedError is raised in IO.copy_stream with offset.
* lib/webrick/httpservlet/filehandler.rb (multipart_body): ditto.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@63014 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Origin: upstream, https://github.com/ruby/ruby/commit/d32a6d37fe32beffd44e95dd062513cabcc86acb
Reviewed-by: Santiago R.R <santiagorr@riseup.net>
Signed-off-by: Santiago R.R <santiagorr@riseup.net>
-
* ext/socket/unixsocket.c (unixsock_path_value): fix r62991 for Linux abstract namespace.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@63005 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Origin: upstream, https://github.com/ruby/ruby/commit/32c00d78a6e94203507bfa57a60ab5a005af6d7b
Reviewed-by: Santiago R.R <santiagorr@riseup.net>
Signed-off-by: Santiago R.R <santiagorr@riseup.net>
-
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
Backported-by: Antonio Terceiro <terceiro@debian.org>
Backported-by: Santiago R.R. <santiago@riseup.net>

See https://bugs.ruby-lang.org/issues/14438

This is a backport of the following two commits from Ruby upstream:

test_time_tz.rb: past Japanese DST tzdata fix
* test/ruby/test_time_tz.rb (TestTimeTZ#test_asia_tokyo): follow the tzdata 2018 fix of Japanese DST transitions (1948-1951). [ruby-core:85373] [Bug #14438]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62506 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

test_time_tz.rb: past Japanese DST tzdata fix
* test/ruby/test_time_tz.rb (TestTimeTZ#test_asia_tokyo): fix the expected data at the end of DST. [Bug #14438]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62508 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 test/ruby/test_time_tz.rb | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

Origin: debian, e4c663ef
Bug-Debian: #889117
Signed-off-by: Santiago R.R <santiagorr@riseup.net>
-
* pack.c (pack_unpack_internal): get rid of underflow. https://hackerone.com/reports/298246
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@62997 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Origin: upstream, https://github.com/ruby/ruby/commit/b9121fe7602a560c4fee9ab353a7f57a3988ec73
Description: Fix CVE-2018-8778: Buffer under-read in String#unpack
Reviewed-by: Santiago R.R <santiagorr@riseup.net>
Signed-off-by: Santiago R.R <santiagorr@riseup.net>
-
* ext/socket/unixsocket.c (rsock_init_unixsock): check NUL bytes. https://hackerone.com/reports/302997
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@62996 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Origin: upstream, https://github.com/ruby/ruby/commit/634232aab57007bbad5c4bad0147d5c965f01d25
Description: Fix CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
Reviewed-by: Santiago R.R <santiagorr@riseup.net>
Signed-off-by: Santiago R.R <santiagorr@riseup.net>
-
From: SHIBATA Hiroshi <hsbt@ruby-lang.org>
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@62995 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Origin: upstream: https://github.com/ruby/ruby/commit/a606704e84b1491ea3e490746171c4f882b683e9
Description: Fix CVE-2018-6914: directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library
Reviewed-by: Santiago R.R <santiagorr@riseup.net>
Signed-off-by: Santiago R.R <santiagorr@riseup.net>
-
CVE-2018-1000073: Prevent Path Traversal issue during gem installation.
CVE-2018-1000074: Fix possible Unsafe Object Deserialization Vulnerability in gem owner.
CVE-2018-1000075: Strictly interpret octal fields in tar headers.
CVE-2018-1000076: Raise a security error when there are duplicate files in a package.
CVE-2018-1000077: Enforce URL validation on spec homepage attribute.
CVE-2018-1000078: Mitigate XSS vulnerability in homepage attribute when displayed via gem server.
CVE-2018-1000079: Prevent path traversal when writing to a symlinked basedir outside of the root.

Origin: upstream, https://bugs.ruby-lang.org/attachments/download/7029/rubygems-276-for-ruby23.patch
Reviewed-by: Santiago R.R <santiagorr@riseup.net>
Signed-off-by: Santiago R.R <santiagorr@riseup.net>
-
* dir.c (GlobPathValue): should be used in rb_push_glob only. other methods should use FilePathValue. https://hackerone.com/reports/302338
* dir.c (rb_push_glob): expand GlobPathValue
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@62994 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Origin: upstream, https://github.com/ruby/ruby/commit/89133fafe70c7a3b5d04cf2be028e1eacc6e0447
Description: Fix CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
Reviewed-by: Santiago R.R <santiagorr@riseup.net>
Signed-off-by: Santiago R.R <santiagorr@riseup.net>
-
* resolv.rb (Resolv::Hosts#lazy_initialize): fixed potential command Injection in Hosts::new() by use of Kernel#open. [Fix GH-1777] [ruby-core:84347] [Bug #14205]
From: Drigg3r <drigg3r@yandex.com>
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@61349 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Origin: upstream, https://github.com/ruby/ruby/commit/e7464561b5151501beb356fc750d5dd1a88014f7
Description: Fix CVE-2017-17790: Command Injection in Hosts::new() by use of Kernel#open.
Reviewed-by: Santiago R.R <santiagorr@riseup.net>
Signed-off-by: Santiago R.R <santiagorr@riseup.net>
-
Original patch by tenderlove (with minor style adjustments).

* lib/webrick/httpresponse.rb (send_header): call check_header
  (check_header): raise on embedded CRLF in header value
* test/webrick/test_httpresponse.rb (test_prevent_response_splitting_headers): new test
* (test_prevent_response_splitting_cookie_headers): ditto

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@62987 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Origin: upstream, https://github.com/ruby/ruby/commit/eb2aca18dcb4baccf0de494f53fed4ec68e9af27
Description: Fix CVE-2017-17742: HTTP response splitting in WEBrick
Reviewed-by: Santiago R.R <santiagorr@riseup.net>
Signed-off-by: Santiago R.R <santiagorr@riseup.net>
-
Use the new Proc response body feature to generate a multipart range response dynamically. We use a flat array to minimize object overhead as much as possible; as many ranges may fit into an HTTP request header.

* lib/webrick/httpservlet/filehandler.rb (multipart_body): new method
  (make_partial_content): use multipart_body

------------------------------------------------------------------------
r62960 | normal | 2018-03-28 17:06:23 +0900 (水, 28 3 2018) | 13 lines

webrick/httprequest: limit request headers size

We use the same 112 KB limit started (AFAIK) by Mongrel, Thin, and Puma to prevent malicious users from using up all the memory with a single request. This also limits the damage done by excessive ranges in multipart Range: requests.

Due to the way we rely on IO#gets and the desire to keep the code simple, the actual maximum header may be 4093 bytes larger than 112 KB, but we're splitting hairs at that point.

* lib/webrick/httprequest.rb: define MAX_HEADER_LENGTH
  (read_header): raise when headers exceed max length

------------------------------------------------------------------------
r62961 | normal | 2018-03-28 17:06:28 +0900 (水, 28 3 2018) | 9 lines

webrick/httpservlet/cgihandler: reduce memory use

WEBrick::HTTPRequest#body can be passed a block to process the body in chunks. Use this feature to avoid building a giant string in memory.

* lib/webrick/httpservlet/cgihandler.rb (do_GET): avoid reading entire request body into memory (do_POST is aliased to do_GET, so it handles bodies)

------------------------------------------------------------------------
r62962 | normal | 2018-03-28 17:06:34 +0900 (水, 28 3 2018) | 7 lines

webrick/httprequest: raise correct exception

"BadRequest" alone does not resolve correctly, it is in the HTTPStatus namespace.

* lib/webrick/httprequest.rb (read_chunked): use correct exception
* test/webrick/test_httpserver.rb (test_eof_in_chunk): new test

------------------------------------------------------------------------
r62963 | normal | 2018-03-28 17:06:39 +0900 (水, 28 3 2018) | 9 lines

webrick/httprequest: use InputBufferSize for chunked requests

While WEBrick::HTTPRequest#body provides a Proc interface for streaming large request bodies, clients must not force the server to use an excessively large chunk size.

* lib/webrick/httprequest.rb (read_chunk_size): limit each read and block.call to :InputBufferSize in config.
* test/webrick/test_httpserver.rb (test_big_chunks): new test

------------------------------------------------------------------------
r62964 | normal | 2018-03-28 17:06:44 +0900 (水, 28 3 2018) | 9 lines

webrick: add test for Digest auth-int

No changes to the actual code, this is a new test for a feature for which no tests existed. I don't understand the Digest authentication code well at all, but this is necessary for the subsequent change.

* test/webrick/test_httpauth.rb (test_digest_auth_int): new test
  (credentials_for_request): support bodies with POST

------------------------------------------------------------------------
r62965 | normal | 2018-03-28 17:06:49 +0900 (水, 28 3 2018) | 18 lines

webrick/httpauth/digestauth: stream req.body

WARNING! WARNING! WARNING! LIKELY BROKEN CHANGE

Pass a proc to WEBrick::HTTPRequest#body to avoid reading a potentially large request body into memory during authentication.

WARNING! this will break apps completely which want to do something with the body besides calculating the MD5 digest of it.

Also, keep in mind that probably nobody uses "auth-int". Servers such as Apache, lighttpd, nginx don't seem to support it; nor does curl when using POST/PUT bodies; and we didn't have tests for it until now...

* lib/webrick/httpauth/digestauth.rb (_authenticate): stream req.body

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@62970 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Origin: upstream, https://github.com/ruby/ruby/commit/694697e3f2cdfe7b63c46b64d74cc8c2642c047b
Description: Required changes in WEBrick to fix CVE-2017-17742 and CVE-2018-8777
Reviewed-by: Santiago R.R <santiagorr@riseup.net>
Signed-off-by: Santiago R.R <santiagorr@riseup.net>
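An added example of the header-size cap that r62960 above introduces (limit request headers size); it is not WEBrick's own read_header and the helper names, exception class and sample requests are constructed. It reads header lines with IO#gets the way the commit describes, stops at the blank line, and raises once the accumulated bytes pass the 112 KB limit, which also shows the overshoot the commit mentions: the check fires only after the line that crossed the limit has been read.

```ruby
require 'stringio'

# Added example, not WEBrick code. 112 KB is the limit cited in r62960.
MAX_HEADER_LENGTH = 112 * 1024

# Constructed stand-in for the HTTP 4xx status WEBrick would raise.
class RequestHeadersTooLarge < StandardError; end

# Read request header lines from +io+ up to and including the blank line
# that ends the header block. Returns the header lines without their line
# terminators. Because each read is an IO#gets, the bytes counted can
# exceed +max+ by up to one line before the check fires, which is the
# same "splitting hairs" overshoot the commit message describes.
def read_header(io, max = MAX_HEADER_LENGTH)
  total = 0
  lines = []
  while (line = io.gets)
    total += line.bytesize
    if total > max
      raise RequestHeadersTooLarge, "request headers exceed #{max} bytes"
    end
    break if line == "\r\n" || line == "\n"
    lines << line.chomp
  end
  lines
end

# Constructed sample requests. The header block ends at the first empty
# line; anything after it (the body) must be left unread on the stream.
SMALL_REQUEST = "GET / HTTP/1.1\r\nHost: example.test\r\n" \
                "Range: bytes=0-99\r\n\r\nbody-bytes"

# One oversized header value pushes the total past the 112 KB limit.
HUGE_REQUEST = "GET / HTTP/1.1\r\nHost: example.test\r\n" \
               "Range: bytes=#{'0-1,' * 40_000}\r\n\r\n"

# Parse the small request and report the lines plus the unread remainder.
def small_request_result
  io = StringIO.new(SMALL_REQUEST)
  headers = read_header(io)
  [headers, io.read]
end

# Return true when the oversized request is rejected by the size check.
def huge_request_rejected?
  read_header(StringIO.new(HUGE_REQUEST))
  false
rescue RequestHeadersTooLarge
  true
end

if __FILE__ == $0
  p small_request_result
  p huge_request_rejected?
end
```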
-
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@61248 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Description: Fix CVE-2017-17405: Command injection vulnerability in Net::FTP.
Origin: upstream, 1cfe43fd85c66a9e2b5068480b3e043c31e6b8ca
Reviewed-by: Santiago R.R <santiagorr@riseup.net>
Signed-off-by: Santiago R.R <santiagorr@riseup.net>
-
- 23 Oct, 2017 1 commit
-
-
Antonio Terceiro authored
-
- 22 Oct, 2017 5 commits
-
-
Antonio Terceiro authored
-
* thread_pthread.c (rb_thread_wakeup_timer_thread): check ownership before incrementing
  (rb_thread_wakeup_timer_thread_low): ditto
[Bug #13794] [ruby-core:83064]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@60079 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
------------------------------------------------------------------------
Source: https://bugs.ruby-lang.org/issues/13794
Backport-by: Antonio Terceiro <terceiro@debian.org>
Closes: #876377
-
This patch adds a method for loading YAML specs from a gem and whitelists classes and symbols that are allowed in the spec. Then it changes calls to YAML.load to call the whitelisted "safe" loader instead.
------------------------------------------------------------------------
Backport-by: Antonio Terceiro <terceiro@debian.org>
Source: https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49
Closes: #879231
-
merge revision(s) 58453,58454: [Backport #13499]

Fix space flag when Inf/NaN and width==3
* sprintf.c (rb_str_format): while `"% 2f"` and `"% 4f"` result in `" Inf"` and `" Inf"` respectively, `"% 3f"` results in `"Inf"` (no space).

Refactor "%f" % Inf/NaN
* sprintf.c (rb_str_format): as for non-finite float, calculate the exact needed size with the space flag.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59218 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
------------------------------------------------------------------------
Source: https://bugs.ruby-lang.org/issues/13499
Backport-by: Antonio Terceiro
Closes: #875936
-
It had failed to sanitize some type of exception messages. Reported and patched by Yusuke Endoh (mame) at https://hackerone.com/reports/223363
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@59897 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
------------------------------------------------------------------------
Source: https://github.com/ruby/ruby/commit/6617c41292b7d1e097abb8fdb0cab9ddd83c77e7
Backport-by: Antonio Terceiro <terceiro@debian.org>
Closes: #875931
-