Bug #15637

closed

Backport RubyGems 3.0.3/2.7.9

Added by hsbt (Hiroshi SHIBATA) about 5 years ago. Updated almost 5 years ago.

Status:
Closed
Assignee:
-
Target version:
-
[ruby-core:91665]

Description

I released RubyGems 3.0.3 and 2.7.9 today. They contain multiple vulnerability fixes.

I attached the patches for Ruby 2.4, 2.5 and 2.6.


Files

ruby-2.4.5-rubygems.patch (12.4 KB) ruby-2.4.5-rubygems.patch hsbt (Hiroshi SHIBATA), 03/04/2019 11:57 PM
ruby-2.5.3-rubygems.patch (12.4 KB) ruby-2.5.3-rubygems.patch hsbt (Hiroshi SHIBATA), 03/04/2019 11:57 PM
ruby-2.6.1-rubygems.patch (17.6 KB) ruby-2.6.1-rubygems.patch hsbt (Hiroshi SHIBATA), 03/04/2019 11:57 PM
ruby-2.4.5-rubygems-v2.patch (12.5 KB) ruby-2.4.5-rubygems-v2.patch hsbt (Hiroshi SHIBATA), 03/06/2019 05:03 AM
ruby-2.5.3-rubygems-v2.patch (12.5 KB) ruby-2.5.3-rubygems-v2.patch hsbt (Hiroshi SHIBATA), 03/06/2019 05:03 AM
ruby-2.6.1-rubygems-v2.patch (17.7 KB) ruby-2.6.1-rubygems-v2.patch hsbt (Hiroshi SHIBATA), 03/06/2019 05:03 AM

Updated by duerst (Martin Dürst) about 5 years ago

It says "They contain multiple vulnerabilities.". I hope the intent was to write something like "They fix multiple vulnerabilities." or "They contain multiple vulnerability fixes.".

Updated by hsbt (Hiroshi SHIBATA) about 5 years ago

  • Description updated (diff)

@duerst (Martin Dürst)

Thanks for your proofreading :)

Updated by hsbt (Hiroshi SHIBATA) about 5 years ago

I added a test fix at r67171 for Windows platform. Please backport it too.

Updated by jeremyevans0 (Jeremy Evans) about 5 years ago

It looks like the uploaded patch files for 2.4.5 and 2.5.3 do not apply with either BSD or GNU patch, resulting in:

patch: **** malformed patch at line 391:      package = Gem::Package.new @gem

Line 350 in both patch files should probably be changed from:

@@ -480,6 +480,40 @@ def test_extract_symlink_parent

to

@@ -480,6 +480,42 @@ def test_extract_symlink_parent

as there were 36 lines added by that patch hunk.
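The count mismatch described in this comment, as an added example that is not code from the bug report, from RubyGems or from the patches attached here: a small Ruby checker that recounts each hunk body of a unified diff and compares it with the counts declared in the `@@` header (the new-side count must equal context lines plus added lines, so 6 context lines plus 36 additions require `+480,42`, not `+480,40`). The input diff is constructed for the example, and `check_hunk_counts` and `corrected_header` are names chosen here, not tool APIs.

```ruby
# Added example (not from the bug report): recount unified-diff hunk bodies and
# compare them with the counts declared in each "@@ -OLD,CNT +NEW,CNT @@" header.
# OLD count = context + removed lines, NEW count = context + added lines.
# `patch` stops reading a hunk once the declared counts are satisfied, so a
# header that under-counts leaves stray body lines behind and triggers
# "malformed patch at line N".

HUNK_HEADER = /\A@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@/

# Returns one hash per hunk: the header, declared and actual counts, and :ok.
def check_hunk_counts(diff_text)
  results = []
  current = nil
  lines = diff_text.lines.map(&:chomp)

  lines.each_with_index do |line, i|
    if (m = HUNK_HEADER.match(line))
      results << current if current
      current = {
        header: line,
        declared_old: (m[2] || "1").to_i, # a missing count means 1
        declared_new: (m[4] || "1").to_i,
        actual_old: 0,
        actual_new: 0,
      }
      next
    end
    next unless current

    # A file header ("diff ...", "Index: ...", or "--- a/x" followed by
    # "+++ b/x") closes the hunk in progress.
    file_header = line.start_with?("diff ", "Index: ") ||
                  (line.start_with?("--- ") && lines[i + 1].to_s.start_with?("+++ "))
    if file_header
      results << current
      current = nil
      next
    end

    case line
    when /\A\+/ then current[:actual_new] += 1       # added line
    when /\A-/  then current[:actual_old] += 1       # removed line
    when /\A\\/ then nil                             # "\ No newline at end of file"
    else                                             # context line (counts on both sides)
      current[:actual_old] += 1
      current[:actual_new] += 1
    end
  end
  results << current if current

  results.each do |r|
    r[:ok] = r[:declared_old] == r[:actual_old] && r[:declared_new] == r[:actual_new]
  end
end

# Rewrites a hunk header so that its counts match the body that was actually seen.
def corrected_header(result)
  result[:header].sub(HUNK_HEADER) do
    "@@ -#{$1},#{result[:actual_old]} +#{$3},#{result[:actual_new]} @@"
  end
end

# Constructed sample diff: the first hunk declares 4 new-side lines but its
# body holds 3 context + 2 added = 5; the second hunk is consistent.
SAMPLE_DIFF = [
  "--- a/test_example.rb",
  "+++ b/test_example.rb",
  "@@ -1,3 +1,4 @@ def test_extract",
  " a = 1",
  "+  b = 2",
  "+  c = 3",
  " d = 4",
  " e = 5",
  "@@ -10,2 +11,3 @@ def test_other",
  " x = 1",
  "+  y = 2",
  " z = 3",
].join("\n") + "\n"

if __FILE__ == $0
  check_hunk_counts(SAMPLE_DIFF).each do |r|
    status = r[:ok] ? "ok" : "MISMATCH (body: -#{r[:actual_old]} +#{r[:actual_new]})"
    puts "#{r[:header]}  => #{status}"
    puts "  suggested: #{corrected_header(r)}" unless r[:ok]
  end
end
```

Running the script prints the first header as a mismatch with the suggested replacement `@@ -1,3 +1,5 @@ def test_extract`, the same kind of correction proposed above for line 350 of the 2.4.5 and 2.5.3 patches. Blank lines inside a hunk body are counted as context, which matches how `patch` treats a context line whose leading space was stripped.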

Updated by jeremyevans0 (Jeremy Evans) about 5 years ago

hsbt (Hiroshi SHIBATA) wrote:

Thanks, I fixed it at v2 patches. Can you try them again?

Yes, all patches apply now, thank you very much.

Updated by naruse (Yui NARUSE) about 5 years ago

  • Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED to 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE

ruby_2_6 r67182 merged the patch.

Updated by nagachika (Tomoyuki Chikanaga) about 5 years ago

  • Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE to 2.4: REQUIRED, 2.5: DONE, 2.6: DONE

The patch for 2.5.3 was merged at r67234.

Updated by jeremyevans0 (Jeremy Evans) about 5 years ago

Are there plans to backport the Rubygems security patches to Ruby 2.3? Ruby 2.3 is still in security maintenance status until the end of the month, so I think this would qualify, but I'm not sure.

Updated by usa (Usaku NAKAMURA) almost 5 years ago

  • Backport changed from 2.4: REQUIRED, 2.5: DONE, 2.6: DONE to 2.4: DONE, 2.5: DONE, 2.6: DONE

Updated by jaruga (Jun Aruga) almost 5 years ago

Hi hsbt,
Thanks for fixing the vulnerability issues.
I just have a question.

In case I want to fix only CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution, applying the below commit is good enough, right?

Merge branch 'h1-328571' into master-private

Updated by hsbt (Hiroshi SHIBATA) almost 5 years ago

@jaruga (Jun Aruga)

Sorry for my late response. Your list of commits is correct.

Updated by jaruga (Jun Aruga) almost 5 years ago

@hsbt (Hiroshi SHIBATA), sure. Thank you for checking!
