Bug #14481

Backport request for RubyGems 2.7.6

Added by hsbt (Hiroshi SHIBATA) about 1 year ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Target version: -
[ruby-core:85598]

Description

RubyGems 2.7.6 has been released. It contained several vulnerability fixes.

http://blog.rubygems.org/2018/02/15/2.7.6-released.html

I created patches for all of the active branches of Ruby.

rubygems-276-for-ruby25.patch

This patch is for upgrading RubyGems 2.7.3 to 2.7.6 and has tiny changes for the test cases. So, it includes the following fixes:

rubygems-276-for-ruby24.patch and rubygems-276-for-ruby23.patch

These patches contain the RubyGems 2.7.6 security fixes and tempfile leak fixes.

rubygems-276-for-ruby22.patch

This patch fixes the security vulnerabilities for RubyGems 2.7.6. But I removed the patch for "Prevent path traversal when writing to a symlinked basedir outside of the root. Discovered by nmalkin, fixed by Jonathan Claudius and Samuel Giddins." (It was not assigned a CVE number.)

Because support for packaging with symlinks was provided after RubyGems 2.5.

https://github.com/rubygems/rubygems/pull/1209

So, Ruby 2.2 contained RubyGems 2.4. It's affected by this vulnerability.

To nalsh, nagachika, usa

Please backport them.
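The "symlinked basedir outside of the root" item that the description discusses is a path-containment problem: a write target that looks like it sits under the install root can still land outside it once a symlinked directory is resolved. The following Ruby is an added illustration of that class of check and is not RubyGems code from the patches or from the release; the helper `resolved_destination_within`, the demo layout built by `demo_symlinked_basedir`, and the decision to refuse dangling symlinks are all assumptions made for this example.

```ruby
require "pathname"
require "fileutils"
require "tmpdir"

# Hypothetical helper (not RubyGems code): decide whether writing to
# `relative` underneath `root` stays inside `root` once symlinks are
# resolved. Returns the resolved absolute destination, or nil if the
# destination would escape the root.
def resolved_destination_within(root, relative)
  root_real = File.realpath(root)

  # Reject absolute paths and lexical ".." escapes before touching the filesystem.
  return nil if Pathname.new(relative).absolute?
  dest = File.expand_path(relative, root_real)
  return nil unless dest == root_real || dest.start_with?(root_real + File::SEPARATOR)

  # The target itself usually does not exist yet, so walk up to the deepest
  # existing ancestor, resolve that with realpath (this is where a symlinked
  # directory pointing outside the root shows up), and re-append the
  # non-existent tail lexically.
  existing = Pathname.new(dest)
  tail = []
  until existing.exist?
    return nil if existing.symlink? # dangling symlink: refuse rather than guess
    tail.unshift(existing.basename.to_s)
    existing = existing.parent
  end
  real = File.join(File.realpath(existing.to_s), *tail)

  return nil unless real == root_real || real.start_with?(root_real + File::SEPARATOR)
  real
end

# Constructed demo layout (assumption, not from the page): root/ contains a
# real subdirectory "lib" and a symlinked subdirectory "escape" that points
# at a sibling directory outside the root.
def demo_symlinked_basedir
  Dir.mktmpdir do |base|
    root    = File.join(base, "root")
    outside = File.join(base, "outside")
    FileUtils.mkdir_p([File.join(root, "lib"), outside])
    File.symlink(outside, File.join(root, "escape"))

    {
      plain:   !resolved_destination_within(root, "lib/foo.rb").nil?,      # allowed
      dotdot:  !resolved_destination_within(root, "../outside/x.rb").nil?, # rejected lexically
      symlink: !resolved_destination_within(root, "escape/x.rb").nil?      # rejected after realpath
    }
  end
end

if __FILE__ == $0
  p demo_symlinked_basedir
end
```

The lexical check alone would accept "escape/x.rb", because nothing in the string leaves the root; only resolving the existing ancestor with `File.realpath` exposes where the write would actually land. The ordering matters too: the lexical check comes first so that an attacker-controlled relative path is never handed to `realpath` unfiltered.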


Files

rubygems-276-for-ruby25.patch (77.4 KB) - hsbt (Hiroshi SHIBATA), 02/16/2018 10:55 AM
rubygems-276-for-ruby24.patch (19.5 KB) - hsbt (Hiroshi SHIBATA), 02/16/2018 10:55 AM
rubygems-276-for-ruby23.patch (19.5 KB) - hsbt (Hiroshi SHIBATA), 02/16/2018 10:55 AM
rubygems-276-for-ruby22.patch (15.5 KB) - hsbt (Hiroshi SHIBATA), 02/16/2018 10:55 AM

Associated revisions

Revision 4237809a
Added by nagachika (Tomoyuki Chikanaga) about 1 year ago

merge revision(s) 62422: [Backport #14481]

Merge RubyGems 2.7.6 from upstream.

  It fixed some security vulnerabilities.

  http://blog.rubygems.org/2018/02/15/2.7.6-released.html

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@62434 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision 62434
Added by nagachika (Tomoyuki Chikanaga) about 1 year ago

merge revision(s) 62422: [Backport #14481]

Merge RubyGems 2.7.6 from upstream.

  It fixed some security vulnerabilities.

  http://blog.rubygems.org/2018/02/15/2.7.6-released.html

Revision d8d19683
Added by nagachika (Tomoyuki Chikanaga) about 1 year ago

fix regexp literal warning.

test/rubygems/test_gem_server.rb: eliminate duplicated character class warning.
[Bug #14481]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62436 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision 62436
Added by nagachika (Tomoyuki Chikanaga) about 1 year ago

fix regexp literal warning.

test/rubygems/test_gem_server.rb: eliminate duplicated character class warning.
[Bug #14481]

Revision 99c76a47
Added by nagachika (Tomoyuki Chikanaga) about 1 year ago

merge revision(s) 62436: [Backport #14481]

fix regexp literal warning.

test/rubygems/test_gem_server.rb: eliminate duplicated character class warning.
[Bug #14481]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@62438 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision 62438
Added by nagachika (Tomoyuki Chikanaga) about 1 year ago

merge revision(s) 62436: [Backport #14481]

fix regexp literal warning.

test/rubygems/test_gem_server.rb: eliminate duplicated character class warning.
[Bug #14481]

Revision 08fb5c21
Added by usa (Usaku NAKAMURA) about 1 year ago

merge revision(s) 58471,58493,62436: [Backport #13505]

load.c: backtrace of circular require

* load.c (load_lock): print backtrace of circular require via
  `Warning.warn` [ruby-core:80850] [Bug #13505]

  Send the backtrace of the circular require warning as a single String to Warning.warn

* load.c: send as a single string.
* error.c: expose the string formatted by rb_warning as rb_warning_string().
* test/ruby/test_exception.rb: update tests.
  [ruby-core:80850] [Bug #13505]

fix regexp literal warning.

* test/rubygems/test_gem_server.rb: eliminate duplicated character class warning.
  [Bug #14481]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@62439 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision 62439
Added by usa (Usaku NAKAMURA) about 1 year ago

merge revision(s) 58471,58493,62436: [Backport #13505]

load.c: backtrace of circular require

* load.c (load_lock): print backtrace of circular require via
  `Warning.warn` [ruby-core:80850] [Bug #13505]

  Send the backtrace of the circular require warning as a single String to Warning.warn

* load.c: send as a single string.
* error.c: expose the string formatted by rb_warning as rb_warning_string().
* test/ruby/test_exception.rb: update tests.
  [ruby-core:80850] [Bug #13505]

fix regexp literal warning.

* test/rubygems/test_gem_server.rb: eliminate duplicated character class warning.
  [Bug #14481]

Revision 664b94fd
Added by usa (Usaku NAKAMURA) about 1 year ago

merge revision(s) 58471,58493,62436: [Backport #13505]

load.c: backtrace of circular require

* load.c (load_lock): print backtrace of circular require via
  `Warning.warn` [ruby-core:80850] [Bug #13505]

  Send the backtrace of the circular require warning as a single String to Warning.warn

* load.c: send as a single string.
* error.c: expose the string formatted by rb_warning as rb_warning_string().
* test/ruby/test_exception.rb: update tests.
  [ruby-core:80850] [Bug #13505]

fix regexp literal warning.

* test/rubygems/test_gem_server.rb: eliminate duplicated character class warning.
  [Bug #14481]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_2@62441 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision e4317b5e
Added by usa (Usaku NAKAMURA) about 1 year ago

merge revision(s) 62422,62436: [Backport #14481]

Merge RubyGems 2.7.6 from upstream.

It fixed some security vulnerabilities.

http://blog.rubygems.org/2018/02/15/2.7.6-released.html

fix regexp literal warning.

* test/rubygems/test_gem_server.rb: eliminate duplicated character class warning.
  [Bug #14481]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@62442 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision 62442
Added by usa (Usaku NAKAMURA) about 1 year ago

merge revision(s) 62422,62436: [Backport #14481]

Merge RubyGems 2.7.6 from upstream.

It fixed some security vulnerabilities.

http://blog.rubygems.org/2018/02/15/2.7.6-released.html

fix regexp literal warning.

* test/rubygems/test_gem_server.rb: eliminate duplicated character class warning.
  [Bug #14481]

Revision 20ad678d
Added by usa (Usaku NAKAMURA) about 1 year ago

merge revision(s) 62422,62436: [Backport #14481]

Merge RubyGems 2.7.6 from upstream.

It fixed some security vulnerabilities.

http://blog.rubygems.org/2018/02/15/2.7.6-released.html

fix regexp literal warning.

* test/rubygems/test_gem_server.rb: eliminate duplicated character class warning.
  [Bug #14481]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_2@62443 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision 332938df
Added by naruse (Yui NARUSE) about 1 year ago

merge revision(s) 61501,61758: [Backport #14481]

fix concurrent test.

* test/rubygems/test_require.rb (test_concurrent_require):
  Synchronizations should be in an ensure clause. Sometimes
  `require` fails (not sure why) and the latch is not released.
  Such a case introduces unlimited waiting.
  This patch solves this problem.


skip some tests so that no failure occurs in root privilege

Some tests had failed on `sudo make test-all`, mainly because root can
access any files regardless of permission.  This change adds `skip`
guards into such tests.

Note that almost all tests in which `skip` guards are added already have
a "windows" guard. This is because there is no support to avoid read
access by owner on Windows.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@62834 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision 62834
Added by naruse (Yui NARUSE) about 1 year ago

merge revision(s) 61501,61758: [Backport #14481]

fix concurrent test.

* test/rubygems/test_require.rb (test_concurrent_require):
  Synchronizations should be in an ensure clause. Sometimes
  `require` fails (not sure why) and the latch is not released.
  Such a case introduces unlimited waiting.
  This patch solves this problem.


skip some tests so that no failure occurs in root privilege

Some tests had failed on `sudo make test-all`, mainly because root can
access any files regardless of permission.  This change adds `skip`
guards into such tests.

Note that almost all tests in which `skip` guards are added already have
a "windows" guard. This is because there is no support to avoid read
access by owner on Windows.
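The concurrent-test commit above describes a failure mode worth seeing in isolation: a worker that releases a latch only after its work succeeds will leave the waiter blocked forever when the work (here, `require`) raises. The Ruby below is an added example, not the test-suite's own code; the `CountDownLatch` class, the `run_workers` harness, and the simulated `LoadError` are assumptions. It runs the same workers twice, once with the release after the work and once with the release inside an `ensure` clause, and reports whether the waiter was released before its timeout.

```ruby
require "monitor"

# Hypothetical minimal countdown latch (assumption, not from the page).
class CountDownLatch
  def initialize(count)
    @count = count
    @lock  = Monitor.new
    @cond  = @lock.new_cond
  end

  def count_down
    @lock.synchronize do
      @count -= 1 if @count > 0
      @cond.broadcast if @count.zero?
    end
  end

  # Returns true if the count reached zero before `timeout` seconds elapsed,
  # false otherwise; a bounded wait is what turns "unlimited waiting" into a
  # visible test failure instead of a hang.
  def wait(timeout)
    deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + timeout
    @lock.synchronize do
      while @count > 0
        remaining = deadline - Process.clock_gettime(Process::CLOCK_MONOTONIC)
        return false if remaining <= 0
        @cond.wait(remaining)
      end
      true
    end
  end
end

# Start `n` worker threads; workers whose index is in `failing` raise a
# constructed LoadError to stand in for a `require` that fails. With
# release_in_ensure: false the latch is released only on success, so one
# failing worker keeps the waiter blocked until the timeout; with true the
# release sits in an ensure clause and happens on every path.
def run_workers(n, release_in_ensure:, failing: [], timeout: 0.5)
  latch = CountDownLatch.new(n)
  threads = n.times.map do |i|
    Thread.new do
      Thread.current.report_on_exception = false
      if release_in_ensure
        begin
          raise LoadError, "cannot load such file -- constructed" if failing.include?(i)
        ensure
          latch.count_down
        end
      else
        raise LoadError, "cannot load such file -- constructed" if failing.include?(i)
        latch.count_down
      end
    end
  end
  released = latch.wait(timeout)
  # join re-raises a worker's exception in the caller; swallow the constructed one.
  threads.each do |t|
    begin
      t.join
    rescue LoadError
      nil
    end
  end
  released
end

if __FILE__ == $0
  p run_workers(4, release_in_ensure: false, failing: [2]) # false: waiter timed out
  p run_workers(4, release_in_ensure: true,  failing: [2]) # true: latch released in ensure
end
```

Without the timeout in `wait`, the first call would block indefinitely, which is exactly what the test suite saw; the fix in the commit moves the release into `ensure`, and the bounded wait here is what makes the difference observable.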

Revision 90df7a08
Added by naruse (Yui NARUSE) about 1 year ago

merge revision(s) 62244,62246,62301,62302,62303,62422,62436,62452: [Backport #14481]

Merge RubyGems-2.7.5 from upstream.

  Please see its details: http://blog.rubygems.org/2018/02/06/2.7.5-released.html

test_gem_util.rb: fix broken test

* test/rubygems/test_gem_util.rb: no guarantee that tmpdir is
  always underneath the root directory at all.

test_gem_commands_setup_command.rb: BUNDLER_VERS

* test/rubygems/test_gem_commands_setup_command.rb: run bundled
  gem command, instead of installed one.

no need to set bundled bundler unless Gem::USE_BUNDLER_FOR_GEMDEPS


revert r62302 and force to define the version constant


Merge RubyGems 2.7.6 from upstream.

  It fixed some security vulnerabilities.

  http://blog.rubygems.org/2018/02/15/2.7.6-released.html

fix regexp literal warning.

test/rubygems/test_gem_server.rb: eliminate duplicated character class warning.
[Bug #14481]

Remove unnecessary `[]`s

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@62837 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision 62837
Added by naruse (Yui NARUSE) about 1 year ago

merge revision(s) 62244,62246,62301,62302,62303,62422,62436,62452: [Backport #14481]

Merge RubyGems-2.7.5 from upstream.

  Please see its details: http://blog.rubygems.org/2018/02/06/2.7.5-released.html

test_gem_util.rb: fix broken test

* test/rubygems/test_gem_util.rb: no guarantee that tmpdir is
  always underneath the root directory at all.

test_gem_commands_setup_command.rb: BUNDLER_VERS

* test/rubygems/test_gem_commands_setup_command.rb: run bundled
  gem command, instead of installed one.

no need to set bundled bundler unless Gem::USE_BUNDLER_FOR_GEMDEPS


revert r62302 and force to define the version constant


Merge RubyGems 2.7.6 from upstream.

  It fixed some security vulnerabilities.

  http://blog.rubygems.org/2018/02/15/2.7.6-released.html

fix regexp literal warning.

test/rubygems/test_gem_server.rb: eliminate duplicated character class warning.
[Bug #14481]

Remove unnecessary `[]`s

History

Updated by hsbt (Hiroshi SHIBATA) about 1 year ago

So, Ruby 2.2 contained RubyGems 2.4. It's affected by its vulnerability.

oops, "It's NOT affected" is correct status.

#2

Updated by nagachika (Tomoyuki Chikanaga) about 1 year ago

  • Status changed from Open to Closed

Applied in changeset ruby_2_4|r62434.


merge revision(s) 62422: [Backport #14481]

Merge RubyGems 2.7.6 from upstream.

  It fixed some security vulnerabilities.

  http://blog.rubygems.org/2018/02/15/2.7.6-released.html

#3

Updated by nagachika (Tomoyuki Chikanaga) about 1 year ago

  • Backport changed from 2.3: REQUIRED, 2.4: REQUIRED, 2.5: REQUIRED to 2.3: REQUIRED, 2.4: DONE, 2.5: REQUIRED

Updated by nagachika (Tomoyuki Chikanaga) about 1 year ago

I've found that `ruby -wc test/rubygems/test_gem_server.rb` reports some warnings.
Due to these warnings, `TEST_RIPPER_RATIO=1 make test-all TESTS=ripper/test_files.rb` failed.
The default value of TEST_RIPPER_RATIO is 0.05, so the test failure is not deterministic with a plain `make test-all`.

I will fix the warning in trunk and ruby_2_4 branch.

#5

Updated by usa (Usaku NAKAMURA) about 1 year ago

  • Backport changed from 2.3: REQUIRED, 2.4: DONE, 2.5: REQUIRED to 2.3: DONE, 2.4: DONE, 2.5: REQUIRED

Updated by naruse (Yui NARUSE) about 1 year ago

  • Backport changed from 2.3: DONE, 2.4: DONE, 2.5: REQUIRED to 2.3: DONE, 2.4: DONE, 2.5: DONE

ruby_2_5 r62837 merged revision(s) 62244,62246,62301,62302,62303,62422,62436,62452.