Project

General

Profile

Actions
Copy link

Bug #14481

closed

Backport request for RubyGems 2.7.6

Added by hsbt (Hiroshi SHIBATA) almost 7 years ago. Updated over 6 years ago.

Status:
Closed
Assignee:
hsbt (Hiroshi SHIBATA)
Target version:
-
ruby -v:
Backport:
2.3: DONE, 2.4: DONE, 2.5: DONE
[ruby-core:85598]

Description

RubyGems 2.7.6 has been released. It contained the several vulnerability fixes.

http://blog.rubygems.org/2018/02/15/2.7.6-released.html

I created patches for all of the active branches of Ruby.

rubygems-276-for-ruby25.patch

This patch for upgrading RubyGems 2.7.3 to 2.7.6 and tiny changes for test-case. So, It includes following fixes:

rubygems-276-for-ruby24.patch and rubygems-276-for-ruby23.patch

These patches contained RubyGems 2.7.6 security fixes and tempfile leak fixes.

rubygems-276-for-ruby22.patch

This patch fixed security vulnerabilities for RubyGems 2.7.6. But I removed patch for "Prevent path traversal when writing to a symlinked basedir outside of the root. Discovered by nmalkin, fixed by Jonathan Claudius and Samuel Giddins." (It was not assigned CVE number)

Because to support packaging with symlink was provided after RubyGems 2.5.

https://github.com/rubygems/rubygems/pull/1209

So, Ruby 2.2 contained RubyGems 2.4. It's affected by its vulnerability.

To nalsh, nagachika, usa

Please backport them.

Files

Download all files
rubygems-276-for-ruby25.patch (77.4 KB) rubygems-276-for-ruby25.patch hsbt (Hiroshi SHIBATA), 02/16/2018 10:55 AM
rubygems-276-for-ruby24.patch (19.5 KB) rubygems-276-for-ruby24.patch hsbt (Hiroshi SHIBATA), 02/16/2018 10:55 AM
rubygems-276-for-ruby23.patch (19.5 KB) rubygems-276-for-ruby23.patch hsbt (Hiroshi SHIBATA), 02/16/2018 10:55 AM
rubygems-276-for-ruby22.patch (15.5 KB) rubygems-276-for-ruby22.patch hsbt (Hiroshi SHIBATA), 02/16/2018 10:55 AM
Actions
Copy link

Also available in: Atom PDF

Like0
Like0Like0Like0Like0Like0Like0