
Bug #15637

Backport RubyGems 3.0.3/2.7.9

Added by hsbt (Hiroshi SHIBATA) 8 months ago. Updated 5 months ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
[ruby-core:91665]

Description

I released RubyGems 3.0.3 and 2.7.9 today. They contain multiple vulnerability fixes.

I attached the patches for Ruby 2.4, 2.5 and 2.6.


Files

ruby-2.4.5-rubygems.patch (12.4 KB) - hsbt (Hiroshi SHIBATA), 03/04/2019 11:57 PM
ruby-2.5.3-rubygems.patch (12.4 KB) - hsbt (Hiroshi SHIBATA), 03/04/2019 11:57 PM
ruby-2.6.1-rubygems.patch (17.6 KB) - hsbt (Hiroshi SHIBATA), 03/04/2019 11:57 PM
ruby-2.4.5-rubygems-v2.patch (12.5 KB) - hsbt (Hiroshi SHIBATA), 03/06/2019 05:03 AM
ruby-2.5.3-rubygems-v2.patch (12.5 KB) - hsbt (Hiroshi SHIBATA), 03/06/2019 05:03 AM
ruby-2.6.1-rubygems-v2.patch (17.7 KB) - hsbt (Hiroshi SHIBATA), 03/06/2019 05:03 AM

Associated revisions

Revision e0005fdc
Added by naruse (Yui NARUSE) 8 months ago

Backport RubyGems 3.0.3: [Backport #15637]

    * Fixed following vulnerabilities:
      * CVE-2019-8320: Delete directory using symlink when decompressing tar
      * CVE-2019-8321: Escape sequence injection vulnerability in verbose
      * CVE-2019-8322: Escape sequence injection vulnerability in gem owner
      * CVE-2019-8323: Escape sequence injection vulnerability in API response handling
      * CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
      * CVE-2019-8325: Escape sequence injection vulnerability in errors

    * see also https://blog.rubygems.org/2019/03/05/3.0.3-released.html

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67182 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision 67182
Added by naruse (Yui NARUSE) 8 months ago

Backport RubyGems 3.0.3: [Backport #15637]

* Fixed following vulnerabilities:
  * CVE-2019-8320: Delete directory using symlink when decompressing tar
  * CVE-2019-8321: Escape sequence injection vulnerability in verbose
  * CVE-2019-8322: Escape sequence injection vulnerability in gem owner
  * CVE-2019-8323: Escape sequence injection vulnerability in API response handling
  * CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
  * CVE-2019-8325: Escape sequence injection vulnerability in errors

* see also https://blog.rubygems.org/2019/03/05/3.0.3-released.html

Revision 213582c8
Added by nagachika (Tomoyuki Chikanaga) 7 months ago

Merge RubyGems 2.7.6.1 patch [Bug #15637]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67234 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision 67234
Added by nagachika (Tomoyuki Chikanaga) 7 months ago

Merge RubyGems 2.7.6.1 patch [Bug #15637]

History

Updated by duerst (Martin Dürst) 8 months ago

It says "They contain multiple vulnerabilities.". I hope the intent was to write something like "They fix multiple vulnerabilities." or "They contain multiple vulnerability fixes.".

Updated by hsbt (Hiroshi SHIBATA) 8 months ago

  • Description updated (diff)

duerst (Martin Dürst)

Thanks for your proofreading :)

Updated by hsbt (Hiroshi SHIBATA) 8 months ago

I added a test fix at r67171 for Windows platform. Please backport it too.

Updated by jeremyevans0 (Jeremy Evans) 8 months ago

It looks like the uploaded patch files for 2.4.5 and 2.5.3 do not apply with either BSD or GNU patch, resulting in:

patch: **** malformed patch at line 391:      package = Gem::Package.new @gem

Line 350 in both patch files should probably be changed from:

@@ -480,6 +480,40 @@ def test_extract_symlink_parent

to

@@ -480,6 +480,42 @@ def test_extract_symlink_parent

as there were 36 lines added by that patch hunk.
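The comment above describes a unified-diff hunk header whose declared new-side count (40) did not match the body (6 context lines plus 36 additions, so 42), which is what makes patch(1) reject the file as malformed. The following added example (not code from the Ruby or RubyGems projects, and not the attached patches) walks a diff, compares each `@@ -a,b +c,d @@` header against the lines that follow it, and can rewrite the counts so the header agrees with the body. The sample diff embedded in it is constructed to mirror the case in the thread; the file path in it is a placeholder, not a path from the patches.

```ruby
# Added example (not Ruby/RubyGems project code): validate and repair the line
# counts in unified-diff hunk headers, the defect patch(1) reports as
# "malformed patch".

HUNK_HEADER = /\A@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@(.*)\z/

# A "--- file" line immediately followed by "+++ file" starts a new file
# section; it is not a removed line whose content happens to begin with "-- ".
def file_header?(lines, i)
  lines[i].start_with?("--- ") && lines[i + 1].to_s.start_with?("+++ ")
end

# Walks the diff once and returns one hash per hunk:
#   { line: 1-based header line, declared: [old, new], actual: [old, new] }
def scan_hunks(diff_text)
  lines = diff_text.lines.map(&:chomp)
  hunks = []
  i = 0
  while i < lines.size
    m = HUNK_HEADER.match(lines[i])
    unless m
      i += 1
      next
    end
    # A missing ",n" in the header means a count of 1.
    hunk = { line: i + 1,
             declared: [(m[2] || "1").to_i, (m[4] || "1").to_i],
             actual: [0, 0] }
    i += 1
    while i < lines.size
      line = lines[i]
      break if HUNK_HEADER.match?(line) || line.start_with?("diff ") || file_header?(lines, i)
      case line[0]
      when " ", nil          # context line (a fully blank line is a context line whose leading space was stripped)
        hunk[:actual][0] += 1
        hunk[:actual][1] += 1
      when "-" then hunk[:actual][0] += 1   # old side only
      when "+" then hunk[:actual][1] += 1   # new side only
      when "\\" then nil                    # "\ No newline at end of file" marker, never counted
      else break                            # anything else ends the hunk body
      end
      i += 1
    end
    hunks << hunk
  end
  hunks
end

# Only the hunks whose header disagrees with the body that follows it.
def check_hunk_counts(diff_text)
  scan_hunks(diff_text).reject { |h| h[:declared] == h[:actual] }
end

# Rewrites every hunk header so its counts match the body, leaving the start
# line numbers and the trailing function context untouched.
def repair_hunk_headers(diff_text)
  lines = diff_text.lines.map(&:chomp)
  scan_hunks(diff_text).each do |h|
    m = HUNK_HEADER.match(lines[h[:line] - 1])
    lines[h[:line] - 1] = "@@ -#{m[1]},#{h[:actual][0]} +#{m[3]},#{h[:actual][1]} @@#{m[5]}"
  end
  lines.join("\n") + "\n"
end

# Constructed sample mirroring the hunk in the thread: the header promises
# 40 new-side lines while the body carries 6 context + 36 added = 42.
# "sample_test.rb" is a placeholder path, not a file from the real patches.
SAMPLE_DIFF = [
  "--- a/sample_test.rb",
  "+++ b/sample_test.rb",
  "@@ -480,6 +480,40 @@ def test_extract_symlink_parent",
  *Array.new(3) { |k| "   context_#{k}" },
  *Array.new(36) { |k| "+    added_#{k}" },
  *Array.new(3) { |k| "   context_#{3 + k}" },
  "@@ -600,3 +634,3 @@ def other_test",
  "   keep",
  "-  old",
  "+  new",
  "   keep",
].join("\n") + "\n"

if __FILE__ == $0
  check_hunk_counts(SAMPLE_DIFF).each do |h|
    puts "hunk at line #{h[:line]}: header says #{h[:declared].inspect}, body has #{h[:actual].inspect}"
  end
  puts repair_hunk_headers(SAMPLE_DIFF).lines.grep(/\A@@/)
end
```

Running the file reports the first hunk (header line 3) as declaring [6, 40] while the body holds [6, 42], and prints the repaired header `@@ -480,6 +480,42 @@ def test_extract_symlink_parent`, the correction proposed in the comment. The repair function rewrites counts only; it never touches the hunk bodies, so it cannot silently change what a patch applies.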

Updated by jeremyevans0 (Jeremy Evans) 8 months ago

hsbt (Hiroshi SHIBATA) wrote:

Thanks, I fixed it at v2 patches. Can you try them again?

Yes, all patches apply now, thank you very much.

Updated by naruse (Yui NARUSE) 8 months ago

  • Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED to 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE

ruby_2_6 r67182 merged the patch.

Updated by nagachika (Tomoyuki Chikanaga) 7 months ago

  • Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE to 2.4: REQUIRED, 2.5: DONE, 2.6: DONE

The patch for 2.5.3 was merged at r67234.

Updated by jeremyevans0 (Jeremy Evans) 7 months ago

Are there plans to backport the Rubygems security patches to Ruby 2.3? Ruby 2.3 is still in security maintenance status until the end of the month, so I think this would qualify, but I'm not sure.


Updated by usa (Usaku NAKAMURA) 7 months ago

  • Backport changed from 2.4: REQUIRED, 2.5: DONE, 2.6: DONE to 2.4: DONE, 2.5: DONE, 2.6: DONE

Updated by jaruga (Jun Aruga) 6 months ago

Hi hsbt,
Thanks for fixing the vulnerability issues.
I have just a question.

In case I want to fix only CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution, applying the below commit is good enough, right?

Merge branch 'h1-328571' into master-private

Updated by hsbt (Hiroshi SHIBATA) 5 months ago

jaruga (Jun Aruga)

Sorry for my late response. Your list of commits is correct.

Updated by jaruga (Jun Aruga) 5 months ago

hsbt (Hiroshi SHIBATA), sure. Thank you for checking!
