
Bug #15637

Backport RubyGems 3.0.3/2.7.9

Added by hsbt (Hiroshi SHIBATA) 4 months ago. Updated 15 days ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
[ruby-core:91665]

Description

I released RubyGems 3.0.3 and 2.7.9 today. They contain multiple vulnerability fixes.

I attached the patches for Ruby 2.4, 2.5 and 2.6.


Files

ruby-2.4.5-rubygems.patch (12.4 KB) hsbt (Hiroshi SHIBATA), 03/04/2019 11:57 PM
ruby-2.5.3-rubygems.patch (12.4 KB) hsbt (Hiroshi SHIBATA), 03/04/2019 11:57 PM
ruby-2.6.1-rubygems.patch (17.6 KB) hsbt (Hiroshi SHIBATA), 03/04/2019 11:57 PM
ruby-2.4.5-rubygems-v2.patch (12.5 KB) hsbt (Hiroshi SHIBATA), 03/06/2019 05:03 AM
ruby-2.5.3-rubygems-v2.patch (12.5 KB) hsbt (Hiroshi SHIBATA), 03/06/2019 05:03 AM
ruby-2.6.1-rubygems-v2.patch (17.7 KB) hsbt (Hiroshi SHIBATA), 03/06/2019 05:03 AM

Associated revisions

Revision e0005fdc
Added by naruse (Yui NARUSE) 3 months ago

Backport RubyGems 3.0.3: [Backport #15637]

    * Fixed following vulnerabilities:
      * CVE-2019-8320: Delete directory using symlink when decompressing tar
      * CVE-2019-8321: Escape sequence injection vulnerability in verbose
      * CVE-2019-8322: Escape sequence injection vulnerability in gem owner
      * CVE-2019-8323: Escape sequence injection vulnerability in API response handling
      * CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
      * CVE-2019-8325: Escape sequence injection vulnerability in errors

    * see also https://blog.rubygems.org/2019/03/05/3.0.3-released.html

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67182 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision 67182
Added by naruse (Yui NARUSE) 3 months ago

Backport RubyGems 3.0.3: [Backport #15637]

* Fixed following vulnerabilities:
  * CVE-2019-8320: Delete directory using symlink when decompressing tar
  * CVE-2019-8321: Escape sequence injection vulnerability in verbose
  * CVE-2019-8322: Escape sequence injection vulnerability in gem owner
  * CVE-2019-8323: Escape sequence injection vulnerability in API response handling
  * CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
  * CVE-2019-8325: Escape sequence injection vulnerability in errors

* see also https://blog.rubygems.org/2019/03/05/3.0.3-released.html

Revision 213582c8
Added by nagachika (Tomoyuki Chikanaga) 3 months ago

Merge RubyGems 2.7.6.1 patch [Bug #15637]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67234 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision 67234
Added by nagachika (Tomoyuki Chikanaga) 3 months ago

Merge RubyGems 2.7.6.1 patch [Bug #15637]

History

Updated by duerst (Martin Dürst) 4 months ago

It says "They contain multiple vulnerabilities.". I hope the intent was to write something like "They fix multiple vulnerabilities." or "They contain multiple vulnerability fixes.".

Updated by hsbt (Hiroshi SHIBATA) 4 months ago

  • Description updated

duerst (Martin Dürst)

Thanks for your proofreading :)

Updated by hsbt (Hiroshi SHIBATA) 3 months ago

I added a test fix at r67171 for Windows platform. Please backport it too.

Updated by jeremyevans0 (Jeremy Evans) 3 months ago

It looks like the uploaded patch files for 2.4.5 and 2.5.3 do not apply with either BSD or GNU patch, resulting in:

patch: **** malformed patch at line 391:      package = Gem::Package.new @gem

Line 350 in both patch files should probably be changed from:

@@ -480,6 +480,40 @@ def test_extract_symlink_parent

to

@@ -480,6 +480,42 @@ def test_extract_symlink_parent

as there were 36 lines added by that patch hunk.
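
An added check for the hunk-header defect described in the comment above (example code, not from the Ruby or RubyGems projects): it parses each `@@ -a,b +c,d @@` header of a unified diff and recounts b and d from the hunk body, so a backport patch can be validated before anyone tries to apply it. It also handles hunks with removed lines, not only the added-lines case on this page; the sample hunk is constructed to mirror the v1 patches (6 context lines plus 36 added lines under a header claiming 40).

```ruby
# Added example, not code from the Ruby or RubyGems projects. A hunk header
# "@@ -a,b +c,d @@" promises b old-side lines (context + removed) and d
# new-side lines (context + added); patch(1) rejects a hunk whose body
# disagrees, which is what made the v1 backport patches "malformed".
HUNK_RE = /\A@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@/

# Returns [{line:, header:, expected:}, ...] for every hunk whose header
# counts differ from its body; [] means the patch is consistent.
def check_hunk_counts(patch_text)
  lines = patch_text.lines.map(&:chomp)
  problems = []
  i = 0
  while i < lines.size
    m = HUNK_RE.match(lines[i])
    unless m
      i += 1
      next
    end
    header_line = i + 1                       # 1-based, as patch(1) reports
    old_count, new_count = (m[2] || 1).to_i, (m[4] || 1).to_i  # omitted count means 1
    old_seen = new_seen = 0
    i += 1
    while i < lines.size
      l = lines[i]
      break if l.start_with?("@@ ", "diff ")  # next hunk or next file
      break if l.start_with?("--- ") && lines[i + 1].to_s.start_with?("+++ ")
      case l[0]
      when "+" then new_seen += 1
      when "-" then old_seen += 1
      when " ", nil then old_seen += 1; new_seen += 1  # context (nil = blank line)
      when "\\" then nil                               # "\ No newline at end of file"
      else break                                       # free text after the hunk
      end
      i += 1
    end
    next if old_seen == old_count && new_seen == new_count
    problems << { line: header_line, header: lines[header_line - 1],
                  expected: "@@ -#{m[1]},#{old_seen} +#{m[3]},#{new_seen} @@#{m.post_match}" }
  end
  problems
end

# Constructed sample mirroring the reported defect: 6 context lines plus 36
# added lines under a header that claims only 40 new-side lines.
SAMPLE_PATCH = (
  ["@@ -480,6 +480,40 @@ def test_extract_symlink_parent"] +
  Array.new(3) { |n| " context #{n}" } +
  Array.new(36) { |n| "+    added line #{n}" } +
  Array.new(3) { |n| " context #{n + 3}" }
).join("\n") + "\n"
```

Running `check_hunk_counts(File.read("ruby-2.4.5-rubygems.patch"))` over a real patch file lists each bad header with the counts the body actually implies.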

Updated by jeremyevans0 (Jeremy Evans) 3 months ago

hsbt (Hiroshi SHIBATA) wrote:

    Thanks, I fixed it at v2 patches. Can you try them again?

Yes, all patches apply now, thank you very much.

Updated by naruse (Yui NARUSE) 3 months ago

  • Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED to 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE

ruby_2_6 r67182 merged the patch.

Updated by nagachika (Tomoyuki Chikanaga) 3 months ago

  • Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE to 2.4: REQUIRED, 2.5: DONE, 2.6: DONE

The patch for 2.5.3 was merged at r67234.

Updated by jeremyevans0 (Jeremy Evans) 3 months ago

Are there plans to backport the Rubygems security patches to Ruby 2.3? Ruby 2.3 is still in security maintenance status until the end of the month, so I think this would qualify, but I'm not sure.


Updated by usa (Usaku NAKAMURA) 3 months ago

  • Backport changed from 2.4: REQUIRED, 2.5: DONE, 2.6: DONE to 2.4: DONE, 2.5: DONE, 2.6: DONE

Updated by jaruga (Jun Aruga) 2 months ago

Hi hsbt,
Thanks for fixing the vulnerability issues.
I have just a question.

In case I want to fix only CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution, applying the below commit is good enough, right?

Merge branch 'h1-328571' into master-private

Updated by hsbt (Hiroshi SHIBATA) 16 days ago

jaruga (Jun Aruga)

Sorry for my late response. Your list is the correct commits.

Updated by jaruga (Jun Aruga) 15 days ago

hsbt (Hiroshi SHIBATA), sure. Thank you for checking!
