Backport RubyGems 3.0.3/2.7.9
I released RubyGems 3.0.3 and 2.7.9 today. They contain multiple vulnerability fixes.
I attached the patches for Ruby 2.4, 2.5 and 2.6.
Updated by jeremyevans0 (Jeremy Evans) over 3 years ago
It looks like the uploaded patch files for 2.4.5 and 2.5.3 do not apply with either BSD or GNU patch, resulting in:
patch: **** malformed patch at line 391: package = Gem::Package.new @gem
Line 350 in both patch files should probably be changed from:
@@ -480,6 +480,40 @@ def test_extract_symlink_parent
@@ -480,6 +480,42 @@ def test_extract_symlink_parent
as there were 36 lines added by that patch hunk.
Updated by hsbt (Hiroshi SHIBATA) over 3 years ago
- File ruby-2.6.1-rubygems-v2.patch ruby-2.6.1-rubygems-v2.patch added
- File ruby-2.5.3-rubygems-v2.patch ruby-2.5.3-rubygems-v2.patch added
- File ruby-2.4.5-rubygems-v2.patch ruby-2.4.5-rubygems-v2.patch added
I attached the patches with r67171.
Thanks, I fixed it at v2 patches. Can you try them again?
Updated by jaruga (Jun Aruga) over 3 years ago
Thanks for fixing the vulnerability issues.
I have just a question.
In case I want to fix only CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution, applying the below commit is good enough, right?
Merge branch 'h1-328571' into master-private