https://bugs.ruby-lang.org/
2019-03-04T23:57:39Z
Ruby Issue Tracking System
Ruby master - Bug #15637: Backport RubyGems 3.0.3/2.7.9
https://bugs.ruby-lang.org/issues/15637?journal_id=76925
2019-03-04T23:57:39Z
hsbt (Hiroshi SHIBATA)
hsbt@ruby-lang.org
<ul><li><strong>File</strong> <a href="/attachments/7662">ruby-2.4.5-rubygems.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/7662/ruby-2.4.5-rubygems.patch">ruby-2.4.5-rubygems.patch</a> added</li><li><strong>File</strong> <a href="/attachments/7663">ruby-2.5.3-rubygems.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/7663/ruby-2.5.3-rubygems.patch">ruby-2.5.3-rubygems.patch</a> added</li><li><strong>File</strong> <a href="/attachments/7664">ruby-2.6.1-rubygems.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/7664/ruby-2.6.1-rubygems.patch">ruby-2.6.1-rubygems.patch</a> added</li></ul>
https://bugs.ruby-lang.org/issues/15637?journal_id=76927
2019-03-05T00:22:37Z
duerst (Martin Dürst)
duerst@it.aoyama.ac.jp
<p>It says "They contain multiple vulnerabilities.". I hope the intent was to write something like "They fix multiple vulnerabilities." or "They contain multiple vulnerability fixes.".</p>
https://bugs.ruby-lang.org/issues/15637?journal_id=76933
2019-03-05T07:27:16Z
hsbt (Hiroshi SHIBATA)
hsbt@ruby-lang.org
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/76933/diff?detail_id=51311">diff</a>)</li></ul><p><a class="user active user-mention" href="https://bugs.ruby-lang.org/users/50">@duerst (Martin Dürst)</a></p>
<p>Thanks for your proofreading :)</p>
https://bugs.ruby-lang.org/issues/15637?journal_id=76946
2019-03-06T02:13:07Z
hsbt (Hiroshi SHIBATA)
hsbt@ruby-lang.org
<p>I added a test fix at r67171 for the Windows platform. Please backport it too.</p>
https://bugs.ruby-lang.org/issues/15637?journal_id=76947
2019-03-06T02:52:37Z
jeremyevans0 (Jeremy Evans)
merch-redmine@jeremyevans.net
<p>It looks like the uploaded patch files for 2.4.5 and 2.5.3 do not apply with either BSD or GNU patch, resulting in:</p>
<pre><code>patch: **** malformed patch at line 391: package = Gem::Package.new @gem
</code></pre>
<p>Line 350 in both patch files should probably be changed from:</p>
<pre><code>@@ -480,6 +480,40 @@ def test_extract_symlink_parent
</code></pre>
<p>to</p>
<pre><code>@@ -480,6 +480,42 @@ def test_extract_symlink_parent
</code></pre>
<p>as there were 36 lines added by that patch hunk.</p>
https://bugs.ruby-lang.org/issues/15637?journal_id=76949
2019-03-06T05:04:43Z
hsbt (Hiroshi SHIBATA)
hsbt@ruby-lang.org
<ul><li><strong>File</strong> <a href="/attachments/7669">ruby-2.4.5-rubygems-v2.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/7669/ruby-2.4.5-rubygems-v2.patch">ruby-2.4.5-rubygems-v2.patch</a> added</li><li><strong>File</strong> <a href="/attachments/7670">ruby-2.5.3-rubygems-v2.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/7670/ruby-2.5.3-rubygems-v2.patch">ruby-2.5.3-rubygems-v2.patch</a> added</li><li><strong>File</strong> <a href="/attachments/7671">ruby-2.6.1-rubygems-v2.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/7671/ruby-2.6.1-rubygems-v2.patch">ruby-2.6.1-rubygems-v2.patch</a> added</li></ul><p>I attached the patches with r67171.</p>
<p><a class="user active user-mention" href="https://bugs.ruby-lang.org/users/1604">@jeremyevans0 (Jeremy Evans)</a></p>
<p>Thanks, I fixed it at v2 patches. Can you try them again?</p>
https://bugs.ruby-lang.org/issues/15637?journal_id=76950
2019-03-06T05:19:56Z
jeremyevans0 (Jeremy Evans)
merch-redmine@jeremyevans.net
<p>hsbt (Hiroshi SHIBATA) wrote:</p>
<blockquote>
<p>Thanks, I fixed it at v2 patches. Can you try them again?</p>
</blockquote>
<p>Yes, all patches apply now, thank you very much.</p>
https://bugs.ruby-lang.org/issues/15637?journal_id=76963
2019-03-06T09:06:27Z
naruse (Yui NARUSE)
naruse@airemix.jp
<ul><li><strong>Backport</strong> changed from <i>2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED</i> to <i>2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE</i></li></ul><p>ruby_2_6 r67182 merged the patch.</p>
https://bugs.ruby-lang.org/issues/15637?journal_id=77067
2019-03-12T21:33:21Z
nagachika (Tomoyuki Chikanaga)
nagachika00@gmail.com
<ul><li><strong>Backport</strong> changed from <i>2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE</i> to <i>2.4: REQUIRED, 2.5: DONE, 2.6: DONE</i></li></ul><p>The patch for 2.5.3 was merged at r67234.</p>
https://bugs.ruby-lang.org/issues/15637?journal_id=77122
2019-03-15T19:50:41Z
jeremyevans0 (Jeremy Evans)
merch-redmine@jeremyevans.net
<p>Are there plans to backport the RubyGems security patches to Ruby 2.3? Ruby 2.3 is still in security maintenance status until the end of the month, so I think this would qualify, but I'm not sure.</p>
https://bugs.ruby-lang.org/issues/15637?journal_id=77388
2019-03-31T14:51:57Z
usa (Usaku NAKAMURA)
usa@garbagecollect.jp
<ul><li><strong>Backport</strong> changed from <i>2.4: REQUIRED, 2.5: DONE, 2.6: DONE</i> to <i>2.4: DONE, 2.5: DONE, 2.6: DONE</i></li></ul>
https://bugs.ruby-lang.org/issues/15637?journal_id=77637
2019-04-15T13:33:55Z
jaruga (Jun Aruga)
<p>Hi hsbt,<br>
Thanks for fixing the vulnerability issues.<br>
I have just a question.</p>
<p>In case I want to fix only CVE-2019-8324 (installing a malicious gem may lead to arbitrary code execution), applying the commit below is good enough, right?</p>
<p>Merge branch 'h1-328571' into master-private</p>
<ul>
<li>master: <a href="https://github.com/rubygems/rubygems/commit/bcc96123e916a2b8d302dc0f350d9068bd014188" class="external">https://github.com/rubygems/rubygems/commit/bcc96123e916a2b8d302dc0f350d9068bd014188</a>
</li>
<li>v3.0.3: <a href="https://github.com/rubygems/rubygems/commit/1e6f6a0561a8531ab99c608655c4fb15524ceee2" class="external">https://github.com/rubygems/rubygems/commit/1e6f6a0561a8531ab99c608655c4fb15524ceee2</a>
</li>
<li>v2.7.9: <a href="https://github.com/rubygems/rubygems/commit/8e61a52f49c9530706cd73d2f1edc10f097e591f" class="external">https://github.com/rubygems/rubygems/commit/8e61a52f49c9530706cd73d2f1edc10f097e591f</a>
</li>
</ul>
https://bugs.ruby-lang.org/issues/15637?journal_id=78305
2019-06-02T12:26:53Z
hsbt (Hiroshi SHIBATA)
hsbt@ruby-lang.org
<p><a class="user active user-mention" href="https://bugs.ruby-lang.org/users/11018">@jaruga (Jun Aruga)</a></p>
<p>Sorry for my late response. Your list is the correct set of commits.</p>
https://bugs.ruby-lang.org/issues/15637?journal_id=78312
2019-06-03T11:09:11Z
jaruga (Jun Aruga)
<p><a class="user active user-mention" href="https://bugs.ruby-lang.org/users/572">@hsbt (Hiroshi SHIBATA)</a>, sure. Thank you for checking!</p>