Ruby » Ruby master

It says "They contain multiple vulnerabilities.". I hope the intent was to write something like "They fix multiple vulnerabilities." or "They contain multiple vulnerability fixes.".

I added a test fix at r67171 for Windows platform. Please backport it too.

It looks like the uploaded patch files for 2.4.5 and 2.5.3 do not apply with either BSD or GNU patch, resulting in:

patch: **** malformed patch at line 391:      package = Gem::Package.new @gem

Line 350 in both patch files should probably be changed from:

@@ -480,6 +480,40 @@ def test_extract_symlink_parent

to

@@ -480,6 +480,42 @@ def test_extract_symlink_parent

as there were 36 lines added by that patch hunk.

hsbt (Hiroshi SHIBATA) wrote:

Thanks, I fixed it at v2 patches. Can you try them again?

Yes, all patches apply now, thank you very much.

Are there plans to backport the Rubygems security patches to Ruby 2.3? Ruby 2.3 is still in security maintenance status until the end of the month, so I think this would qualify, but I'm not sure.

Hi htbt,
Thanks for fixing the vulnerability issues.
I have just a question.

In case I want to fix only CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution, applying the below commit is good enough, right?

Merge branch 'h1-328571' into master-private

• master: https://github.com/rubygems/rubygems/commit/bcc96123e916a2b8d302dc0f350d9068bd014188
• v3.0.3: https://github.com/rubygems/rubygems/commit/1e6f6a0561a8531ab99c608655c4fb15524ceee2
• v2.7.9: https://github.com/rubygems/rubygems/commit/8e61a52f49c9530706cd73d2f1edc10f097e591f

@jaruga (Jun Aruga)

Sorry, my late response. your list is correct commits..

@hsbt (Hiroshi SHIBATA), sure. Thank you for the checking!