Backport RubyGems 3.0.3/2.7.9
I released RubyGems 3.0.3 and 2.7.9 today. They contain multiple vulnerability fixes.
I attached the patches for Ruby 2.4, 2.5 and 2.6.
| File | Size | Uploaded by | Date |
|---|---|---|---|
| ruby-2.4.5-rubygems.patch | 12.4 KB | hsbt (Hiroshi SHIBATA) | 03/04/2019 11:57 PM |
| ruby-2.5.3-rubygems.patch | 12.4 KB | hsbt (Hiroshi SHIBATA) | 03/04/2019 11:57 PM |
| ruby-2.6.1-rubygems.patch | 17.6 KB | hsbt (Hiroshi SHIBATA) | 03/04/2019 11:57 PM |
| ruby-2.4.5-rubygems-v2.patch | 12.5 KB | hsbt (Hiroshi SHIBATA) | 03/06/2019 05:03 AM |
| ruby-2.5.3-rubygems-v2.patch | 12.5 KB | hsbt (Hiroshi SHIBATA) | 03/06/2019 05:03 AM |
| ruby-2.6.1-rubygems-v2.patch | 17.7 KB | hsbt (Hiroshi SHIBATA) | 03/06/2019 05:03 AM |
Updated by jeremyevans0 (Jeremy Evans) over 3 years ago
It looks like the uploaded patch files for 2.4.5 and 2.5.3 do not apply with either BSD or GNU patch, resulting in:
patch: **** malformed patch at line 391: package = Gem::Package.new @gem
Line 350 in both patch files should probably be changed from:
@@ -480,6 +480,40 @@ def test_extract_symlink_parent
to:
@@ -480,6 +480,42 @@ def test_extract_symlink_parent
as there were 36 lines added by that patch hunk.
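As an added example (not code from the ticket or from RubyGems), the consistency check behind that "malformed patch" error: it recounts a hunk body and compares it with the counts the `@@` header declares, run here on a constructed hunk with the same shape as the one above (6 context lines, 36 added lines, header claiming 40 instead of 42).

```ruby
# Added example, not from the ticket or RubyGems: checks that a unified-diff
# hunk header's line counts match the hunk body, which is the consistency
# check `patch` performs before it reports "malformed patch".
HUNK_HEADER = /\A@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@(.*)\z/

# Parses "@@ -old_start,old_count +new_start,new_count @@ trailer".
# A missing ",count" means 1 (unified diff convention).
def parse_hunk_header(line)
  m = HUNK_HEADER.match(line.chomp) or raise ArgumentError, "not a hunk header: #{line.inspect}"
  { old_start: m[1].to_i, old_count: (m[2] || 1).to_i,
    new_start: m[3].to_i, new_count: (m[4] || 1).to_i, trailer: m[5] }
end

# Counts the lines the body consumes on the old and new side: context lines
# count for both, '-' lines only for old, '+' lines only for new.
def count_hunk_body(body_lines)
  old_n = new_n = 0
  body_lines.each do |l|
    case l.chomp[0]
    when ' ', nil then old_n += 1; new_n += 1   # nil: blank context line
    when '-'      then old_n += 1
    when '+'      then new_n += 1
    when '\\'     then next                      # "\ No newline at end of file"
    else raise ArgumentError, "unexpected hunk line: #{l.inspect}"
    end
  end
  [old_n, new_n]
end

# Returns nil when the header agrees with the body, otherwise the corrected
# header (same start lines and trailer, recounted lengths).
def check_hunk(header, body_lines)
  h = parse_hunk_header(header)
  old_n, new_n = count_hunk_body(body_lines)
  return nil if [h[:old_count], h[:new_count]] == [old_n, new_n]
  "@@ -#{h[:old_start]},#{old_n} +#{h[:new_start]},#{new_n} @@#{h[:trailer]}"
end

# Constructed sample mirroring the broken hunk: 6 context lines and 36 added
# lines, but a header that claims only 40 new-side lines instead of 42.
SAMPLE_HEADER = "@@ -480,6 +480,40 @@ def test_extract_symlink_parent"
SAMPLE_BODY = Array.new(3) { " ctx" } +
              Array.new(36) { |i| "+    added_line_#{i}" } +
              Array.new(3) { " ctx" }

if __FILE__ == $0
  puts(check_hunk(SAMPLE_HEADER, SAMPLE_BODY) || "hunk header is consistent")
end
```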
Updated by hsbt (Hiroshi SHIBATA) over 3 years ago
- File ruby-2.4.5-rubygems-v2.patch ruby-2.4.5-rubygems-v2.patch added
- File ruby-2.5.3-rubygems-v2.patch ruby-2.5.3-rubygems-v2.patch added
- File ruby-2.6.1-rubygems-v2.patch ruby-2.6.1-rubygems-v2.patch added
I attached the patches with r67171.
Thanks, I fixed it in the v2 patches. Can you try them again?
Updated by jaruga (Jun Aruga) over 3 years ago
Thanks for fixing the vulnerability issues.
I just have a question.
In case I want to fix only CVE-2019-8324 (Installing a malicious gem may lead to arbitrary code execution), applying the commit below is good enough, right?
Merge branch 'h1-328571' into master-private