Bug #15637
closed
Backport RubyGems 3.0.3/2.7.9
Added by hsbt (Hiroshi SHIBATA) about 5 years ago. Updated almost 5 years ago.
Description
I released RubyGems 3.0.3 and 2.7.9 today. They contain multiple vulnerability fixes.
- https://blog.rubygems.org/2019/03/05/3.0.3-released.html
- https://blog.rubygems.org/2019/03/05/2.7.9-released.html
I attached the patches for Ruby 2.4, 2.5 and 2.6.
Files
| ruby-2.4.5-rubygems.patch (12.4 KB) ruby-2.4.5-rubygems.patch | hsbt (Hiroshi SHIBATA), 03/04/2019 11:57 PM | ||
| ruby-2.5.3-rubygems.patch (12.4 KB) ruby-2.5.3-rubygems.patch | hsbt (Hiroshi SHIBATA), 03/04/2019 11:57 PM | ||
| ruby-2.6.1-rubygems.patch (17.6 KB) ruby-2.6.1-rubygems.patch | hsbt (Hiroshi SHIBATA), 03/04/2019 11:57 PM | ||
| ruby-2.4.5-rubygems-v2.patch (12.5 KB) ruby-2.4.5-rubygems-v2.patch | hsbt (Hiroshi SHIBATA), 03/06/2019 05:03 AM | ||
| ruby-2.5.3-rubygems-v2.patch (12.5 KB) ruby-2.5.3-rubygems-v2.patch | hsbt (Hiroshi SHIBATA), 03/06/2019 05:03 AM | ||
| ruby-2.6.1-rubygems-v2.patch (17.7 KB) ruby-2.6.1-rubygems-v2.patch | hsbt (Hiroshi SHIBATA), 03/06/2019 05:03 AM |
Updated by hsbt (Hiroshi SHIBATA) about 5 years ago
- File ruby-2.4.5-rubygems.patch ruby-2.4.5-rubygems.patch added
- File ruby-2.5.3-rubygems.patch ruby-2.5.3-rubygems.patch added
- File ruby-2.6.1-rubygems.patch ruby-2.6.1-rubygems.patch added
Updated by duerst (Martin Dürst) about 5 years ago
It says "They contain multiple vulnerabilities.". I hope the intent was to write something like "They fix multiple vulnerabilities." or "They contain multiple vulnerability fixes.".
Updated by hsbt (Hiroshi SHIBATA) about 5 years ago
- Description updated (diff)
Thanks for your proofreading :)
Updated by hsbt (Hiroshi SHIBATA) about 5 years ago
I added a test fix at r67171 for Windows platform. Please backport it too.
Updated by jeremyevans0 (Jeremy Evans) about 5 years ago
It looks like the uploaded patch files for 2.4.5 and 2.5.3 do not apply with either BSD or GNU patch, resulting in:
patch: **** malformed patch at line 391: package = Gem::Package.new @gem
Line 350 in both patch files should probably be changed from:
@@ -480,6 +480,40 @@ def test_extract_symlink_parent
to
@@ -480,6 +480,42 @@ def test_extract_symlink_parent
as there were 36 lines added by that patch hunk.
Updated by hsbt (Hiroshi SHIBATA) about 5 years ago
- File ruby-2.4.5-rubygems-v2.patch ruby-2.4.5-rubygems-v2.patch added
- File ruby-2.5.3-rubygems-v2.patch ruby-2.5.3-rubygems-v2.patch added
- File ruby-2.6.1-rubygems-v2.patch ruby-2.6.1-rubygems-v2.patch added
I attached the patches with r67171.
Thanks, I fixed it at v2 patches. Can you try them again?
Updated by jeremyevans0 (Jeremy Evans) about 5 years ago
hsbt (Hiroshi SHIBATA) wrote:
Thanks, I fixed it at v2 patches. Can you try them again?
Yes, all patches apply now, thank you very much.
Updated by naruse (Yui NARUSE) about 5 years ago
- Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED to 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE
ruby_2_6 r67182 merged the patch.
Updated by nagachika (Tomoyuki Chikanaga) about 5 years ago
- Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE to 2.4: REQUIRED, 2.5: DONE, 2.6: DONE
The patch for 2.5.3 was merged at r67234.
Updated by jeremyevans0 (Jeremy Evans) about 5 years ago
Are there plans to backport the Rubygems security patches to Ruby 2.3? Ruby 2.3 is still in security maintenance status until the end of the month, so I think this would qualify, but I'm not sure.
Updated by usa (Usaku NAKAMURA) about 5 years ago
- Backport changed from 2.4: REQUIRED, 2.5: DONE, 2.6: DONE to 2.4: DONE, 2.5: DONE, 2.6: DONE
Updated by jaruga (Jun Aruga) about 5 years ago
Hi htbt,
Thanks for fixing the vulnerability issues.
I have just a question.
In case I want to fix only CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution, applying the below commit is good enough, right?
Merge branch 'h1-328571' into master-private
Updated by hsbt (Hiroshi SHIBATA) almost 5 years ago
Sorry, my late response. your list is correct commits..
Updated by jaruga (Jun Aruga) almost 5 years ago
@hsbt (Hiroshi SHIBATA), sure. Thank you for the checking!