0e5448af50
We unfortunately cannot use the upstream patches directly as they are not in 'patch -p1' format, so convert them and include instead. Fixes: CVE-2017-0899 - RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences. CVE-2017-0900 - RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command. CVE-2017-0901 - RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem. CVE-2017-0902 - RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls. For more details, see https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/ Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
446 lines
14 KiB
Diff
446 lines
14 KiB
Diff
[PATCH] bump rubygems to 2.6.12
|
|
|
|
Downloaded from upstream:
|
|
https://bugs.ruby-lang.org/attachments/download/6692/rubygems-2612-ruby24.patch
|
|
|
|
And converted to patch-p1.
|
|
|
|
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
diff --git a/lib/rubygems.rb b/lib/rubygems.rb
|
|
index 5cd1a4c47a..bc5bf9b4c2 100644
|
|
--- a/lib/rubygems.rb
|
|
+++ b/lib/rubygems.rb
|
|
@@ -10,7 +10,7 @@
|
|
require 'thread'
|
|
|
|
module Gem
|
|
- VERSION = "2.6.11"
|
|
+ VERSION = "2.6.12"
|
|
end
|
|
|
|
# Must be first since it unloads the prelude from 1.9.2
|
|
@@ -234,6 +234,7 @@ def self.needs
|
|
|
|
def self.finish_resolve(request_set=Gem::RequestSet.new)
|
|
request_set.import Gem::Specification.unresolved_deps.values
|
|
+ request_set.import Gem.loaded_specs.values.map {|s| Gem::Dependency.new(s.name, s.version) }
|
|
|
|
request_set.resolve_current.each do |s|
|
|
s.full_spec.activate
|
|
diff --git a/lib/rubygems/commands/open_command.rb b/lib/rubygems/commands/open_command.rb
|
|
index a89b7421e3..059635e835 100644
|
|
--- a/lib/rubygems/commands/open_command.rb
|
|
+++ b/lib/rubygems/commands/open_command.rb
|
|
@@ -72,7 +72,7 @@ def open_editor path
|
|
end
|
|
|
|
def spec_for name
|
|
- spec = Gem::Specification.find_all_by_name(name, @version).last
|
|
+ spec = Gem::Specification.find_all_by_name(name, @version).first
|
|
|
|
return spec if spec
|
|
|
|
diff --git a/lib/rubygems/commands/query_command.rb b/lib/rubygems/commands/query_command.rb
|
|
index f25d120b88..70f8127292 100644
|
|
--- a/lib/rubygems/commands/query_command.rb
|
|
+++ b/lib/rubygems/commands/query_command.rb
|
|
@@ -86,7 +86,7 @@ def execute
|
|
name = Array(options[:name])
|
|
else
|
|
args = options[:args].to_a
|
|
- name = options[:exact] ? args : args.map{|arg| /#{arg}/i }
|
|
+ name = options[:exact] ? args.map{|arg| /\A#{Regexp.escape(arg)}\Z/ } : args.map{|arg| /#{arg}/i }
|
|
end
|
|
|
|
prerelease = options[:prerelease]
|
|
diff --git a/lib/rubygems/commands/sources_command.rb b/lib/rubygems/commands/sources_command.rb
|
|
index 9832afd214..7e46963a4c 100644
|
|
--- a/lib/rubygems/commands/sources_command.rb
|
|
+++ b/lib/rubygems/commands/sources_command.rb
|
|
@@ -44,7 +44,7 @@ def add_source source_uri # :nodoc:
|
|
source = Gem::Source.new source_uri
|
|
|
|
begin
|
|
- if Gem.sources.include? source_uri then
|
|
+ if Gem.sources.include? source then
|
|
say "source #{source_uri} already present in the cache"
|
|
else
|
|
source.load_specs :released
|
|
diff --git a/lib/rubygems/dependency_list.rb b/lib/rubygems/dependency_list.rb
|
|
index 35fe7c4c1a..d8314eaf60 100644
|
|
--- a/lib/rubygems/dependency_list.rb
|
|
+++ b/lib/rubygems/dependency_list.rb
|
|
@@ -104,7 +104,7 @@ def find_name(full_name)
|
|
end
|
|
|
|
def inspect # :nodoc:
|
|
- "#<%s:0x%x %p>" % [self.class, object_id, map { |s| s.full_name }]
|
|
+ "%s %p>" % [super[0..-2], map { |s| s.full_name }]
|
|
end
|
|
|
|
##
|
|
diff --git a/lib/rubygems/installer.rb b/lib/rubygems/installer.rb
|
|
index f4d3e728de..967543c2d1 100644
|
|
--- a/lib/rubygems/installer.rb
|
|
+++ b/lib/rubygems/installer.rb
|
|
@@ -214,7 +214,7 @@ def check_executable_overwrite filename # :nodoc:
|
|
|
|
ruby_executable = true
|
|
existing = io.read.slice(%r{
|
|
- ^(
|
|
+ ^\s*(
|
|
gem \s |
|
|
load \s Gem\.bin_path\( |
|
|
load \s Gem\.activate_bin_path\(
|
|
@@ -701,6 +701,8 @@ def verify_gem_home(unpack = false) # :nodoc:
|
|
# Return the text for an application file.
|
|
|
|
def app_script_text(bin_file_name)
|
|
+ # note that the `load` lines cannot be indented, as old RG versions match
|
|
+ # against the beginning of the line
|
|
return <<-TEXT
|
|
#{shebang bin_file_name}
|
|
#
|
|
@@ -723,7 +725,12 @@ def app_script_text(bin_file_name)
|
|
end
|
|
end
|
|
|
|
+if Gem.respond_to?(:activate_bin_path)
|
|
load Gem.activate_bin_path('#{spec.name}', '#{bin_file_name}', version)
|
|
+else
|
|
+gem #{spec.name.dump}, version
|
|
+load Gem.bin_path(#{spec.name.dump}, #{bin_file_name.dump}, version)
|
|
+end
|
|
TEXT
|
|
end
|
|
|
|
diff --git a/lib/rubygems/platform.rb b/lib/rubygems/platform.rb
|
|
index d22d91ae54..2dd9ed5782 100644
|
|
--- a/lib/rubygems/platform.rb
|
|
+++ b/lib/rubygems/platform.rb
|
|
@@ -112,7 +112,7 @@ def initialize(arch)
|
|
end
|
|
|
|
def inspect
|
|
- "#<%s:0x%x @cpu=%p, @os=%p, @version=%p>" % [self.class, object_id, *to_a]
|
|
+ "%s @cpu=%p, @os=%p, @version=%p>" % [super[0..-2], *to_a]
|
|
end
|
|
|
|
def to_a
|
|
diff --git a/lib/rubygems/security.rb b/lib/rubygems/security.rb
|
|
index 119d6d56f7..6963ca156f 100644
|
|
--- a/lib/rubygems/security.rb
|
|
+++ b/lib/rubygems/security.rb
|
|
@@ -455,7 +455,7 @@ def self.create_cert_self_signed subject, key, age = ONE_YEAR,
|
|
|
|
##
|
|
# Creates a new key pair of the specified +length+ and +algorithm+. The
|
|
- # default is a 2048 bit RSA key.
|
|
+ # default is a 3072 bit RSA key.
|
|
|
|
def self.create_key length = KEY_LENGTH, algorithm = KEY_ALGORITHM
|
|
algorithm.new length
|
|
diff --git a/lib/rubygems/server.rb b/lib/rubygems/server.rb
|
|
index 81df0e608e..df4eb566d3 100644
|
|
--- a/lib/rubygems/server.rb
|
|
+++ b/lib/rubygems/server.rb
|
|
@@ -657,7 +657,7 @@ def root(req, res)
|
|
"only_one_executable" => true,
|
|
"full_name" => "rubygems-#{Gem::VERSION}",
|
|
"has_deps" => false,
|
|
- "homepage" => "http://docs.rubygems.org/",
|
|
+ "homepage" => "http://guides.rubygems.org/",
|
|
"name" => 'rubygems',
|
|
"ri_installed" => true,
|
|
"summary" => "RubyGems itself",
|
|
diff --git a/lib/rubygems/specification.rb b/lib/rubygems/specification.rb
|
|
index a2f289d162..500f0af768 100644
|
|
--- a/lib/rubygems/specification.rb
|
|
+++ b/lib/rubygems/specification.rb
|
|
@@ -2105,7 +2105,7 @@ def inspect # :nodoc:
|
|
if $DEBUG
|
|
super
|
|
else
|
|
- "#<#{self.class}:0x#{__id__.to_s(16)} #{full_name}>"
|
|
+ "#{super[0..-2]} #{full_name}>"
|
|
end
|
|
end
|
|
|
|
diff --git a/lib/rubygems/test_case.rb b/lib/rubygems/test_case.rb
|
|
index 86b68e1efb..4e48f1eb4c 100644
|
|
--- a/lib/rubygems/test_case.rb
|
|
+++ b/lib/rubygems/test_case.rb
|
|
@@ -484,7 +484,7 @@ def git_gem name = 'a', version = 1
|
|
|
|
system @git, 'add', gemspec
|
|
system @git, 'commit', '-a', '-m', 'a non-empty commit message', '--quiet'
|
|
- head = Gem::Util.popen('git', 'rev-parse', 'master').strip
|
|
+ head = Gem::Util.popen(@git, 'rev-parse', 'master').strip
|
|
end
|
|
|
|
return name, git_spec.version, directory, head
|
|
@@ -1498,6 +1498,8 @@ def self.key_path key_name
|
|
begin
|
|
gem 'rdoc'
|
|
require 'rdoc'
|
|
+
|
|
+ require 'rubygems/rdoc'
|
|
rescue LoadError, Gem::LoadError
|
|
end
|
|
|
|
@@ -1514,3 +1516,4 @@ def self.key_path key_name
|
|
pid = $$
|
|
END {tmpdirs.each {|dir| Dir.rmdir(dir)} if $$ == pid}
|
|
Gem.clear_paths
|
|
+Gem.loaded_specs.clear
|
|
diff --git a/test/rubygems/test_gem.rb b/test/rubygems/test_gem.rb
|
|
index a605f9cdfe..62b36dfd41 100644
|
|
--- a/test/rubygems/test_gem.rb
|
|
+++ b/test/rubygems/test_gem.rb
|
|
@@ -75,6 +75,29 @@ def test_self_finish_resolve_wtf
|
|
end
|
|
end
|
|
|
|
+ def test_self_finish_resolve_respects_loaded_specs
|
|
+ save_loaded_features do
|
|
+ a1 = new_spec "a", "1", "b" => "> 0"
|
|
+ b1 = new_spec "b", "1", "c" => ">= 1"
|
|
+ b2 = new_spec "b", "2", "c" => ">= 2"
|
|
+ c1 = new_spec "c", "1"
|
|
+ c2 = new_spec "c", "2"
|
|
+
|
|
+ install_specs c1, c2, b1, b2, a1
|
|
+
|
|
+ a1.activate
|
|
+ c1.activate
|
|
+
|
|
+ assert_equal %w(a-1 c-1), loaded_spec_names
|
|
+ assert_equal ["b (> 0)"], unresolved_names
|
|
+
|
|
+ Gem.finish_resolve
|
|
+
|
|
+ assert_equal %w(a-1 b-1 c-1), loaded_spec_names
|
|
+ assert_equal [], unresolved_names
|
|
+ end
|
|
+ end
|
|
+
|
|
def test_self_install
|
|
spec_fetcher do |f|
|
|
f.gem 'a', 1
|
|
@@ -492,7 +515,7 @@ def test_self_find_files_with_gemfile
|
|
skip if RUBY_VERSION <= "1.8.7"
|
|
|
|
cwd = File.expand_path("test/rubygems", @@project_dir)
|
|
- $LOAD_PATH.unshift cwd
|
|
+ actual_load_path = $LOAD_PATH.unshift(cwd).dup
|
|
|
|
discover_path = File.join 'lib', 'sff', 'discover.rb'
|
|
|
|
@@ -518,12 +541,12 @@ def test_self_find_files_with_gemfile
|
|
expected = [
|
|
File.expand_path('test/rubygems/sff/discover.rb', @@project_dir),
|
|
File.join(foo1.full_gem_path, discover_path)
|
|
- ]
|
|
+ ].sort
|
|
|
|
- assert_equal expected, Gem.find_files('sff/discover')
|
|
- assert_equal expected, Gem.find_files('sff/**.rb'), '[ruby-core:31730]'
|
|
+ assert_equal expected, Gem.find_files('sff/discover').sort
|
|
+ assert_equal expected, Gem.find_files('sff/**.rb').sort, '[ruby-core:31730]'
|
|
ensure
|
|
- assert_equal cwd, $LOAD_PATH.shift unless RUBY_VERSION <= "1.8.7"
|
|
+ assert_equal cwd, actual_load_path.shift unless RUBY_VERSION <= "1.8.7"
|
|
end
|
|
|
|
def test_self_find_latest_files
|
|
diff --git a/test/rubygems/test_gem_commands_open_command.rb b/test/rubygems/test_gem_commands_open_command.rb
|
|
index 3ec38972e6..a96fa6ea23 100644
|
|
--- a/test/rubygems/test_gem_commands_open_command.rb
|
|
+++ b/test/rubygems/test_gem_commands_open_command.rb
|
|
@@ -24,7 +24,8 @@ def test_execute
|
|
@cmd.options[:args] = %w[foo]
|
|
@cmd.options[:editor] = "#{Gem.ruby} -e0 --"
|
|
|
|
- spec = gem 'foo'
|
|
+ gem 'foo', '1.0.0'
|
|
+ spec = gem 'foo', '1.0.1'
|
|
mock = MiniTest::Mock.new
|
|
mock.expect(:call, true, [spec.full_gem_path])
|
|
|
|
diff --git a/test/rubygems/test_gem_commands_query_command.rb b/test/rubygems/test_gem_commands_query_command.rb
|
|
index 223f205b2d..d8d682b136 100644
|
|
--- a/test/rubygems/test_gem_commands_query_command.rb
|
|
+++ b/test/rubygems/test_gem_commands_query_command.rb
|
|
@@ -642,7 +642,7 @@ def test_execute_local_details
|
|
assert_equal expected, @ui.output
|
|
end
|
|
|
|
- def test_execute_exact
|
|
+ def test_execute_exact_remote
|
|
spec_fetcher do |fetcher|
|
|
fetcher.spec 'coolgem-omg', 3
|
|
fetcher.spec 'coolgem', '4.2.1'
|
|
@@ -665,6 +665,60 @@ def test_execute_exact
|
|
assert_equal expected, @ui.output
|
|
end
|
|
|
|
+ def test_execute_exact_local
|
|
+ spec_fetcher do |fetcher|
|
|
+ fetcher.spec 'coolgem-omg', 3
|
|
+ fetcher.spec 'coolgem', '4.2.1'
|
|
+ fetcher.spec 'wow_coolgem', 1
|
|
+ end
|
|
+
|
|
+ @cmd.handle_options %w[--exact coolgem]
|
|
+
|
|
+ use_ui @ui do
|
|
+ @cmd.execute
|
|
+ end
|
|
+
|
|
+ expected = <<-EOF
|
|
+
|
|
+*** LOCAL GEMS ***
|
|
+
|
|
+coolgem (4.2.1)
|
|
+ EOF
|
|
+
|
|
+ assert_equal expected, @ui.output
|
|
+ end
|
|
+
|
|
+ def test_execute_exact_multiple
|
|
+ spec_fetcher do |fetcher|
|
|
+ fetcher.spec 'coolgem-omg', 3
|
|
+ fetcher.spec 'coolgem', '4.2.1'
|
|
+ fetcher.spec 'wow_coolgem', 1
|
|
+
|
|
+ fetcher.spec 'othergem-omg', 3
|
|
+ fetcher.spec 'othergem', '1.2.3'
|
|
+ fetcher.spec 'wow_othergem', 1
|
|
+ end
|
|
+
|
|
+ @cmd.handle_options %w[--exact coolgem othergem]
|
|
+
|
|
+ use_ui @ui do
|
|
+ @cmd.execute
|
|
+ end
|
|
+
|
|
+ expected = <<-EOF
|
|
+
|
|
+*** LOCAL GEMS ***
|
|
+
|
|
+coolgem (4.2.1)
|
|
+
|
|
+*** LOCAL GEMS ***
|
|
+
|
|
+othergem (1.2.3)
|
|
+ EOF
|
|
+
|
|
+ assert_equal expected, @ui.output
|
|
+ end
|
|
+
|
|
private
|
|
|
|
def add_gems_to_fetcher
|
|
diff --git a/test/rubygems/test_gem_commands_sources_command.rb b/test/rubygems/test_gem_commands_sources_command.rb
|
|
index 014b4b4c12..d5b6d99419 100644
|
|
--- a/test/rubygems/test_gem_commands_sources_command.rb
|
|
+++ b/test/rubygems/test_gem_commands_sources_command.rb
|
|
@@ -108,6 +108,58 @@ def test_execute_add_redundant_source
|
|
assert_equal '', @ui.error
|
|
end
|
|
|
|
+ def test_execute_add_redundant_source_trailing_slash
|
|
+ # Remove pre-existing gem source (w/ slash)
|
|
+ repo_with_slash = "http://gems.example.com/"
|
|
+ @cmd.handle_options %W[--remove #{repo_with_slash}]
|
|
+ use_ui @ui do
|
|
+ @cmd.execute
|
|
+ end
|
|
+ source = Gem::Source.new repo_with_slash
|
|
+ assert_equal false, Gem.sources.include?(source)
|
|
+
|
|
+ expected = <<-EOF
|
|
+#{repo_with_slash} removed from sources
|
|
+ EOF
|
|
+
|
|
+ assert_equal expected, @ui.output
|
|
+ assert_equal '', @ui.error
|
|
+
|
|
+ # Re-add pre-existing gem source (w/o slash)
|
|
+ repo_without_slash = "http://gems.example.com"
|
|
+ @cmd.handle_options %W[--add #{repo_without_slash}]
|
|
+ use_ui @ui do
|
|
+ @cmd.execute
|
|
+ end
|
|
+ source = Gem::Source.new repo_without_slash
|
|
+ assert_equal true, Gem.sources.include?(source)
|
|
+
|
|
+ expected = <<-EOF
|
|
+http://gems.example.com/ removed from sources
|
|
+http://gems.example.com added to sources
|
|
+ EOF
|
|
+
|
|
+ assert_equal expected, @ui.output
|
|
+ assert_equal '', @ui.error
|
|
+
|
|
+ # Re-add original gem source (w/ slash)
|
|
+ @cmd.handle_options %W[--add #{repo_with_slash}]
|
|
+ use_ui @ui do
|
|
+ @cmd.execute
|
|
+ end
|
|
+ source = Gem::Source.new repo_with_slash
|
|
+ assert_equal true, Gem.sources.include?(source)
|
|
+
|
|
+ expected = <<-EOF
|
|
+http://gems.example.com/ removed from sources
|
|
+http://gems.example.com added to sources
|
|
+source http://gems.example.com/ already present in the cache
|
|
+ EOF
|
|
+
|
|
+ assert_equal expected, @ui.output
|
|
+ assert_equal '', @ui.error
|
|
+ end
|
|
+
|
|
def test_execute_add_http_rubygems_org
|
|
http_rubygems_org = 'http://rubygems.org'
|
|
|
|
diff --git a/test/rubygems/test_gem_installer.rb b/test/rubygems/test_gem_installer.rb
|
|
index 6ceb2c6dfc..882981d344 100644
|
|
--- a/test/rubygems/test_gem_installer.rb
|
|
+++ b/test/rubygems/test_gem_installer.rb
|
|
@@ -62,7 +62,12 @@ def test_app_script_text
|
|
end
|
|
end
|
|
|
|
+if Gem.respond_to?(:activate_bin_path)
|
|
load Gem.activate_bin_path('a', 'executable', version)
|
|
+else
|
|
+gem "a", version
|
|
+load Gem.bin_path("a", "executable", version)
|
|
+end
|
|
EOF
|
|
|
|
wrapper = @installer.app_script_text 'executable'
|
|
diff --git a/test/rubygems/test_require.rb b/test/rubygems/test_require.rb
|
|
index dd606e44d4..936f78fb2a 100644
|
|
--- a/test/rubygems/test_require.rb
|
|
+++ b/test/rubygems/test_require.rb
|
|
@@ -301,6 +301,17 @@ def test_default_gem_only
|
|
assert_equal %w(default-2.0.0.0), loaded_spec_names
|
|
end
|
|
|
|
+ def test_realworld_default_gem
|
|
+ skip "no default gems on ruby < 2.0" unless RUBY_VERSION >= "2"
|
|
+ cmd = <<-RUBY
|
|
+ $stderr = $stdout
|
|
+ require "json"
|
|
+ puts Gem.loaded_specs["json"].default_gem?
|
|
+ RUBY
|
|
+ output = Gem::Util.popen(Gem.ruby, "-e", cmd).strip
|
|
+ assert_equal "true", output
|
|
+ end
|
|
+
|
|
def test_default_gem_and_normal_gem
|
|
default_gem_spec = new_default_spec("default", "2.0.0.0",
|
|
nil, "default/gem.rb")
|