[ruby-core:91665] [Ruby trunk Bug#15637] Backport RubyGems 3.0.3/2.7.9

[ruby-core:91665] [Ruby trunk Bug#15637] Backport RubyGems 3.0.3/2.7.9

[hsbt]

Issue #15637 has been reported by hsbt (Hiroshi SHIBATA).

----------------------------------------
Bug #15637: Backport RubyGems 3.0.3/2.7.9
https://bugs.ruby-lang.org/issues/15637

* Author: hsbt (Hiroshi SHIBATA)
* Status: Closed
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 
* Backport: 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED
----------------------------------------
I released RubyGems 3.0.3 and 2.7.9 today. They contain multiple vulnerabilities.

* https://blog.rubygems.org/2019/03/05/3.0.3-released.html
* https://blog.rubygems.org/2019/03/05/2.7.9-released.html

I attached the patches for Ruby 2.4, 2.5 and 2.6.



-- 
https://bugs.ruby-lang.org/

[ruby-core:91667] [Ruby trunk Bug#15637] Backport RubyGems 3.0.3/2.7.9

[duerst]

Issue #15637 has been updated by duerst (Martin Dürst).


It says "They contain multiple vulnerabilities.". I hope the intent was to write something like "They fix multiple vulnerabilities." or "They contain multiple vulnerability fixes.".


----------------------------------------
Bug #15637: Backport RubyGems 3.0.3/2.7.9
https://bugs.ruby-lang.org/issues/15637#change-76927

* Author: hsbt (Hiroshi SHIBATA)
* Status: Closed
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 
* Backport: 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED
----------------------------------------
I released RubyGems 3.0.3 and 2.7.9 today. They contain multiple vulnerabilities.

* https://blog.rubygems.org/2019/03/05/3.0.3-released.html
* https://blog.rubygems.org/2019/03/05/2.7.9-released.html

I attached the patches for Ruby 2.4, 2.5 and 2.6.

---Files--------------------------------
ruby-2.4.5-rubygems.patch (12.4 KB)
ruby-2.5.3-rubygems.patch (12.4 KB)
ruby-2.6.1-rubygems.patch (17.6 KB)


-- 
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>

[ruby-core:91671] [Ruby trunk Bug#15637] Backport RubyGems 3.0.3/2.7.9

[hsbt]

Issue #15637 has been updated by hsbt (Hiroshi SHIBATA).

Description updated

@duerst

Thanks for your proofreading :)

----------------------------------------
Bug #15637: Backport RubyGems 3.0.3/2.7.9
https://bugs.ruby-lang.org/issues/15637#change-76933

* Author: hsbt (Hiroshi SHIBATA)
* Status: Closed
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 
* Backport: 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED
----------------------------------------
I released RubyGems 3.0.3 and 2.7.9 today. They contain multiple vulnerability fixes.

* https://blog.rubygems.org/2019/03/05/3.0.3-released.html
* https://blog.rubygems.org/2019/03/05/2.7.9-released.html

I attached the patches for Ruby 2.4, 2.5 and 2.6.

---Files--------------------------------
ruby-2.4.5-rubygems.patch (12.4 KB)
ruby-2.5.3-rubygems.patch (12.4 KB)
ruby-2.6.1-rubygems.patch (17.6 KB)


-- 
https://bugs.ruby-lang.org/

[ruby-core:91684] [Ruby trunk Bug#15637] Backport RubyGems 3.0.3/2.7.9

[hsbt]

Issue #15637 has been updated by hsbt (Hiroshi SHIBATA).


I added a test fix at r67171 for Windows platform. Please backport it too.

----------------------------------------
Bug #15637: Backport RubyGems 3.0.3/2.7.9
https://bugs.ruby-lang.org/issues/15637#change-76946

* Author: hsbt (Hiroshi SHIBATA)
* Status: Closed
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 
* Backport: 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED
----------------------------------------
I released RubyGems 3.0.3 and 2.7.9 today. They contain multiple vulnerability fixes.

* https://blog.rubygems.org/2019/03/05/3.0.3-released.html
* https://blog.rubygems.org/2019/03/05/2.7.9-released.html

I attached the patches for Ruby 2.4, 2.5 and 2.6.

---Files--------------------------------
ruby-2.4.5-rubygems.patch (12.4 KB)
ruby-2.5.3-rubygems.patch (12.4 KB)
ruby-2.6.1-rubygems.patch (17.6 KB)


-- 
https://bugs.ruby-lang.org/

[ruby-core:91685] [Ruby trunk Bug#15637] Backport RubyGems 3.0.3/2.7.9

[merch-redmine]

Issue #15637 has been updated by jeremyevans0 (Jeremy Evans).


It looks like the uploaded patch files for 2.4.5 and 2.5.3 do not apply with either BSD or GNU patch, resulting in:

```
patch: **** malformed patch at line 391:      package = Gem::Package.new @gem
```

Line 350 in both patch files should probably be changed from:

```
@@ -480,6 +480,40 @@ def test_extract_symlink_parent
```

to

```
@@ -480,6 +480,42 @@ def test_extract_symlink_parent
```

as there were 36 lines added by that patch hunk.

----------------------------------------
Bug #15637: Backport RubyGems 3.0.3/2.7.9
https://bugs.ruby-lang.org/issues/15637#change-76947

* Author: hsbt (Hiroshi SHIBATA)
* Status: Closed
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 
* Backport: 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED
----------------------------------------
I released RubyGems 3.0.3 and 2.7.9 today. They contain multiple vulnerability fixes.

* https://blog.rubygems.org/2019/03/05/3.0.3-released.html
* https://blog.rubygems.org/2019/03/05/2.7.9-released.html

I attached the patches for Ruby 2.4, 2.5 and 2.6.

---Files--------------------------------
ruby-2.4.5-rubygems.patch (12.4 KB)
ruby-2.5.3-rubygems.patch (12.4 KB)
ruby-2.6.1-rubygems.patch (17.6 KB)


-- 
https://bugs.ruby-lang.org/

[ruby-core:91687] [Ruby trunk Bug#15637] Backport RubyGems 3.0.3/2.7.9

[hsbt]

Issue #15637 has been updated by hsbt (Hiroshi SHIBATA).

File ruby-2.6.1-rubygems-v2.patch added
File ruby-2.5.3-rubygems-v2.patch added
File ruby-2.4.5-rubygems-v2.patch added

I attached the patches with r67171.

@jeremyevans0

Thanks, I fixed it at v2 patches. Can you try them again?

----------------------------------------
Bug #15637: Backport RubyGems 3.0.3/2.7.9
https://bugs.ruby-lang.org/issues/15637#change-76949

* Author: hsbt (Hiroshi SHIBATA)
* Status: Closed
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 
* Backport: 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED
----------------------------------------
I released RubyGems 3.0.3 and 2.7.9 today. They contain multiple vulnerability fixes.

* https://blog.rubygems.org/2019/03/05/3.0.3-released.html
* https://blog.rubygems.org/2019/03/05/2.7.9-released.html

I attached the patches for Ruby 2.4, 2.5 and 2.6.

---Files--------------------------------
ruby-2.4.5-rubygems.patch (12.4 KB)
ruby-2.5.3-rubygems.patch (12.4 KB)
ruby-2.6.1-rubygems.patch (17.6 KB)
ruby-2.4.5-rubygems-v2.patch (12.5 KB)
ruby-2.5.3-rubygems-v2.patch (12.5 KB)
ruby-2.6.1-rubygems-v2.patch (17.7 KB)


-- 
https://bugs.ruby-lang.org/

[ruby-core:91689] [Ruby trunk Bug#15637] Backport RubyGems 3.0.3/2.7.9

[merch-redmine]

Issue #15637 has been updated by jeremyevans0 (Jeremy Evans).


hsbt (Hiroshi SHIBATA) wrote:
> Thanks, I fixed it at v2 patches. Can you try them again?

Yes, all patches apply now, thank you very much.

----------------------------------------
Bug #15637: Backport RubyGems 3.0.3/2.7.9
https://bugs.ruby-lang.org/issues/15637#change-76950

* Author: hsbt (Hiroshi SHIBATA)
* Status: Closed
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 
* Backport: 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED
----------------------------------------
I released RubyGems 3.0.3 and 2.7.9 today. They contain multiple vulnerability fixes.

* https://blog.rubygems.org/2019/03/05/3.0.3-released.html
* https://blog.rubygems.org/2019/03/05/2.7.9-released.html

I attached the patches for Ruby 2.4, 2.5 and 2.6.

---Files--------------------------------
ruby-2.4.5-rubygems.patch (12.4 KB)
ruby-2.5.3-rubygems.patch (12.4 KB)
ruby-2.6.1-rubygems.patch (17.6 KB)
ruby-2.4.5-rubygems-v2.patch (12.5 KB)
ruby-2.5.3-rubygems-v2.patch (12.5 KB)
ruby-2.6.1-rubygems-v2.patch (17.7 KB)


-- 
https://bugs.ruby-lang.org/

[ruby-core:91698] [Ruby trunk Bug#15637] Backport RubyGems 3.0.3/2.7.9

[naruse]

Issue #15637 has been updated by naruse (Yui NARUSE).

Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED to 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE

ruby_2_6 r67182 merged the patch.

----------------------------------------
Bug #15637: Backport RubyGems 3.0.3/2.7.9
https://bugs.ruby-lang.org/issues/15637#change-76963

* Author: hsbt (Hiroshi SHIBATA)
* Status: Closed
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 
* Backport: 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE
----------------------------------------
I released RubyGems 3.0.3 and 2.7.9 today. They contain multiple vulnerability fixes.

* https://blog.rubygems.org/2019/03/05/3.0.3-released.html
* https://blog.rubygems.org/2019/03/05/2.7.9-released.html

I attached the patches for Ruby 2.4, 2.5 and 2.6.

---Files--------------------------------
ruby-2.4.5-rubygems.patch (12.4 KB)
ruby-2.5.3-rubygems.patch (12.4 KB)
ruby-2.6.1-rubygems.patch (17.6 KB)
ruby-2.4.5-rubygems-v2.patch (12.5 KB)
ruby-2.5.3-rubygems-v2.patch (12.5 KB)
ruby-2.6.1-rubygems-v2.patch (17.7 KB)


-- 
https://bugs.ruby-lang.org/

[ruby-core:91793] [Ruby trunk Bug#15637] Backport RubyGems 3.0.3/2.7.9

[nagachika00]

Issue #15637 has been updated by nagachika (Tomoyuki Chikanaga).

Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE to 2.4: REQUIRED, 2.5: DONE, 2.6: DONE

The patch for 2.5.3 was merged at r67234.

----------------------------------------
Bug #15637: Backport RubyGems 3.0.3/2.7.9
https://bugs.ruby-lang.org/issues/15637#change-77067

* Author: hsbt (Hiroshi SHIBATA)
* Status: Closed
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 
* Backport: 2.4: REQUIRED, 2.5: DONE, 2.6: DONE
----------------------------------------
I released RubyGems 3.0.3 and 2.7.9 today. They contain multiple vulnerability fixes.

* https://blog.rubygems.org/2019/03/05/3.0.3-released.html
* https://blog.rubygems.org/2019/03/05/2.7.9-released.html

I attached the patches for Ruby 2.4, 2.5 and 2.6.

---Files--------------------------------
ruby-2.4.5-rubygems.patch (12.4 KB)
ruby-2.5.3-rubygems.patch (12.4 KB)
ruby-2.6.1-rubygems.patch (17.6 KB)
ruby-2.4.5-rubygems-v2.patch (12.5 KB)
ruby-2.5.3-rubygems-v2.patch (12.5 KB)
ruby-2.6.1-rubygems-v2.patch (17.7 KB)


-- 
https://bugs.ruby-lang.org/

[ruby-core:91851] [Ruby trunk Bug#15637] Backport RubyGems 3.0.3/2.7.9

[merch-redmine]

Issue #15637 has been updated by jeremyevans0 (Jeremy Evans).


Are there plans to backport the Rubygems security patches to Ruby 2.3?  Ruby 2.3 is still in security maintenance status until the end of the month, so I think this would qualify, but I'm not sure.

----------------------------------------
Bug #15637: Backport RubyGems 3.0.3/2.7.9
https://bugs.ruby-lang.org/issues/15637#change-77122

* Author: hsbt (Hiroshi SHIBATA)
* Status: Closed
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 
* Backport: 2.4: REQUIRED, 2.5: DONE, 2.6: DONE
----------------------------------------
I released RubyGems 3.0.3 and 2.7.9 today. They contain multiple vulnerability fixes.

* https://blog.rubygems.org/2019/03/05/3.0.3-released.html
* https://blog.rubygems.org/2019/03/05/2.7.9-released.html

I attached the patches for Ruby 2.4, 2.5 and 2.6.

---Files--------------------------------
ruby-2.4.5-rubygems.patch (12.4 KB)
ruby-2.5.3-rubygems.patch (12.4 KB)
ruby-2.6.1-rubygems.patch (17.6 KB)
ruby-2.4.5-rubygems-v2.patch (12.5 KB)
ruby-2.5.3-rubygems-v2.patch (12.5 KB)
ruby-2.6.1-rubygems-v2.patch (17.7 KB)


-- 
https://bugs.ruby-lang.org/

[ruby-core:92296] [Ruby trunk Bug#15637] Backport RubyGems 3.0.3/2.7.9

[jaruga]

Issue #15637 has been updated by jaruga (Jun Aruga).


Hi htbt,
Thanks for fixing the vulnerability issues.
I have just a question.

In case I want to fix only CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution, applying the below commit is good enough, right?

Merge branch 'h1-328571' into master-private 
* master: https://github.com/rubygems/rubygems/commit/bcc96123e916a2b8d302dc0f350d9068bd014188
* v3.0.3: https://github.com/rubygems/rubygems/commit/1e6f6a0561a8531ab99c608655c4fb15524ceee2
* v2.7.9: https://github.com/rubygems/rubygems/commit/8e61a52f49c9530706cd73d2f1edc10f097e591f


----------------------------------------
Bug #15637: Backport RubyGems 3.0.3/2.7.9
https://bugs.ruby-lang.org/issues/15637#change-77637

* Author: hsbt (Hiroshi SHIBATA)
* Status: Closed
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 
* Backport: 2.4: DONE, 2.5: DONE, 2.6: DONE
----------------------------------------
I released RubyGems 3.0.3 and 2.7.9 today. They contain multiple vulnerability fixes.

* https://blog.rubygems.org/2019/03/05/3.0.3-released.html
* https://blog.rubygems.org/2019/03/05/2.7.9-released.html

I attached the patches for Ruby 2.4, 2.5 and 2.6.

---Files--------------------------------
ruby-2.4.5-rubygems.patch (12.4 KB)
ruby-2.5.3-rubygems.patch (12.4 KB)
ruby-2.6.1-rubygems.patch (17.6 KB)
ruby-2.4.5-rubygems-v2.patch (12.5 KB)
ruby-2.5.3-rubygems-v2.patch (12.5 KB)
ruby-2.6.1-rubygems-v2.patch (17.7 KB)


-- 
https://bugs.ruby-lang.org/

[ruby-core:92929] [Ruby trunk Bug#15637] Backport RubyGems 3.0.3/2.7.9

[hsbt]

Issue #15637 has been updated by hsbt (Hiroshi SHIBATA).


@jaruga

Sorry, my late response. your list is correct commits..

----------------------------------------
Bug #15637: Backport RubyGems 3.0.3/2.7.9
https://bugs.ruby-lang.org/issues/15637#change-78305

* Author: hsbt (Hiroshi SHIBATA)
* Status: Closed
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 
* Backport: 2.4: DONE, 2.5: DONE, 2.6: DONE
----------------------------------------
I released RubyGems 3.0.3 and 2.7.9 today. They contain multiple vulnerability fixes.

* https://blog.rubygems.org/2019/03/05/3.0.3-released.html
* https://blog.rubygems.org/2019/03/05/2.7.9-released.html

I attached the patches for Ruby 2.4, 2.5 and 2.6.

---Files--------------------------------
ruby-2.4.5-rubygems.patch (12.4 KB)
ruby-2.5.3-rubygems.patch (12.4 KB)
ruby-2.6.1-rubygems.patch (17.6 KB)
ruby-2.4.5-rubygems-v2.patch (12.5 KB)
ruby-2.5.3-rubygems-v2.patch (12.5 KB)
ruby-2.6.1-rubygems-v2.patch (17.7 KB)


-- 
https://bugs.ruby-lang.org/

[ruby-core:92936] [Ruby trunk Bug#15637] Backport RubyGems 3.0.3/2.7.9

[jaruga]

Issue #15637 has been updated by jaruga (Jun Aruga).


@hsbt, sure. Thank you for the checking!


----------------------------------------
Bug #15637: Backport RubyGems 3.0.3/2.7.9
https://bugs.ruby-lang.org/issues/15637#change-78312

* Author: hsbt (Hiroshi SHIBATA)
* Status: Closed
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 
* Backport: 2.4: DONE, 2.5: DONE, 2.6: DONE
----------------------------------------
I released RubyGems 3.0.3 and 2.7.9 today. They contain multiple vulnerability fixes.

* https://blog.rubygems.org/2019/03/05/3.0.3-released.html
* https://blog.rubygems.org/2019/03/05/2.7.9-released.html

I attached the patches for Ruby 2.4, 2.5 and 2.6.

---Files--------------------------------
ruby-2.4.5-rubygems.patch (12.4 KB)
ruby-2.5.3-rubygems.patch (12.4 KB)
ruby-2.6.1-rubygems.patch (17.6 KB)
ruby-2.4.5-rubygems-v2.patch (12.5 KB)
ruby-2.5.3-rubygems-v2.patch (12.5 KB)
ruby-2.6.1-rubygems-v2.patch (17.7 KB)


-- 
https://bugs.ruby-lang.org/