From: jaruga@redhat.com
To: ruby-core@ruby-lang.org
Date: Mon, 15 Apr 2019 13:33:56 +0000 (UTC)
Subject: [ruby-core:92296] [Ruby trunk Bug#15637] Backport RubyGems 3.0.3/2.7.9

Issue #15637 has been updated by jaruga (Jun Aruga).

Hi hsbt,

Thanks for fixing the vulnerability issues. I have just one question.

In case I want to fix only CVE-2019-8324 ("Installing a malicious gem may lead to arbitrary code execution"), applying the commit below is good enough, right?

Merge branch 'h1-328571' into master-private

* master: https://github.com/rubygems/rubygems/commit/bcc96123e916a2b8d302dc0f350d9068bd014188
* v3.0.3: https://github.com/rubygems/rubygems/commit/1e6f6a0561a8531ab99c608655c4fb15524ceee2
* v2.7.9: https://github.com/rubygems/rubygems/commit/8e61a52f49c9530706cd73d2f1edc10f097e591f

----------------------------------------
Bug #15637: Backport RubyGems 3.0.3/2.7.9
https://bugs.ruby-lang.org/issues/15637#change-77637

* Author: hsbt (Hiroshi SHIBATA)
* Status: Closed
* Priority: Normal
* Assignee:
* Target version:
* ruby -v:
* Backport: 2.4: DONE, 2.5: DONE, 2.6: DONE
----------------------------------------
I released RubyGems 3.0.3 and 2.7.9 today. They contain multiple vulnerability fixes.

* https://blog.rubygems.org/2019/03/05/3.0.3-released.html
* https://blog.rubygems.org/2019/03/05/2.7.9-released.html

I attached the patches for Ruby 2.4, 2.5 and 2.6.

---Files--------------------------------
ruby-2.4.5-rubygems.patch (12.4 KB)
ruby-2.5.3-rubygems.patch (12.4 KB)
ruby-2.6.1-rubygems.patch (17.6 KB)
ruby-2.4.5-rubygems-v2.patch (12.5 KB)
ruby-2.5.3-rubygems-v2.patch (12.5 KB)
ruby-2.6.1-rubygems-v2.patch (17.7 KB)

-- 
https://bugs.ruby-lang.org/