[rubygems] Update to 2.0.9
Mamoru Tasaka
mtasaka at fedoraproject.org
Tue Sep 24 21:11:52 UTC 2013
commit ffcce57aced75401e7f4bf1940d687aee8a11f97
Author: Mamoru TASAKA <mtasaka at fedoraproject.org>
Date: Mon Sep 23 11:27:03 2013 +0900
Update to 2.0.9
- Fix %gem_dir/doc ownership (bug 1008866)
- Patch for CVE-2013-4363
check_CVE-2013-4287.rb | 29 ++++++++++++++
check_CVE-2013-4363.rb | 29 ++++++++++++++
rubygems-2.0.9-CVE-2013-4363.patch | 73 ++++++++++++++++++++++++++++++++++++
rubygems.spec | 27 ++++++++++++-
4 files changed, 155 insertions(+), 3 deletions(-)
---
diff --git a/check_CVE-2013-4287.rb b/check_CVE-2013-4287.rb
new file mode 100644
index 0000000..a643b57
--- /dev/null
+++ b/check_CVE-2013-4287.rb
@@ -0,0 +1,29 @@
+require 'benchmark'
+require 'rubygems'
+
+valid = Benchmark.measure do
+ Gem::Version.new '1.22.333.4444.55555.666666.7777777'
+end
+
+puts 'Valid version time:'
+puts valid
+
+invalid = Benchmark.measure do
+ begin
+ Gem::Version.new '1.22.333.4444.55555.666666.7777777.'
+ rescue
+ end
+end
+
+puts 'Invalid version time:'
+puts invalid
+
+n = (valid.real - invalid.real).abs
+
+if 0.1 < n then
+ puts 'You are vulnerable to CVE-2013-4287.'
+ exit(1)
+else
+ puts 'You are NOT vulnerable to CVE-2013-4287.'
+end
+
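Review bot: The verdict on the `if 0.1 < n then` line rests on one Benchmark.measure sample per input, and the first `Gem::Version.new` call in the process also pays one-time costs (loading Gem::Version, compiling its regexps), so on a loaded or slow build host the 0.1 s gap can be crossed by noise alone; since %check exits 1 on "vulnerable", that fails the build on a fixed rubygems, and on a fast host the gap can also fall below 0.1 s on a vulnerable one. Warming up once, timing several runs and keeping the minimum makes the comparison reflect the parser's behaviour rather than host load, and the bare `rescue` around the invalid string should be narrowed to `rescue ArgumentError` (the error the bundled tests expect from `Gem::Version.new` on bad input) so any other failure inside the timed block surfaces instead of producing a near-zero timing. The same structure, threshold and bare rescue appear in check_CVE-2013-4363.rb in this commit and this note applies there as well.
```ruby
# … unchanged: requires …
Gem::Version.new '1' # warm-up: keep one-time load/compile costs out of the timed runs

# Minimum wall-clock time of several runs, so host load cannot fake a gap.
def best_of(runs = 3)
  Array.new(runs) { Benchmark.realtime { yield } }.min
end

valid = best_of { Gem::Version.new '1.22.333.4444.55555.666666.7777777' }
# … unchanged: 'Valid version time:' output …
invalid = best_of do
  begin
    Gem::Version.new '1.22.333.4444.55555.666666.7777777.'
  rescue ArgumentError
    nil
  end
end
# … unchanged: 'Invalid version time:' output …
n = (valid - invalid).abs
# … unchanged: verdict and exit status …
```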
diff --git a/check_CVE-2013-4363.rb b/check_CVE-2013-4363.rb
new file mode 100644
index 0000000..7843fcd
--- /dev/null
+++ b/check_CVE-2013-4363.rb
@@ -0,0 +1,29 @@
+require 'benchmark'
+require 'rubygems'
+
+valid = Benchmark.measure do
+ Gem::Version.new '111111111111111111111111'
+end
+
+puts 'Valid version time:'
+puts valid
+
+invalid = Benchmark.measure do
+ begin
+ Gem::Version.new '111111111111111111111111.'
+ rescue
+ end
+end
+
+puts 'Invalid version time:'
+puts invalid
+
+n = (valid.real - invalid.real).abs
+
+if 0.1 < n then
+ puts 'You are vulnerable to CVE-2013-XXXX.'
+ exit(1)
+else
+ puts 'You are NOT vulnerable to CVE-2013-XXXX.'
+end
+
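Review bot: The two result strings still carry the upstream placeholder `CVE-2013-XXXX` although the file name, the spec's Source11 entry and the changelog all name CVE-2013-4363, so a build log or a user running the script cannot tell which CVE was checked; change them to `puts 'You are vulnerable to CVE-2013-4363.'` and `puts 'You are NOT vulnerable to CVE-2013-4363.'`. The spec comment says this copy was modified to match the later oss-sec message, so the identifier looks like the one part of that update that was missed; it is also the only text that distinguishes this script's output from check_CVE-2013-4287.rb's in %check.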
diff --git a/rubygems-2.0.9-CVE-2013-4363.patch b/rubygems-2.0.9-CVE-2013-4363.patch
new file mode 100644
index 0000000..cb42401
--- /dev/null
+++ b/rubygems-2.0.9-CVE-2013-4363.patch
@@ -0,0 +1,73 @@
+diff --git a/lib/rubygems/version.rb b/lib/rubygems/version.rb
+index bbf04f5..5084985 100644
+--- a/lib/rubygems/version.rb
++++ b/lib/rubygems/version.rb
+@@ -148,7 +148,7 @@ class Gem::Version
+ # FIX: These are only used once, in .correct?. Do they deserve to be
+ # constants?
+ VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:
+- ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
++ ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
+
+ ##
+ # A string representation of this Version.
+diff --git a/test/rubygems/test_gem_requirement.rb b/test/rubygems/test_gem_requirement.rb
+index 1de0f41..01db08e 100644
+--- a/test/rubygems/test_gem_requirement.rb
++++ b/test/rubygems/test_gem_requirement.rb
+@@ -47,18 +47,20 @@ class TestGemRequirement < Gem::TestCase
+ end
+
+ def test_parse_bad
+- e = assert_raises Gem::Requirement::BadRequirementError do
+- Gem::Requirement.parse nil
+- end
+-
+- assert_equal 'Illformed requirement [nil]', e.message
++ [
++ nil,
++ '',
++ '! 1',
++ '= junk',
++ '1..2',
++ ].each do |bad|
++ e = assert_raises Gem::Requirement::BadRequirementError do
++ Gem::Requirement.parse bad
++ end
+
+- e = assert_raises Gem::Requirement::BadRequirementError do
+- Gem::Requirement.parse ""
++ assert_equal "Illformed requirement [#{bad.inspect}]", e.message
+ end
+
+- assert_equal 'Illformed requirement [""]', e.message
+-
+ assert_equal Gem::Requirement::BadRequirementError.superclass, ArgumentError
+ end
+
+diff --git a/test/rubygems/test_gem_version.rb b/test/rubygems/test_gem_version.rb
+index da3b87d..4775950 100644
+--- a/test/rubygems/test_gem_version.rb
++++ b/test/rubygems/test_gem_version.rb
+@@ -67,12 +67,18 @@ class TestGemVersion < Gem::TestCase
+ end
+
+ def test_initialize_bad
+- ["junk", "1.0\n2.0"].each do |bad|
+- e = assert_raises ArgumentError do
++ %W[
++ junk
++ 1.0\n2.0
++ 1..2
++ 1.2\ 3.4
++ 1-2-3
++ ].each do |bad|
++ e = assert_raises ArgumentError, bad do
+ Gem::Version.new bad
+ end
+
+- assert_equal "Malformed version number string #{bad}", e.message
++ assert_equal "Malformed version number string #{bad}", e.message, bad
+ end
+ end
+
diff --git a/rubygems.spec b/rubygems.spec
index 9d1075d..f48abf6 100644
--- a/rubygems.spec
+++ b/rubygems.spec
@@ -24,13 +24,21 @@
Summary: The Ruby standard for packaging ruby libraries
Name: rubygems
-Version: 2.0.8
-Release: 104%{?dist}
+Version: 2.0.9
+Release: 105%{?dist}
Group: Development/Libraries
License: Ruby or MIT
URL: https://rubygems.org/
Source0: http://production.cf.rubygems.org/rubygems/%{name}-%{version}.tgz
+# http://seclists.org/oss-sec/2013/q3/att-576/check_CVE-2013-4287_rb.bin
+# Slightly modified for exit status
+Source10: check_CVE-2013-4287.rb
+# http://seclists.org/oss-sec/2013/q3/att-621/check_CVE-2013-XXXX_rb.bin
+# Slightly modified for exit status,
+# Also modified to match:
+# http://seclists.org/oss-sec/2013/q3/605
+Source11: check_CVE-2013-4363.rb
# Sources from the works by Vít Ondruch <vondruch at redhat.com>
# Please keep Source100 and Patch{109,113,114} in sync with ruby.spec
@@ -46,6 +54,8 @@ Source100: operating_system.rb
#Patch3: rubygems-1.8.5-show-rdoc-process-verbosely.patch
# Fix Gem.all_load_paths (although it is deprecated and will be removed
# on 2011-10-01)
+# http://seclists.org/oss-sec/2013/q3/att-634/CVE-2013-XXXX_2_0.patch
+Patch4: rubygems-2.0.9-CVE-2013-4363.patch
# Add support for installing binary extensions according to FHS.
# https://github.com/rubygems/rubygems/issues/210
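Review bot: `Patch4:` and its URL comment are inserted directly after the comment `# Fix Gem.all_load_paths (although it is deprecated and will be removed` / `# on 2011-10-01)`, so a reader now sees the Gem.all_load_paths text as the description of Patch4; the Patch line that comment originally described is not in the hunk, so this is inferred from the context lines. Moving the two new lines above the `# Fix Gem.all_load_paths` comment, or after the `# Add support for installing binary extensions` block, keeps each comment next to its own Patch line. A one-line description next to the URL, e.g. `# CVE-2013-4363: tighten ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb (upstream patch)`, would also spare the next maintainer a trip to the mailing-list attachment.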
@@ -116,6 +126,7 @@ Documentation for %{name}
#%%patch3 -p1 -b .rdoc_v
#%%patch6 -p1 -b .load_path
%endif
+%patch4 -p1 -b .CVE_2013_4363
%patch109 -p1 -b .109
%patch113 -p1 -b .113
%patch114 -p1 -b .114
@@ -230,6 +241,10 @@ export RUBYOPT
#"/usr/bin/ruby extconf.rb\n/usr/bin/ruby-mri: No such file or directory -- extconf.rb (LoadError)\n".
#DEBUG: 1207 tests, 3731 assertions, 1 failures, 0 errors, 3 skips
testrb test || testrb test -x test_gem_installer.rb
+
+# CVE vulnerability check
+ruby -Ilib %{SOURCE10}
+ruby -Ilib %{SOURCE11}
%endif
%files
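Review bot: The comment `# CVE vulnerability check` above the two `ruby -Ilib` lines does not say which CVEs are covered, that the checks are timing-based, or that a non-zero exit fails the build, which is exactly what a packager hitting a spurious failure on a slow builder needs to know; a comment such as `# Regression checks for CVE-2013-4287 (Source10) and CVE-2013-4363 (Source11): timing-based, exit 1 means vulnerable` would say it. The two lines appear to sit inside the same conditional as `testrb test` (its `%endif` is the line below, the opening `%if` is outside the hunk), so they are skipped whenever the test suite is; if that is intended it is worth stating in the same comment.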
@@ -240,6 +255,7 @@ testrb test || testrb test -x test_gem_installer.rb
%dir %{gem_dir}
%dir %{gem_dir}/build_info
%dir %{gem_dir}/cache
+%dir %{gem_dir}/doc
%dir %{gem_dir}/gems
%dir %{gem_dir}/specifications
%dir %{gem_dir}/specifications/default
@@ -262,10 +278,15 @@ testrb test || testrb test -x test_gem_installer.rb
%{_sysconfdir}/rpm/macros.rubygems
%files doc
-%doc %{gem_dir}/doc
+%doc %{gem_dir}/doc/*
%changelog
+* Mon Sep 23 2013 Mamoru TASAKA <mtasaka at fedoraproject.org> - 2.0.9-105
+- Update to 2.0.9
+- Fix %%gem_dir/doc ownership (bug 1008866)
+- Patch for CVE-2013-4363
+
* Tue Sep 10 2013 Mamoru TASAKA <mtasaka at fedoraproject.org> - 2.0.8-104
- Update to 2.0.8, which fixes CVE-2013-4287