rubygems-update 1.8.26 → 1.8.27



checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 96e012cc53e235e197d84c2d2a4eea42b89bc4e5
4
- data.tar.gz: 6963749517681827506e11a24b0e7c1fb75ae347
3
+ metadata.gz: f702ffa3ece9550894623e67f76dc80ae70e8318
4
+ data.tar.gz: 9a6dead1815ab005f0d9daedc74ab5e034485773
5
5
  SHA512:
6
- metadata.gz: 09a61481c125c0740fc699d29b1ee5567bb3ef6e6b7c9622f546d496b09319fcaa12282b7056d1ee961cda99739f2849114b6d81fd550f5786baf842474a0a85
7
- data.tar.gz: bdb3d9f8e46d4ba2270589f7085e844c59052485a990d557e506e57ad30132e196e05684cfaf3ee0c94bfbc9ca241e927048a9961236677b6d3f94bdefedbd01
6
+ metadata.gz: c4514f8b10c7aa5c45639d9690120be56684846c82ccbc1d6d4bd7f5deff8386cd1715a24e6dac06d7468a1bb1e378a227f0b15bc4c4320e27919938590e9aac
7
+ data.tar.gz: aff569a6495ea9a955ff89f7832ac41d0fdf659c2a568dc048678b6bc7e438fc990acf3f004d22b7b201ded65adf1883e7927f54f8a9d5d231eb0183e89e510d
Binary file
data.tar.gz.sig CHANGED
Binary file
@@ -0,0 +1,45 @@
1
+ = Algorithmic complexity vulnerability in RubyGems 2.1.4 and older
2
+
3
+ The patch for CVE-2013-4287 was insufficiently verified so the combined
4
+ regular expression for verifying gem version remains vulnerable following
5
+ CVE-2013-4287.
6
+
7
+ RubyGems validates versions with a regular expression that is vulnerable to
8
+ denial of service due to backtracking. For specially crafted RubyGems
9
+ versions attackers can cause denial of service through CPU consumption.
10
+
11
+ RubyGems versions 2.1.4 and older are vulnerable.
12
+
13
+ Ruby versions 1.9.0 through 2.0.0p247 are vulnerable as they contain embedded
14
+ versions of RubyGems.
15
+
16
+ It does not appear to be possible to exploit this vulnerability by installing a
17
+ gem for RubyGems 1.8.x or newer. Vulnerable uses of RubyGems API include
18
+ packaging a gem (through `gem build`, Gem::Package or Gem::PackageTask),
19
+ sending user input to Gem::Version.new, Gem::Version.correct? or use of the
20
+ Gem::Version::VERSION_PATTERN or Gem::Version::ANCHORED_VERSION_PATTERN
21
+ constants.
22
+
23
+ Notably, users of bundler that install gems from git are vulnerable if a
24
+ malicious author changes the gemspec to an invalid version.
25
+
26
+ The vulnerability can be fixed by changing the "*" repetition to a "?"
27
+ repetition in Gem::Version::ANCHORED_VERSION_PATTERN in
28
+ lib/rubygems/version.rb. For RubyGems 2.1.x:
29
+
30
+ - ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
31
+ + ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
32
+
33
+ For RubyGems 2.0.x:
34
+
35
+ - ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
36
+ + ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
37
+
38
+ For RubyGems 1.8.x:
39
+
40
+ - ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
41
+ + ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
42
+
43
+
44
+ This vulnerability was discovered by Alexander Cherepanov <cherepan@mccme.ru>
45
+
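Review bot: the remediation section (added lines 26 to 41) repeats the identical one-line `-`/`+` change three times under "For RubyGems 2.1.x", "2.0.x" and "1.8.x"; state once that the same `*` to `?` change to ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb applies to all three branches, or show the actually differing context if there is any. Added lines 16 and 17 assert that the bug cannot be reached by installing a gem on 1.8.x or newer, yet the next sentence lists Gem::Version.new and Gem::Version.correct? as vulnerable entry points, both of which an install path calls; the advisory should say which earlier check rejects the malformed version before the pattern runs, so readers can judge the claim. Minor: lines 42 and 43 leave two blank lines before the credit and line 45 adds a trailing blank line.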
@@ -1,5 +1,14 @@
1
1
  # coding: UTF-8
2
2
 
3
+ === 1.8.26 / 2013-09-24
4
+
5
+ Security fixes:
6
+
7
+ * RubyGems 2.1.4 and earlier are vulnerable to excessive CPU usage due to a
8
+ backtracking in Gem::Version validation. See CVE-2013-4363 for full details
9
+ including vulnerable APIs. Fixed versions include 2.1.5, 2.0.10, 1.8.27 and
10
+ 1.8.23.2 (for Ruby 1.9.3).
11
+
3
12
  === 1.8.26 / 2013-09-09
4
13
 
5
14
  Security fixes:
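Review bot: the heading on added line 3 reads `=== 1.8.26 / 2013-09-24`, but this release is 1.8.27 (VERSION is bumped to '1.8.27' in lib/rubygems.rb and metadata carries version: 1.8.27), and the entry's own text names 1.8.27 as the fixed version; change it to `=== 1.8.27 / 2013-09-24`, otherwise History.txt shows two 1.8.26 entries with different dates.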
@@ -1,6 +1,7 @@
1
1
  .autotest
2
2
  .document
3
3
  CVE-2013-4287.txt
4
+ CVE-2013-4363.txt
4
5
  History.txt
5
6
  LICENSE.txt
6
7
  MIT.txt
@@ -121,7 +121,7 @@ require "rubygems/deprecate"
121
121
  # -The RubyGems Team
122
122
 
123
123
  module Gem
124
- VERSION = '1.8.26'
124
+ VERSION = '1.8.27'
125
125
 
126
126
  ##
127
127
  # Raised when RubyGems is unable to load or activate a gem. Contains the
@@ -146,7 +146,7 @@ class Gem::Version
146
146
  include Comparable
147
147
 
148
148
  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:
149
- ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
149
+ ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
150
150
 
151
151
  ##
152
152
  # A string representation of this Version.
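Review bot: the change on line 149 is the right fix. With `*`, the anchored pattern nests an unbounded repetition around `[0-9]+` inside VERSION_PATTERN, so when the input ends in something the pattern cannot match the engine can split a run of digits between outer iterations in exponentially many ways before giving up; the atomic `(?>\.[0-9a-zA-Z]+)*` only protects the dotted segments, not that outer loop, and `?` removes the nesting entirely. Two follow-ups: a short comment on line 149 saying why `?` rather than `*` is used would stop the original form from being reintroduced as a "tidy-up", and note that both `*` and `?` still match a whitespace-only string, so how an empty version is treated is unchanged by this hunk and remains the callers' responsibility.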
@@ -37,17 +37,19 @@ class TestGemRequirement < Gem::TestCase
37
37
  end
38
38
 
39
39
  def test_parse_bad
40
- e = assert_raises ArgumentError do
41
- Gem::Requirement.parse nil
42
- end
43
-
44
- assert_equal 'Illformed requirement [nil]', e.message
40
+ [
41
+ nil,
42
+ '',
43
+ '! 1',
44
+ '= junk',
45
+ '1..2',
46
+ ].each do |bad|
47
+ e = assert_raises ArgumentError do
48
+ Gem::Requirement.parse bad
49
+ end
45
50
 
46
- e = assert_raises ArgumentError do
47
- Gem::Requirement.parse ""
51
+ assert_equal "Illformed requirement [#{bad.inspect}]", e.message
48
52
  end
49
-
50
- assert_equal 'Illformed requirement [""]', e.message
51
53
  end
52
54
 
53
55
  def test_prerelease_eh
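Review bot: folding the nil and "" cases into the loop (added lines 40 to 51) silently changes the expected message from fixed literals to `"Illformed requirement [#{bad.inspect}]"`, which still yields `[nil]` and `[""]` for those two inputs but now also pins the quoted form (e.g. `["! 1"]`) for the new string inputs; that is fine if Gem::Requirement.parse really uses inspect in its message, so please confirm rather than rely on the assertion passing by coincidence. The `'1..2'` input is also added to test_initialize_bad in test_gem_version.rb; since Gem::Requirement.parse delegates to Gem::Version, one of the two copies is redundant.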
@@ -67,12 +67,18 @@ class TestGemVersion < Gem::TestCase
67
67
  end
68
68
 
69
69
  def test_initialize_bad
70
- ["junk", "1.0\n2.0"].each do |bad|
71
- e = assert_raises ArgumentError do
70
+ %W[
71
+ junk
72
+ 1.0\n2.0
73
+ 1..2
74
+ 1.2\ 3.4
75
+ 1-2-3
76
+ ].each do |bad|
77
+ e = assert_raises ArgumentError, bad do
72
78
  Gem::Version.new bad
73
79
  end
74
80
 
75
- assert_equal "Malformed version number string #{bad}", e.message
81
+ assert_equal "Malformed version number string #{bad}", e.message, bad
76
82
  end
77
83
  end
78
84
 
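Review bot: none of the five inputs in the `%W[...]` list exercises the backtracking this release fixes; `1-2-3`, `1..2` and the others are rejected quickly with either pattern because they are only a few characters long. Add a regression case built from a long digit run followed by a character the pattern cannot match and assert that it is rejected (the test will hang rather than fail if `*` comes back, so a small timeout or length bound in the assertion is worth having). Also worth a comment: inside `%W[...]` the `\n` in `1.0\n2.0` and the `\ ` in `1.2\ 3.4` are interpreted escapes (a real newline and a literal space), which is the intent but easy to misread. Passing `bad` as the message argument to assert_raises and assert_equal on lines 77 and 81 is a good change, since a failure now names the offending input.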
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rubygems-update
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.8.26
4
+ version: 1.8.27
5
5
  platform: ruby
6
6
  authors:
7
7
  - Jim Weirich
@@ -32,7 +32,7 @@ cert_chain:
32
32
  KDyY1VIazVgoC8XvR4h/95/iScPiuglzA+DBG1hip1xScAtw05BrXyUNrc9CEMYU
33
33
  wgF94UVoHRp6ywo8I7NP3HcwFQDFNEZPNGXsng==
34
34
  -----END CERTIFICATE-----
35
- date: 2013-09-09 00:00:00.000000000 Z
35
+ date: 2013-09-24 00:00:00.000000000 Z
36
36
  dependencies:
37
37
  - !ruby/object:Gem::Dependency
38
38
  name: minitest
@@ -178,6 +178,7 @@ executables:
178
178
  extensions: []
179
179
  extra_rdoc_files:
180
180
  - CVE-2013-4287.txt
181
+ - CVE-2013-4363.txt
181
182
  - History.txt
182
183
  - LICENSE.txt
183
184
  - MIT.txt
@@ -189,6 +190,7 @@ files:
189
190
  - .autotest
190
191
  - .document
191
192
  - CVE-2013-4287.txt
193
+ - CVE-2013-4363.txt
192
194
  - History.txt
193
195
  - LICENSE.txt
194
196
  - MIT.txt
@@ -400,7 +402,7 @@ post_install_message:
400
402
  rdoc_options:
401
403
  - --main
402
404
  - README.rdoc
403
- - --title=RubyGems 1.8.26 Documentation
405
+ - --title=RubyGems 1.8.27 Documentation
404
406
  require_paths:
405
407
  - hide_lib_for_update
406
408
  required_ruby_version: !ruby/object:Gem::Requirement
@@ -415,7 +417,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
415
417
  version: '0'
416
418
  requirements: []
417
419
  rubyforge_project: rubygems
418
- rubygems_version: 2.1.0
420
+ rubygems_version: 2.1.4
419
421
  signing_key:
420
422
  specification_version: 4
421
423
  summary: RubyGems is a package management framework for Ruby
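Review bot: `rubygems_version: 2.1.4` on added line 420 records that this release was packaged with RubyGems 2.1.4, which the bundled CVE-2013-4363.txt lists as vulnerable and which names gem packaging (`gem build`) among the affected uses. The shipped archive is not itself at risk from that, but a security release built by a packager the same release declares vulnerable invites questions; rebuilding with 2.1.5 (the fixed 2.1.x version named in the History.txt entry) would avoid that. The date bump to 2013-09-24 matches the new History.txt entry.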
metadata.gz.sig CHANGED
Binary file