rubygems-update 2.0.17 → 2.1.0.rc.1

data/CVE-2013-4287.txt

@@ -1,36 +0,0 @@
-= Algorithmic complexity vulnerability in RubyGems 2.0.7 and older
-
-RubyGems validates versions with a regular expression that is vulnerable to
-denial of service due to a backtracking regular expression.  For specially
-crafted RubyGems versions attackers can cause denial of service through CPU
-consumption.
-
-RubyGems versions 2.0.7 and older, 2.1.0.rc.1 and 2.1.0.rc.2 are vulnerable.
-
-Ruby versions 1.9.0 through 2.0.0p247 are vulnerable as they contain embedded
-versions of RubyGems.
-
-It does not appear to be possible to exploit this vulnerability by installing a
-gem for RubyGems 1.8.x or 2.0.x.  Vulnerable uses of RubyGems API include
-packaging a gem (through `gem build`, Gem::Package or Gem::PackageTask),
-sending user input to Gem::Version.new, Gem::Version.correct? or use of the
-Gem::Version::VERSION_PATTERN or Gem::Version::ANCHORED_VERSION_PATTERN
-constants.
-
-Notably, users of bundler that install gems from git are vulnerable if a
-malicious author changes the gemspec to an invalid version.
-
-The vulnerability can be fixed by changing the first grouping to an atomic
-grouping in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb.  For
-RubyGems 2.0.x:
-
-  -  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
-  +  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
-
-For RubyGems 1.8.x:
-
-  -  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*' # :nodoc:
-  +  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:
-
-This vulnerability was discovered by Damir Sharipov <dammer2k@gmail.com>
-

data/CVE-2013-4363.txt

@@ -1,45 +0,0 @@
-= Algorithmic complexity vulnerability in RubyGems 2.1.4 and older
-
-The patch for CVE-2013-4287 was insufficiently verified so the combined
-regular expression for verifying gem version remains vulnerable following
-CVE-2013-4287.
-
-RubyGems validates versions with a regular expression that is vulnerable to
-denial of service due to backtracking.  For specially crafted RubyGems
-versions attackers can cause denial of service through CPU consumption.
-
-RubyGems versions 2.1.4 and older are vulnerable.
-
-Ruby versions 1.9.0 through 2.0.0p247 are vulnerable as they contain embedded
-versions of RubyGems.
-
-It does not appear to be possible to exploit this vulnerability by installing a
-gem for RubyGems 1.8.x or newer.  Vulnerable uses of RubyGems API include
-packaging a gem (through `gem build`, Gem::Package or Gem::PackageTask),
-sending user input to Gem::Version.new, Gem::Version.correct? or use of the
-Gem::Version::VERSION_PATTERN or Gem::Version::ANCHORED_VERSION_PATTERN
-constants.
-
-Notably, users of bundler that install gems from git are vulnerable if a
-malicious author changes the gemspec to an invalid version.
-
-The vulnerability can be fixed by changing the "*" repetition to a "?"
-repetition in Gem::Version::ANCHORED_VERSION_PATTERN in
-lib/rubygems/version.rb.  For RubyGems 2.1.x:
-
-  -  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
-  +  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
-
-For RubyGems 2.0.x:
-
-  -  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
-  +  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
-
-For RubyGems 1.8.x:
-
-  -  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
-  +  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
-
-
-This vulnerability was discovered by Alexander Cherepanov <cherepan@mccme.ru>
-

data/lib/rubygems/ssl_certs/AddTrustExternalCARoot-2048.pem

@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
-MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
-IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
-MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
-FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
-bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
-dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
-H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
-uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
-mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
-a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
-E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
-WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
-VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
-Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
-cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
-IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
-AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
-YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
-6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
-Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
-c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
-mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
------END CERTIFICATE-----

data/lib/rubygems/ssl_certs/Class3PublicPrimaryCertificationAuthority.pem

@@ -1,14 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
-A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
-cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
-MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
-BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
-YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
-ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
-BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
-I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
-CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
-lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
-AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
------END CERTIFICATE-----

data/lib/rubygems/ssl_certs/DigiCertHighAssuranceEVRootCA.pem

@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
-ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL
-MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
-LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug
-RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm
-+9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW
-PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM
-xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB
-Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3
-hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg
-EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF
-MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA
-FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec
-nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z
-eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF
-hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2
-Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe
-vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep
-+OkuE6N36B9K
------END CERTIFICATE-----

data/lib/rubygems/ssl_certs/EntrustnetSecureServerCertificationAuthority.pem

@@ -1,28 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIE2DCCBEGgAwIBAgIEN0rSQzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC
-VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u
-ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc
-KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u
-ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05OTA1
-MjUxNjA5NDBaFw0xOTA1MjUxNjM5NDBaMIHDMQswCQYDVQQGEwJVUzEUMBIGA1UE
-ChMLRW50cnVzdC5uZXQxOzA5BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5j
-b3JwLiBieSByZWYuIChsaW1pdHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBF
-bnRydXN0Lm5ldCBMaW1pdGVkMTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUg
-U2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGdMA0GCSqGSIb3DQEBAQUA
-A4GLADCBhwKBgQDNKIM0VBuJ8w+vN5Ex/68xYMmo6LIQaO2f55M28Qpku0f1BBc/
-I0dNxScZgSYMVHINiC3ZH5oSn7yzcdOAGT9HZnuMNSjSuQrfJNqc1lB5gXpa0zf3
-wkrYKZImZNHkmGw6AIr1NJtl+O3jEP/9uElY3KDegjlrgbEWGWG5VLbmQwIBA6OC
-AdcwggHTMBEGCWCGSAGG+EIBAQQEAwIABzCCARkGA1UdHwSCARAwggEMMIHeoIHb
-oIHYpIHVMIHSMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLRW50cnVzdC5uZXQxOzA5
-BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5jb3JwLiBieSByZWYuIChsaW1p
-dHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBFbnRydXN0Lm5ldCBMaW1pdGVk
-MTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUgU2VydmVyIENlcnRpZmljYXRp
-b24gQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMCmgJ6AlhiNodHRwOi8vd3d3LmVu
-dHJ1c3QubmV0L0NSTC9uZXQxLmNybDArBgNVHRAEJDAigA8xOTk5MDUyNTE2MDk0
-MFqBDzIwMTkwNTI1MTYwOTQwWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAU8Bdi
-E1U9s/8KAGv7UISX8+1i0BowHQYDVR0OBBYEFPAXYhNVPbP/CgBr+1CEl/PtYtAa
-MAwGA1UdEwQFMAMBAf8wGQYJKoZIhvZ9B0EABAwwChsEVjQuMAMCBJAwDQYJKoZI
-hvcNAQEFBQADgYEAkNwwAvpkdMKnCqV8IY00F6j7Rw7/JXyNEwr75Ji174z4xRAN
-95K+8cPV1ZVqBLssziY2ZcgxxufuP+NXdYR6Ee9GTxj005i7qIcyunL2POI9n9cd
-2cNgQ4xYDiKWL2KjLB+6rQXvqzJ4h6BUcxm1XAX5Uj5tLUUL9wqT6u0G+bI=
------END CERTIFICATE-----

data/test/rubygems/test_bundled_ca.rb

@@ -1,59 +0,0 @@
-require 'rubygems/test_case'
-require 'net/https'
-
-# = Testing Bundled CA
-#
-# The tested hosts are explained in detail here: https://github.com/rubygems/rubygems/commit/5e16a5428f973667cabfa07e94ff939e7a83ebd9
-#
-class TestBundledCA < Gem::TestCase
-
-  THIS_FILE = File.expand_path __FILE__
-
-  def bundled_certificate_store
-    store = OpenSSL::X509::Store.new
-
-    ssl_cert_glob =
-      File.expand_path '../../../lib/rubygems/ssl_certs/*.pem', THIS_FILE
-
-    Dir[ssl_cert_glob].each do |ssl_cert|
-      store.add_file ssl_cert
-    end
-
-    store
-  end
-
-  def assert_https(host)
-    if self.respond_to? :_assertions # minitest <= 4
-      self._assertions += 1
-    else # minitest >= 5
-      self.assertions += 1
-    end
-    http = Net::HTTP.new(host, 443)
-    http.use_ssl = true
-    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
-    http.cert_store = bundled_certificate_store
-    http.get('/')
-  rescue Errno::ENOENT
-    skip "#{host} seems offline, I can't tell whether ssl would work."
-  rescue OpenSSL::SSL::SSLError => e
-    # Only fail for certificate verification errors
-    if e.message =~ /certificate verify failed/
-      flunk "#{host} is not verifiable using the included certificates. Error was: #{e.message}"
-    end
-    raise
-  end
-
-  def test_accessing_rubygems
-    assert_https('rubygems.org')
-  end
-
-  def test_accessing_cloudfront
-    assert_https('d2chzxaqi4y7f8.cloudfront.net')
-  end
-
-  def test_accessing_s3
-    assert_https('s3.amazonaws.com')
-  end
-
-end if ENV['TRAVIS']
-

data/util/update_bundled_ca_certificates.rb

@@ -1,103 +0,0 @@
-require 'net/http'
-require 'openssl'
-
-URIS = [
-  URI('https://rubygems.org'),
-  URI('https://s3.amazonaws.com'),
-  URI('https://d2chzxaqi4y7f8.cloudfront.net'),
-  URI('https://rubygems.global.ssl.fastly.net'),
-]
-
-def connect_to uri, store
-  http = Net::HTTP.new uri.hostname, uri.port
-
-  http.use_ssl = uri.scheme.downcase == 'https'
-  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
-  http.cert_store = store
-
-  http.get '/'
-
-  true
-rescue OpenSSL::SSL::SSLError
-  false
-end
-
-def load_certificates io
-  cert_texts =
-    io.read.scan(/^-{5}BEGIN CERTIFICATE-{5}.*?^-{5}END CERTIFICATE-{5}/m)
-
-  cert_texts.map do |cert_text|
-    OpenSSL::X509::Certificate.new cert_text
-  end
-end
-
-def show_certificates certificates
-  certificates.each do |certificate|
-    p certificate.subject.to_a
-  end
-end
-
-def store_for certificates
-  store = OpenSSL::X509::Store.new
-  certificates.each do |certificate|
-    store.add_cert certificate
-  end
-
-  store
-end
-
-def test_certificates certificates, uri
-  1.upto certificates.length do |n|
-    puts "combinations of #{n} certificates"
-    certificates.combination(n).each do |combination|
-      match = test_uri uri, combination
-
-      if match then
-        $needed_combinations << match
-        puts
-        return
-      else
-        print '.'
-      end
-    end
-    puts
-  end
-end
-
-def test_uri uri, certificates
-  store = store_for certificates
-
-  verified = connect_to uri, store
-
-  return certificates if verified
-
-  nil
-end
-
-def write_certificates certificates
-  certificates.each do |certificate|
-    subject = certificate.subject.to_a
-    name = (subject.assoc('CN') || subject.assoc('OU'))[1]
-    name = name.delete ' .-'
-
-    open "lib/rubygems/ssl_certs/#{name}.pem", 'w' do |io|
-      io.write certificate.to_pem
-    end
-  end
-end
-
-certificates = load_certificates ARGF
-puts "loaded #{certificates.length} certificates"
-
-$needed_combinations = []
-
-URIS.each do |uri|
-  puts uri
-
-  test_certificates certificates, uri
-end
-
-needed = $needed_combinations.flatten.uniq
-
-write_certificates needed
-