rubygems-update 2.0.7 → 2.0.8
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +2 -1
- data.tar.gz.sig +1 -1
- data/.autotest +1 -1
- data/CVE-2013-4287.txt +36 -0
- data/History.txt +14 -2
- data/Manifest.txt +1 -0
- data/Rakefile +3 -1
- data/lib/rubygems.rb +2 -2
- data/lib/rubygems/version.rb +1 -1
- metadata +5 -3
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 91ef9091ddee5ecdd6f0fcb5b693a22c2e0184c6
|
4
|
+
data.tar.gz: b39e56d72971a75c73269237f952620f31a65e6f
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: a06cc15ee1e43192e446360c58c80d4c97dbafa0fb4114528aaeefad5be2c9678e1b89d092d07cac04c2e1124cfa80071c75857d7d04f225dbf403cb6162e43c
|
7
|
+
data.tar.gz: 456ba6216bef9b550ed28163baec53b8dd08a853fbc185f577781dddb71cfa1b7d8f28463bafcc8932e54b17e28a998b3e835539c49a3cbc73f0ceb4d65d0d6c
|
checksums.yaml.gz.sig
CHANGED
@@ -1 +1,2 @@
|
|
1
|
-
|
1
|
+
z�="oP�[���� ����3��Kၮ
|
2
|
+
Oe�����[�[:
|
data.tar.gz.sig
CHANGED
@@ -1 +1 @@
|
|
1
|
-
|
1
|
+
U�@���G�(Fۡ@2�2�{�Mt��[էwe$0��A!-��a�"]�������]I���l� �d>���`��'>��g�;�,�i��e���Պ/P��!ѐ�+��>F���F�}M��;&�t��֠f�����ԌK��qPB��I��:j �<�.˿��_�U������6��?ᯒ�6�))1��q6�LI[��5�G��8�e�bE�/9���Xh�]F�9���W��$�0�| �uvB�d�Y4
|
data/.autotest
CHANGED
data/CVE-2013-4287.txt
ADDED
@@ -0,0 +1,36 @@
|
|
1
|
+
= Algorithmic complexity vulnerability in RubyGems 2.0.7 and older
|
2
|
+
|
3
|
+
RubyGems validates versions with a regular expression that is vulnerable to
|
4
|
+
denial of service due to a backtracking regular expression. For specially
|
5
|
+
crafted RubyGems versions attackers can cause denial of service through CPU
|
6
|
+
consumption.
|
7
|
+
|
8
|
+
RubyGems versions 2.0.7 and older, 2.1.0.rc.1 and 2.1.0.rc.2 are vulnerable.
|
9
|
+
|
10
|
+
Ruby versions 1.9.0 through 2.0.0p247 are vulnerable as they contain embedded
|
11
|
+
versions of RubyGems.
|
12
|
+
|
13
|
+
It does not appear to be possible to exploit this vulnerability by installing a
|
14
|
+
gem for RubyGems 1.8.x or 2.0.x. Vulnerable uses of RubyGems API include
|
15
|
+
packaging a gem (through `gem build`, Gem::Package or Gem::PackageTask),
|
16
|
+
sending user input to Gem::Version.new, Gem::Version.correct? or use of the
|
17
|
+
Gem::Version::VERSION_PATTERN or Gem::Version::ANCHORED_VERSION_PATTERN
|
18
|
+
constants.
|
19
|
+
|
20
|
+
Notably, users of bundler that install gems from git are vulnerable if a
|
21
|
+
malicious author changes the gemspec to an invalid version.
|
22
|
+
|
23
|
+
The vulnerability can be fixed by changing the first grouping to an atomic
|
24
|
+
grouping in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb. For
|
25
|
+
RubyGems 2.0.x:
|
26
|
+
|
27
|
+
- VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
|
28
|
+
+ VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
|
29
|
+
|
30
|
+
For RubyGems 1.8.x:
|
31
|
+
|
32
|
+
- VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*' # :nodoc:
|
33
|
+
+ VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:
|
34
|
+
|
35
|
+
This vulnerability was discovered by Damir Sharipov <dammer2k@gmail.com>
|
36
|
+
|
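Review bot: the "For RubyGems 2.0.x" diff in this advisory does not match the version.rb change shipped in this very release, which patches the shorter `'[0-9]+(?>\.[0-9a-zA-Z]+)*'` form (the one the advisory labels as 1.8.x); the prerelease suffix `(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?` is not in 2.0.8's pattern. Either correct the 2.0.x example or state that the suffixed pattern belongs to the 2.1 line, so anyone backporting from this text applies the right diff. It would also help to say why `(?>...)` fixes the problem: the atomic group stops the engine from re-splitting the already-matched `\.[0-9a-zA-Z]+` segments when the anchored match fails, which is the backtracking the first paragraph describes.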
data/History.txt
CHANGED
@@ -1,11 +1,23 @@
|
|
1
1
|
# coding: UTF-8
|
2
2
|
|
3
|
-
=== 2.0.
|
3
|
+
=== 2.0.8 / 2013-09-09
|
4
|
+
|
5
|
+
Security fixes:
|
6
|
+
|
7
|
+
* RubyGems 2.0.7 and earlier are vulnerable to excessive CPU usage due to a
|
8
|
+
backtracking in Gem::Version validation. See CVE-2013-4287 for full details
|
9
|
+
including vulnerable APIs. Fixed versions include 2.0.8, 1.8.26 and
|
10
|
+
1.8.23.1 (for Ruby 1.9.3). Issue #626 by Damir Sharipov.
|
4
11
|
|
5
12
|
Bug fixes:
|
6
13
|
|
14
|
+
* Fixed Gem.clear_paths when Security is defined at top-level. Pull request
|
15
|
+
#625 by elarkin
|
16
|
+
|
17
|
+
=== 2.0.7 / 2013-08-15
|
18
|
+
|
7
19
|
* Extensions may now be built in parallel (therefore gems may be installed in
|
8
|
-
parallel). Bug #
|
20
|
+
parallel). Bug #607 by Hemant Kumar.
|
9
21
|
* Changed broken link to RubyGems Bookshelf to point to RubyGems guides. Ruby
|
10
22
|
pull request #369 by 謝致邦.
|
11
23
|
* Fixed various test failures due to platform differences or poor tests.
|
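Review bot: the security entry has a grammar slip ("due to a backtracking in Gem::Version validation" should read "due to backtracking in Gem::Version validation"), and its list of fixed versions (2.0.8, 1.8.26, 1.8.23.1) names no 2.1 release even though the advisory added in this same change lists 2.1.0.rc.1 and 2.1.0.rc.2 as vulnerable; add the fixed 2.1 version here so the two documents agree on what users should upgrade to.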
data/Manifest.txt
CHANGED
data/Rakefile
CHANGED
@@ -56,7 +56,9 @@ hoe = Hoe.spec 'rubygems-update' do
|
|
56
56
|
extra_dev_deps << ['ZenTest', '~> 4.5']
|
57
57
|
extra_dev_deps << ['rake', '~> 0.9.3']
|
58
58
|
|
59
|
-
self.extra_rdoc_files = Dir["*.rdoc"]
|
59
|
+
self.extra_rdoc_files = Dir["*.rdoc"] + %w[
|
60
|
+
CVE-2013-4287.txt
|
61
|
+
]
|
60
62
|
|
61
63
|
spec_extras['rdoc_options'] = proc do |rdoc_options|
|
62
64
|
rdoc_options << "--title=RubyGems Update Documentation"
|
data/lib/rubygems.rb
CHANGED
@@ -8,7 +8,7 @@
|
|
8
8
|
require 'rbconfig'
|
9
9
|
|
10
10
|
module Gem
|
11
|
-
VERSION = '2.0.
|
11
|
+
VERSION = '2.0.8'
|
12
12
|
end
|
13
13
|
|
14
14
|
# Must be first since it unloads the prelude from 1.9.2
|
@@ -307,7 +307,7 @@ module Gem
|
|
307
307
|
@paths = nil
|
308
308
|
@user_home = nil
|
309
309
|
Gem::Specification.reset
|
310
|
-
Gem::Security.reset if
|
310
|
+
Gem::Security.reset if defined?(Gem::Security)
|
311
311
|
end
|
312
312
|
|
313
313
|
##
|
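Review bot: the guard `Gem::Security.reset if defined?(Gem::Security)` is right to use the fully qualified constant, since a bare `defined?(Security)` inside `module Gem` would also be satisfied by a top-level `::Security` (the situation History.txt attributes to pull request #625); a one-line comment saying so would keep a later cleanup from "simplifying" it back to the bare name.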
data/lib/rubygems/version.rb
CHANGED
@@ -147,7 +147,7 @@ class Gem::Version
|
|
147
147
|
|
148
148
|
# FIX: These are only used once, in .correct?. Do they deserve to be
|
149
149
|
# constants?
|
150
|
-
VERSION_PATTERN = '[0-9]+(
|
150
|
+
VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:
|
151
151
|
ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
|
152
152
|
|
153
153
|
##
|
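Review bot: the fix stops at the unchanged context line `ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/`, which wraps the whole pattern in `(...)*` and so nests the quantified `[0-9]+` inside another quantifier; when the anchored match fails, the engine can still try a very large number of ways to split a digit run across repetitions before `\z` rejects the input, which is the same class of problem the atomic group was introduced to remove. A version string is one match, not a repetition, so this should be `(#{VERSION_PATTERN})?`, and the advisory's list of affected constants should mention it. Suggested: `ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:`.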
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rubygems-update
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.0.
|
4
|
+
version: 2.0.8
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Jim Weirich
|
@@ -32,7 +32,7 @@ cert_chain:
|
|
32
32
|
KDyY1VIazVgoC8XvR4h/95/iScPiuglzA+DBG1hip1xScAtw05BrXyUNrc9CEMYU
|
33
33
|
wgF94UVoHRp6ywo8I7NP3HcwFQDFNEZPNGXsng==
|
34
34
|
-----END CERTIFICATE-----
|
35
|
-
date: 2013-
|
35
|
+
date: 2013-09-09 00:00:00.000000000 Z
|
36
36
|
dependencies:
|
37
37
|
- !ruby/object:Gem::Dependency
|
38
38
|
name: minitest
|
@@ -163,6 +163,7 @@ executables:
|
|
163
163
|
- update_rubygems
|
164
164
|
extensions: []
|
165
165
|
extra_rdoc_files:
|
166
|
+
- CVE-2013-4287.txt
|
166
167
|
- History.txt
|
167
168
|
- LICENSE.txt
|
168
169
|
- MIT.txt
|
@@ -173,6 +174,7 @@ extra_rdoc_files:
|
|
173
174
|
files:
|
174
175
|
- .autotest
|
175
176
|
- .document
|
177
|
+
- CVE-2013-4287.txt
|
176
178
|
- History.txt
|
177
179
|
- LICENSE.txt
|
178
180
|
- MIT.txt
|
@@ -452,7 +454,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
452
454
|
version: '0'
|
453
455
|
requirements: []
|
454
456
|
rubyforge_project: rubygems-update
|
455
|
-
rubygems_version: 2.0
|
457
|
+
rubygems_version: 2.1.0
|
456
458
|
signing_key:
|
457
459
|
specification_version: 4
|
458
460
|
summary: RubyGems is a package management framework for Ruby
|
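Review bot: `rubygems_version: 2.1.0` records the RubyGems that built this 2.0.8 gem. The advisory shipped in this release names `gem build` and Gem::Package as vulnerable paths and lists 2.1.0.rc.1 and 2.1.0.rc.2 as affected, so it is worth confirming in the release notes that the packaging host ran a fixed 2.1.0 build rather than one of those candidates.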
metadata.gz.sig
CHANGED
Binary file
|