rubygems-update 2.1.4 → 2.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.


checksums.yaml CHANGED
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: b1fa94d6b820abe075a10e423fc13e4d1a42ff58
- data.tar.gz: 12967cad3de5815451c7fa652d39caf75b91281d
+ metadata.gz: 547e9e32aaae7d7c3e3bdbbb062487fcf8cc74ba
+ data.tar.gz: c4a1eb35b004dccf640ee945f60180ff788fd55a
  SHA512:
- metadata.gz: 03c8e214c07144821e02af71a49f73d860835b293013eeb8ca03ad22751c6283a50ad0d1c8bd50f824764edd96566922a0275416de2ebbc4a172301a94f3413c
- data.tar.gz: d5cd8d2ea741cbe7198e1e1ce6352b24cdb58b1468fdb7c7fd249fb3796f275c0d3ab023945054a904f44204406eeb26b492418dc22937c9ca0d0777e28ccf36
+ metadata.gz: 1eaa80a01f37f17db7f43a904dfda441286c919b493110923f28735d1b540f73e954e7ce74b99d625ffc834420a6c7fd88b1f37999c59f550c9949381e402c27
+ data.tar.gz: 11f86585794ca193303b9316107a44be25de32c6791eec0385f4f7f0aa4388007d9f25b3880f778db0fbf86adb62a68278f66a79e644b8850d40a4b0021322de
Binary file
data.tar.gz.sig CHANGED
Binary file
@@ -0,0 +1,45 @@
+ = Algorithmic complexity vulnerability in RubyGems 2.1.4 and older
+
+ The patch for CVE-2013-4287 was insufficiently verified so the combined
+ regular expression for verifying gem version remains vulnerable following
+ CVE-2013-4287.
+
+ RubyGems validates versions with a regular expression that is vulnerable to
+ denial of service due to backtracking. For specially crafted RubyGems
+ versions attackers can cause denial of service through CPU consumption.
+
+ RubyGems versions 2.1.4 and older are vulnerable.
+
+ Ruby versions 1.9.0 through 2.0.0p247 are vulnerable as they contain embedded
+ versions of RubyGems.
+
+ It does not appear to be possible to exploit this vulnerability by installing a
+ gem for RubyGems 1.8.x or newer. Vulnerable uses of RubyGems API include
+ packaging a gem (through `gem build`, Gem::Package or Gem::PackageTask),
+ sending user input to Gem::Version.new, Gem::Version.correct? or use of the
+ Gem::Version::VERSION_PATTERN or Gem::Version::ANCHORED_VERSION_PATTERN
+ constants.
+
+ Notably, users of bundler that install gems from git are vulnerable if a
+ malicious author changes the gemspec to an invalid version.
+
+ The vulnerability can be fixed by changing the "*" repetition to a "?"
+ repetition in Gem::Version::ANCHORED_VERSION_PATTERN in
+ lib/rubygems/version.rb. For RubyGems 2.1.x:
+
+ - ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
+ + ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
+
+ For RubyGems 2.0.x:
+
+ - ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
+ + ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
+
+ For RubyGems 1.8.x:
+
+ - ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
+ + ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
+
+
+ This vulnerability was discovered by Alexander Cherepanov <cherepan@mccme.ru>
+
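Review bot: the advisory should say explicitly that the replacement pattern accepts exactly the same strings as the old one, so readers do not expect tighter validation from this fix. `/\A\s*(#{VERSION_PATTERN})?\s*\z/` still matches an empty or whitespace-only string (`?` permits zero occurrences just as `*` did), and any concatenation of two version strings that `*` accepted is also one version string under `?` because a repetition always starts with digits that the preceding `[0-9a-zA-Z]+` or `[0-9A-Za-z-]+` segment absorbs; the only thing removed is the ambiguous way of partitioning the input that caused the backtracking. Two style points in the same file: the two consecutive blank lines before the discoverer credit and the trailing blank line after it should be collapsed to one.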
@@ -1,5 +1,14 @@
  # coding: UTF-8
 
+ === 2.1.5 / 2013-09-24
+
+ Security fixes:
+
+ * RubyGems 2.1.4 and earlier are vulnerable to excessive CPU usage due to a
+ backtracking in Gem::Version validation. See CVE-2013-4363 for full details
+ including vulnerable APIs. Fixed versions include 2.1.5, 2.0.10, 1.8.27 and
+ 1.8.23.2 (for Ruby 1.9.3).
+
  === 2.1.4 / 2013-09-17
 
  Bug fixes:
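Review bot: "vulnerable to excessive CPU usage due to a backtracking in Gem::Version validation" has a stray article; suggest "due to backtracking in Gem::Version validation". It would also help anyone auditing a vendored copy if the entry named the constant that changed (`Gem::Version::ANCHORED_VERSION_PATTERN` in lib/rubygems/version.rb), as the advisory file does, rather than only the CVE number.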
@@ -1,6 +1,7 @@
  .autotest
  .document
  CVE-2013-4287.txt
+ CVE-2013-4363.txt
  History.txt
  LICENSE.txt
  MIT.txt
data/Rakefile CHANGED
@@ -127,6 +127,7 @@ desc "Upload release to rubyforge and gemcutter"
  task :upload => %w[upload_to_gemcutter]
 
  on_master = `git branch --list master`.strip == '* master'
+ on_master = true if ENV['FORCE']
 
  Rake::Task['publish_docs'].clear unless on_master
 
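Review bot: `on_master = true if ENV['FORCE']` bypasses the branch check that otherwise clears the `publish_docs` task, and it does so for any value of FORCE, including an empty string (only nil and false are falsy in Ruby), so `FORCE= rake upload` would still publish from a non-master branch. Suggest a comment stating that this is a deliberate release-time override, and checking for an explicit value (for example `ENV['FORCE'] == '1'`) so a leftover or empty variable in the release environment cannot trigger it.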
@@ -8,7 +8,7 @@
  require 'rbconfig'
 
  module Gem
- VERSION = '2.1.4'
+ VERSION = '2.1.5'
  end
 
  # Must be first since it unloads the prelude from 1.9.2
@@ -148,7 +148,7 @@ class Gem::Version
  # FIX: These are only used once, in .correct?. Do they deserve to be
  # constants?
  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
- ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
+ ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
 
  ##
  # A string representation of this Version.
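Review bot: the fix is sound, and the reason is worth a line in the code. With `(#{VERSION_PATTERN})*`, the engine could close one repetition and open the next at every digit boundary of a run like `123...`, since `[0-9]+` at the start of VERSION_PATTERN and the trailing `[0-9a-zA-Z]+` segment both accept digits; on an input that ultimately fails at `\z` every such partition is retried. `?` allows one occurrence, so there is nothing left to partition, and the inner groups are already unambiguous (`(?>\.[0-9a-zA-Z]+)*` is atomic, and each `(\.[0-9A-Za-z-]+)*` repetition must begin with a literal dot that the preceding class cannot consume). Separately, the context comment "FIX: These are only used once, in .correct?" is contradicted by the advisory, which lists VERSION_PATTERN and ANCHORED_VERSION_PATTERN as public constants that callers use directly; update or drop it, and consider a comment on ANCHORED_VERSION_PATTERN that the outer quantifier must not become `*` or `+` again.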
@@ -47,18 +47,20 @@ class TestGemRequirement < Gem::TestCase
  end
 
  def test_parse_bad
- e = assert_raises Gem::Requirement::BadRequirementError do
- Gem::Requirement.parse nil
- end
-
- assert_equal 'Illformed requirement [nil]', e.message
+ [
+ nil,
+ '',
+ '! 1',
+ '= junk',
+ '1..2',
+ ].each do |bad|
+ e = assert_raises Gem::Requirement::BadRequirementError do
+ Gem::Requirement.parse bad
+ end
 
- e = assert_raises Gem::Requirement::BadRequirementError do
- Gem::Requirement.parse ""
+ assert_equal "Illformed requirement [#{bad.inspect}]", e.message
  end
 
- assert_equal 'Illformed requirement [""]', e.message
-
  assert_equal Gem::Requirement::BadRequirementError.superclass, ArgumentError
  end
 
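Review bot: when one of the looped inputs fails, `assert_raises Gem::Requirement::BadRequirementError do` reports nothing about which element it was; pass `bad` as the failure message, as the test_initialize_bad hunk in this release does with `assert_raises ArgumentError, bad do`, and likewise on the `assert_equal` that checks the message. The new cases (`'! 1'`, `'= junk'`, `'1..2'`) all confirm rejection, which the old pattern also produced; none of them is long enough to distinguish the fixed regex from the vulnerable one, so a regression test for CVE-2013-4363 still needs a long malformed input with an assertion that it is rejected promptly.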
@@ -67,12 +67,17 @@ class TestGemVersion < Gem::TestCase
  end
 
  def test_initialize_bad
- ["junk", "1.0\n2.0"].each do |bad|
- e = assert_raises ArgumentError do
+ %W[
+ junk
+ 1.0\n2.0
+ 1..2
+ 1.2\ 3.4
+ ].each do |bad|
+ e = assert_raises ArgumentError, bad do
  Gem::Version.new bad
  end
 
- assert_equal "Malformed version number string #{bad}", e.message
+ assert_equal "Malformed version number string #{bad}", e.message, bad
  end
  end
 
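Review bot: the `%W[ ... ]` literal is correct here but subtle enough to deserve a comment: inside `%W`, `1.0\n2.0` contains a real newline (matching the former `"1.0\n2.0"` string) and `1.2\ 3.4` is a single element with an embedded space, so both still test a single malformed string rather than two words. As with the requirement test, every new element is a short string the old pattern also rejected; the test that would actually guard against reintroducing the CVE-2013-4363 backtracking is a long malformed version string wrapped in a time bound, and that is still missing from this release.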
metadata CHANGED
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: rubygems-update
  version: !ruby/object:Gem::Version
- version: 2.1.4
+ version: 2.1.5
  platform: ruby
  authors:
  - Jim Weirich
@@ -32,7 +32,7 @@ cert_chain:
  KDyY1VIazVgoC8XvR4h/95/iScPiuglzA+DBG1hip1xScAtw05BrXyUNrc9CEMYU
  wgF94UVoHRp6ywo8I7NP3HcwFQDFNEZPNGXsng==
  -----END CERTIFICATE-----
- date: 2013-09-17 00:00:00.000000000 Z
+ date: 2013-09-24 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: minitest
@@ -164,6 +164,7 @@ executables:
  extensions: []
  extra_rdoc_files:
  - CVE-2013-4287.txt
+ - CVE-2013-4363.txt
  - History.txt
  - LICENSE.txt
  - MIT.txt
@@ -174,8 +175,8 @@ extra_rdoc_files:
  files:
  - .autotest
  - .document
- - .gemtest
  - CVE-2013-4287.txt
+ - CVE-2013-4363.txt
  - History.txt
  - LICENSE.txt
  - MIT.txt
@@ -468,6 +469,7 @@ files:
  - util/CL2notes
  - util/create_certs.rb
  - util/create_encrypted_key.rb
+ - .gemtest
  homepage: http://rubygems.org
  licenses:
  - Ruby
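Review bot: `.gemtest` is removed from its sorted position near the top of `files:` in the previous hunk and re-added here after the `util/` entries, so the list is no longer in the order the rest of the manifest uses; the file set is unchanged, but the move suggests the spec was regenerated with a different file-collection order than 2.1.4. Harmless for installation, though worth keeping the ordering stable so that future diffs of `metadata` show only real changes.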
@@ -492,7 +494,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  version: '0'
  requirements: []
  rubyforge_project: rubygems-update
- rubygems_version: 2.2.0
+ rubygems_version: 2.1.4
  signing_key:
  specification_version: 4
  summary: RubyGems is a package management framework for Ruby
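Review bot: `rubygems_version` moving from 2.2.0 to 2.1.4 means this package was built with the released 2.1.4 rather than the 2.2.0 development tree that built the previous release; that is the better choice for a security point release, since the generated metadata then reflects a shipped version. Note that 2.1.4 is itself listed as vulnerable in the advisory, but the advisory also states the issue is only reachable through a crafted gemspec version, and this gemspec's `version: 2.1.5` is the project's own, so building with 2.1.4 does not affect the artifact.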
metadata.gz.sig CHANGED
Binary file