rubygems-update 1.8.23 → 1.8.23.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 4485176fa4a497c3790dc6a32bd8e55bb2f77534
+  data.tar.gz: 6dc935f3b3e6ec40bb7200a3a3809395f2020e70
+SHA512:
+  metadata.gz: baf41d09f58583dc2e7576c16cca00a10831f12c446f570acec68cafcaedf15c202c208c65fdb20b0df28c9545189b4f78ddec0db24340bf05b2697db4eb5b38
+  data.tar.gz: c971a892d2221997ac3bb54f1ffc44a171c2c956605a9127acc99415890d30e390052f1fdd458ea016fd55499ad4309fc2b0f7093b9997c71232c3ba268b0cf4

checksums.yaml.gz.sig

@@ -0,0 +1,2 @@
+j�C_1� 	R|�A���3(h�@�d
~|${�]"��yz�{zbJm��v�"�F4�7���y�Cn;jD�4B%�4��c��8�<1|�/A2,bi������~Hk��
+�����e

data/CVE-2013-4287.txt

@@ -0,0 +1,36 @@
+= Algorithmic complexity vulnerability in RubyGems 2.0.7 and older
+
+RubyGems validates versions with a regular expression that is vulnerable to
+denial of service due to a backtracking regular expression.  For specially
+crafted RubyGems versions attackers can cause denial of service through CPU
+consumption.
+
+RubyGems versions 2.0.7 and older, 2.1.0.rc.1 and 2.1.0.rc.2 are vulnerable.
+
+Ruby versions 1.9.0 through 2.0.0p247 are vulnerable as they contain embedded
+versions of RubyGems.
+
+It does not appear to be possible to exploit this vulnerability by installing a
+gem for RubyGems 1.8.x or 2.0.x.  Vulnerable uses of RubyGems API include
+packaging a gem (through `gem build`, Gem::Package or Gem::PackageTask),
+sending user input to Gem::Version.new, Gem::Version.correct? or use of the
+Gem::Version::VERSION_PATTERN or Gem::Version::ANCHORED_VERSION_PATTERN
+constants.
+
+Notably, users of bundler that install gems from git are vulnerable if a
+malicious author changes the gemspec to an invalid version.
+
+The vulnerability can be fixed by changing the first grouping to an atomic
+grouping in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb.  For
+RubyGems 2.0.x:
+
+  -  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
+  +  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
+
+For RubyGems 1.8.x:
+
+  -  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*' # :nodoc:
+  +  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:
+
+This vulnerability was discovered by Damir Sharipov <dammer2k@gmail.com>
+

data/CVE-2013-4363.txt

@@ -0,0 +1,45 @@
+= Algorithmic complexity vulnerability in RubyGems 2.1.4 and older
+
+The patch for CVE-2013-4287 was insufficiently verified so the combined
+regular expression for verifying gem version remains vulnerable following
+CVE-2013-4287.
+
+RubyGems validates versions with a regular expression that is vulnerable to
+denial of service due to backtracking.  For specially crafted RubyGems
+versions attackers can cause denial of service through CPU consumption.
+
+RubyGems versions 2.1.4 and older are vulnerable.
+
+Ruby versions 1.9.0 through 2.0.0p247 are vulnerable as they contain embedded
+versions of RubyGems.
+
+It does not appear to be possible to exploit this vulnerability by installing a
+gem for RubyGems 1.8.x or newer.  Vulnerable uses of RubyGems API include
+packaging a gem (through `gem build`, Gem::Package or Gem::PackageTask),
+sending user input to Gem::Version.new, Gem::Version.correct? or use of the
+Gem::Version::VERSION_PATTERN or Gem::Version::ANCHORED_VERSION_PATTERN
+constants.
+
+Notably, users of bundler that install gems from git are vulnerable if a
+malicious author changes the gemspec to an invalid version.
+
+The vulnerability can be fixed by changing the "*" repetition to a "?"
+repetition in Gem::Version::ANCHORED_VERSION_PATTERN in
+lib/rubygems/version.rb.  For RubyGems 2.1.x:
+
+  -  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
+  +  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
+
+For RubyGems 2.0.x:
+
+  -  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
+  +  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
+
+For RubyGems 1.8.x:
+
+  -  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
+  +  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
+
+
+This vulnerability was discovered by Alexander Cherepanov <cherepan@mccme.ru>
+

data/History.txt

@@ -1,5 +1,23 @@
 # coding: UTF-8
 
+=== 1.8.23.2 / 2013-09-24
+
+Security fixes:
+
+* RubyGems 2.1.4 and earlier are vulnerable to excessive CPU usage due to a
+  backtracking in Gem::Version validation.  See CVE-2013-4363 for full details
+  including vulnerable APIs.  Fixed versions include 2.1.5, 2.0.10, 1.8.27 and
+  1.8.23.2 (for Ruby 1.9.3).
+
+=== 1.8.23.1 / 2013-09-09
+
+Security fixes:
+
+* RubyGems 2.0.7 and earlier are vulnerable to excessive CPU usage due to a
+  backtracking in Gem::Version validation.  See CVE-2013-4287 for full details
+  including vulnerable APIs.  Fixed versions include 2.0.8, 1.8.26 and
+  1.8.23.1 (for Ruby 1.9.3).  Issue #626 by Damir Sharipov.
+
 === 1.8.23 / 2012-04-19
 
 This release increases the security used when RubyGems is talking to

data/Manifest.txt

@@ -1,6 +1,7 @@
 .autotest
 .document
-.travis.yml
+CVE-2013-4287.txt
+CVE-2013-4363.txt
 History.txt
 LICENSE.txt
 MIT.txt

data/Rakefile

@@ -50,7 +50,9 @@ hoe = Hoe.spec 'rubygems-update' do
   extra_dev_deps << ['rcov', '~> 0.9.0']
   extra_dev_deps << ['ZenTest', '~> 4.5']
 
-  self.extra_rdoc_files = Dir["*.rdoc"]
+  self.extra_rdoc_files = Dir["*.rdoc"] + %w[
+    CVE-2013-4287.txt
+  ]
 
   spec_extras['rdoc_options'] = proc do |rdoc_options|
     rdoc_options << "--title=RubyGems #{self.version} Documentation"

data/lib/rubygems.rb

@@ -121,7 +121,7 @@ require "rubygems/deprecate"
 # -The RubyGems Team
 
 module Gem
-  VERSION = '1.8.23'
+  VERSION = '1.8.23.2'
 
   ##
   # Raised when RubyGems is unable to load or activate a gem.  Contains the

data/lib/rubygems/version.rb

@@ -145,8 +145,8 @@ class Gem::Version
 
   include Comparable
 
-  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*' # :nodoc:
-  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
+  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:
+  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
 
   ##
   # A string representation of this Version.

data/test/rubygems/test_gem_requirement.rb

@@ -37,17 +37,19 @@ class TestGemRequirement < Gem::TestCase
   end
 
   def test_parse_bad
-    e = assert_raises ArgumentError do
-      Gem::Requirement.parse nil
-    end
-
-    assert_equal 'Illformed requirement [nil]', e.message
+    [
+      nil,
+      '',
+      '! 1',
+      '= junk',
+      '1..2',
+    ].each do |bad|
+      e = assert_raises ArgumentError do
+        Gem::Requirement.parse bad
+      end
 
-    e = assert_raises ArgumentError do
-      Gem::Requirement.parse ""
+      assert_equal "Illformed requirement [#{bad.inspect}]", e.message
     end
-
-    assert_equal 'Illformed requirement [""]', e.message
   end
 
   def test_prerelease_eh

data/test/rubygems/test_gem_version.rb

@@ -64,12 +64,18 @@ class TestGemVersion < Gem::TestCase
   end
 
   def test_initialize_bad
-    ["junk", "1.0\n2.0"].each do |bad|
-      e = assert_raises ArgumentError do
+    %W[
+      junk
+      1.0\n2.0
+      1..2
+      1.2\ 3.4
+      1-2-3
+    ].each do |bad|
+      e = assert_raises ArgumentError, bad do
         Gem::Version.new bad
       end
 
-      assert_equal "Malformed version number string #{bad}", e.message
+      assert_equal "Malformed version number string #{bad}", e.message, bad
     end
   end
 

metadata

@@ -1,177 +1,184 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: rubygems-update
-version: !ruby/object:Gem::Version 
-  hash: 25
-  prerelease: 
-  segments: 
-  - 1
-  - 8
-  - 23
-  version: 1.8.23
+version: !ruby/object:Gem::Version
+  version: 1.8.23.2
 platform: ruby
-authors: 
+authors:
 - Jim Weirich
 - Chad Fowler
 - Eric Hodel
 autorequire: 
 bindir: bin
-cert_chain: []
-
-date: 2012-04-20 00:00:00 Z
-dependencies: 
-- !ruby/object:Gem::Dependency 
+cert_chain:
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIDeDCCAmCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBBMRAwDgYDVQQDDAdkcmJy
+  YWluMRgwFgYKCZImiZPyLGQBGRYIc2VnbWVudDcxEzARBgoJkiaJk/IsZAEZFgNu
+  ZXQwHhcNMTMwMjI4MDUyMjA4WhcNMTQwMjI4MDUyMjA4WjBBMRAwDgYDVQQDDAdk
+  cmJyYWluMRgwFgYKCZImiZPyLGQBGRYIc2VnbWVudDcxEzARBgoJkiaJk/IsZAEZ
+  FgNuZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbbgLrGLGIDE76
+  LV/cvxdEzCuYuS3oG9PrSZnuDweySUfdp/so0cDq+j8bqy6OzZSw07gdjwFMSd6J
+  U5ddZCVywn5nnAQ+Ui7jMW54CYt5/H6f2US6U0hQOjJR6cpfiymgxGdfyTiVcvTm
+  Gj/okWrQl0NjYOYBpDi+9PPmaH2RmLJu0dB/NylsDnW5j6yN1BEI8MfJRR+HRKZY
+  mUtgzBwF1V4KIZQ8EuL6I/nHVu07i6IkrpAgxpXUfdJQJi0oZAqXurAV3yTxkFwd
+  g62YrrW26mDe+pZBzR6bpLE+PmXCzz7UxUq3AE0gPHbiMXie3EFE0oxnsU3lIduh
+  sCANiQ8BAgMBAAGjezB5MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQW
+  BBS5k4Z75VSpdM0AclG2UvzFA/VW5DAfBgNVHREEGDAWgRRkcmJyYWluQHNlZ21l
+  bnQ3Lm5ldDAfBgNVHRIEGDAWgRRkcmJyYWluQHNlZ21lbnQ3Lm5ldDANBgkqhkiG
+  9w0BAQUFAAOCAQEAOflo4Md5aJF//EetzXIGZ2EI5PzKWX/mMpp7cxFyDcVPtTv0
+  js/6zWrWSbd60W9Kn4ch3nYiATFKhisgeYotDDz2/pb/x1ivJn4vEvs9kYKVvbF8
+  V7MV/O5HDW8Q0pA1SljI6GzcOgejtUMxZCyyyDdbUpyAMdt9UpqTZkZ5z1sicgQk
+  5o2XJ+OhceOIUVqVh1r6DNY5tLVaGJabtBmJAYFVznDcHiSFybGKBa5n25Egql1t
+  KDyY1VIazVgoC8XvR4h/95/iScPiuglzA+DBG1hip1xScAtw05BrXyUNrc9CEMYU
+  wgF94UVoHRp6ywo8I7NP3HcwFQDFNEZPNGXsng==
+  -----END CERTIFICATE-----
+date: 2013-09-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: minitest
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 27
-        segments: 
-        - 2
-        - 12
-        version: "2.12"
+      - !ruby/object:Gem::Version
+        version: '5.0'
   type: :development
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency 
-  name: builder
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: rdoc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 1
-        segments: 
-        - 2
-        - 1
-        version: "2.1"
+      - !ruby/object:Gem::Version
+        version: '4.0'
   type: :development
-  version_requirements: *id002
-- !ruby/object:Gem::Dependency 
-  name: hoe-seattlerb
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: builder
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 11
-        segments: 
-        - 1
-        - 2
-        version: "1.2"
+      - !ruby/object:Gem::Version
+        version: '2.1'
   type: :development
-  version_requirements: *id003
-- !ruby/object:Gem::Dependency 
-  name: session
   prerelease: false
-  requirement: &id004 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.1'
+- !ruby/object:Gem::Dependency
+  name: hoe-seattlerb
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 11
-        segments: 
-        - 2
-        - 4
-        version: "2.4"
+      - !ruby/object:Gem::Version
+        version: '1.2'
   type: :development
-  version_requirements: *id004
-- !ruby/object:Gem::Dependency 
-  name: rdoc
   prerelease: false
-  requirement: &id005 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 7
-        segments: 
-        - 3
-        - 0
-        version: "3.0"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: session
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.4'
   type: :development
-  version_requirements: *id005
-- !ruby/object:Gem::Dependency 
-  name: rcov
   prerelease: false
-  requirement: &id006 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 59
-        segments: 
-        - 0
-        - 9
-        - 0
+      - !ruby/object:Gem::Version
+        version: '2.4'
+- !ruby/object:Gem::Dependency
+  name: rcov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
         version: 0.9.0
   type: :development
-  version_requirements: *id006
-- !ruby/object:Gem::Dependency 
-  name: ZenTest
   prerelease: false
-  requirement: &id007 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 17
-        segments: 
-        - 4
-        - 5
-        version: "4.5"
+      - !ruby/object:Gem::Version
+        version: 0.9.0
+- !ruby/object:Gem::Dependency
+  name: ZenTest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '4.5'
   type: :development
-  version_requirements: *id007
-- !ruby/object:Gem::Dependency 
-  name: hoe
   prerelease: false
-  requirement: &id008 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 35
-        segments: 
-        - 2
-        - 16
-        version: "2.16"
+      - !ruby/object:Gem::Version
+        version: '4.5'
+- !ruby/object:Gem::Dependency
+  name: hoe
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.7'
   type: :development
-  version_requirements: *id008
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.7'
 description: |-
   RubyGems is a package management framework for Ruby.
-  
+
   This gem is an update for the RubyGems software. You must have an
   installation of RubyGems before this update can be applied.
-  
+
   See Gem for information on RubyGems (or `ri Gem`)
-  
+
   To upgrade to the latest RubyGems, run:
-  
+
     $ gem update --system  # you might need to be an administrator or root
-  
+
   See UPGRADING.rdoc for more details and alternative instructions.
-  
+
   -----
-  
+
   If you don't have RubyGems installed, your can still do it manually:
-  
+
   * Download from: https://rubygems.org/pages/download
   * Unpack into a directory and cd there
   * Install with: ruby setup.rb  # you may need admin/root privilege
-  
+
   For more details and other options, see:
-  
+
     ruby setup.rb --help
-email: 
+email:
 - rubygems-developers@rubyforge.org
-executables: 
+executables:
 - update_rubygems
 extensions: []
-
-extra_rdoc_files: 
+extra_rdoc_files:
+- CVE-2013-4287.txt
+- CVE-2013-4363.txt
 - History.txt
 - LICENSE.txt
 - MIT.txt
@@ -179,10 +186,11 @@ extra_rdoc_files:
 - README.rdoc
 - UPGRADING.rdoc
 - hide_lib_for_update/note.txt
-files: 
+files:
 - .autotest
 - .document
-- .travis.yml
+- CVE-2013-4287.txt
+- CVE-2013-4363.txt
 - History.txt
 - LICENSE.txt
 - MIT.txt
@@ -385,43 +393,33 @@ files:
 - util/CL2notes
 - .gemtest
 homepage: http://rubygems.org
-licenses: []
-
+licenses:
+- MIT
+metadata: {}
 post_install_message: 
-rdoc_options: 
+rdoc_options:
 - --main
 - README.rdoc
-- --title=RubyGems 1.8.23 Documentation
-require_paths: 
+- --title=RubyGems 1.8.23.2 Documentation
+require_paths:
 - hide_lib_for_update
-required_ruby_version: !ruby/object:Gem::Requirement 
-  none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 57
-      segments: 
-      - 1
-      - 8
-      - 7
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
       version: 1.8.7
-required_rubygems_version: !ruby/object:Gem::Requirement 
-  none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
 rubyforge_project: rubygems
-rubygems_version: 1.8.22
+rubygems_version: 2.1.4
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: RubyGems is a package management framework for Ruby
-test_files: 
+test_files:
 - test/rubygems/test_config.rb
 - test/rubygems/test_gem.rb
 - test/rubygems/test_gem_builder.rb

data/.travis.yml

@@ -1,14 +0,0 @@
-before_script:
-  - gem install minitest
-  - gem install rdoc
-  - gem install hoe
-  - gem install hoe-seattlerb
-rvm:
-  - 1.8.7
-  - 1.9.2
-  - 1.9.3
-  - ruby-head
-notifications:
-  email:
-    - drbrain@segment7.net
-    - evan+notify@phx.io