rubygems-update 1.8.23.2 → 1.8.24

data/History.txt

@@ -1,22 +1,11 @@
 # coding: UTF-8
 
-=== 1.8.23.2 / 2013-09-24
+=== 1.8.24 / 2012-04-27
 
-Security fixes:
-
-* RubyGems 2.1.4 and earlier are vulnerable to excessive CPU usage due to a
-  backtracking in Gem::Version validation.  See CVE-2013-4363 for full details
-  including vulnerable APIs.  Fixed versions include 2.1.5, 2.0.10, 1.8.27 and
-  1.8.23.2 (for Ruby 1.9.3).
-
-=== 1.8.23.1 / 2013-09-09
-
-Security fixes:
+* 1 bug fix:
 
-* RubyGems 2.0.7 and earlier are vulnerable to excessive CPU usage due to a
-  backtracking in Gem::Version validation.  See CVE-2013-4287 for full details
-  including vulnerable APIs.  Fixed versions include 2.0.8, 1.8.26 and
-  1.8.23.1 (for Ruby 1.9.3).  Issue #626 by Damir Sharipov.
+  * Install the .pem files properly. Fixes #320
+  * Remove OpenSSL dependency from the http code path
 
 === 1.8.23 / 2012-04-19
 

data/Manifest.txt

@@ -1,7 +1,5 @@
 .autotest
 .document
-CVE-2013-4287.txt
-CVE-2013-4363.txt
 History.txt
 LICENSE.txt
 MIT.txt

data/Rakefile

@@ -50,9 +50,7 @@ hoe = Hoe.spec 'rubygems-update' do
   extra_dev_deps << ['rcov', '~> 0.9.0']
   extra_dev_deps << ['ZenTest', '~> 4.5']
 
-  self.extra_rdoc_files = Dir["*.rdoc"] + %w[
-    CVE-2013-4287.txt
-  ]
+  self.extra_rdoc_files = Dir["*.rdoc"]
 
   spec_extras['rdoc_options'] = proc do |rdoc_options|
     rdoc_options << "--title=RubyGems #{self.version} Documentation"

data/lib/rubygems.rb

@@ -121,7 +121,7 @@ require "rubygems/deprecate"
 # -The RubyGems Team
 
 module Gem
-  VERSION = '1.8.23.2'
+  VERSION = '1.8.24'
 
   ##
   # Raised when RubyGems is unable to load or activate a gem.  Contains the

data/lib/rubygems/commands/setup_command.rb

@@ -209,7 +209,10 @@ TEXT
     say "Installing RubyGems" if @verbose
 
     Dir.chdir 'lib' do
-      lib_files = Dir[File.join('**', '*rb')]
+      lib_files =  Dir[File.join('**', '*rb')]
+
+      # Be sure to include our SSL ca bundles
+      lib_files += Dir[File.join('**', '*pem')]
 
       lib_files.each do |lib_file|
         dest_file = File.join lib_dir, lib_file

data/lib/rubygems/remote_fetcher.rb

@@ -321,13 +321,24 @@ class Gem::RemoteFetcher
 
     if https?(uri) and !connection.started? then
       configure_connection_for_https(connection)
-    end
 
-    connection.start unless connection.started?
+      # Don't refactor this with the else branch. We don't want the
+      # http-only code path to not depend on anything in OpenSSL.
+      #
+      begin
+        connection.start
+      rescue OpenSSL::SSL::SSLError, Errno::EHOSTDOWN => e
+        raise FetchError.new(e.message, uri)
+      end
+    else
+      begin
+        connection.start unless connection.started?
+      rescue Errno::EHOSTDOWN => e
+        raise FetchError.new(e.message, uri)
+      end
+    end
 
     connection
-  rescue OpenSSL::SSL::SSLError, Errno::EHOSTDOWN => e
-    raise FetchError.new(e.message, uri)
   end
 
   def configure_connection_for_https(connection)

data/lib/rubygems/version.rb

@@ -145,8 +145,8 @@ class Gem::Version
 
   include Comparable
 
-  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:
-  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
+  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*' # :nodoc:
+  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
 
   ##
   # A string representation of this Version.

data/test/rubygems/test_gem_requirement.rb

@@ -37,19 +37,17 @@ class TestGemRequirement < Gem::TestCase
   end
 
   def test_parse_bad
-    [
-      nil,
-      '',
-      '! 1',
-      '= junk',
-      '1..2',
-    ].each do |bad|
-      e = assert_raises ArgumentError do
-        Gem::Requirement.parse bad
-      end
+    e = assert_raises ArgumentError do
+      Gem::Requirement.parse nil
+    end
 
-      assert_equal "Illformed requirement [#{bad.inspect}]", e.message
+    assert_equal 'Illformed requirement [nil]', e.message
+
+    e = assert_raises ArgumentError do
+      Gem::Requirement.parse ""
     end
+
+    assert_equal 'Illformed requirement [""]', e.message
   end
 
   def test_prerelease_eh

data/test/rubygems/test_gem_version.rb

@@ -64,18 +64,12 @@ class TestGemVersion < Gem::TestCase
   end
 
   def test_initialize_bad
-    %W[
-      junk
-      1.0\n2.0
-      1..2
-      1.2\ 3.4
-      1-2-3
-    ].each do |bad|
-      e = assert_raises ArgumentError, bad do
+    ["junk", "1.0\n2.0"].each do |bad|
+      e = assert_raises ArgumentError do
         Gem::Version.new bad
       end
 
-      assert_equal "Malformed version number string #{bad}", e.message, bad
+      assert_equal "Malformed version number string #{bad}", e.message
     end
   end
 

metadata

@@ -1,184 +1,177 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification 
 name: rubygems-update
-version: !ruby/object:Gem::Version
-  version: 1.8.23.2
+version: !ruby/object:Gem::Version 
+  hash: 7
+  prerelease: 
+  segments: 
+  - 1
+  - 8
+  - 24
+  version: 1.8.24
 platform: ruby
-authors:
+authors: 
 - Jim Weirich
 - Chad Fowler
 - Eric Hodel
 autorequire: 
 bindir: bin
-cert_chain:
-- |
-  -----BEGIN CERTIFICATE-----
-  MIIDeDCCAmCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBBMRAwDgYDVQQDDAdkcmJy
-  YWluMRgwFgYKCZImiZPyLGQBGRYIc2VnbWVudDcxEzARBgoJkiaJk/IsZAEZFgNu
-  ZXQwHhcNMTMwMjI4MDUyMjA4WhcNMTQwMjI4MDUyMjA4WjBBMRAwDgYDVQQDDAdk
-  cmJyYWluMRgwFgYKCZImiZPyLGQBGRYIc2VnbWVudDcxEzARBgoJkiaJk/IsZAEZ
-  FgNuZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbbgLrGLGIDE76
-  LV/cvxdEzCuYuS3oG9PrSZnuDweySUfdp/so0cDq+j8bqy6OzZSw07gdjwFMSd6J
-  U5ddZCVywn5nnAQ+Ui7jMW54CYt5/H6f2US6U0hQOjJR6cpfiymgxGdfyTiVcvTm
-  Gj/okWrQl0NjYOYBpDi+9PPmaH2RmLJu0dB/NylsDnW5j6yN1BEI8MfJRR+HRKZY
-  mUtgzBwF1V4KIZQ8EuL6I/nHVu07i6IkrpAgxpXUfdJQJi0oZAqXurAV3yTxkFwd
-  g62YrrW26mDe+pZBzR6bpLE+PmXCzz7UxUq3AE0gPHbiMXie3EFE0oxnsU3lIduh
-  sCANiQ8BAgMBAAGjezB5MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQW
-  BBS5k4Z75VSpdM0AclG2UvzFA/VW5DAfBgNVHREEGDAWgRRkcmJyYWluQHNlZ21l
-  bnQ3Lm5ldDAfBgNVHRIEGDAWgRRkcmJyYWluQHNlZ21lbnQ3Lm5ldDANBgkqhkiG
-  9w0BAQUFAAOCAQEAOflo4Md5aJF//EetzXIGZ2EI5PzKWX/mMpp7cxFyDcVPtTv0
-  js/6zWrWSbd60W9Kn4ch3nYiATFKhisgeYotDDz2/pb/x1ivJn4vEvs9kYKVvbF8
-  V7MV/O5HDW8Q0pA1SljI6GzcOgejtUMxZCyyyDdbUpyAMdt9UpqTZkZ5z1sicgQk
-  5o2XJ+OhceOIUVqVh1r6DNY5tLVaGJabtBmJAYFVznDcHiSFybGKBa5n25Egql1t
-  KDyY1VIazVgoC8XvR4h/95/iScPiuglzA+DBG1hip1xScAtw05BrXyUNrc9CEMYU
-  wgF94UVoHRp6ywo8I7NP3HcwFQDFNEZPNGXsng==
-  -----END CERTIFICATE-----
-date: 2013-09-24 00:00:00.000000000 Z
-dependencies:
-- !ruby/object:Gem::Dependency
+cert_chain: []
+
+date: 2012-04-27 00:00:00 Z
+dependencies: 
+- !ruby/object:Gem::Dependency 
   name: minitest
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '5.0'
-  type: :development
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '5.0'
-- !ruby/object:Gem::Dependency
-  name: rdoc
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '4.0'
+      - !ruby/object:Gem::Version 
+        hash: 21
+        segments: 
+        - 2
+        - 11
+        version: "2.11"
   type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '4.0'
-- !ruby/object:Gem::Dependency
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
   name: builder
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '2.1'
-  type: :development
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '2.1'
-- !ruby/object:Gem::Dependency
-  name: hoe-seattlerb
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '1.2'
+      - !ruby/object:Gem::Version 
+        hash: 1
+        segments: 
+        - 2
+        - 1
+        version: "2.1"
   type: :development
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: hoe-seattlerb
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '1.2'
-- !ruby/object:Gem::Dependency
+      - !ruby/object:Gem::Version 
+        hash: 11
+        segments: 
+        - 1
+        - 2
+        version: "1.2"
+  type: :development
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
   name: session
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '2.4'
+      - !ruby/object:Gem::Version 
+        hash: 11
+        segments: 
+        - 2
+        - 4
+        version: "2.4"
   type: :development
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency 
+  name: rdoc
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '2.4'
-- !ruby/object:Gem::Dependency
-  name: rcov
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: 0.9.0
+      - !ruby/object:Gem::Version 
+        hash: 7
+        segments: 
+        - 3
+        - 0
+        version: "3.0"
   type: :development
+  version_requirements: *id005
+- !ruby/object:Gem::Dependency 
+  name: rcov
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
+  requirement: &id006 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
+      - !ruby/object:Gem::Version 
+        hash: 59
+        segments: 
+        - 0
+        - 9
+        - 0
         version: 0.9.0
-- !ruby/object:Gem::Dependency
-  name: ZenTest
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '4.5'
   type: :development
+  version_requirements: *id006
+- !ruby/object:Gem::Dependency 
+  name: ZenTest
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
+  requirement: &id007 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '4.5'
-- !ruby/object:Gem::Dependency
-  name: hoe
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '3.7'
+      - !ruby/object:Gem::Version 
+        hash: 17
+        segments: 
+        - 4
+        - 5
+        version: "4.5"
   type: :development
+  version_requirements: *id007
+- !ruby/object:Gem::Dependency 
+  name: hoe
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
+  requirement: &id008 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '3.7'
+      - !ruby/object:Gem::Version 
+        hash: 31
+        segments: 
+        - 2
+        - 14
+        version: "2.14"
+  type: :development
+  version_requirements: *id008
 description: |-
   RubyGems is a package management framework for Ruby.
-
+  
   This gem is an update for the RubyGems software. You must have an
   installation of RubyGems before this update can be applied.
-
+  
   See Gem for information on RubyGems (or `ri Gem`)
-
+  
   To upgrade to the latest RubyGems, run:
-
+  
     $ gem update --system  # you might need to be an administrator or root
-
+  
   See UPGRADING.rdoc for more details and alternative instructions.
-
+  
   -----
-
+  
   If you don't have RubyGems installed, your can still do it manually:
-
+  
   * Download from: https://rubygems.org/pages/download
   * Unpack into a directory and cd there
   * Install with: ruby setup.rb  # you may need admin/root privilege
-
+  
   For more details and other options, see:
-
+  
     ruby setup.rb --help
-email:
+email: 
 - rubygems-developers@rubyforge.org
-executables:
+executables: 
 - update_rubygems
 extensions: []
-extra_rdoc_files:
-- CVE-2013-4287.txt
-- CVE-2013-4363.txt
+
+extra_rdoc_files: 
 - History.txt
 - LICENSE.txt
 - MIT.txt
@@ -186,11 +179,9 @@ extra_rdoc_files:
 - README.rdoc
 - UPGRADING.rdoc
 - hide_lib_for_update/note.txt
-files:
+files: 
 - .autotest
 - .document
-- CVE-2013-4287.txt
-- CVE-2013-4363.txt
 - History.txt
 - LICENSE.txt
 - MIT.txt
@@ -393,33 +384,43 @@ files:
 - util/CL2notes
 - .gemtest
 homepage: http://rubygems.org
-licenses:
-- MIT
-metadata: {}
+licenses: []
+
 post_install_message: 
-rdoc_options:
+rdoc_options: 
 - --main
 - README.rdoc
-- --title=RubyGems 1.8.23.2 Documentation
-require_paths:
+- --title=RubyGems 1.8.24 Documentation
+require_paths: 
 - hide_lib_for_update
-required_ruby_version: !ruby/object:Gem::Requirement
-  requirements:
-  - - '>='
-    - !ruby/object:Gem::Version
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 57
+      segments: 
+      - 1
+      - 8
+      - 7
       version: 1.8.7
-required_rubygems_version: !ruby/object:Gem::Requirement
-  requirements:
-  - - '>='
-    - !ruby/object:Gem::Version
-      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
 requirements: []
+
 rubyforge_project: rubygems
-rubygems_version: 2.1.4
+rubygems_version: 1.8.18
 signing_key: 
-specification_version: 4
+specification_version: 3
 summary: RubyGems is a package management framework for Ruby
-test_files:
+test_files: 
 - test/rubygems/test_config.rb
 - test/rubygems/test_gem.rb
 - test/rubygems/test_gem_builder.rb

checksums.yaml

@@ -1,7 +0,0 @@
----
-SHA1:
-  metadata.gz: 4485176fa4a497c3790dc6a32bd8e55bb2f77534
-  data.tar.gz: 6dc935f3b3e6ec40bb7200a3a3809395f2020e70
-SHA512:
-  metadata.gz: baf41d09f58583dc2e7576c16cca00a10831f12c446f570acec68cafcaedf15c202c208c65fdb20b0df28c9545189b4f78ddec0db24340bf05b2697db4eb5b38
-  data.tar.gz: c971a892d2221997ac3bb54f1ffc44a171c2c956605a9127acc99415890d30e390052f1fdd458ea016fd55499ad4309fc2b0f7093b9997c71232c3ba268b0cf4

checksums.yaml.gz.sig

@@ -1,2 +0,0 @@
-j�C_1� 	R|�A���3(h�@�d
~|${�]"��yz�{zbJm��v�"�F4�7���y�Cn;jD�4B%�4��c��8�<1|�/A2,bi������~Hk��
-�����e

data/CVE-2013-4287.txt

@@ -1,36 +0,0 @@
-= Algorithmic complexity vulnerability in RubyGems 2.0.7 and older
-
-RubyGems validates versions with a regular expression that is vulnerable to
-denial of service due to a backtracking regular expression.  For specially
-crafted RubyGems versions attackers can cause denial of service through CPU
-consumption.
-
-RubyGems versions 2.0.7 and older, 2.1.0.rc.1 and 2.1.0.rc.2 are vulnerable.
-
-Ruby versions 1.9.0 through 2.0.0p247 are vulnerable as they contain embedded
-versions of RubyGems.
-
-It does not appear to be possible to exploit this vulnerability by installing a
-gem for RubyGems 1.8.x or 2.0.x.  Vulnerable uses of RubyGems API include
-packaging a gem (through `gem build`, Gem::Package or Gem::PackageTask),
-sending user input to Gem::Version.new, Gem::Version.correct? or use of the
-Gem::Version::VERSION_PATTERN or Gem::Version::ANCHORED_VERSION_PATTERN
-constants.
-
-Notably, users of bundler that install gems from git are vulnerable if a
-malicious author changes the gemspec to an invalid version.
-
-The vulnerability can be fixed by changing the first grouping to an atomic
-grouping in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb.  For
-RubyGems 2.0.x:
-
-  -  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
-  +  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
-
-For RubyGems 1.8.x:
-
-  -  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*' # :nodoc:
-  +  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:
-
-This vulnerability was discovered by Damir Sharipov <dammer2k@gmail.com>
-

data/CVE-2013-4363.txt

@@ -1,45 +0,0 @@
-= Algorithmic complexity vulnerability in RubyGems 2.1.4 and older
-
-The patch for CVE-2013-4287 was insufficiently verified so the combined
-regular expression for verifying gem version remains vulnerable following
-CVE-2013-4287.
-
-RubyGems validates versions with a regular expression that is vulnerable to
-denial of service due to backtracking.  For specially crafted RubyGems
-versions attackers can cause denial of service through CPU consumption.
-
-RubyGems versions 2.1.4 and older are vulnerable.
-
-Ruby versions 1.9.0 through 2.0.0p247 are vulnerable as they contain embedded
-versions of RubyGems.
-
-It does not appear to be possible to exploit this vulnerability by installing a
-gem for RubyGems 1.8.x or newer.  Vulnerable uses of RubyGems API include
-packaging a gem (through `gem build`, Gem::Package or Gem::PackageTask),
-sending user input to Gem::Version.new, Gem::Version.correct? or use of the
-Gem::Version::VERSION_PATTERN or Gem::Version::ANCHORED_VERSION_PATTERN
-constants.
-
-Notably, users of bundler that install gems from git are vulnerable if a
-malicious author changes the gemspec to an invalid version.
-
-The vulnerability can be fixed by changing the "*" repetition to a "?"
-repetition in Gem::Version::ANCHORED_VERSION_PATTERN in
-lib/rubygems/version.rb.  For RubyGems 2.1.x:
-
-  -  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
-  +  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
-
-For RubyGems 2.0.x:
-
-  -  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
-  +  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
-
-For RubyGems 1.8.x:
-
-  -  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
-  +  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
-
-
-This vulnerability was discovered by Alexander Cherepanov <cherepan@mccme.ru>
-