rubygems-update 2.0.9 → 2.0.10
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of rubygems-update might be problematic. Click here for more details.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/CVE-2013-4363.txt +45 -0
- data/History.txt +11 -0
- data/Manifest.txt +1 -0
- data/lib/rubygems.rb +1 -1
- data/lib/rubygems/version.rb +1 -1
- data/test/rubygems/test_gem_requirement.rb +11 -9
- data/test/rubygems/test_gem_version.rb +9 -3
- metadata +5 -3
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8b2344c4d8d3fb9c5a9ea8646efdee781ff1a212
|
|
4
|
+
data.tar.gz: 1a5e3cf9b7a7232ff9bf013e966c043b90909555
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: fd136dd51f425a090a3e7807351d82e20f578c585fbcca0ef157928a1dcbdadbe634961245e0bbf52071f9f3f005f6df0778dd9bce1779dfe5ba6ba7e590fd15
|
|
7
|
+
data.tar.gz: bec33a22ee5ff4e607b248455c2dc946f4952360eeebd581a9180dd12721302099e1833406510111f9c914fa9714121d22a1c9cda54be7be2cfad83318969823
|
checksums.yaml.gz.sig
CHANGED
|
Binary file
|
data.tar.gz.sig
CHANGED
|
Binary file
|
data/CVE-2013-4363.txt
ADDED
|
@@ -0,0 +1,45 @@
|
|
|
1
|
+
= Algorithmic complexity vulnerability in RubyGems 2.1.4 and older
|
|
2
|
+
|
|
3
|
+
The patch for CVE-2013-4287 was insufficiently verified so the combined
|
|
4
|
+
regular expression for verifying gem version remains vulnerable following
|
|
5
|
+
CVE-2013-4287.
|
|
6
|
+
|
|
7
|
+
RubyGems validates versions with a regular expression that is vulnerable to
|
|
8
|
+
denial of service due to backtracking. For specially crafted RubyGems
|
|
9
|
+
versions attackers can cause denial of service through CPU consumption.
|
|
10
|
+
|
|
11
|
+
RubyGems versions 2.1.4 and older are vulnerable.
|
|
12
|
+
|
|
13
|
+
Ruby versions 1.9.0 through 2.0.0p247 are vulnerable as they contain embedded
|
|
14
|
+
versions of RubyGems.
|
|
15
|
+
|
|
16
|
+
It does not appear to be possible to exploit this vulnerability by installing a
|
|
17
|
+
gem for RubyGems 1.8.x or newer. Vulnerable uses of RubyGems API include
|
|
18
|
+
packaging a gem (through `gem build`, Gem::Package or Gem::PackageTask),
|
|
19
|
+
sending user input to Gem::Version.new, Gem::Version.correct? or use of the
|
|
20
|
+
Gem::Version::VERSION_PATTERN or Gem::Version::ANCHORED_VERSION_PATTERN
|
|
21
|
+
constants.
|
|
22
|
+
|
|
23
|
+
Notably, users of bundler that install gems from git are vulnerable if a
|
|
24
|
+
malicious author changes the gemspec to an invalid version.
|
|
25
|
+
|
|
26
|
+
The vulnerability can be fixed by changing the "*" repetition to a "?"
|
|
27
|
+
repetition in Gem::Version::ANCHORED_VERSION_PATTERN in
|
|
28
|
+
lib/rubygems/version.rb. For RubyGems 2.1.x:
|
|
29
|
+
|
|
30
|
+
- ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
|
|
31
|
+
+ ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
|
|
32
|
+
|
|
33
|
+
For RubyGems 2.0.x:
|
|
34
|
+
|
|
35
|
+
- ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
|
|
36
|
+
+ ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
|
|
37
|
+
|
|
38
|
+
For RubyGems 1.8.x:
|
|
39
|
+
|
|
40
|
+
- ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
|
|
41
|
+
+ ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
|
|
42
|
+
|
|
43
|
+
|
|
44
|
+
This vulnerability was discovered by Alexander Cherepanov <cherepan@mccme.ru>
|
|
45
|
+
|
data/History.txt
CHANGED
|
@@ -1,7 +1,18 @@
|
|
|
1
1
|
# coding: UTF-8
|
|
2
2
|
|
|
3
|
+
=== 2.0.10 / 2013-09-24
|
|
4
|
+
|
|
5
|
+
Security fixes:
|
|
6
|
+
|
|
7
|
+
* RubyGems 2.1.4 and earlier are vulnerable to excessive CPU usage due to a
|
|
8
|
+
backtracking in Gem::Version validation. See CVE-2013-4363 for full details
|
|
9
|
+
including vulnerable APIs. Fixed versions include 2.1.5, 2.0.10, 1.8.27 and
|
|
10
|
+
1.8.23.2 (for Ruby 1.9.3).
|
|
11
|
+
|
|
3
12
|
=== 2.0.9 / 2013-09-13
|
|
4
13
|
|
|
14
|
+
Bug fixes:
|
|
15
|
+
|
|
5
16
|
* Gem fetch now fetches the newest (not oldest) gem when --version is given.
|
|
6
17
|
Issue #643 by Brian Shirai.
|
|
7
18
|
* Fixed credential creation for `gem push` when `--host` is not given. Pull
|
data/Manifest.txt
CHANGED
data/lib/rubygems.rb
CHANGED
data/lib/rubygems/version.rb
CHANGED
|
@@ -148,7 +148,7 @@ class Gem::Version
|
|
|
148
148
|
# FIX: These are only used once, in .correct?. Do they deserve to be
|
|
149
149
|
# constants?
|
|
150
150
|
VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:
|
|
151
|
-
ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})
|
|
151
|
+
ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
|
|
152
152
|
|
|
153
153
|
##
|
|
154
154
|
# A string representation of this Version.
|
|
@@ -47,18 +47,20 @@ class TestGemRequirement < Gem::TestCase
|
|
|
47
47
|
end
|
|
48
48
|
|
|
49
49
|
def test_parse_bad
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
50
|
+
[
|
|
51
|
+
nil,
|
|
52
|
+
'',
|
|
53
|
+
'! 1',
|
|
54
|
+
'= junk',
|
|
55
|
+
'1..2',
|
|
56
|
+
].each do |bad|
|
|
57
|
+
e = assert_raises Gem::Requirement::BadRequirementError do
|
|
58
|
+
Gem::Requirement.parse bad
|
|
59
|
+
end
|
|
55
60
|
|
|
56
|
-
|
|
57
|
-
Gem::Requirement.parse ""
|
|
61
|
+
assert_equal "Illformed requirement [#{bad.inspect}]", e.message
|
|
58
62
|
end
|
|
59
63
|
|
|
60
|
-
assert_equal 'Illformed requirement [""]', e.message
|
|
61
|
-
|
|
62
64
|
assert_equal Gem::Requirement::BadRequirementError.superclass, ArgumentError
|
|
63
65
|
end
|
|
64
66
|
|
|
@@ -67,12 +67,18 @@ class TestGemVersion < Gem::TestCase
|
|
|
67
67
|
end
|
|
68
68
|
|
|
69
69
|
def test_initialize_bad
|
|
70
|
-
[
|
|
71
|
-
|
|
70
|
+
%W[
|
|
71
|
+
junk
|
|
72
|
+
1.0\n2.0
|
|
73
|
+
1..2
|
|
74
|
+
1.2\ 3.4
|
|
75
|
+
1-2-3
|
|
76
|
+
].each do |bad|
|
|
77
|
+
e = assert_raises ArgumentError, bad do
|
|
72
78
|
Gem::Version.new bad
|
|
73
79
|
end
|
|
74
80
|
|
|
75
|
-
assert_equal "Malformed version number string #{bad}", e.message
|
|
81
|
+
assert_equal "Malformed version number string #{bad}", e.message, bad
|
|
76
82
|
end
|
|
77
83
|
end
|
|
78
84
|
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rubygems-update
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.0.
|
|
4
|
+
version: 2.0.10
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jim Weirich
|
|
@@ -32,7 +32,7 @@ cert_chain:
|
|
|
32
32
|
KDyY1VIazVgoC8XvR4h/95/iScPiuglzA+DBG1hip1xScAtw05BrXyUNrc9CEMYU
|
|
33
33
|
wgF94UVoHRp6ywo8I7NP3HcwFQDFNEZPNGXsng==
|
|
34
34
|
-----END CERTIFICATE-----
|
|
35
|
-
date: 2013-09-
|
|
35
|
+
date: 2013-09-24 00:00:00.000000000 Z
|
|
36
36
|
dependencies:
|
|
37
37
|
- !ruby/object:Gem::Dependency
|
|
38
38
|
name: minitest
|
|
@@ -164,6 +164,7 @@ executables:
|
|
|
164
164
|
extensions: []
|
|
165
165
|
extra_rdoc_files:
|
|
166
166
|
- CVE-2013-4287.txt
|
|
167
|
+
- CVE-2013-4363.txt
|
|
167
168
|
- History.txt
|
|
168
169
|
- LICENSE.txt
|
|
169
170
|
- MIT.txt
|
|
@@ -175,6 +176,7 @@ files:
|
|
|
175
176
|
- .autotest
|
|
176
177
|
- .document
|
|
177
178
|
- CVE-2013-4287.txt
|
|
179
|
+
- CVE-2013-4363.txt
|
|
178
180
|
- History.txt
|
|
179
181
|
- LICENSE.txt
|
|
180
182
|
- MIT.txt
|
|
@@ -454,7 +456,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
454
456
|
version: '0'
|
|
455
457
|
requirements: []
|
|
456
458
|
rubyforge_project: rubygems-update
|
|
457
|
-
rubygems_version: 2.1.
|
|
459
|
+
rubygems_version: 2.1.4
|
|
458
460
|
signing_key:
|
|
459
461
|
specification_version: 4
|
|
460
462
|
summary: RubyGems is a package management framework for Ruby
|
metadata.gz.sig
CHANGED
|
Binary file
|