rubygems-update 2.0.7 → 2.0.8

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 5e9f42bf721ffd1d55ba8454036327f4c39d7b72
4
- data.tar.gz: a37596374bcf4403abab869e8909ab2ecc28ab18
3
+ metadata.gz: 91ef9091ddee5ecdd6f0fcb5b693a22c2e0184c6
4
+ data.tar.gz: b39e56d72971a75c73269237f952620f31a65e6f
5
5
  SHA512:
6
- metadata.gz: 4f3ac7f781ff7d1e8657ee683b27570dab4900f98ce685da00ddc9e5200fcf42edebdb54e4514652ea1bdd5f624bedf16288f1fa9dc299246f9c38bb632c5ba4
7
- data.tar.gz: 06c7f64a81da01e747b6062d2c76210e97eeef08bd785b3da08105004ab312eb96d926a63f0d77d741f21e15dc7027f9a4bdfe0b2629e4de4087a77afc770d25
6
+ metadata.gz: a06cc15ee1e43192e446360c58c80d4c97dbafa0fb4114528aaeefad5be2c9678e1b89d092d07cac04c2e1124cfa80071c75857d7d04f225dbf403cb6162e43c
7
+ data.tar.gz: 456ba6216bef9b550ed28163baec53b8dd08a853fbc185f577781dddb71cfa1b7d8f28463bafcc8932e54b17e28a998b3e835539c49a3cbc73f0ceb4d65d0d6c
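Review bot: both the SHA1 and the SHA512 entries change for metadata.gz and data.tar.gz, which is expected for a rebuilt, re-signed release, but the SHA1 lines add nothing over the SHA512 lines and keep a weak digest in the manifest, so anyone checking this release by hand should compare the SHA512 values only. These digests are also not self-authenticating: they bind the two archives to checksums.yaml, and it is the detached signature over that file (checksums.yaml.gz.sig, next hunk) that has to verify against the certificate in the gem's cert_chain.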
checksums.yaml.gz.sig CHANGED
@@ -1 +1,2 @@
1
- ���J" �3�sy�C��:�iU<�d��}�%.����E�_��)�=�����bO���R�J~�!�v��텝!,�(Vkz=�$?5�D=�?%�騥����"�?Ӗ@�o�����G�*�eLH��o�ã~`� �3�K�x8����Jb�ZI.[�hU�6+>�c�������W�9cY�hr*�;�V�t~�oF�|�������rs�&�����hz�i_�G�1*���ď⟄k�z�%�]�huW�
1
+ z�="o޹P[���� ����3��K
2
+ Oe�����[�[:
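Review bot: the new checksums.yaml.gz.sig renders as two short lines where the old one was a single long line (`@@ -1 +1,2 @@`), so this hunk is a text diff of raw signature bytes and carries nothing reviewable. If the certificate in cert_chain is unchanged, an RSA signature over the same key should not change length, so the shorter rendering is most likely display truncation; confirm the real file size in the .gem and verify the signature with the RubyGems trust policy (`gem cert --add` the certificate, then install with `-P HighSecurity`) rather than reading this hunk.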
data.tar.gz.sig CHANGED
@@ -1 +1 @@
1
- j�^ZXNlc��A�2�|*ڴZ���+�e�l�FŁRW�d4x����<���4K��N�Q�`T ����+dQZ���7VXkUKBQ)G|����tx��zX���T ��D;��^��MYW�������6b~΃�l,#9�w�FK�����j���)��ڬ�i[����%���?ŕ�l"��C������K0.L��չ��P  �s1ȤxS-ϤJ=@�Z ��I���_�ꠁ�wc
1
+ U�@���G(Fۡ@2�2�{�Mt��[էwe$0��A!-��a�"]�������]I���l� d>���`��'>��g�;�,�i��e���Պ/P��!ѐ�+��>F���F}M��;&�t��֠f�����ԌK��qPB��I��:j �<�.˿��_U������6��?ᯒ�6�))1��q6LI[��5�G��8ebE�/9���Xh]F9���W��$�0 | �uvBdY4
data/.autotest CHANGED
@@ -6,7 +6,7 @@ require 'autotest/restart'
6
6
  require 'autotest/isolate'
7
7
 
8
8
  Autotest.add_hook :initialize do |at|
9
- at.testlib = 'minitest/autorun'
9
+ at.testlib = ''
10
10
 
11
11
  at.add_exception %r%/\.git/%
12
12
  at.add_exception %r%/\.svn/%
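Review bot: setting `at.testlib = ''` is unrelated to CVE-2013-4287 and has no entry in History.txt. A security release should carry the fix and what it needs; either document why autotest no longer loads `minitest/autorun` (presumably the test files require it themselves, in which case say so) or move this change to a separate commit so downstream packagers backporting the fix do not have to reason about it.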
data/CVE-2013-4287.txt ADDED
@@ -0,0 +1,36 @@
1
+ = Algorithmic complexity vulnerability in RubyGems 2.0.7 and older
2
+
3
+ RubyGems validates versions with a regular expression that is vulnerable to
4
+ denial of service due to a backtracking regular expression. For specially
5
+ crafted RubyGems versions attackers can cause denial of service through CPU
6
+ consumption.
7
+
8
+ RubyGems versions 2.0.7 and older, 2.1.0.rc.1 and 2.1.0.rc.2 are vulnerable.
9
+
10
+ Ruby versions 1.9.0 through 2.0.0p247 are vulnerable as they contain embedded
11
+ versions of RubyGems.
12
+
13
+ It does not appear to be possible to exploit this vulnerability by installing a
14
+ gem for RubyGems 1.8.x or 2.0.x. Vulnerable uses of RubyGems API include
15
+ packaging a gem (through `gem build`, Gem::Package or Gem::PackageTask),
16
+ sending user input to Gem::Version.new, Gem::Version.correct? or use of the
17
+ Gem::Version::VERSION_PATTERN or Gem::Version::ANCHORED_VERSION_PATTERN
18
+ constants.
19
+
20
+ Notably, users of bundler that install gems from git are vulnerable if a
21
+ malicious author changes the gemspec to an invalid version.
22
+
23
+ The vulnerability can be fixed by changing the first grouping to an atomic
24
+ grouping in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb. For
25
+ RubyGems 2.0.x:
26
+
27
+ - VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
28
+ + VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
29
+
30
+ For RubyGems 1.8.x:
31
+
32
+ - VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*' # :nodoc:
33
+ + VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:
34
+
35
+ This vulnerability was discovered by Damir Sharipov <dammer2k@gmail.com>
36
+
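Review bot: the patch labelled "For RubyGems 2.0.x" does not match the lib/rubygems/version.rb hunk shipped in this same release: that hunk shows 2.0.7 carrying `VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*'`, which is the pattern the advisory labels "For RubyGems 1.8.x", while the pattern with the `(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?` suffix is not in 2.0.x at all. Relabel the two patches so a packager patching a 2.0.x tree by hand applies the right one. Second, the advisory lists `Gem::Version::ANCHORED_VERSION_PATTERN` among the vulnerable constants but describes the fix as changing only "the first grouping" to an atomic group; ANCHORED_VERSION_PATTERN repeats the entire VERSION_PATTERN with an outer `(...)*`, and that outer repetition is a second nested quantifier the advisory should address explicitly (see the comment on the version.rb hunk). Minor: the bare e-mail address in the credit line will be harvested once this file ships as rdoc; consider the author's name alone or an obfuscated form.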
data/History.txt CHANGED
@@ -1,11 +1,23 @@
1
1
  # coding: UTF-8
2
2
 
3
- === 2.0.7 / 2013-08-15
3
+ === 2.0.8 / 2013-09-09
4
+
5
+ Security fixes:
6
+
7
+ * RubyGems 2.0.7 and earlier are vulnerable to excessive CPU usage due to a
8
+ backtracking in Gem::Version validation. See CVE-2013-4287 for full details
9
+ including vulnerable APIs. Fixed versions include 2.0.8, 1.8.26 and
10
+ 1.8.23.1 (for Ruby 1.9.3). Issue #626 by Damir Sharipov.
4
11
 
5
12
  Bug fixes:
6
13
 
14
+ * Fixed Gem.clear_paths when Security is defined at top-level. Pull request
15
+ #625 by elarkin
16
+
17
+ === 2.0.7 / 2013-08-15
18
+
7
19
  * Extensions may now be built in parallel (therefore gems may be installed in
8
- parallel). Bug #606 by Hemant Kumar.
20
+ parallel). Bug #607 by Hemant Kumar.
9
21
  * Changed broken link to RubyGems Bookshelf to point to RubyGems guides. Ruby
10
22
  pull request #369 by 謝致邦.
11
23
  * Fixed various test failures due to platform differences or poor tests.
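Review bot: the 2.0.7 section loses its `Bug fixes:` heading. The unchanged heading at line 12 now sits under 2.0.8 above the new Gem.clear_paths entry, and the inserted `=== 2.0.7 / 2013-08-15` header is followed directly by the `* Extensions may now be built in parallel` bullets, so the 2.0.7 entries no longer have a category; re-add `Bug fixes:` and a blank line after the 2.0.7 header. Two smaller points: the fixed-version list in the security entry names 2.0.8, 1.8.26 and 1.8.23.1 but not 2.1.0, even though the metadata hunk shows this gem was built with rubygems_version 2.1.0, so say whether 2.1.0 final is fixed; and the issue number in the 2.0.7 parallel-extensions entry silently changes from #606 to #607, which is fine as a correction but should be double-checked against the tracker.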
data/Manifest.txt CHANGED
@@ -1,5 +1,6 @@
1
1
  .autotest
2
2
  .document
3
+ CVE-2013-4287.txt
3
4
  History.txt
4
5
  LICENSE.txt
5
6
  MIT.txt
data/Rakefile CHANGED
@@ -56,7 +56,9 @@ hoe = Hoe.spec 'rubygems-update' do
56
56
  extra_dev_deps << ['ZenTest', '~> 4.5']
57
57
  extra_dev_deps << ['rake', '~> 0.9.3']
58
58
 
59
- self.extra_rdoc_files = Dir["*.rdoc"]
59
+ self.extra_rdoc_files = Dir["*.rdoc"] + %w[
60
+ CVE-2013-4287.txt
61
+ ]
60
62
 
61
63
  spec_extras['rdoc_options'] = proc do |rdoc_options|
62
64
  rdoc_options << "--title=RubyGems Update Documentation"
data/lib/rubygems.rb CHANGED
@@ -8,7 +8,7 @@
8
8
  require 'rbconfig'
9
9
 
10
10
  module Gem
11
- VERSION = '2.0.7'
11
+ VERSION = '2.0.8'
12
12
  end
13
13
 
14
14
  # Must be first since it unloads the prelude from 1.9.2
@@ -307,7 +307,7 @@ module Gem
307
307
  @paths = nil
308
308
  @user_home = nil
309
309
  Gem::Specification.reset
310
- Gem::Security.reset if const_defined? :Security
310
+ Gem::Security.reset if defined?(Gem::Security)
311
311
  end
312
312
 
313
313
  ##
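Review bot: the fix is correct, though `const_defined?(:Security, false)` would state the intent more directly. With the default `inherit = true`, `const_defined? :Security` evaluated inside `module Gem` also searches Object, so a top-level `::Security` makes it return true, after which `Gem::Security.reset` raises NameError because `Gem::Security` itself does not exist; that is the failure History.txt describes for Gem.clear_paths. `defined?(Gem::Security)` checks the fully qualified name and avoids it. Either form is fine; what is missing is a regression test that defines `::Security` and then calls `Gem.clear_paths`.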
@@ -147,7 +147,7 @@ class Gem::Version
147
147
 
148
148
  # FIX: These are only used once, in .correct?. Do they deserve to be
149
149
  # constants?
150
- VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*' # :nodoc:
150
+ VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:
151
151
  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
152
152
 
153
153
  ##
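Review bot: the atomic group only stops backtracking inside each `\.[0-9a-zA-Z]+` segment; the nested quantifier that does the damage is in the unchanged `ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/` on the next line, which repeats the whole VERSION_PATTERN with an outer `*` and nothing separating repetitions. Every repetition begins with `[0-9]+`, so a leading run of n digits followed by a character that cannot match (for example `1111111111111111111111111!`) can still be partitioned into repetitions in 2^(n-1) ways before the match fails. A version string is a single VERSION_PATTERN, not a sequence of them, so the outer `*` should be `?`, and a regression test that bounds the time of `Gem::Version.correct?` on such an input should accompany the change. Also, this hunk belongs to lib/rubygems/version.rb (the `class Gem::Version` hunk header and the advisory both say so), but the page lists it under data/lib/rubygems.rb because the file header is missing.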
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rubygems-update
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.0.7
4
+ version: 2.0.8
5
5
  platform: ruby
6
6
  authors:
7
7
  - Jim Weirich
@@ -32,7 +32,7 @@ cert_chain:
32
32
  KDyY1VIazVgoC8XvR4h/95/iScPiuglzA+DBG1hip1xScAtw05BrXyUNrc9CEMYU
33
33
  wgF94UVoHRp6ywo8I7NP3HcwFQDFNEZPNGXsng==
34
34
  -----END CERTIFICATE-----
35
- date: 2013-08-15 00:00:00.000000000 Z
35
+ date: 2013-09-09 00:00:00.000000000 Z
36
36
  dependencies:
37
37
  - !ruby/object:Gem::Dependency
38
38
  name: minitest
@@ -163,6 +163,7 @@ executables:
163
163
  - update_rubygems
164
164
  extensions: []
165
165
  extra_rdoc_files:
166
+ - CVE-2013-4287.txt
166
167
  - History.txt
167
168
  - LICENSE.txt
168
169
  - MIT.txt
@@ -173,6 +174,7 @@ extra_rdoc_files:
173
174
  files:
174
175
  - .autotest
175
176
  - .document
177
+ - CVE-2013-4287.txt
176
178
  - History.txt
177
179
  - LICENSE.txt
178
180
  - MIT.txt
@@ -452,7 +454,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
452
454
  version: '0'
453
455
  requirements: []
454
456
  rubyforge_project: rubygems-update
455
- rubygems_version: 2.0.7
457
+ rubygems_version: 2.1.0
456
458
  signing_key:
457
459
  specification_version: 4
458
460
  summary: RubyGems is a package management framework for Ruby
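Review bot: `rubygems_version: 2.1.0` means this 2.0.8 gem was packaged with RubyGems 2.1.0, and the advisory added in this release names `gem build` / Gem::Package as a vulnerable API and 2.1.0.rc.1 and 2.1.0.rc.2 as vulnerable, while the History entry lists only 2.0.8, 1.8.26 and 1.8.23.1 as fixed. State explicitly, in both History.txt and CVE-2013-4287.txt, that 2.1.0 final contains the fix; as written a reader cannot tell whether the tooling that built this release was itself patched.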
metadata.gz.sig CHANGED
Binary file