RubyGems - rubygems-update - Versions diffs - 2.0.7 → 2.0.8 - Mend

rubygems-update 2.0.7 → 2.0.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5e9f42bf721ffd1d55ba8454036327f4c39d7b72
-  data.tar.gz: a37596374bcf4403abab869e8909ab2ecc28ab18
+  metadata.gz: 91ef9091ddee5ecdd6f0fcb5b693a22c2e0184c6
+  data.tar.gz: b39e56d72971a75c73269237f952620f31a65e6f
 SHA512:
-  metadata.gz: 4f3ac7f781ff7d1e8657ee683b27570dab4900f98ce685da00ddc9e5200fcf42edebdb54e4514652ea1bdd5f624bedf16288f1fa9dc299246f9c38bb632c5ba4
-  data.tar.gz: 06c7f64a81da01e747b6062d2c76210e97eeef08bd785b3da08105004ab312eb96d926a63f0d77d741f21e15dc7027f9a4bdfe0b2629e4de4087a77afc770d25
+  metadata.gz: a06cc15ee1e43192e446360c58c80d4c97dbafa0fb4114528aaeefad5be2c9678e1b89d092d07cac04c2e1124cfa80071c75857d7d04f225dbf403cb6162e43c
+  data.tar.gz: 456ba6216bef9b550ed28163baec53b8dd08a853fbc185f577781dddb71cfa1b7d8f28463bafcc8932e54b17e28a998b3e835539c49a3cbc73f0ceb4d65d0d6c

checksums.yaml.gz.sig CHANGED Viewed

@@ -1 +1,2 @@
-���J"�3�sy�C��:�iU<�d��}�%.����E�_��)�=�����bO���R�J~�!�v��텝!,�(Vkz=�$?5�D=�?%�騥����"�?Ӗ@�o�����G�*�eLH��o�ã~`� �3�K�x8����Jb�ZI.[�hU�6+>�c�������W�9cY�hr*�;�V�t~�oF�|�������rs�&�����hz�i_�G�1*���ď⟄k�z�%�]�huW�
+z�="o޹P�[���� ����3��Kၮ
+Oe�����[�[:

data.tar.gz.sig CHANGED Viewed

	@@ -1 +1 @@
1	- ~~j�^ZXN~~�~~lc��A~~�2~~�\|*ڴZ��+�e~~�l�~~FŁR~~�~~W�d4~~�~~x��<��4K~~��~~N�Q�`T��+dQZ��7~~�~~VXkUKB~~�Q�)G~~\|��tx~~��~~zX��T ��D;��^��MY~~�~~W��6~~�~~b~΃�l,#~~9~~�w�FK��j~~��~~)��ڬ�i~~�~~[��%��?ŕ�l~~�~~"��C��K0.L��չ��P �s~~�~~1Ȥx~~�~~S-ϤJ=@�Z ��I��_�ꠁ�wc~~�
1	+ U�@��G�(Fۡ@2�2�{�Mt��[էwe$0��A!-��a�"]��]I��l� �d>��`��'>��g�;�,�i��e��Պ/P��!ѐ�+��>F��F�}M��;&�t��֠f��ԌK��qPB��I��:j �<�.˿��_�U��6��?ᯒ�6�))1��q6�LI[��5�G��8�e�bE�/9��Xh�]F�9��W��$�0�\| �uvB�d�Y4

data/.autotest CHANGED Viewed

@@ -6,7 +6,7 @@ require 'autotest/restart'
 require 'autotest/isolate'
 Autotest.add_hook :initialize do |at|
-  at.testlib = 'minitest/autorun'
+  at.testlib = ''
   at.add_exception %r%/\.git/%
   at.add_exception %r%/\.svn/%

data/CVE-2013-4287.txt ADDED Viewed

@@ -0,0 +1,36 @@
+= Algorithmic complexity vulnerability in RubyGems 2.0.7 and older
+RubyGems validates versions with a regular expression that is vulnerable to
+denial of service due to a backtracking regular expression.  For specially
+crafted RubyGems versions attackers can cause denial of service through CPU
+consumption.
+RubyGems versions 2.0.7 and older, 2.1.0.rc.1 and 2.1.0.rc.2 are vulnerable.
+Ruby versions 1.9.0 through 2.0.0p247 are vulnerable as they contain embedded
+versions of RubyGems.
+It does not appear to be possible to exploit this vulnerability by installing a
+gem for RubyGems 1.8.x or 2.0.x.  Vulnerable uses of RubyGems API include
+packaging a gem (through `gem build`, Gem::Package or Gem::PackageTask),
+sending user input to Gem::Version.new, Gem::Version.correct? or use of the
+Gem::Version::VERSION_PATTERN or Gem::Version::ANCHORED_VERSION_PATTERN
+constants.
+Notably, users of bundler that install gems from git are vulnerable if a
+malicious author changes the gemspec to an invalid version.
+The vulnerability can be fixed by changing the first grouping to an atomic
+grouping in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb.  For
+RubyGems 2.0.x:
+  -  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
+  +  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
+For RubyGems 1.8.x:
+  -  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*' # :nodoc:
+  +  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:
+This vulnerability was discovered by Damir Sharipov <dammer2k@gmail.com>

data/History.txt CHANGED Viewed

@@ -1,11 +1,23 @@
 # coding: UTF-8
-=== 2.0.7 / 2013-08-15
+=== 2.0.8 / 2013-09-09
+Security fixes:
+* RubyGems 2.0.7 and earlier are vulnerable to excessive CPU usage due to a
+  backtracking in Gem::Version validation.  See CVE-2013-4287 for full details
+  including vulnerable APIs.  Fixed versions include 2.0.8, 1.8.26 and
+  1.8.23.1 (for Ruby 1.9.3).  Issue #626 by Damir Sharipov.
 Bug fixes:
+* Fixed Gem.clear_paths when Security is defined at top-level.  Pull request
+  #625 by elarkin
+=== 2.0.7 / 2013-08-15
 * Extensions may now be built in parallel (therefore gems may be installed in
-  parallel).  Bug #606 by Hemant Kumar.
+  parallel).  Bug #607 by Hemant Kumar.
 * Changed broken link to RubyGems Bookshelf to point to RubyGems guides.  Ruby
   pull request #369 by 謝致邦.
 * Fixed various test failures due to platform differences or poor tests.

data/Manifest.txt CHANGED Viewed

@@ -1,5 +1,6 @@
 .autotest
 .document
+CVE-2013-4287.txt
 History.txt
 LICENSE.txt
 MIT.txt

data/Rakefile CHANGED Viewed

@@ -56,7 +56,9 @@ hoe = Hoe.spec 'rubygems-update' do
   extra_dev_deps << ['ZenTest', '~> 4.5']
   extra_dev_deps << ['rake', '~> 0.9.3']
-  self.extra_rdoc_files = Dir["*.rdoc"]
+  self.extra_rdoc_files = Dir["*.rdoc"] + %w[
+    CVE-2013-4287.txt
+  ]
   spec_extras['rdoc_options'] = proc do |rdoc_options|
     rdoc_options << "--title=RubyGems Update Documentation"

data/lib/rubygems.rb CHANGED Viewed

@@ -8,7 +8,7 @@
 require 'rbconfig'
 module Gem
-  VERSION = '2.0.7'
+  VERSION = '2.0.8'
 end
 # Must be first since it unloads the prelude from 1.9.2
@@ -307,7 +307,7 @@ module Gem
     @paths         = nil
     @user_home     = nil
     Gem::Specification.reset
-    Gem::Security.reset if const_defined? :Security
+    Gem::Security.reset if defined?(Gem::Security)
   end
   ##

data/lib/rubygems/version.rb CHANGED Viewed

@@ -147,7 +147,7 @@ class Gem::Version
   # FIX: These are only used once, in .correct?. Do they deserve to be
   # constants?
-  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*' # :nodoc:
+  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:
   ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
   ##

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubygems-update
 version: !ruby/object:Gem::Version
-  version: 2.0.7
+  version: 2.0.8
 platform: ruby
 authors:
 - Jim Weirich
@@ -32,7 +32,7 @@ cert_chain:
   KDyY1VIazVgoC8XvR4h/95/iScPiuglzA+DBG1hip1xScAtw05BrXyUNrc9CEMYU
   wgF94UVoHRp6ywo8I7NP3HcwFQDFNEZPNGXsng==
   -----END CERTIFICATE-----
-date: 2013-08-15 00:00:00.000000000 Z
+date: 2013-09-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -163,6 +163,7 @@ executables:
 - update_rubygems
 extensions: []
 extra_rdoc_files:
+- CVE-2013-4287.txt
 - History.txt
 - LICENSE.txt
 - MIT.txt
@@ -173,6 +174,7 @@ extra_rdoc_files:
 files:
 - .autotest
 - .document
+- CVE-2013-4287.txt
 - History.txt
 - LICENSE.txt
 - MIT.txt
@@ -452,7 +454,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: rubygems-update
-rubygems_version: 2.0.7
+rubygems_version: 2.1.0
 signing_key:
 specification_version: 4
 summary: RubyGems is a package management framework for Ruby

metadata.gz.sig CHANGED Viewed

Binary file