RubyGems - rubygems-update - Versions diffs - 2.1.4 → 2.1.5 - Mend

rubygems-update 2.1.4 → 2.1.5

Potentially problematic release.

This version of rubygems-update might be problematic. Click here for more details.

Files changed (13) hide show

checksums.yaml +4 -4
checksums.yaml.gz.sig +0 -0
data.tar.gz.sig +0 -0
data/CVE-2013-4363.txt +45 -0
data/History.txt +9 -0
data/Manifest.txt +1 -0
data/Rakefile +1 -0
data/lib/rubygems.rb +1 -1
data/lib/rubygems/version.rb +1 -1
data/test/rubygems/test_gem_requirement.rb +11 -9
data/test/rubygems/test_gem_version.rb +8 -3
metadata +6 -4
metadata.gz.sig +0 -0

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b1fa94d6b820abe075a10e423fc13e4d1a42ff58
-  data.tar.gz: 12967cad3de5815451c7fa652d39caf75b91281d
+  metadata.gz: 547e9e32aaae7d7c3e3bdbbb062487fcf8cc74ba
+  data.tar.gz: c4a1eb35b004dccf640ee945f60180ff788fd55a
 SHA512:
-  metadata.gz: 03c8e214c07144821e02af71a49f73d860835b293013eeb8ca03ad22751c6283a50ad0d1c8bd50f824764edd96566922a0275416de2ebbc4a172301a94f3413c
-  data.tar.gz: d5cd8d2ea741cbe7198e1e1ce6352b24cdb58b1468fdb7c7fd249fb3796f275c0d3ab023945054a904f44204406eeb26b492418dc22937c9ca0d0777e28ccf36
+  metadata.gz: 1eaa80a01f37f17db7f43a904dfda441286c919b493110923f28735d1b540f73e954e7ce74b99d625ffc834420a6c7fd88b1f37999c59f550c9949381e402c27
+  data.tar.gz: 11f86585794ca193303b9316107a44be25de32c6791eec0385f4f7f0aa4388007d9f25b3880f778db0fbf86adb62a68278f66a79e644b8850d40a4b0021322de

checksums.yaml.gz.sig CHANGED

Binary file

data.tar.gz.sig CHANGED

Binary file

data/CVE-2013-4363.txt ADDED

@@ -0,0 +1,45 @@
+= Algorithmic complexity vulnerability in RubyGems 2.1.4 and older
+The patch for CVE-2013-4287 was insufficiently verified so the combined
+regular expression for verifying gem version remains vulnerable following
+CVE-2013-4287.
+RubyGems validates versions with a regular expression that is vulnerable to
+denial of service due to backtracking.  For specially crafted RubyGems
+versions attackers can cause denial of service through CPU consumption.
+RubyGems versions 2.1.4 and older are vulnerable.
+Ruby versions 1.9.0 through 2.0.0p247 are vulnerable as they contain embedded
+versions of RubyGems.
+It does not appear to be possible to exploit this vulnerability by installing a
+gem for RubyGems 1.8.x or newer.  Vulnerable uses of RubyGems API include
+packaging a gem (through `gem build`, Gem::Package or Gem::PackageTask),
+sending user input to Gem::Version.new, Gem::Version.correct? or use of the
+Gem::Version::VERSION_PATTERN or Gem::Version::ANCHORED_VERSION_PATTERN
+constants.
+Notably, users of bundler that install gems from git are vulnerable if a
+malicious author changes the gemspec to an invalid version.
+The vulnerability can be fixed by changing the "*" repetition to a "?"
+repetition in Gem::Version::ANCHORED_VERSION_PATTERN in
+lib/rubygems/version.rb.  For RubyGems 2.1.x:
+  -  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
+  +  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
+For RubyGems 2.0.x:
+  -  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
+  +  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
+For RubyGems 1.8.x:
+  -  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
+  +  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
+This vulnerability was discovered by Alexander Cherepanov <cherepan@mccme.ru>

data/History.txt CHANGED

@@ -1,5 +1,14 @@
 # coding: UTF-8
+=== 2.1.5 / 2013-09-24
+Security fixes:
+* RubyGems 2.1.4 and earlier are vulnerable to excessive CPU usage due to a
+  backtracking in Gem::Version validation.  See CVE-2013-4363 for full details
+  including vulnerable APIs.  Fixed versions include 2.1.5, 2.0.10, 1.8.27 and
+  1.8.23.2 (for Ruby 1.9.3).
 === 2.1.4 / 2013-09-17
 Bug fixes:

data/Manifest.txt CHANGED

@@ -1,6 +1,7 @@
 .autotest
 .document
 CVE-2013-4287.txt
+CVE-2013-4363.txt
 History.txt
 LICENSE.txt
 MIT.txt

data/Rakefile CHANGED

@@ -127,6 +127,7 @@ desc "Upload release to rubyforge and gemcutter"
 task :upload => %w[upload_to_gemcutter]
 on_master = `git branch --list master`.strip == '* master'
+on_master = true if ENV['FORCE']
 Rake::Task['publish_docs'].clear unless on_master

data/lib/rubygems.rb CHANGED

@@ -8,7 +8,7 @@
 require 'rbconfig'
 module Gem
-  VERSION = '2.1.4'
+  VERSION = '2.1.5'
 end
 # Must be first since it unloads the prelude from 1.9.2

data/lib/rubygems/version.rb CHANGED

@@ -148,7 +148,7 @@ class Gem::Version
   # FIX: These are only used once, in .correct?. Do they deserve to be
   # constants?
   VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
-  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
+  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
   ##
   # A string representation of this Version.

data/test/rubygems/test_gem_requirement.rb CHANGED

@@ -47,18 +47,20 @@ class TestGemRequirement < Gem::TestCase
   end
   def test_parse_bad
-    e = assert_raises Gem::Requirement::BadRequirementError do
-      Gem::Requirement.parse nil
-    end
-    assert_equal 'Illformed requirement [nil]', e.message
+    [
+      nil,
+      '',
+      '! 1',
+      '= junk',
+      '1..2',
+    ].each do |bad|
+      e = assert_raises Gem::Requirement::BadRequirementError do
+        Gem::Requirement.parse bad
+      end
-    e = assert_raises Gem::Requirement::BadRequirementError do
-      Gem::Requirement.parse ""
+      assert_equal "Illformed requirement [#{bad.inspect}]", e.message
     end
-    assert_equal 'Illformed requirement [""]', e.message
     assert_equal Gem::Requirement::BadRequirementError.superclass, ArgumentError
   end

data/test/rubygems/test_gem_version.rb CHANGED

@@ -67,12 +67,17 @@ class TestGemVersion < Gem::TestCase
   end
   def test_initialize_bad
-    ["junk", "1.0\n2.0"].each do |bad|
-      e = assert_raises ArgumentError do
+    %W[
+      junk
+      1.0\n2.0
+      1..2
+      1.2\ 3.4
+    ].each do |bad|
+      e = assert_raises ArgumentError, bad do
         Gem::Version.new bad
       end
-      assert_equal "Malformed version number string #{bad}", e.message
+      assert_equal "Malformed version number string #{bad}", e.message, bad
     end
   end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubygems-update
 version: !ruby/object:Gem::Version
-  version: 2.1.4
+  version: 2.1.5
 platform: ruby
 authors:
 - Jim Weirich
@@ -32,7 +32,7 @@ cert_chain:
   KDyY1VIazVgoC8XvR4h/95/iScPiuglzA+DBG1hip1xScAtw05BrXyUNrc9CEMYU
   wgF94UVoHRp6ywo8I7NP3HcwFQDFNEZPNGXsng==
   -----END CERTIFICATE-----
-date: 2013-09-17 00:00:00.000000000 Z
+date: 2013-09-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -164,6 +164,7 @@ executables:
 extensions: []
 extra_rdoc_files:
 - CVE-2013-4287.txt
+- CVE-2013-4363.txt
 - History.txt
 - LICENSE.txt
 - MIT.txt
@@ -174,8 +175,8 @@ extra_rdoc_files:
 files:
 - .autotest
 - .document
-- .gemtest
 - CVE-2013-4287.txt
+- CVE-2013-4363.txt
 - History.txt
 - LICENSE.txt
 - MIT.txt
@@ -468,6 +469,7 @@ files:
 - util/CL2notes
 - util/create_certs.rb
 - util/create_encrypted_key.rb
+- .gemtest
 homepage: http://rubygems.org
 licenses:
 - Ruby
@@ -492,7 +494,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: rubygems-update
-rubygems_version: 2.2.0
+rubygems_version: 2.1.4
 signing_key:
 specification_version: 4
 summary: RubyGems is a package management framework for Ruby

metadata.gz.sig CHANGED

Binary file