rubygems-update 2.6.13 → 2.6.14

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: c355e9814c4bd683190f6d71b5451fc9c7299aa4
-  data.tar.gz: 5086e33f6dbf1c20876379c2d31feed694c7f2ba
+SHA256:
+  metadata.gz: 57912bb77dd87dcd42c101212129e693553e4d31b01e3475f423d69606d054f2
+  data.tar.gz: 6c57e3463ebe2e2dec90d8c99ba48212622faac0cdfc7bb90ab91d1299a2af97
 SHA512:
-  metadata.gz: 6fc702c906ba6bca4b5495934b856487c35aed3eb45037be622019074aa1b415dced89750e0329b63471d6428088162ff96341367c999fdd6274b2617ffe8c38
-  data.tar.gz: ad369475ea2d97b69940858dbd0e864fc57220c0472b0c7e4b68bc2c703debcb559efbd5c37af9b562607b180233fd97af6a36c076d4722254d26d9106227693
+  metadata.gz: ea7514aa2ffa01b8d84c0834933fdd8f8682bbbb272faaf8980c398e0fdce05131225132449ae51aab1852905a82bab8cf2e88a94f7fef83c442791735e37c4e
+  data.tar.gz: c2b993fac57b622ad7f95622e5724c79f0c82f612c88d7f94c2db7be01d9eb2c93bdcaabc59b3adbd4cb530e4ccc4ebdcacc31e97ce2b2d4cf65af6c3d54c79d

data/History.txt

@@ -1,5 +1,13 @@
 # coding: UTF-8
 
+=== 2.6.14 / 2017-10-09
+
+Security fixes:
+
+* Whitelist classes and symbols that are in loaded YAML.
+  See CVE-2017-0903 for full details.
+  Fix by Aaron Patterson.
+
 === 2.6.13 / 2017-08-27
 
 Security fixes:

data/Manifest.txt

@@ -387,6 +387,7 @@ lib/rubygems/resolver/specification.rb
 lib/rubygems/resolver/stats.rb
 lib/rubygems/resolver/vendor_set.rb
 lib/rubygems/resolver/vendor_specification.rb
+lib/rubygems/safe_yaml.rb
 lib/rubygems/security.rb
 lib/rubygems/security/policies.rb
 lib/rubygems/security/policy.rb

data/lib/rubygems.rb

@@ -10,7 +10,7 @@ require 'rbconfig'
 require 'thread'
 
 module Gem
-  VERSION = "2.6.13"
+  VERSION = "2.6.14"
 end
 
 # Must be first since it unloads the prelude from 1.9.2
@@ -675,7 +675,7 @@ An Array (#{env.inspect}) was passed in from #{caller[3]}
 
     unless test_syck
       begin
-        gem 'psych', '>= 1.2.1'
+        gem 'psych', '>= 2.0.0'
       rescue Gem::LoadError
         # It's OK if the user does not have the psych gem installed.  We will
         # attempt to require the stdlib version
@@ -699,6 +699,7 @@ An Array (#{env.inspect}) was passed in from #{caller[3]}
     end
 
     require 'yaml'
+    require 'rubygems/safe_yaml'
 
     # If we're supposed to be using syck, then we may have to force
     # activate it via the YAML::ENGINE API.

data/lib/rubygems/config_file.rb

@@ -345,7 +345,7 @@ if you believe they were disclosed to a third party.
     return {} unless filename and File.exist? filename
 
     begin
-      content = YAML.load(File.read(filename))
+      content = Gem::SafeYAML.load(File.read(filename))
       unless content.kind_of? Hash
         warn "Failed to load #{filename} because it doesn't contain valid YAML hash"
         return {}

data/lib/rubygems/package.rb

@@ -468,7 +468,7 @@ EOM
 
     @checksums = gem.seek 'checksums.yaml.gz' do |entry|
       Zlib::GzipReader.wrap entry do |gz_io|
-        YAML.load gz_io.read
+        Gem::SafeYAML.safe_load gz_io.read
       end
     end
   end

data/lib/rubygems/package/old.rb

@@ -101,7 +101,7 @@ class Gem::Package::Old < Gem::Package
       header << line
     end
 
-    YAML.load header
+    Gem::SafeYAML.safe_load header
   end
 
   ##

data/lib/rubygems/safe_yaml.rb

@@ -0,0 +1,48 @@
+module Gem
+
+  ###
+  # This module is used for safely loading YAML specs from a gem.  The
+  # `safe_load` method defined on this module is specifically designed for
+  # loading Gem specifications.  For loading other YAML safely, please see
+  # Psych.safe_load
+
+  module SafeYAML
+    WHITELISTED_CLASSES = %w(
+      Symbol
+      Time
+      Date
+      Gem::Dependency
+      Gem::Platform
+      Gem::Requirement
+      Gem::Specification
+      Gem::Version
+      Gem::Version::Requirement
+      YAML::Syck::DefaultKey
+      Syck::DefaultKey
+    )
+
+    WHITELISTED_SYMBOLS = %w(
+      development
+      runtime
+    )
+
+    if ::YAML.respond_to? :safe_load
+      def self.safe_load input
+        ::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true)
+      end
+
+      def self.load input
+        ::YAML.safe_load(input, [::Symbol])
+      end
+    else
+      warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)."
+      def self.safe_load input, *args
+        ::YAML.load input
+      end
+
+      def self.load input
+        ::YAML.load input
+      end
+    end
+  end
+end

data/lib/rubygems/specification.rb

@@ -1101,7 +1101,7 @@ class Gem::Specification < Gem::BasicSpecification
     Gem.load_yaml
 
     input = normalize_yaml_input input
-    spec = YAML.load input
+    spec = Gem::SafeYAML.safe_load input
 
     if spec && spec.class == FalseClass then
       raise Gem::EndOfYAMLException

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubygems-update
 version: !ruby/object:Gem::Version
-  version: 2.6.13
+  version: 2.6.14
 platform: ruby
 authors:
 - Jim Weirich
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-08-28 00:00:00.000000000 Z
+date: 2017-10-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: builder
@@ -553,6 +553,7 @@ files:
 - lib/rubygems/resolver/stats.rb
 - lib/rubygems/resolver/vendor_set.rb
 - lib/rubygems/resolver/vendor_specification.rb
+- lib/rubygems/safe_yaml.rb
 - lib/rubygems/security.rb
 - lib/rubygems/security/policies.rb
 - lib/rubygems/security/policy.rb
@@ -800,7 +801,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.12
+rubygems_version: 2.6.13
 signing_key: 
 specification_version: 4
 summary: RubyGems is a package management framework for Ruby