rubygems-update 2.7.8 → 2.7.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dbf7de0c963b5bf9055a784b43d108a717fdd65fce7a3d97068e1c774b50b3d2
-  data.tar.gz: 21713c44bed6a5050127ce97e6398d905677384772c4703a035bd27b22df48dd
+  metadata.gz: 6736c355ae1a7a8a8818d475210864d02a45fa719d077fa0fbdb3364f66516a8
+  data.tar.gz: d1e05cf09f69a1138e938415d01efe56899cbd01566d7ec00e012d91435aa21e
 SHA512:
-  metadata.gz: daa83b745513df1295b194d70fc0a1e1e3aed8619b1ad7c4542342dc1f4b8a4d3deb1c1ffa660aaea10ff1bda3045bc421101d58f2b5b78257ddad6877e8b2e4
-  data.tar.gz: 547b225a05641f1fb5456813945c14fc05a8e67fab01b2d07cd96335d77574b4c5618e96b7b94b1829e4fdcefee85f151fd82b382aa8e8183af611d8fd895d02
+  metadata.gz: baefafb2d473d18a0261483e5210052a01a89be4332fd2329530d0f0340f6e9bf7c1c902d6e519d9212a33d3f942f6c905a685c61480cb06833df0773b4cfef5
+  data.tar.gz: 9f3c018f865fbe4cf5f11efba601c40cd5b6bc470f1e782cfa7b9fdfa2a2f3b9e2df3bf563a0f857906f9757691cd335224358fb67e2b037097f711f3da5023e

data/History.txt

@@ -1,11 +1,21 @@
 # coding: UTF-8
 
+=== 2.7.9 / 2019-03-05
+
+Security fixes:
+
+* Fixed following vulnerabilities:
+  * CVE-2019-8320: Delete directory using symlink when decompressing tar
+  * CVE-2019-8321: Escape sequence injection vulnerability in `verbose`
+  * CVE-2019-8322: Escape sequence injection vulnerability in `gem owner`
+  * CVE-2019-8323: Escape sequence injection vulnerability in API response handling
+  * CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
+  * CVE-2019-8325: Escape sequence injection vulnerability in errors
+
 === 2.7.8 / 2018-11-02
 
 Minor enhancements:
 
-* Improve invalid proxy error message. Pull request #2217 by Luis
-  Sagastume.
 * [Requirement] Treat requirements with == versions as equal. Pull
   request #2230 by Samuel Giddins.
 * Fix exec_name documentation. Pull request #2239 by Luis Sagastume.
@@ -13,16 +23,9 @@ Minor enhancements:
   by Samuel Giddins.
 * Simplify the code that lets us call the original, non-monkeypatched
   Kernel#require. Pull request #2267 by Leon Miller-Out.
-* Support IO.copy_stream. Pull request #2303 by okkez.
-* Add error message when trying to open a default gem. Pull request #2307
-  by Luis Sagastume.
 * Add install alias documentation. Pull request #2320 by ota42y.
-* Removed explicitly declaration of thread library. Pull request #2324 by
-  SHIBATA Hiroshi.
 * [Rakefile] Set bundler build metadata when doing a release. Pull request
   #2335 by Samuel Giddins.
-* Speed up globbing relative to given directories. Pull request #2336 by
-  Samuel Giddins.
 * Backport commits from ruby core . Pull request #2347 by SHIBATA Hiroshi.
 * Sign in to the correct host before push. Pull request #2366 by Luis
   Sagastume.
@@ -32,24 +35,16 @@ Minor enhancements:
 
 Bug fixes:
 
-* Frozen string fix - lib/rubygems/bundler_version_finder.rb. Pull request
-  #2115 by MSP-Greg.
-* Fixed no assignment variables about default gems installation. Pull
-  request #2181 by SHIBATA Hiroshi.
 * Fix #1470: generate documentation when --install-dir is present. Pull
   request #2229 by Elias Hernandis.
+* Fix no proxy checking. Pull request #2249 by Luis Sagastume.
 * Validate SPDX license exceptions. Pull request #2257 by Mikit.
-* Keep feature names loaded in the block. Pull request #2261 by Nobuyoshi
-  Nakada.
 * Retry api specification spec with original platform. Pull request #2275
   by Luis Sagastume.
 * Fix approximate recommendation with prereleases. Pull request #2345 by
   David Rodríguez.
-* Expand symlinks in gem path. Pull request #2352 by Benoit Daloze.
 * Gem::Version should handle nil like it used to before. Pull request
   #2363 by Luis Sagastume.
-* Fix auto resign expired certificate. Pull request #2380 by Luis
-  Sagastume.
 
 === 2.7.7 / 2018-05-08
 

data/bundler/lib/bundler/build_metadata.rb

@@ -4,7 +4,7 @@ module Bundler
   # Represents metadata from when the Bundler gem was built.
   module BuildMetadata
     # begin ivars
-    @built_at = "2018-11-02".freeze
+    @built_at = "2019-03-04".freeze
     @git_commit_sha = "8a789f00b".freeze
     @release = false
     # end ivars

data/lib/rubygems.rb

@@ -10,7 +10,7 @@ require 'rbconfig'
 require 'thread'
 
 module Gem
-  VERSION = "2.7.8"
+  VERSION = "2.7.9"
 end
 
 # Must be first since it unloads the prelude from 1.9.2

data/lib/rubygems/command_manager.rb

@@ -7,6 +7,7 @@
 
 require 'rubygems/command'
 require 'rubygems/user_interaction'
+require 'rubygems/text'
 
 ##
 # The command manager registers and installs all the individual sub-commands
@@ -32,6 +33,7 @@ require 'rubygems/user_interaction'
 
 class Gem::CommandManager
 
+  include Gem::Text
   include Gem::UserInteraction
 
   BUILTIN_COMMANDS = [ # :nodoc:
@@ -140,12 +142,12 @@ class Gem::CommandManager
   def run(args, build_args=nil)
     process_args(args, build_args)
   rescue StandardError, Timeout::Error => ex
-    alert_error "While executing gem ... (#{ex.class})\n    #{ex}"
+    alert_error clean_text("While executing gem ... (#{ex.class})\n    #{ex}")
     ui.backtrace ex
 
     terminate_interaction(1)
   rescue Interrupt
-    alert_error "Interrupted"
+    alert_error clean_text("Interrupted")
     terminate_interaction(1)
   end
 
@@ -163,7 +165,7 @@ class Gem::CommandManager
       say Gem::VERSION
       terminate_interaction 0
     when /^-/ then
-      alert_error "Invalid option: #{args.first}. See 'gem --help'."
+      alert_error clean_text("Invalid option: #{args.first}. See 'gem --help'.")
       terminate_interaction 1
     else
       cmd_name = args.shift.downcase
@@ -212,7 +214,7 @@ class Gem::CommandManager
     rescue Exception => e
       e = load_error if load_error
 
-      alert_error "Loading command: #{command_name} (#{e.class})\n\t#{e}"
+      alert_error clean_text("Loading command: #{command_name} (#{e.class})\n\t#{e}")
       ui.backtrace e
     end
   end

data/lib/rubygems/commands/owner_command.rb

@@ -2,8 +2,11 @@
 require 'rubygems/command'
 require 'rubygems/local_remote_options'
 require 'rubygems/gemcutter_utilities'
+require 'rubygems/text'
 
 class Gem::Commands::OwnerCommand < Gem::Command
+
+  include Gem::Text
   include Gem::LocalRemoteOptions
   include Gem::GemcutterUtilities
 
@@ -64,7 +67,7 @@ permission to.
     end
 
     with_response response do |resp|
-      owners = Gem::SafeYAML.load resp.body
+      owners = Gem::SafeYAML.load clean_text(resp.body)
 
       say "Owners for gem: #{name}"
       owners.each do |owner|

data/lib/rubygems/gemcutter_utilities.rb

@@ -1,11 +1,14 @@
 # frozen_string_literal: true
 require 'rubygems/remote_fetcher'
+require 'rubygems/text'
 
 ##
 # Utility methods for using the RubyGems API.
 
 module Gem::GemcutterUtilities
 
+  include Gem::Text
+
   # TODO: move to Gem::Command
   OptionParser.accept Symbol do |value|
     value.to_sym
@@ -145,13 +148,13 @@ module Gem::GemcutterUtilities
       if block_given? then
         yield response
       else
-        say response.body
+        say clean_text(response.body)
       end
     else
       message = response.body
       message = "#{error_prefix}: #{message}" if error_prefix
 
-      say message
+      say clean_text(message)
       terminate_interaction 1 # TODO: question this
     end
   end

data/lib/rubygems/installer.rb

@@ -710,9 +710,26 @@ class Gem::Installer
       unpack or File.writable?(gem_home)
   end
 
-  def verify_spec_name
-    return if spec.name =~ Gem::Specification::VALID_NAME_PATTERN
-    raise Gem::InstallError, "#{spec} has an invalid name"
+  def verify_spec
+    unless spec.name =~ Gem::Specification::VALID_NAME_PATTERN
+      raise Gem::InstallError, "#{spec} has an invalid name"
+    end
+
+    if spec.raw_require_paths.any?{|path| path =~ /\r\n|\r|\n/ }
+      raise Gem::InstallError, "#{spec} has an invalid require_paths"
+    end
+
+    if spec.extensions.any?{|ext| ext =~ /\r\n|\r|\n/ }
+      raise Gem::InstallError, "#{spec} has an invalid extensions"
+    end
+
+    unless spec.specification_version.to_s =~ /\A\d+\z/
+      raise Gem::InstallError, "#{spec} has an invalid specification_version"
+    end
+
+    if spec.dependencies.any? {|dep| dep.type =~ /\r\n|\r|\n/ || dep.name =~ /\r\n|\r|\n/ }
+      raise Gem::InstallError, "#{spec} has an invalid dependencies"
+    end
   end
 
   ##
@@ -840,9 +857,11 @@ TEXT
   def pre_install_checks
     verify_gem_home options[:unpack]
 
-    ensure_loadable_spec
+    # The name and require_paths must be verified first, since it could contain
+    # ruby code that would be eval'ed in #ensure_loadable_spec
+    verify_spec
 
-    verify_spec_name
+    ensure_loadable_spec
 
     if options[:install_as_default]
       Gem.ensure_default_gem_subdirectories gem_home

data/lib/rubygems/package.rb

@@ -425,6 +425,16 @@ EOM
     raise Gem::Package::PathError.new(destination, destination_dir) unless
       destination.start_with? destination_dir + '/'
 
+    begin
+      real_destination = File.expand_path(File.realpath(destination))
+    rescue
+      # it's fine if the destination doesn't exist, because rm -rf'ing it can't cause any damage
+      nil
+    else
+      raise Gem::Package::PathError.new(real_destination, destination_dir) unless
+        real_destination.start_with? destination_dir + '/'
+    end
+
     destination.untaint
     destination
   end

data/lib/rubygems/user_interaction.rb

@@ -7,6 +7,7 @@
 
 require 'rubygems/util'
 require 'rubygems/deprecate'
+require 'rubygems/text'
 
 ##
 # Module that defines the default UserInteraction.  Any class including this
@@ -14,6 +15,8 @@ require 'rubygems/deprecate'
 
 module Gem::DefaultUserInteraction
 
+  include Gem::Text
+
   ##
   # The default UI is a class variable of the singleton class for this
   # module.
@@ -161,8 +164,8 @@ module Gem::UserInteraction
   # Calls +say+ with +msg+ or the results of the block if really_verbose
   # is true.
 
-  def verbose msg = nil
-    say(msg || yield) if Gem.configuration.really_verbose
+  def verbose(msg = nil)
+    say(clean_text(msg || yield)) if Gem.configuration.really_verbose
   end
 end
 

data/test/rubygems/test_gem_installer.rb

@@ -1474,6 +1474,112 @@ gem 'other', version
     end
   end
 
+  def test_pre_install_checks_malicious_name_before_eval
+    spec = util_spec "malicious\n::Object.const_set(:FROM_EVAL, true)#", '1'
+    def spec.full_name # so the spec is buildable
+      "malicious-1"
+    end
+    def spec.validate(*args); end
+
+    util_build_gem spec
+
+    gem = File.join(@gemhome, 'cache', spec.file_name)
+
+    use_ui @ui do
+      @installer = Gem::Installer.at gem
+      e = assert_raises Gem::InstallError do
+        @installer.pre_install_checks
+      end
+      assert_equal "#<Gem::Specification name=malicious\n::Object.const_set(:FROM_EVAL, true)# version=1> has an invalid name", e.message
+    end
+    refute defined?(::Object::FROM_EVAL)
+  end
+
+  def test_pre_install_checks_malicious_require_paths_before_eval
+    spec = util_spec "malicious", '1'
+    def spec.full_name # so the spec is buildable
+      "malicious-1"
+    end
+    def spec.validate(*args); end
+    spec.require_paths = ["malicious\n``"]
+
+    util_build_gem spec
+
+    gem = File.join(@gemhome, 'cache', spec.file_name)
+
+    use_ui @ui do
+      @installer = Gem::Installer.at gem
+      e = assert_raises Gem::InstallError do
+        @installer.pre_install_checks
+      end
+      assert_equal "#<Gem::Specification name=malicious version=1> has an invalid require_paths", e.message
+    end
+  end
+
+  def test_pre_install_checks_malicious_extensions_before_eval
+    spec = util_spec "malicious", '1'
+    def spec.full_name # so the spec is buildable
+      "malicious-1"
+    end
+    def spec.validate(*args); end
+    spec.extensions = ["malicious\n``"]
+
+    util_build_gem spec
+
+    gem = File.join(@gemhome, 'cache', spec.file_name)
+
+    use_ui @ui do
+      @installer = Gem::Installer.at gem
+      e = assert_raises Gem::InstallError do
+        @installer.pre_install_checks
+      end
+      assert_equal "#<Gem::Specification name=malicious version=1> has an invalid extensions", e.message
+    end
+  end
+
+  def test_pre_install_checks_malicious_specification_version_before_eval
+    spec = util_spec "malicious", '1'
+    def spec.full_name # so the spec is buildable
+      "malicious-1"
+    end
+    def spec.validate(*args); end
+    spec.specification_version = "malicious\n``"
+
+    util_build_gem spec
+
+    gem = File.join(@gemhome, 'cache', spec.file_name)
+
+    use_ui @ui do
+      @installer = Gem::Installer.at gem
+      e = assert_raises Gem::InstallError do
+        @installer.pre_install_checks
+      end
+      assert_equal "#<Gem::Specification name=malicious version=1> has an invalid specification_version", e.message
+    end
+  end
+
+  def test_pre_install_checks_malicious_dependencies_before_eval
+    spec = util_spec "malicious", '1'
+    def spec.full_name # so the spec is buildable
+      "malicious-1"
+    end
+    def spec.validate(*args); end
+    spec.add_dependency "b\nfoo", '> 5'
+
+    util_build_gem spec
+
+    gem = File.join(@gemhome, 'cache', spec.file_name)
+
+    use_ui @ui do
+      @installer = Gem::Installer.at gem
+      @installer.ignore_dependencies = true
+      e = assert_raises Gem::InstallError do
+        @installer.pre_install_checks
+      end
+      assert_equal "#<Gem::Specification name=malicious version=1> has an invalid dependencies", e.message
+    end
+  end
+
   def test_shebang
     util_make_exec @spec, "#!/usr/bin/ruby"
 

data/test/rubygems/test_gem_package.rb

@@ -480,6 +480,42 @@ class TestGemPackage < Gem::Package::TarTestCase
                  "#{destination_subdir} is not allowed", e.message)
   end
 
+  def test_extract_symlink_parent_doesnt_delete_user_dir
+    skip if RUBY_VERSION <= "1.8.7"
+
+    package = Gem::Package.new @gem
+
+    # Extract into a subdirectory of @destination; if this test fails it writes
+    # a file outside destination_subdir, but we want the file to remain inside
+    # @destination so it will be cleaned up.
+    destination_subdir = File.join @destination, 'subdir'
+    FileUtils.mkdir_p destination_subdir
+
+    destination_user_dir = File.join @destination, 'user'
+    destination_user_subdir = File.join destination_user_dir, 'dir'
+    FileUtils.mkdir_p destination_user_subdir
+
+    tgz_io = util_tar_gz do |tar|
+      tar.add_symlink 'link', destination_user_dir, 16877
+      tar.add_symlink 'link/dir', '.', 16877
+    end
+
+    e = assert_raises(Gem::Package::PathError, Errno::EACCES) do
+      package.extract_tar_gz tgz_io, destination_subdir
+    end
+
+    assert_path_exists destination_user_subdir
+
+    if Gem::Package::PathError === e
+      assert_equal("installing into parent path #{destination_user_subdir} of " +
+                  "#{destination_subdir} is not allowed", e.message)
+    elsif win_platform?
+      skip "symlink - must be admin with no UAC on Windows"
+    else
+      raise e
+    end
+  end
+
   def test_extract_tar_gz_directory
     package = Gem::Package.new @gem
 

data/test/rubygems/test_gem_text.rb

@@ -85,4 +85,9 @@ Without the wrapping, the text might not look good in the RSS feed.
     s = "ab" * 500_001
     assert_equal "Truncating desc to 1,000,000 characters:\n#{s[0, 1_000_000]}", truncate_text(s, "desc", 1_000_000)
   end
+
+  def test_clean_text
+    assert_equal ".]2;nyan.", clean_text("\e]2;nyan\a")
+  end
+
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubygems-update
 version: !ruby/object:Gem::Version
-  version: 2.7.8
+  version: 2.7.9
 platform: ruby
 authors:
 - Jim Weirich
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-11-02 00:00:00.000000000 Z
+date: 2019-03-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: builder