RubyGems - rubygems-update - Versions diffs - 3.6.1 → 3.6.2 - Mend

rubygems-update 3.6.1 → 3.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +24 -0
data/bundler/CHANGELOG.md +10 -0
data/bundler/lib/bundler/build_metadata.rb +2 -2
data/bundler/lib/bundler/man/bundle-lock.1 +1 -1
data/bundler/lib/bundler/man/bundle-lock.1.ronn +1 -1
data/bundler/lib/bundler/self_manager.rb +3 -2
data/bundler/lib/bundler/version.rb +1 -1
data/lib/rubygems/rdoc.rb +10 -1
data/lib/rubygems/requirement.rb +4 -3
data/lib/rubygems/safe_marshal/reader.rb +31 -14
data/lib/rubygems/safe_marshal/visitors/to_ruby.rb +29 -16
data/lib/rubygems/specification.rb +2 -10
data/lib/rubygems/uninstaller.rb +0 -1
data/lib/rubygems/version.rb +4 -1
data/lib/rubygems.rb +1 -1
data/rubygems-update.gemspec +1 -1
metadata +3 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 15a753eb9565973c8c26c2ec2c51f01d59d3dcc6c052ec3d1e6e1d0652048c5e
-  data.tar.gz: e12b9ee68d9eff9c9f1924dcaf707754f01ee77e488af13b8a97b80111d97c55
+  metadata.gz: c7fc38a36a930a52e9fb812ac5bc206c9f58540bff63db2bee276d514d08ce5f
+  data.tar.gz: 8056fefbaf65da55c57da58c72c9f7bb6e59e5813e9963c3cbcb8239c7387206
 SHA512:
-  metadata.gz: 1d53ef84edb5ea754ece9390c544b81446fe69153310dbaa489bc4334ebe26a2867384bee7cb366b8bdee302f6087901ed796eeff99644da31138b5e6a4e97d7
-  data.tar.gz: 9013c49f596fb5f6dea1e8a5ed0b330f6b84c0b8136ba034522b70df974a73ba9c2492e5e51c1f92edde0c2027394ef54dba5771ac698ae8618b06f110af1f54
+  metadata.gz: 3c929cdfcbf4282ac045f1906f57d4d289de04834ce74eaec64664148aa2c2ef1813c9ce225432d88e31989c1d1e1d0456a4485babc9608dd2446b44c97eb837
+  data.tar.gz: 6945a43c3cda7831f926755d25ae0711a5cbe709b7de819f41b30ce6db3f4dca667106bb7b627a02146a2460d62359b5ba7d876e31e9213fad5440b3dcebb2fd

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,27 @@
+# 3.6.2 / 2024-12-23
+## Security:
+* Fix Gem::SafeMarshal buffer overrun when given lengths larger than fit
+  into a byte. Pull request
+  [#8305](https://github.com/rubygems/rubygems/pull/8305) by segiddins
+* Improve type checking in marshal_load methods. Pull request
+  [#8306](https://github.com/rubygems/rubygems/pull/8306) by segiddins
+## Enhancements:
+* Skip rdoc hooks and their tests on newer rdoc versions. Pull request
+  [#8340](https://github.com/rubygems/rubygems/pull/8340) by
+  deivid-rodriguez
+* Installs bundler 2.6.2 as a default gem.
+## Bug fixes:
+* Fix serialized metadata including an empty `@original_platform`
+  attribute. Pull request
+  [#8355](https://github.com/rubygems/rubygems/pull/8355) by
+  deivid-rodriguez
 # 3.6.1 / 2024-12-17
 ## Enhancements:

data/bundler/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,13 @@
+# 2.6.2 (December 23, 2024)
+## Bug fixes:
+  - Restart using `Process.argv0` only if `$PROGRAM_NAME` is not a script [#8343](https://github.com/rubygems/rubygems/pull/8343)
+## Documentation:
+  - Fix typo in `bundle lock` man page synopsis (`--add-checkums` → `--add-checksums`) [#8350](https://github.com/rubygems/rubygems/pull/8350)
 # 2.6.1 (December 17, 2024)
 ## Bug fixes:

data/bundler/lib/bundler/build_metadata.rb CHANGED Viewed

@@ -4,8 +4,8 @@ module Bundler
   # Represents metadata from when the Bundler gem was built.
   module BuildMetadata
     # begin ivars
-    @built_at = "2024-12-17".freeze
-    @git_commit_sha = "00a344e02c8".freeze
+    @built_at = "2024-12-23".freeze
+    @git_commit_sha = "90ebd47c740".freeze
     @release = true
     # end ivars

data/bundler/lib/bundler/man/bundle-lock.1 CHANGED Viewed

@@ -4,7 +4,7 @@
 .SH "NAME"
 \fBbundle\-lock\fR \- Creates / Updates a lockfile without installing
 .SH "SYNOPSIS"
-\fBbundle lock\fR [\-\-update] [\-\-bundler[=BUNDLER]] [\-\-local] [\-\-print] [\-\-lockfile=PATH] [\-\-full\-index] [\-\-gemfile=GEMFILE] [\-\-add\-checkums] [\-\-add\-platform] [\-\-remove\-platform] [\-\-normalize\-platforms] [\-\-patch] [\-\-minor] [\-\-major] [\-\-pre] [\-\-strict] [\-\-conservative]
+\fBbundle lock\fR [\-\-update] [\-\-bundler[=BUNDLER]] [\-\-local] [\-\-print] [\-\-lockfile=PATH] [\-\-full\-index] [\-\-gemfile=GEMFILE] [\-\-add\-checksums] [\-\-add\-platform] [\-\-remove\-platform] [\-\-normalize\-platforms] [\-\-patch] [\-\-minor] [\-\-major] [\-\-pre] [\-\-strict] [\-\-conservative]
 .SH "DESCRIPTION"
 Lock the gems specified in Gemfile\.
 .SH "OPTIONS"

data/bundler/lib/bundler/man/bundle-lock.1.ronn CHANGED Viewed

@@ -10,7 +10,7 @@ bundle-lock(1) -- Creates / Updates a lockfile without installing
               [--lockfile=PATH]
               [--full-index]
               [--gemfile=GEMFILE]
-              [--add-checkums]
+              [--add-checksums]
               [--add-platform]
               [--remove-platform]
               [--normalize-platforms]

data/bundler/lib/bundler/self_manager.rb CHANGED Viewed

@@ -84,8 +84,9 @@ module Bundler
         require "shellwords"
         cmd = [*Shellwords.shellsplit(bundler_spec_original_cmd), *ARGV]
       else
-        cmd = [Process.argv0, *ARGV]
-        cmd.unshift(Gem.ruby) unless File.executable?(Process.argv0)
+        argv0 = File.exist?($PROGRAM_NAME) ? $PROGRAM_NAME : Process.argv0
+        cmd = [argv0, *ARGV]
+        cmd.unshift(Gem.ruby) unless File.executable?(argv0)
       end
       Bundler.with_original_env do

data/bundler/lib/bundler/version.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 # frozen_string_literal: false
 module Bundler
-  VERSION = "2.6.1".freeze
+  VERSION = "2.6.2".freeze
   def self.bundler_major_version
     @bundler_major_version ||= VERSION.split(".").first.to_i

data/lib/rubygems/rdoc.rb CHANGED Viewed

@@ -6,8 +6,17 @@ begin
   require "rdoc/rubygems_hook"
   module Gem
     RDoc = ::RDoc::RubygemsHook
+    ##
+    # Returns whether RDoc defines its own install hooks through a RubyGems
+    # plugin. This and whatever is guarded by it can be removed once no
+    # supported Ruby ships with RDoc older than 6.9.0.
+    def self.rdoc_hooks_defined_via_plugin?
+      Gem::Version.new(::RDoc::VERSION) >= Gem::Version.new("6.9.0")
+    end
   end
-  Gem.done_installing(&Gem::RDoc.method(:generation_hook))
+  Gem.done_installing(&Gem::RDoc.method(:generation_hook)) unless Gem.rdoc_hooks_defined_via_plugin?
 rescue LoadError
 end

data/lib/rubygems/requirement.rb CHANGED Viewed

@@ -22,7 +22,7 @@ class Gem::Requirement
   SOURCE_SET_REQUIREMENT = Struct.new(:for_lockfile).new "!" # :nodoc:
-  quoted = OPS.keys.map {|k| Regexp.quote k }.join "|"
+  quoted = Regexp.union(OPS.keys)
   PATTERN_RAW = "\\s*(#{quoted})?\\s*(#{Gem::Version::VERSION_PATTERN})\\s*".freeze # :nodoc:
   ##
@@ -201,7 +201,8 @@ class Gem::Requirement
   def marshal_load(array) # :nodoc:
     @requirements = array[0]
-    raise TypeError, "wrong @requirements" unless Array === @requirements
+    raise TypeError, "wrong @requirements" unless Array === @requirements &&
+                                                  @requirements.all? {|r| r.size == 2 && (r.first.is_a?(String) || r[0] = "=") && r.last.is_a?(Gem::Version) }
   end
   def yaml_initialize(tag, vals) # :nodoc:
@@ -238,7 +239,7 @@ class Gem::Requirement
   def satisfied_by?(version)
     raise ArgumentError, "Need a Gem::Version: #{version.inspect}" unless
       Gem::Version === version
-    requirements.all? {|op, rv| OPS[op].call version, rv }
+    requirements.all? {|op, rv| OPS.fetch(op).call version, rv }
   end
   alias_method :===, :satisfied_by?

data/lib/rubygems/safe_marshal/reader.rb CHANGED Viewed

@@ -20,6 +20,12 @@ module Gem
       class EOFError < Error
       end
+      class DataTooShortError < Error
+      end
+      class NegativeLengthError < Error
+      end
       def initialize(io)
         @io = io
       end
@@ -27,7 +33,7 @@ module Gem
       def read!
         read_header
         root = read_element
-        raise UnconsumedBytesError unless @io.eof?
+        raise UnconsumedBytesError, "expected EOF, got #{@io.read(10).inspect}... after top-level element #{root.class}" unless @io.eof?
         root
       end
@@ -41,8 +47,16 @@ module Gem
         raise UnsupportedVersionError, "Unsupported marshal version #{v.bytes.map(&:ord).join(".")}, expected #{Marshal::MAJOR_VERSION}.#{Marshal::MINOR_VERSION}" unless v == MARSHAL_VERSION
       end
+      def read_bytes(n)
+        raise NegativeLengthError if n < 0
+        str = @io.read(n)
+        raise EOFError, "expected #{n} bytes, got EOF" if str.nil?
+        raise DataTooShortError, "expected #{n} bytes, got #{str.inspect}" unless str.bytesize == n
+        str
+      end
       def read_byte
-        @io.getbyte
+        @io.getbyte || raise(EOFError, "Unexpected EOF")
       end
       def read_integer
@@ -67,8 +81,6 @@ module Gem
           read_byte | (read_byte << 8) | -0x10000
         when 0xFF
           read_byte | -0x100
-        when nil
-          raise EOFError, "Unexpected EOF"
         else
           signed = (b ^ 128) - 128
           if b >= 128
@@ -107,8 +119,6 @@ module Gem
         when 47 then read_regexp # ?/
         when 83 then read_struct # ?S
         when 67 then read_user_class # ?C
-        when nil
-          raise EOFError, "Unexpected EOF"
         else
           raise Error, "Unknown marshal type discriminator #{type.chr.inspect} (#{type})"
         end
@@ -127,7 +137,7 @@ module Gem
             Elements::Symbol.new(byte.chr)
           end
         else
-          name = -@io.read(len)
+          name = read_bytes(len)
           Elements::Symbol.new(name)
         end
       end
@@ -138,7 +148,7 @@ module Gem
       def read_string
         length = read_integer
         return EMPTY_STRING if length == 0
-        str = @io.read(length)
+        str = read_bytes(length)
         Elements::String.new(str)
       end
@@ -152,7 +162,7 @@ module Gem
       def read_user_defined
         name = read_element
-        binary_string = @io.read(read_integer)
+        binary_string = read_bytes(read_integer)
         Elements::UserDefined.new(name, binary_string)
       end
@@ -162,6 +172,7 @@ module Gem
       def read_array
         length = read_integer
         return EMPTY_ARRAY if length == 0
+        raise NegativeLengthError if length < 0
         elements = Array.new(length) do
           read_element
         end
@@ -170,7 +181,9 @@ module Gem
       def read_object_with_ivars
         object = read_element
-        ivars = Array.new(read_integer) do
+        length = read_integer
+        raise NegativeLengthError if length < 0
+        ivars = Array.new(length) do
           [read_element, read_element]
         end
         Elements::WithIvars.new(object, ivars)
@@ -239,7 +252,9 @@ module Gem
       end
       def read_hash_with_default_value
-        pairs = Array.new(read_integer) do
+        length = read_integer
+        raise NegativeLengthError if length < 0
+        pairs = Array.new(length) do
           [read_element, read_element]
         end
         default = read_element
@@ -249,7 +264,9 @@ module Gem
       def read_object
         name = read_element
         object = Elements::Object.new(name)
-        ivars = Array.new(read_integer) do
+        length = read_integer
+        raise NegativeLengthError if length < 0
+        ivars = Array.new(length) do
           [read_element, read_element]
         end
         Elements::WithIvars.new(object, ivars)
@@ -260,13 +277,13 @@ module Gem
       end
       def read_float
-        string = @io.read(read_integer)
+        string = read_bytes(read_integer)
         Elements::Float.new(string)
       end
       def read_bignum
         sign = read_byte
-        data = @io.read(read_integer * 2)
+        data = read_bytes(read_integer * 2)
         Elements::Bignum.new(sign, data)
       end

data/lib/rubygems/safe_marshal/visitors/to_ruby.rb CHANGED Viewed

@@ -45,7 +45,7 @@ module Gem::SafeMarshal
         idx = 0
         # not idiomatic, but there's a huge number of IMEMOs allocated here, so we avoid the block
         # because this is such a hot path when doing a bundle install with the full index
-        until idx == size
+        while idx < size
           push_stack idx
           array << visit(elements[idx])
           idx += 1
@@ -98,16 +98,21 @@ module Gem::SafeMarshal
             end
             s = e.object.binary_string
+            # 122 is the largest integer that can be represented in marshal in a single byte
+            raise TimeTooLargeError.new("binary string too large", stack: formatted_stack) if s.bytesize > 122
             marshal_string = "\x04\bIu:\tTime".b
-            marshal_string.concat(s.size + 5)
+            marshal_string.concat(s.bytesize + 5)
             marshal_string << s
+            # internal is limited to 5, so no overflow is possible
             marshal_string.concat(internal.size + 5)
             internal.each do |k, v|
+              k = k.name
+              # ivar name can't be too large because only known ivars are in the internal ivars list
               marshal_string.concat(":")
-              marshal_string.concat(k.size + 5)
-              marshal_string.concat(k.to_s)
+              marshal_string.concat(k.bytesize + 5)
+              marshal_string.concat(k)
               dumped = Marshal.dump(v)
               dumped[0, 2] = ""
               marshal_string.concat(dumped)
@@ -171,11 +176,11 @@ module Gem::SafeMarshal
       end
       def visit_Gem_SafeMarshal_Elements_ObjectLink(o)
-        @objects[o.offset]
+        @objects.fetch(o.offset)
       end
       def visit_Gem_SafeMarshal_Elements_SymbolLink(o)
-        @symbols[o.offset]
+        @symbols.fetch(o.offset)
       end
       def visit_Gem_SafeMarshal_Elements_UserDefined(o)
@@ -219,16 +224,18 @@ module Gem::SafeMarshal
       end
       def visit_Gem_SafeMarshal_Elements_Float(f)
-        case f.string
-        when "inf"
-          ::Float::INFINITY
-        when "-inf"
-          -::Float::INFINITY
-        when "nan"
-          ::Float::NAN
-        else
-          f.string.to_f
-        end
+        register_object(
+          case f.string
+          when "inf"
+            ::Float::INFINITY
+          when "-inf"
+            -::Float::INFINITY
+          when "nan"
+            ::Float::NAN
+          else
+            f.string.to_f
+          end
+        )
       end
       def visit_Gem_SafeMarshal_Elements_Bignum(b)
@@ -374,6 +381,12 @@ module Gem::SafeMarshal
       class Error < StandardError
       end
+      class TimeTooLargeError < Error
+        def initialize(message, stack:)
+          super "#{message} @ #{stack.join "."}"
+        end
+      end
       class UnpermittedSymbolError < Error
         def initialize(symbol:, stack:)
           @symbol = symbol

data/lib/rubygems/specification.rb CHANGED Viewed

@@ -1817,16 +1817,8 @@ class Gem::Specification < Gem::BasicSpecification
   def encode_with(coder) # :nodoc:
     coder.add "name", @name
     coder.add "version", @version
-    platform = case @new_platform
-               when nil, "" then
-                 "ruby"
-               when String then
-                 @new_platform
-               else
-                 @new_platform.to_s
-    end
-    coder.add "platform", platform
-    coder.add "original_platform", @original_platform.to_s if platform != @original_platform.to_s
+    coder.add "platform", platform.to_s
+    coder.add "original_platform", original_platform.to_s if platform.to_s != original_platform.to_s
     attributes = @@attributes.map(&:to_s) - %w[name version platform]
     attributes.each do |name|

data/lib/rubygems/uninstaller.rb CHANGED Viewed

@@ -10,7 +10,6 @@ require "fileutils"
 require_relative "../rubygems"
 require_relative "installer_uninstaller_utils"
 require_relative "dependency_list"
-require_relative "rdoc"
 require_relative "user_interaction"
 ##

data/lib/rubygems/version.rb CHANGED Viewed

@@ -288,7 +288,10 @@ class Gem::Version
   # 1.3.5 and earlier) compatibility.
   def marshal_load(array)
-    initialize array[0]
+    string = array[0]
+    raise TypeError, "wrong version string" unless string.is_a?(String)
+    initialize string
   end
   def yaml_initialize(tag, map) # :nodoc:

data/lib/rubygems.rb CHANGED Viewed

@@ -9,7 +9,7 @@
 require "rbconfig"
 module Gem
-  VERSION = "3.6.1"
+  VERSION = "3.6.2"
 end
 # Must be first since it unloads the prelude from 1.9.2

data/rubygems-update.gemspec CHANGED Viewed

@@ -2,7 +2,7 @@
 Gem::Specification.new do |s|
   s.name = "rubygems-update"
-  s.version = "3.6.1"
+  s.version = "3.6.2"
   s.authors = ["Jim Weirich", "Chad Fowler", "Eric Hodel", "Luis Lavena", "Aaron Patterson", "Samuel Giddins", "André Arko", "Evan Phoenix", "Hiroshi SHIBATA"]
   s.email = ["", "", "drbrain@segment7.net", "luislavena@gmail.com", "aaron@tenderlovemaking.com", "segiddins@segiddins.me", "andre@arko.net", "evan@phx.io", "hsbt@ruby-lang.org"]

metadata CHANGED Viewed

@@ -1,9 +1,8 @@
 --- !ruby/object:Gem::Specification
 name: rubygems-update
 version: !ruby/object:Gem::Version
-  version: 3.6.1
+  version: 3.6.2
 platform: ruby
-original_platform: ''
 authors:
 - Jim Weirich
 - Chad Fowler
@@ -16,7 +15,7 @@ authors:
 - Hiroshi SHIBATA
 bindir: exe
 cert_chain: []
-date: 2024-12-17 00:00:00.000000000 Z
+date: 2024-12-23 00:00:00.000000000 Z
 dependencies: []
 description: |-
   A package (also known as a library) contains a set of functionality
@@ -747,7 +746,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.1
+rubygems_version: 3.6.2
 specification_version: 4
 summary: RubyGems is a package management framework for Ruby. This gem is downloaded
   and installed by `gem update --system`, so that the `gem` CLI can update itself.