Fix HTTP response splitting in CGI.
Fix ReDoS vulnerability in URI.
Fix ReDoS vulnerability in Time.
Make RDoc soft dependency in IRB.

Rebased from latest Ruby 3.1 present in Fedora 37, commit: 4048f893da1d56ed65667e7f15405224653c83e2

Resolves: RHEL-5584
Resolves: CVE-2021-33621
Resolves: CVE-2023-28755
Resolves: CVE-2023-36617
Resolves: CVE-2023-28756
Resolves: RHEL-5615
55 lines
2.4 KiB
Diff
From 891246c3865ed0af7e277ca50c079f466d035f7c Mon Sep 17 00:00:00 2001
From: Jarek Prokop <jprokop@redhat.com>
Date: Thu, 1 Jun 2023 13:22:24 +0200
Subject: [PATCH] Backport "Fix another issue of Bundler not falling back to an
installable candidate"

In this case, when materializing a legacy lockfile using only "ruby"
platform, and in frozen mode.

=====

Commit adapted from: https://github.com/rubygems/rubygems/pull/6261
---
bundler/lib/bundler/lazy_specification.rb | 11 +++--
.../install/gemfile/specific_platform_spec.rb | 41 ++++++++++++-------
2 files changed, 35 insertions(+), 17 deletions(-)
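Review bot: the stat lists `.../install/gemfile/specific_platform_spec.rb | 41 ++++++++++++-------`, but no hunk for that file appears below; the patch ends after the `lazy_specification.rb` hunks with the `2.41.0.rc1` trailer. If the spec changes were intentionally dropped from the backport, regenerate the stat so it matches (1 file changed); otherwise the spec hunks are missing and the new fallback behaviour ships untested in this backport.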
diff --git a/bundler/lib/bundler/lazy_specification.rb b/bundler/lib/bundler/lazy_specification.rb
index e8bee25ab..a65020e6c 100644
--- a/bundler/lib/bundler/lazy_specification.rb
+++ b/bundler/lib/bundler/lazy_specification.rb
@@ -85,7 +85,7 @@ def materialize_for_installation
installable_candidates = GemHelpers.select_best_platform_match(matching_specs, target_platform)
- specification = __materialize__(installable_candidates)
+ specification = __materialize__(installable_candidates, :fallback_to_non_installable => false)
return specification unless specification.nil?
if target_platform != platform
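Review bot: the first `__materialize__` call now hard-codes `:fallback_to_non_installable => false`, but nothing at this call site says why, and the rationale lives only on the method definition in the next hunk. Suggest a one-line comment above `specification = __materialize__(installable_candidates, :fallback_to_non_installable => false)` noting that the target-platform attempt must not settle for a non-installable spec even in frozen mode, so that a nil result falls through to the `if target_platform != platform` retry below instead of being returned early by `return specification unless specification.nil?`.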
@@ -98,13 +98,18 @@ def materialize_for_installation
__materialize__(candidates)
end
- def __materialize__(candidates)
+ # If in frozen mode, we fallback to a non-installable candidate because by
+ # doing this we avoid re-resolving and potentially end up changing the
+ # lock file, which is not allowed. In that case, we will give a proper error
+ # about the mismatch higher up the stack, right before trying to install the
+ # bad gem.
+ def __materialize__(candidates, fallback_to_non_installable: Bundler.frozen_bundle?)
search = candidates.reverse.find do |spec|
spec.is_a?(StubSpecification) ||
(spec.matches_current_ruby? &&
spec.matches_current_rubygems?)
end
- if search.nil? && Bundler.frozen_bundle?
+ if search.nil? && fallback_to_non_installable
search = candidates.last
else
search.dependencies = dependencies if search && search.full_name == full_name && (search.is_a?(RemoteSpecification) || search.is_a?(EndpointSpecification))
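Review bot: the new comment above `def __materialize__` says that in frozen mode we fall back to a non-installable candidate, but the keyword default `fallback_to_non_installable: Bundler.frozen_bundle?` is overridable by the caller (and the previous hunk passes `false` for the target-platform attempt), so the comment now overstates when the fallback happens. Suggest opening it with something like `# Unless the caller opts out, in frozen mode we fall back to a non-installable candidate because ...`. The `else` branch stays safe when the fallback is disabled: `search` remains nil and the `search &&` guard on the dependencies assignment means the method returns nil to the caller rather than raising.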
--
2.41.0.rc1