

No commits in common. "c8s-stream-2.5" and "c8-stream-2.5" have entirely different histories.

3 changed files with 83 additions and 1 deletions


@ -0,0 +1,41 @@
From 903f0610116ae254383c9ef65ef2695f56a240f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Rodr=C3=ADguez?= <deivid.rodriguez@riseup.net>
Date: Sat, 13 Nov 2021 11:18:54 +0100
Subject: [PATCH] Pass "--" to git commands to separate positional and optional
args
To make sure git uri's specified in Gemfile are never misinterpreted as
optional arguments, potentially allowing for local code execution.
---
spec/bundler/source/git/git_proxy_spec.rb | 20 ++++++++++++++++++++
1 files changed, 20 insertions(+)
diff --git a/spec/bundler/source/git/git_proxy_spec.rb b/spec/bundler/source/git/git_proxy_spec.rb
index d282a449a5..fbe7ef8792 100644
--- a/spec/bundler/source/git/git_proxy_spec.rb
+++ b/spec/bundler/source/git/git_proxy_spec.rb
@@ -113,4 +113,24 @@ RSpec.describe Bundler::Source::Git::GitProxy do
end
end
end
+
+ it "doesn't allow arbitrary code execution through Gemfile uris with a leading dash" do
+ gemfile <<~G
+ gem "poc", git: "-u./pay:load.sh"
+ G
+
+ file = bundled_app("pay:load.sh")
+
+ create_file file, <<~RUBY
+ #!/bin/sh
+
+ touch #{bundled_app("canary")}
+ RUBY
+
+ FileUtils.chmod("+x", file)
+
+ bundle :lock, :raise_on_error => false
+
+ expect(Pathname.new(bundled_app("canary"))).not_to exist
+ end
end
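Review bot: The new example only asserts that the canary file is absent, so it passes vacuously whenever `bundle :lock` fails for an unrelated reason (no git binary in the build root, network disabled, or the code patch not applied), which is a plausible state for the %check stage of a package build. Consider also asserting on the command's outcome, for instance an expectation on `err` mentioning `pay:load.sh` or git rejecting the URI, so a green run shows the `--` separator was actually exercised; the exact message depends on the git version in the build root, and it is worth confirming the 1.16.1 spec helpers expose `err`. The `:raise_on_error => false` option comes from newer upstream spec helpers; confirm the 1.16.1 `bundle` helper accepts it rather than silently ignoring it. The enclosing `RSpec.describe` block starts outside the hunk.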


@ -0,0 +1,31 @@
From 903f0610116ae254383c9ef65ef2695f56a240f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Rodr=C3=ADguez?= <deivid.rodriguez@riseup.net>
Date: Sat, 13 Nov 2021 11:18:54 +0100
Subject: [PATCH] Pass "--" to git commands to separate positional and optional
args
To make sure git uri's specified in Gemfile are never misinterpreted as
optional arguments, potentially allowing for local code execution.
---
lib/bundler/source/git/git_proxy.rb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/bundler/source/git/git_proxy.rb b/lib/bundler/source/git/git_proxy.rb
index c56dda66ea..a9f9b50e0b 100644
--- a/lib/bundler/source/git/git_proxy.rb
+++ b/lib/bundler/source/git/git_proxy.rb
@@ -100,12 +100,12 @@ module Bundler
SharedHelpers.filesystem_access(path.dirname) do |p|
FileUtils.mkdir_p(p)
end
- git_retry %(clone #{uri_escaped_with_configured_credentials} "#{path}" --bare --no-hardlinks --quiet)
+ git_retry %(clone --bare --no-hardlinks --quiet -- #{uri_escaped_with_configured_credentials} "#{path}")
return unless extra_ref
end
in_path do
- git_retry %(fetch --force --quiet --tags #{uri_escaped_with_configured_credentials} "refs/heads/*:refs/heads/*" #{extra_ref})
+ git_retry %(fetch --force --quiet --tags -- #{uri_escaped_with_configured_credentials} "refs/heads/*:refs/heads/*" #{extra_ref})
end
end
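Review bot: The `--` separator on the clone and fetch lines stops a Gemfile URI that begins with `-` from being parsed as a git option, but the URI is still interpolated into a shell command string, so protection against shell metacharacters continues to rest entirely on `uri_escaped_with_configured_credentials`, which is outside this hunk — worth confirming its escaping covers the whole value and not only the credential part. `extra_ref` now also sits after `--`, so a ref beginning with `-` is positional as well; a short comment above the clone line, e.g. `# "--" keeps a Gemfile-supplied uri or ref from being read as a git option (CVE-2021-43809)`, would record why the argument order changed. The patch filename refers to bundler 2.3.0 while the package is 1.16.1, so the hunk context should be checked against the 1.16.1 tree before relying on `%patch2 -p1` applying cleanly. The enclosing method starts and ends outside the hunk.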


@ -12,7 +12,7 @@
Name: rubygem-%{gem_name}
Version: 1.16.1
Release: 4%{?dist}
Release: 5%{?dist}
Summary: Library and utilities to manage a Ruby application's gem dependencies
Group: Development/Languages
License: MIT
@ -25,6 +25,10 @@ Source1: %{gem_name}-%{version}-specs.tgz
# https://github.com/rubygems/rubygems/pull/5029
Patch0: ruby-bundler-raise-error-in-dependency-confusion.patch
Patch1: ruby-bundler-raise-error-in-dependency-confusion-tests.patch
# Fix CVE-2021-43809: unexpected code execution in Gemfiles
# https://github.com/rubygems/rubygems/pull/5142
Patch2: rubygem-bundler-2.3.0-Pass-to-git-commands-to-separate-positional-and-opti.patch
Patch3: rubygem-bundler-2.3.0-Pass-to-git-commands-to-separate-positional-and-opti-tests.patch
# ruby package has just soft dependency on rubygem(io-console), while
# Bundler always requires it.
Requires: rubygem(io-console)
@ -65,6 +69,7 @@ Documentation for %{name}.
pushd .%{gem_instdir}
%patch0 -p1
%patch2 -p1
popd
%build
@ -125,6 +130,7 @@ ruby -e '
tar xzvf %{SOURCE1}
cat %{PATCH1} | patch -p1
cat %{PATCH3} | patch -p1
# Re-create bundler.gemspec used in spec/spec_helper.rb to avoid unnecessary
# git dependency.
@ -199,6 +205,10 @@ popd
%doc %{gem_instdir}/README.md
%changelog
* Fri Apr 25 2025 Vít Ondruch <vondruch@redhat.com> - 1.16.1-5
- Fix unexpected code execution in Gemfiles (CVE-2021-43809)
Resolves: RHEL-87017
* Mon Dec 13 2021 Jun Aruga <jaruga@redhat.com> - 1.16.1-4
- Fix Bundler dependency confusion.
Resolves: CVE-2020-36327
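Review bot: The comment above Patch2/Patch3 names the CVE and the upstream PR but not that patch files named for bundler 2.3.0 are being applied to a 1.16.1 source tree, so a later maintainer cannot tell whether the hunks were adapted or taken verbatim. Suggest extending it, e.g. `# Backport of the upstream 2.3.0 fix to 1.16.1 (note here if the hunks were adjusted)`. Patch3 is applied in %check with the same `cat %{PATCHn} | patch -p1` pattern as Patch1, so the test-patch handling is consistent with the existing layout.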