.gitignore

@@ -1,2 +1,7 @@
-SOURCES/bundler-1.16.1-specs.tgz
-SOURCES/bundler-1.16.1.gem
+*~
+*.swp
+*.rpm
+*.xz
+*.tgz
+*.gem
+/*/

.rubygem-bundler.metadata

@@ -1,2 +0,0 @@
-d4e20b5d15ca4bba1338eddc7b9e8b858fa10dc1 SOURCES/bundler-1.16.1-specs.tgz
-bca8cd6a0d44524c55a04256307da33e6fe37d5f SOURCES/bundler-1.16.1.gem

rubygem-bundler-2.3.0-Pass-to-git-commands-to-separate-positional-and-opti-tests.patch

@@ -0,0 +1,41 @@
+From 903f0610116ae254383c9ef65ef2695f56a240f7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?David=20Rodr=C3=ADguez?= <deivid.rodriguez@riseup.net>
+Date: Sat, 13 Nov 2021 11:18:54 +0100
+Subject: [PATCH] Pass "--" to git commands to separate positional and optional
+ args
+
+To make sure git uri's specified in Gemfile are never misinterpreted as
+optional arguments, potentially allowing for local code execution.
+---
+ spec/bundler/source/git/git_proxy_spec.rb | 20 ++++++++++++++++++++
+ 1 files changed, 20 insertions(+)
+
+diff --git a/spec/bundler/source/git/git_proxy_spec.rb b/spec/bundler/source/git/git_proxy_spec.rb
+index d282a449a5..fbe7ef8792 100644
+--- a/spec/bundler/source/git/git_proxy_spec.rb
++++ b/spec/bundler/source/git/git_proxy_spec.rb
+@@ -113,4 +113,24 @@ RSpec.describe Bundler::Source::Git::GitProxy do
+       end
+     end
+   end
++
++  it "doesn't allow arbitrary code execution through Gemfile uris with a leading dash" do
++    gemfile <<~G
++      gem "poc", git: "-u./pay:load.sh"
++    G
++
++    file = bundled_app("pay:load.sh")
++
++    create_file file, <<~RUBY
++      #!/bin/sh
++
++      touch #{bundled_app("canary")}
++    RUBY
++
++    FileUtils.chmod("+x", file)
++
++    bundle :lock, :raise_on_error => false
++
++    expect(Pathname.new(bundled_app("canary"))).not_to exist
++  end
+ end

rubygem-bundler-2.3.0-Pass-to-git-commands-to-separate-positional-and-opti.patch

@@ -0,0 +1,31 @@
+From 903f0610116ae254383c9ef65ef2695f56a240f7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?David=20Rodr=C3=ADguez?= <deivid.rodriguez@riseup.net>
+Date: Sat, 13 Nov 2021 11:18:54 +0100
+Subject: [PATCH] Pass "--" to git commands to separate positional and optional
+ args
+
+To make sure git uri's specified in Gemfile are never misinterpreted as
+optional arguments, potentially allowing for local code execution.
+---
+ lib/bundler/source/git/git_proxy.rb       |  4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/bundler/source/git/git_proxy.rb b/lib/bundler/source/git/git_proxy.rb
+index c56dda66ea..a9f9b50e0b 100644
+--- a/lib/bundler/source/git/git_proxy.rb
++++ b/lib/bundler/source/git/git_proxy.rb
+@@ -100,12 +100,12 @@ module Bundler
+             SharedHelpers.filesystem_access(path.dirname) do |p|
+               FileUtils.mkdir_p(p)
+             end
+-            git_retry %(clone #{uri_escaped_with_configured_credentials} "#{path}" --bare --no-hardlinks --quiet)
++            git_retry %(clone --bare --no-hardlinks --quiet -- #{uri_escaped_with_configured_credentials} "#{path}")
+             return unless extra_ref
+           end
+ 
+           in_path do
+-            git_retry %(fetch --force --quiet --tags #{uri_escaped_with_configured_credentials} "refs/heads/*:refs/heads/*" #{extra_ref})
++            git_retry %(fetch --force --quiet --tags -- #{uri_escaped_with_configured_credentials} "refs/heads/*:refs/heads/*" #{extra_ref})
+           end
+         end
+ 

rubygem-bundler.spec

@@ -12,7 +12,7 @@
 
 Name: rubygem-%{gem_name}
 Version: 1.16.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: Library and utilities to manage a Ruby application's gem dependencies
 Group: Development/Languages
 License: MIT
@@ -25,6 +25,10 @@ Source1: %{gem_name}-%{version}-specs.tgz
 # https://github.com/rubygems/rubygems/pull/5029
 Patch0: ruby-bundler-raise-error-in-dependency-confusion.patch
 Patch1: ruby-bundler-raise-error-in-dependency-confusion-tests.patch
+# Fix CVE-2021-43809: unexpected code execution in Gemfiles
+# https://github.com/rubygems/rubygems/pull/5142
+Patch2: rubygem-bundler-2.3.0-Pass-to-git-commands-to-separate-positional-and-opti.patch
+Patch3: rubygem-bundler-2.3.0-Pass-to-git-commands-to-separate-positional-and-opti-tests.patch
 # ruby package has just soft dependency on rubygem(io-console), while
 # Bundler always requires it.
 Requires: rubygem(io-console)
@@ -65,6 +69,7 @@ Documentation for %{name}.
 
 pushd .%{gem_instdir}
 %patch0 -p1
+%patch2 -p1
 popd
 
 %build
@@ -125,6 +130,7 @@ ruby -e '
 
 tar xzvf %{SOURCE1}
 cat %{PATCH1} | patch -p1
+cat %{PATCH3} | patch -p1
 
 # Re-create bundler.gemspec used in spec/spec_helper.rb to avoid unnecessary
 # git dependency.
@@ -199,6 +205,10 @@ popd
 %doc %{gem_instdir}/README.md
 
 %changelog
+* Fri Apr 25 2025 Vít Ondruch <vondruch@redhat.com> - 1.16.1-5
+- Fix unexpected code execution in Gemfiles (CVE-2021-43809)
+  Resolves: RHEL-87017
+
 * Mon Dec 13 2021 Jun Aruga <jaruga@redhat.com> - 1.16.1-4
 - Fix Bundler dependency confusion.
   Resolves: CVE-2020-36327

sources

@@ -0,0 +1,2 @@
+SHA512 (bundler-1.16.1-specs.tgz) = 65872b9e4e5e55c9c2ee6aecbbd53198474c22e5fca5368601b31d094e238d03b48014a6211e11332ac1c37306aa26b6e95158c36b431a41367d052bf5e3882d
+SHA512 (bundler-1.16.1.gem) = 2cca87aa17b61df98ef98a648a7d7cfe0529015f1278e8cb2298bb12544157933d723bd666d945bcdbaceacbf97a092a3848e2a587bd01cffa73c662d37d4834