.gitignore

@@ -1,7 +1,2 @@
-*~
-*.swp
-*.rpm
-*.xz
-*.tgz
-*.gem
-/*/
+SOURCES/bundler-1.16.1-specs.tgz
+SOURCES/bundler-1.16.1.gem

.rubygem-bundler.metadata

@@ -0,0 +1,2 @@
+d4e20b5d15ca4bba1338eddc7b9e8b858fa10dc1 SOURCES/bundler-1.16.1-specs.tgz
+bca8cd6a0d44524c55a04256307da33e6fe37d5f SOURCES/bundler-1.16.1.gem

SPECS/rubygem-bundler.spec

@@ -12,7 +12,7 @@
 
 Name: rubygem-%{gem_name}
 Version: 1.16.1
-Release: 5%{?dist}
+Release: 4%{?dist}
 Summary: Library and utilities to manage a Ruby application's gem dependencies
 Group: Development/Languages
 License: MIT
@@ -25,10 +25,6 @@ Source1: %{gem_name}-%{version}-specs.tgz
 # https://github.com/rubygems/rubygems/pull/5029
 Patch0: ruby-bundler-raise-error-in-dependency-confusion.patch
 Patch1: ruby-bundler-raise-error-in-dependency-confusion-tests.patch
-# Fix CVE-2021-43809: unexpected code execution in Gemfiles
-# https://github.com/rubygems/rubygems/pull/5142
-Patch2: rubygem-bundler-2.3.0-Pass-to-git-commands-to-separate-positional-and-opti.patch
-Patch3: rubygem-bundler-2.3.0-Pass-to-git-commands-to-separate-positional-and-opti-tests.patch
 # ruby package has just soft dependency on rubygem(io-console), while
 # Bundler always requires it.
 Requires: rubygem(io-console)
@@ -69,7 +65,6 @@ Documentation for %{name}.
 
 pushd .%{gem_instdir}
 %patch0 -p1
-%patch2 -p1
 popd
 
 %build
@@ -130,7 +125,6 @@ ruby -e '
 
 tar xzvf %{SOURCE1}
 cat %{PATCH1} | patch -p1
-cat %{PATCH3} | patch -p1
 
 # Re-create bundler.gemspec used in spec/spec_helper.rb to avoid unnecessary
 # git dependency.
@@ -205,10 +199,6 @@ popd
 %doc %{gem_instdir}/README.md
 
 %changelog
-* Fri Apr 25 2025 Vít Ondruch <vondruch@redhat.com> - 1.16.1-5
-- Fix unexpected code execution in Gemfiles (CVE-2021-43809)
-  Resolves: RHEL-87017
-
 * Mon Dec 13 2021 Jun Aruga <jaruga@redhat.com> - 1.16.1-4
 - Fix Bundler dependency confusion.
   Resolves: CVE-2020-36327

rubygem-bundler-2.3.0-Pass-to-git-commands-to-separate-positional-and-opti-tests.patch

@@ -1,41 +0,0 @@
-From 903f0610116ae254383c9ef65ef2695f56a240f7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?David=20Rodr=C3=ADguez?= <deivid.rodriguez@riseup.net>
-Date: Sat, 13 Nov 2021 11:18:54 +0100
-Subject: [PATCH] Pass "--" to git commands to separate positional and optional
- args
-
-To make sure git uri's specified in Gemfile are never misinterpreted as
-optional arguments, potentially allowing for local code execution.
----
- spec/bundler/source/git/git_proxy_spec.rb | 20 ++++++++++++++++++++
- 1 files changed, 20 insertions(+)
-
-diff --git a/spec/bundler/source/git/git_proxy_spec.rb b/spec/bundler/source/git/git_proxy_spec.rb
-index d282a449a5..fbe7ef8792 100644
---- a/spec/bundler/source/git/git_proxy_spec.rb
-+++ b/spec/bundler/source/git/git_proxy_spec.rb
-@@ -113,4 +113,24 @@ RSpec.describe Bundler::Source::Git::GitProxy do
-       end
-     end
-   end
-+
-+  it "doesn't allow arbitrary code execution through Gemfile uris with a leading dash" do
-+    gemfile <<~G
-+      gem "poc", git: "-u./pay:load.sh"
-+    G
-+
-+    file = bundled_app("pay:load.sh")
-+
-+    create_file file, <<~RUBY
-+      #!/bin/sh
-+
-+      touch #{bundled_app("canary")}
-+    RUBY
-+
-+    FileUtils.chmod("+x", file)
-+
-+    bundle :lock, :raise_on_error => false
-+
-+    expect(Pathname.new(bundled_app("canary"))).not_to exist
-+  end
- end

rubygem-bundler-2.3.0-Pass-to-git-commands-to-separate-positional-and-opti.patch

@@ -1,31 +0,0 @@
-From 903f0610116ae254383c9ef65ef2695f56a240f7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?David=20Rodr=C3=ADguez?= <deivid.rodriguez@riseup.net>
-Date: Sat, 13 Nov 2021 11:18:54 +0100
-Subject: [PATCH] Pass "--" to git commands to separate positional and optional
- args
-
-To make sure git uri's specified in Gemfile are never misinterpreted as
-optional arguments, potentially allowing for local code execution.
----
- lib/bundler/source/git/git_proxy.rb       |  4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/lib/bundler/source/git/git_proxy.rb b/lib/bundler/source/git/git_proxy.rb
-index c56dda66ea..a9f9b50e0b 100644
---- a/lib/bundler/source/git/git_proxy.rb
-+++ b/lib/bundler/source/git/git_proxy.rb
-@@ -100,12 +100,12 @@ module Bundler
-             SharedHelpers.filesystem_access(path.dirname) do |p|
-               FileUtils.mkdir_p(p)
-             end
--            git_retry %(clone #{uri_escaped_with_configured_credentials} "#{path}" --bare --no-hardlinks --quiet)
-+            git_retry %(clone --bare --no-hardlinks --quiet -- #{uri_escaped_with_configured_credentials} "#{path}")
-             return unless extra_ref
-           end
- 
-           in_path do
--            git_retry %(fetch --force --quiet --tags #{uri_escaped_with_configured_credentials} "refs/heads/*:refs/heads/*" #{extra_ref})
-+            git_retry %(fetch --force --quiet --tags -- #{uri_escaped_with_configured_credentials} "refs/heads/*:refs/heads/*" #{extra_ref})
-           end
-         end
- 

sources

@@ -1,2 +0,0 @@
-SHA512 (bundler-1.16.1-specs.tgz) = 65872b9e4e5e55c9c2ee6aecbbd53198474c22e5fca5368601b31d094e238d03b48014a6211e11332ac1c37306aa26b6e95158c36b431a41367d052bf5e3882d
-SHA512 (bundler-1.16.1.gem) = 2cca87aa17b61df98ef98a648a7d7cfe0529015f1278e8cb2298bb12544157933d723bd666d945bcdbaceacbf97a092a3848e2a587bd01cffa73c662d37d4834