Bug 647922 - <dev-ruby/rubygems-2.7.6: multiple vulnerabilities
Summary: <dev-ruby/rubygems-2.7.6: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://blog.rubygems.org/2018/02/15/2...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-02-17 07:39 UTC by Hans de Graaff
Modified: 2018-04-22 21:08 UTC (History)

See Also:
Package list:
dev-ruby/rubygems-2.7.6
Runtime testing required: ---
stable-bot: sanity-check+


Attachments
rubygems-2.7.6 build log (build.log, 2.16 KB, text/x-log)
2018-02-19 15:11 UTC, Niels Hamaker
no flags
emerge --infor =rubygems-2.7.6 output (emerge_info, 17.13 KB, text/plain)
2018-02-19 15:12 UTC, Niels Hamaker
no flags
emerge rubygems output (emerge_output, 3.16 KB, text/plain)
2018-02-19 15:12 UTC, Niels Hamaker
no flags

Description Hans de Graaff gentoo-dev Security 2018-02-17 07:39:25 UTC
- Prevent path traversal when writing to a symlinked basedir outside of the root. 
- Fix possible Unsafe Object Deserialization Vulnerability in gem owner.
- Strictly interpret octal fields in tar headers.
- Raise a security error when there are duplicate files in a package.
- Enforce URL validation on spec homepage attribute.
- Mitigate XSS vulnerability in homepage attribute when displayed via gem server. 
- Prevent Path Traversal issue during gem installation.
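Three of the fixes listed above (strict octal tar header fields, duplicate files in a package, path traversal of entry names) can be illustrated with a small tar walker. This is an added example written for this page, not RubyGems' own code; the names (`strict_oct`, `check_tar`, `tar_entry`, `TarCheckError`) are hypothetical and the archive data is constructed inline.

```ruby
require 'set'

class TarCheckError < StandardError; end

# ustar header layout (offsets within the 512-byte header block)
NAME   = 0...100
SIZE   = 124...136
PREFIX = 345...500

# Strictly parse an octal header field. String#oct is lenient: it honours
# "0x"/"0b" radix prefixes and silently stops at the first non-octal byte,
# so a crafted size field can be read as a different number than intended.
def strict_oct(field)
  str = field.delete("\0 ")  # drop NUL padding and trailing spaces
  raise TarCheckError, "invalid octal field #{field.inspect}" unless str =~ /\A[0-7]+\z/
  str.to_i(8)
end

# Reject absolute names and any ".." path component.
def safe_entry_name?(name)
  !name.start_with?('/') && !name.split('/').include?('..')
end

# Walk an in-memory tar archive (String of 512-byte blocks) and return the
# entry names; raise on a malformed size, an unsafe path or a duplicate entry.
def check_tar(data)
  seen = Set.new
  offset = 0
  while offset + 512 <= data.bytesize
    header = data.byteslice(offset, 512)
    break if header.bytes.all?(&:zero?)      # end-of-archive zero block
    name = header[NAME].delete("\0")
    prefix = header[PREFIX].delete("\0")
    name = "#{prefix}/#{name}" unless prefix.empty?
    size = strict_oct(header[SIZE])
    raise TarCheckError, "unsafe path #{name}" unless safe_entry_name?(name)
    raise TarCheckError, "duplicate entry #{name}" unless seen.add?(name)
    offset += 512 + ((size + 511) / 512) * 512 # skip header + padded body
  end
  seen.to_a
end

# Build a minimal ustar entry for testing (constructed sample data only).
# size_field lets a test supply a deliberately malformed size.
def tar_entry(name, body, size_field: nil)
  header = "\0" * 512
  header[0, name.bytesize] = name
  header[124, 12] = (size_field || format('%011o', body.bytesize)).ljust(12, "\0")
  header + body + "\0" * ((512 - body.bytesize % 512) % 512)
end
```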
Comment 1 Hans de Graaff gentoo-dev Security 2018-02-17 07:40:44 UTC
Fixed version is in the repo, but I'd like to see a few days of testing before starting the stable process.
Comment 2 Niels Hamaker 2018-02-19 11:12:30 UTC
I'm currently getting errors installing rubygems-2.7.6, but this was also removing the ruby23 use flag:
 * Package:    dev-ruby/rubygems-2.7.6
 * Repository: gentoo
 * Maintainer: ruby@gentoo.org
 * USE:        abi_x86_64 amd64 elibc_glibc kernel_linux ruby_targets_ruby24 userland_GNU
 * FEATURES:   preserve-libs sandbox userpriv usersandbox
>>> Unpacking source...
>>> Unpacking rubygems-2.7.6.tgz to /var/tmp/portage/dev-ruby/rubygems-2.7.6/work/all
>>> Source unpacked in /var/tmp/portage/dev-ruby/rubygems-2.7.6/work
>>> Preparing source in /var/tmp/portage/dev-ruby/rubygems-2.7.6/work ...
 * Running prepare phase for all ...
 * Running prepare phase for all ...
 * Adjusting to prefix /
 *   operating_system.rb ...
 [ ok ]
 * Running source copy phase for ruby24 ...
cp: cannot create hard link 'ruby24/rubygems-2.7.6/test/rubygems/test_gem_installer.rb' to 'all/rubygems-2.7.6/test/rubygems/test_gem_installer.rb': File exists
 * ERROR: dev-ruby/rubygems-2.7.6::gentoo failed (prepare phase):
 *   Unable to copy ruby24 environment
 * 
 * Call stack:
 *     ebuild.sh, line  124:  Called src_prepare
 *   environment, line 4254:  Called ruby-ng_src_prepare
 *   environment, line 4073:  Called _ruby_each_implementation '_ruby_source_copy'
 *   environment, line  404:  Called _ruby_invoke_environment 'ruby24' '_ruby_source_copy'
 *   environment, line  529:  Called _ruby_source_copy
 *   environment, line  535:  Called die
 * The specific snippet of code:
 *       cp -prlP all ${_ruby_implementation} || die "Unable to copy ${_ruby_implementation} environment"
 * 

2.6.14 has just now installed fine.
Maybe this is a red herring, but given the security vulnerabilities I thought this might be worth sharing with you quickly. Once ruby23 is gone from my system I can see if I can install 2.7.6 normally or if the problem persists.
Comment 3 Niels Hamaker 2018-02-19 15:11:33 UTC
Created attachment 520110 [details]
rubygems-2.7.6 build log
Comment 4 Niels Hamaker 2018-02-19 15:12:03 UTC
Created attachment 520112 [details]
emerge --infor =rubygems-2.7.6 output
Comment 5 Niels Hamaker 2018-02-19 15:12:51 UTC
Created attachment 520114 [details]
emerge rubygems output
Comment 6 Niels Hamaker 2018-02-19 15:14:04 UTC
This problem still persists in my system, after running updates etc. Should I create a separate bug report for this, or is it ok for this to live here?
Comment 7 Hans de Graaff gentoo-dev Security 2018-02-19 18:42:31 UTC
(In reply to Niels Hamaker from comment #6)
> This problem still persists in my system, after running updates etc. Should
> I create a separate bug report for this, or is it ok for this to live here?

This should have been a separate bug report from the start, so please do.
Comment 8 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-14 22:34:14 UTC
(In reply to Hans de Graaff from comment #1)
> Fixed version is in the repo, but I'd like to see a few days of testing
> before starting the stable process.

Hi Hans, please call for stabilization when appropriate. Btw, is there a list of CVEs assigned to those vulnerabilities? I may help to diagnose the severity level.

Thank you
Comment 9 Hans de Graaff gentoo-dev Security 2018-03-29 06:12:25 UTC
The reported issues turned out to be btrfs regressions in linux 4.15.

Upstream does not list any CVE identifiers.
Comment 10 Hans de Graaff gentoo-dev Security 2018-03-29 06:15:04 UTC
Please test and mark stable.
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-29 14:53:38 UTC
x86 stable
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-29 14:55:47 UTC
x86 stable
Comment 13 Larry the Git Cow gentoo-dev 2018-03-30 00:36:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0d6aaf8632c0d3f655982a5f0ad989d55e8d0935

commit 0d6aaf8632c0d3f655982a5f0ad989d55e8d0935
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-03-30 00:30:00 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-03-30 00:30:00 +0000

    dev-ruby/rubygems: amd64 stable
    
    Bug: https://bugs.gentoo.org/647922
    Package-Manager: Portage-2.3.26, Repoman-2.3.7

 dev-ruby/rubygems/rubygems-2.7.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-30 12:08:17 UTC
ia64 stable
Comment 15 Larry the Git Cow gentoo-dev 2018-03-31 10:04:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a93392ee917d49e3fe9812628cc8e2a0bc5e1ca7

commit a93392ee917d49e3fe9812628cc8e2a0bc5e1ca7
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-03-31 08:30:34 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-03-31 10:04:42 +0000

    dev-ruby/rubygems: stable 2.7.6 for sparc
    
    Bug: https://bugs.gentoo.org/647922
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 dev-ruby/rubygems/rubygems-2.7.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 16 Tobias Klausmann (RETIRED) gentoo-dev 2018-03-31 15:39:41 UTC
Stable on alpha.
Comment 17 Sergei Trofimovich (RETIRED) gentoo-dev 2018-04-01 14:19:32 UTC
ppc64 stable
Comment 18 Markus Meier gentoo-dev 2018-04-08 10:53:13 UTC
arm stable
Comment 19 Larry the Git Cow gentoo-dev 2018-04-20 06:57:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3c9ae1b6a56c21c37e55d2ab94dfaa1d17d399f

commit e3c9ae1b6a56c21c37e55d2ab94dfaa1d17d399f
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-04-20 06:57:13 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-20 06:57:13 +0000

    dev-ruby/rubygems: stable 2.7.6 for ppc, bug #647922
    
    Bug: https://bugs.gentoo.org/647922
    Package-Manager: Portage-2.3.28, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc"

 dev-ruby/rubygems/rubygems-2.7.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 20 Matt Turner gentoo-dev 2018-04-22 19:18:03 UTC
hppa stable
Comment 21 Hans de Graaff gentoo-dev Security 2018-04-22 19:22:13 UTC
Vulnerable versions have been removed.
Comment 22 Aaron Bauman (RETIRED) gentoo-dev 2018-04-22 21:08:18 UTC
(In reply to Hans de Graaff from comment #21)
> Vulnerable versions have been removed.

GLSA Vote: No

Thanks, Hans!