rtime.felk.cvut.cz Git - coffee/buildroot.git/commit
ruby: add upstream security patches bumping rubygems to 2.6.13
author Peter Korsgaard <peter@korsgaard.com>
Thu, 7 Sep 2017 09:17:55 +0000 (11:17 +0200)
committer Peter Korsgaard <peter@korsgaard.com>
Thu, 21 Sep 2017 11:17:17 +0000 (13:17 +0200)
commit a8676e86fe92dd5eace74a7bc87050d0b24ea949
tree 8810c581f091c692bb0676e13e67ca1cbcd7add1
parent 38b5b4968925dddccd8173dd0b6f6a9a5c7c7eaa
ruby: add upstream security patches bumping rubygems to 2.6.13

We unfortunately cannot use the upstream patches directly as they are not in
'patch -p1' format, so convert them and include instead.

Fixes:

CVE-2017-0899 - RubyGems version 2.6.12 and earlier is vulnerable to
maliciously crafted gem specifications that include terminal escape
characters.  Printing the gem specification would execute terminal escape
sequences.

CVE-2017-0900 - RubyGems version 2.6.12 and earlier is vulnerable to
maliciously crafted gem specifications to cause a denial of service attack
against RubyGems clients who have issued a `query` command.

CVE-2017-0901 - RubyGems version 2.6.12 and earlier fails to validate
specification names, allowing a maliciously crafted gem to potentially
overwrite any file on the filesystem.

CVE-2017-0902 - RubyGems version 2.6.12 and earlier is vulnerable to a DNS
hijacking vulnerability that allows a MITM attacker to force the RubyGems
client to download and install gems from a server that the attacker
controls.

For more details, see
https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 0e5448af5091ee208fdd38a4e221f444085dd0c8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
package/ruby/0001-rubygems-2612-ruby24.patch [new file with mode: 0644]
package/ruby/0002-rubygems-2613-ruby24.patch [new file with mode: 0644]
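The following is an added example, not code from this Buildroot commit and not the upstream RubyGems patches it packages. It shows, in plain Ruby, the two spec-level checks that the bug classes named in the commit message call for: an allowlist on the specification name so a crafted name cannot steer the install path outside the gem directory (the CVE-2017-0901 class), and stripping of terminal control sequences before a spec field is printed (the CVE-2017-0899 class). The name and version patterns, the helper names (spec_name_valid?, sanitize_for_terminal, checked_spec_path, check_untrusted_spec) and the sample inputs are this example's own assumptions and constructions; the real RubyGems 2.6.13 implementation is in the two patches listed above.

```ruby
# Added example, not code from the Buildroot commit or from RubyGems' patches.
# Demonstrates a name allowlist (path-traversal class, CVE-2017-0901) and
# terminal-escape stripping before printing (CVE-2017-0899 class).
# All patterns and helper names are this example's own assumptions.

# Assumption: a conservative allowlist. Leading alphanumeric, then characters
# that appear in published gem names. Rejects '/', '\', '..', whitespace and
# every control character, so no path separator survives.
VALID_GEM_NAME = /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/

# Assumption: enough of the gem version syntax for this check.
VALID_GEM_VERSION = /\A[0-9]+(?:\.[0-9A-Za-z]+)*\z/

# ECMA-48 control sequences a terminal acts on when the text is printed.
CSI_SEQUENCE  = /\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]/  # ESC [ params final
OSC_SEQUENCE  = /\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)/          # ESC ] ... BEL or ESC \
CONTROL_CHARS = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/           # lone ESC, NUL, ...; keeps \t and \n

class SpecValidationError < StandardError; end

def spec_name_valid?(name)
  name.is_a?(String) && name.match?(VALID_GEM_NAME)
end

def spec_version_valid?(version)
  version.is_a?(String) && version.match?(VALID_GEM_VERSION)
end

# Remove terminal control sequences so printing a spec field cannot drive the
# terminal (clear screen, retitle the window, move the cursor, ...).
def sanitize_for_terminal(text)
  text.to_s.gsub(OSC_SEQUENCE, '').gsub(CSI_SEQUENCE, '').gsub(CONTROL_CHARS, '')
end

# The unchecked computation a naive client might do: the name goes straight
# into the path, so "../../../etc/passwd" resolves outside install_root.
def unchecked_spec_path(install_root, name, version)
  File.expand_path(File.join(install_root, 'specifications', "#{name}-#{version}.gemspec"))
end

# Hardened version: validate the fields first, then verify the resolved path
# is still under install_root (defense in depth should the allowlist widen).
def checked_spec_path(install_root, name, version)
  raise SpecValidationError, "bad gem name #{name.inspect}" unless spec_name_valid?(name)
  raise SpecValidationError, "bad version #{version.inspect}" unless spec_version_valid?(version)
  root = File.expand_path(install_root)
  path = File.expand_path(File.join(root, 'specifications', "#{name}-#{version}.gemspec"))
  unless path.start_with?(root + File::SEPARATOR)
    raise SpecValidationError, "spec path #{path} escapes #{root}"
  end
  path
end

# Validate an untrusted spec (a constructed Hash standing in for the fields a
# client reads from a remote gemspec) and return a copy that is safe to print.
def check_untrusted_spec(spec)
  raise SpecValidationError, "bad gem name #{spec[:name].inspect}" unless spec_name_valid?(spec[:name])
  raise SpecValidationError, "bad version #{spec[:version].inspect}" unless spec_version_valid?(spec[:version])
  {
    name: spec[:name],
    version: spec[:version],
    summary: sanitize_for_terminal(spec[:summary]),
    description: sanitize_for_terminal(spec[:description]),
  }
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs, not real gems.
  p check_untrusted_spec(name: 'rake', version: '12.0.0',
                         summary: "Ruby\e[2Jmake", description: "see\e]0;pwned\a docs")
  puts unchecked_spec_path('/tmp/gems', '../../../etc/passwd', '1')
  begin
    checked_spec_path('/tmp/gems', '../../../etc/passwd', '1')
  rescue SpecValidationError => e
    puts "rejected: #{e.message}"
  end
end
```

The order of the three gsub calls matters: complete OSC and CSI sequences are removed first, so a stray ESC that is not part of a recognised sequence is only dropped by the final control-character pass rather than leaving the sequence's printable tail (for example "[2J") behind with an ESC still in front of it. The path check in checked_spec_path is redundant while the name allowlist holds, which is the point: a later relaxation of the pattern cannot silently reintroduce the traversal.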