rtime.felk.cvut.cz Git - coffee/buildroot.git/commit

author	Peter Korsgaard <peter@korsgaard.com>
	Thu, 7 Sep 2017 09:17:55 +0000 (11:17 +0200)
committer	Peter Korsgaard <peter@korsgaard.com>
	Mon, 16 Oct 2017 21:12:33 +0000 (23:12 +0200)
commit	a9cd436711d386ddc7ed02071a9444737567ad4a
tree	0993888e1b83ce0d09869591ebae31782def1816	tree \| snapshot
parent	eebfc0f3241acf432ea3249b10da982436a30a89	commit \| diff

ruby: add upstream security patches bumping rubygems to 2.6.13

We unfortunately cannot use the upstream patches directly as they are not in
'patch -p1' format, so convert them and include instead.

Fixes:

CVE-2017-0899 - RubyGems version 2.6.12 and earlier is vulnerable to
maliciously crafted gem specifications that include terminal escape
characters. Printing the gem specification would execute terminal escape
sequences.

CVE-2017-0900 - RubyGems version 2.6.12 and earlier is vulnerable to
maliciously crafted gem specifications to cause a denial of service attack
against RubyGems clients who have issued a `query` command.

CVE-2017-0901 - RubyGems version 2.6.12 and earlier fails to validate
specification names, allowing a maliciously crafted gem to potentially
overwrite any file on the filesystem.

CVE-2017-0902 - RubyGems version 2.6.12 and earlier is vulnerable to a DNS
hijacking vulnerability that allows a MITM attacker to force the RubyGems
client to download and install gems from a server that the attacker
controls.

For more details, see
https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 0e5448af5091ee208fdd38a4e221f444085dd0c8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/ruby/0001-rubygems-2612-ruby24.patch	[new file with mode: 0644]	blob
package/ruby/0002-rubygems-2613-ruby24.patch	[new file with mode: 0644]	blob