rtime.felk.cvut.cz Git - coffee/buildroot.git/commit

ruby: add upstream security patches bumping rubygems to 2.6.13

We unfortunately cannot use the upstream patches directly as they are not in
'patch -p1' format, so convert them and include instead.

Fixes:

CVE-2017-0899 - RubyGems version 2.6.12 and earlier is vulnerable to
maliciously crafted gem specifications that include terminal escape
characters. Printing the gem specification would execute terminal escape
sequences.

CVE-2017-0900 - RubyGems version 2.6.12 and earlier is vulnerable to
maliciously crafted gem specifications to cause a denial of service attack
against RubyGems clients who have issued a `query` command.

CVE-2017-0901 - RubyGems version 2.6.12 and earlier fails to validate
specification names, allowing a maliciously crafted gem to potentially
overwrite any file on the filesystem.

CVE-2017-0902 - RubyGems version 2.6.12 and earlier is vulnerable to a DNS
hijacking vulnerability that allows a MITM attacker to force the RubyGems
client to download and install gems from a server that the attacker
controls.

For more details, see
https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

author	Peter Korsgaard <peter@korsgaard.com>
	Thu, 7 Sep 2017 09:17:55 +0000 (11:17 +0200)
committer	Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
	Sat, 9 Sep 2017 20:44:00 +0000 (22:44 +0200)
commit	0e5448af5091ee208fdd38a4e221f444085dd0c8
tree	26c8626a12effefb9a9efff90bdac20e3774e3f3	tree \| snapshot
parent	a834b86ee0a9396ec2698aaf69547ff8db500b00	commit \| diff

package/ruby/0001-rubygems-2612-ruby24.patch	[new file with mode: 0644]	blob
package/ruby/0002-rubygems-2613-ruby24.patch	[new file with mode: 0644]	blob