[Buildroot] [PATCH] ruby: add upstream security patches bumping rubygems to 2.6.13
Thomas Petazzoni
thomas.petazzoni at free-electrons.com
Sat Sep 9 20:48:56 UTC 2017
Hello,
On Thu, 7 Sep 2017 11:17:55 +0200, Peter Korsgaard wrote:
> We unfortunately cannot use the upstream patches directly as they are not in
> 'patch -p1' format, so convert them and include instead.
>
> Fixes:
>
> CVE-2017-0899 - RubyGems version 2.6.12 and earlier is vulnerable to
> maliciously crafted gem specifications that include terminal escape
> characters. Printing the gem specification would execute terminal escape
> sequences.
>
> CVE-2017-0900 - RubyGems version 2.6.12 and earlier is vulnerable to
> maliciously crafted gem specifications to cause a denial of service attack
> against RubyGems clients who have issued a `query` command.
>
> CVE-2017-0901 - RubyGems version 2.6.12 and earlier fails to validate
> specification names, allowing a maliciously crafted gem to potentially
> overwrite any file on the filesystem.
>
> CVE-2017-0902 - RubyGems version 2.6.12 and earlier is vulnerable to a DNS
> hijacking vulnerability that allows a MITM attacker to force the RubyGems
> client to download and install gems from a server that the attacker
> controls.
>
> For more details, see
> https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/
>
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
> ---
> package/ruby/0001-rubygems-2612-ruby24.patch | 445 +++++++++++++++++++++++++++
> package/ruby/0002-rubygems-2613-ruby24.patch | 364 ++++++++++++++++++++++
> 2 files changed, 809 insertions(+)
> create mode 100644 package/ruby/0001-rubygems-2612-ruby24.patch
> create mode 100644 package/ruby/0002-rubygems-2613-ruby24.patch
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com
More information about the buildroot
mailing list