From 535e11672df869d77430c290011de015c162656b Mon Sep 17 00:00:00 2001
From: Jun Aruga
Date: Jul 09 2021 14:16:05 +0000
Subject: Upgrade to Bundler 2.2.22. Resolves: CVE-2020-36327
---
diff --git a/.gitignore b/.gitignore
index 3523d77..e71875f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 /ruby-2.*.tar.bz2
 /ruby-2.*.tar.xz
 /*.rpm
+/ruby-rubygems-bundler-*.txz
diff --git a/ruby.spec b/ruby.spec
index d3e9dde..7065c6a 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -21,7 +21,7 @@
 %endif
-%global release 127
+%global release 128
 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
 # The RubyGems library has to stay out of Ruby directory tree, since the
@@ -32,11 +32,14 @@
 %global rubygems_version 3.0.3
 %global rubygems_molinillo_version 0.5.7
-%global bundler_version 1.17.2
-%global bundler_fileutils_version 1.1.0
-%global bundler_molinillo_version 0.6.6
-%global bundler_net_http_persistent_version 2.9.4
-%global bundler_thor_version 0.20.0
+%global bundler_version 2.2.22
+%global bundler_connection_pool_version 2.2.2
+%global bundler_fileutils_version 1.4.1
+%global bundler_molinillo_version 0.7.0
+%global bundler_net_http_persistent_version 4.0.0
+%global bundler_thor_version 1.1.0
+%global bundler_tmpdir_version 0.1.0
+%global bundler_uri_version 0.10.0
 %global bigdecimal_version 1.4.1
 %global did_you_mean_version 1.3.0
@@ -106,6 +109,9 @@ Source11: rubygems.con
 Source13: test_abrt.rb
 # SystemTap tests.
 Source14: test_systemtap.rb
+# git clone --no-checkout git@github.com:rubygems/rubygems.git
+# git -C rubygems archive --prefix=rubygems/ -v -o ruby-rubygems-bundler-v2.2.22.txz bundler-v2.2.22
+Source15: ruby-rubygems-bundler-v%{bundler_version}.txz
 # The load directive is supported since RPM 4.12, i.e. F21+. The build process
 # fails on older Fedoras.
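Review bot: Source15 is a locally generated `git archive` of a git tag, so the SHA512 pinned in `sources` identifies this particular archive but not an upstream revision: the `bundler-v2.2.22` tag named in the comment can be moved, and `git archive` output for the same tree is not guaranteed to be byte-identical across git versions. Recording the resolved commit next to the archive command, e.g. `# bundler-v2.2.22 resolves to <upstream commit id>` with the id taken from `git rev-parse bundler-v2.2.22^{}`, would let a later maintainer re-verify the tarball against upstream. The comment also hardcodes `v2.2.22` while the `Source15` line uses `%{bundler_version}`, so the two can drift on the next bump; and the `git@github.com:` SSH URL is only the author's environment, an `https://` clone URL is reproducible by anyone.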
@@ -165,6 +171,9 @@ Patch22: ruby-2.6.0-config-support-include-directive.patch
 Patch41: ruby-2.8.0-Brace-the-fact-that-lchmod-can-EOPNOTSUPP.patch
 # https://github.com/ruby/ruby/commit/72c02aa4b79731c7f25c9267f74b347f1946c704
 Patch42: ruby-2.8.0-Moved-not-implemented-method-tests.patch
+# Update `bundler.gemspec` from RubyGems, required to pass `make test-bundler`.
+# Compare RubyGems `bundler/bundler.gemspec` with Ruby `lib/bundler/bundler.gemspec`.
+Patch50: rubygems-bundler-gemspec-for-make-test-bundler.patch
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Suggests: rubypick
@@ -539,12 +548,21 @@ many machines, systematically and repeatably.
 %prep
-%setup -q -n %{ruby_archive}
+%setup -q -n %{ruby_archive} -b15
 # Remove bundled libraries to be sure they are not used.
 rm -rf ext/psych/yaml
 rm -rf ext/fiddle/libffi*
+# Update Bundler to fix CVE-2020-36327.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1958999
+rm -rf lib/bundler{.rb,}
+rm -rf {spec,tool}/bundler
+cp -a %{_builddir}/rubygems/bundler/lib/bundler{.rb,} lib/
+cp -a %{_builddir}/rubygems/bundler/bundler.gemspec lib/bundler/
+cp -a %{_builddir}/rubygems/bundler/spec spec/bundler
+cp -a %{_builddir}/rubygems/bundler/tool/bundler tool/bundler
+
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
@@ -562,6 +580,7 @@ rm -rf ext/fiddle/libffi*
 %patch22 -p1
 %patch41 -p1
 %patch42 -p1
+%patch50 -p1
 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
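Review bot: The `%prep` replacement swaps only `lib/bundler`, `lib/bundler.rb`, `spec/bundler` and `tool/bundler`, so whatever else the Ruby tree carries for Bundler — the `libexec` entry points implied by `s.bindir = "libexec"` in Patch50 and the Bundler man pages packaged under `%{_mandir}` in `%files` — presumably stays at the 1.17.2 state unless it is refreshed elsewhere in the spec; worth confirming, since a stale `libexec/bundler` would still front the 2.2.22 library. Separately, `-b15` unpacks Source15 into the fixed path `%{_builddir}/rubygems`, which `%setup` as far as I know does not clear the way it clears `%{ruby_archive}`, so in a reused build directory a leftover tree from an earlier archive would be picked up by `cp -a` without any error. Running `rm -rf %{_builddir}/rubygems` ahead of `%setup`, or giving the archive a versioned prefix such as `--prefix=rubygems-bundler-v%{bundler_version}/`, removes that ambiguity. The `%prep` section continues outside the hunk.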
@@ -625,13 +644,9 @@ for cert in \
 do
 rm %{buildroot}%{rubygems_dir}/rubygems/ssl_certs/$cert
 rm -r $(dirname %{buildroot}%{rubygems_dir}/rubygems/ssl_certs/$cert)
- rm %{buildroot}%{ruby_libdir}/bundler/ssl_certs/$cert
- rm -r $(dirname %{buildroot}%{ruby_libdir}/bundler/ssl_certs/$cert)
 done
 # Ensure there is not forgotten any certificate.
 test ! "$(ls -A %{buildroot}%{rubygems_dir}/rubygems/ssl_certs/ 2>/dev/null)"
-test "$(ls -A %{buildroot}%{ruby_libdir}/bundler/ssl_certs/ 2>/dev/null)" \
- = "certificate_manager.rb"
 # Move macros file into proper place and replace the %%{name} macro, since it
 # would be wrongly evaluated during build of other packages.
@@ -798,8 +813,11 @@ checksec --file=libruby.so.%{ruby_version} | \
 # Check Bundler bundled dependencies versions.
 # FileUtils.
-# TODO: There is no version in bundled FileUtils yet.
-#%%{global bundler_fileutils_version}
+[ "`make runruby TESTRUN_SCRIPT=\"-e \\\" \
+ module Bundler; end; \
+ require 'bundler/vendor/fileutils/lib/fileutils'; \
+ puts Bundler::FileUtils::VERSION\\\"\" | tail -1`" \
+ == '%{bundler_fileutils_version}' ]
 # Molinillo.
 [ "`make runruby TESTRUN_SCRIPT=\"-e \\\" \
@@ -823,6 +841,17 @@ checksec --file=libruby.so.%{ruby_version} | \
 puts Bundler::Thor::VERSION\\\"\" | tail -1`" \
 == '%{bundler_thor_version}' ]
+# tmpdir.
+# TODO: There is no version in bundled tmpdir yet.
+#%%{global bundler_tmpdir_version}
+
+# URI.
+[ "`make runruby TESTRUN_SCRIPT=\"-e \\\" \
+ module Bundler; end; \
+ require 'bundler/vendor/uri/lib/uri/version'; \
+ puts Bundler::URI::VERSION\\\"\" | tail -1`" \
+ == '%{bundler_uri_version}' ]
+
 # test_debug(TestRubyOptions) fails due to LoadError reported in debug mode,
 # when abrt.rb cannot be required (seems to be easier way then customizing
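Review bot: Dropping the bundler `ssl_certs` cleanup also drops the only assertion about that directory, so the build no longer notices if a future Bundler archive reintroduces vendored CA certificates under `%{ruby_libdir}/bundler/ssl_certs/`; the RubyGems directory keeps its `test !` guard while the bundler one is simply gone. If 2.2.22 ships no such directory, a one-line guard turns that into an explicit build-time fact instead of an assumption: `test ! -e %{buildroot}%{ruby_libdir}/bundler/ssl_certs`. The `for cert in` loop starts before the hunk.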
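Review bot: The version-check block gains entries for tmpdir and URI, but no hunk in this commit adds a check for `%{bundler_connection_pool_version}`, which the macro hunk defines alongside them; unless a check lives in an unshown part of the spec, connection_pool is the one vendored copy whose version is asserted nowhere. If the vendored connection_pool exposes a `VERSION` constant, a check in the same shape as the URI one — requiring the vendored file and comparing `Bundler::ConnectionPool::VERSION` with `'%{bundler_connection_pool_version}'` — keeps the macro honest. The tmpdir placeholder repeats the pattern just retired for FileUtils, so it is worth a follow-up TODO once the vendored tmpdir carries a version.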
@@ -1214,6 +1243,10 @@ MSPECOPTS="$MSPECOPTS -P 'File.lchmod raises a NotImplementedError when called'"
 %{_mandir}/man5/gemfile.5*
 %changelog
+* Thu Jul 08 2021 Jun Aruga - 2.6.6-128
+- Upgrade to Bundler 2.2.22. Resolves: CVE-2020-36327
+
 * Wed Jul 07 2021 Jun Aruga - 2.6.6-127
 - Fix FTBFS due to incompatible load directive.
 - Properly support DWARF5 debug information.
diff --git a/rubygems-bundler-gemspec-for-make-test-bundler.patch b/rubygems-bundler-gemspec-for-make-test-bundler.patch
new file mode 100644
index 0000000..ca39d66
--- /dev/null
+++ b/rubygems-bundler-gemspec-for-make-test-bundler.patch
@@ -0,0 +1,15 @@
+--- a/lib/bundler/bundler.gemspec
++++ b/lib/bundler/bundler.gemspec
+@@ -37,10 +37,9 @@
+ s.files = Dir.glob("lib/bundler{.rb,/**/*}", File::FNM_DOTMATCH).reject {|f| File.directory?(f) }
+
+ # include the gemspec itself because warbler breaks w/o it
+- s.files += %w[bundler.gemspec]
++ s.files += %w[lib/bundler/bundler.gemspec]
+
+- s.files += %w[CHANGELOG.md LICENSE.md README.md]
+- s.bindir = "exe"
++ s.bindir = "libexec"
+ s.executables = %w[bundle bundler]
+ s.require_paths = ["lib"]
+ end
diff --git a/sources b/sources
index e2d3668..2470e5e 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
 SHA512 (ruby-2.6.6.tar.xz) = 86caf93dbf61d03781767ab5375a7edf4761f13ba08ccfefe16c0a7550499237e7390c2f72a95d42670d4fe76b2401b4218936187c62ec1572799e9e04c50d62
+SHA512 (ruby-rubygems-bundler-v2.2.22.txz) = f511473f3624ab0ae594577dbf6da5725bf0ab20beda8a3955d31b730aa4f245e6c1fa706c9925b3d936050870575fd730ca2718ccb450d31210bc8439da6d6a
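Review bot: In the new gemspec patch, `s.files += %w[lib/bundler/bundler.gemspec]` re-adds a path that the preceding `Dir.glob("lib/bundler{.rb,/**/*}", File::FNM_DOTMATCH)` already matches once the gemspec is copied into `lib/bundler/` by `%prep`, so the file is listed twice in `s.files`. Using `s.files |= %w[lib/bundler/bundler.gemspec]` keeps the warbler workaround the upstream comment describes without the duplicate. The patch carries no header explaining why it exists; a one-line comment above its first `---` pointing at the spec's `Patch50` rationale would help anyone rebasing it on the next Bundler bump.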