#88 [Don't merge] Upgrade to Bundler 2.2.22.
Closed 3 months ago by jaruga. Opened 4 months ago by jaruga.
rpms/ jaruga/ruby wip/rebase-bundler  into  rawhide

file modified
+1
@@ -1,3 +1,4 @@ 

  /*/

  /ruby-*.tar.xz

  /*.rpm

+ /ruby-rubygems-bundler-*.txz

file modified
+23 -3
@@ -22,7 +22,7 @@ 

  %endif

  

  

- %global release 149

+ %global release 150

  %{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}

  

  # The RubyGems library has to stay out of Ruby directory tree, since the
@@ -34,7 +34,7 @@ 

  %global rubygems_molinillo_version 0.7.0

  

  # Default gems.

- %global bundler_version 2.2.15

+ %global bundler_version 2.2.22

  %global bundler_connection_pool_version 2.2.2

  %global bundler_fileutils_version 1.4.1

  %global bundler_molinillo_version 0.7.0
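Review bot: only bundler_version moves to 2.2.22 here while bundler_connection_pool_version, bundler_fileutils_version and bundler_molinillo_version keep their 2.2.15-era values; please confirm that Bundler 2.2.22 still vendors exactly connection_pool 2.2.2, fileutils 1.4.1 and molinillo 0.7.0, otherwise anything derived from these macros will advertise stale versions.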
@@ -110,6 +110,9 @@ 

  Source13: test_abrt.rb

  # SystemTap tests.

  Source14: test_systemtap.rb

+ # git clone --no-checkout git@github.com:rubygems/rubygems.git

+ # git -C rubygems archive --prefix=rubygems/ -v -o ruby-rubygems-bundler-v2.2.22.txz bundler-v2.2.22

+ Source15: ruby-rubygems-bundler-v%{bundler_version}.txz

  

  # The load directive is supported since RPM 4.12, i.e. F21+. The build process

  # fails on older Fedoras.
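Review bot: the reproduction comment above Source15 hardcodes `v2.2.22` in both the output name and the tag while the Source line uses `%{bundler_version}`, and it clones over SSH (`git@github.com:rubygems/rubygems.git`), which requires a GitHub account; prefer `https://github.com/rubygems/rubygems.git` and `bundler-v%{bundler_version}` so anyone can regenerate the tarball. Also, `git archive -o ...txz` only yields xz-compressed output when a `tar.txz.command` is configured (git infers the format from the extension and otherwise falls back to a plain tar), so the comment should mention that configuration.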
@@ -153,6 +156,9 @@ 

  # Avoid possible timeout errors in TestBugReporter#test_bug_reporter_add.

  # https://bugs.ruby-lang.org/issues/16492

  Patch19: ruby-2.7.1-Timeout-the-test_bug_reporter_add-witout-raising-err.patch

+ # Update `bundler.gemspec` from RubyGems, required to pass `make test-bundler`.

+ # Compare RubyGems `bundler/bundler.gemspec` with Ruby `lib/bundler/bundler.gemspec`.

+ Patch20: rubygems-bundler-gemspec-for-make-test-bundler.patch

  

  Requires: %{name}-libs%{?_isa} = %{version}-%{release}

  Suggests: rubypick
@@ -583,12 +589,21 @@ 

  

  

  %prep

- %setup -q -n %{ruby_archive}

+ %setup -q -n %{ruby_archive} -b15

  

  # Remove bundled libraries to be sure they are not used.

  rm -rf ext/psych/yaml

  rm -rf ext/fiddle/libffi*

  

+ # Update Bundler to fix CVE-2020-36327.

+ # https://bugzilla.redhat.com/show_bug.cgi?id=1958999

+ rm -rf lib/bundler{.rb,}

+ rm -rf {spec,tool}/bundler

+ cp -a %{_builddir}/rubygems/bundler/lib/bundler{.rb,} lib/

+ cp -a %{_builddir}/rubygems/bundler/bundler.gemspec lib/bundler/

+ cp -a %{_builddir}/rubygems/bundler/spec spec/bundler

+ cp -a %{_builddir}/rubygems/bundler/tool/bundler tool/bundler

+ 

  %patch0 -p1

  %patch1 -p1

  %patch2 -p1
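Review bot: the `rm -rf lib/bundler{.rb,}` / `rm -rf {spec,tool}/bundler` / `cp -a` block runs before `%patch0` through `%patch19` are applied, so any existing patch that touches lib/bundler, spec/bundler or tool/bundler now applies against the 2.2.22 tree instead of the Bundler shipped in the Ruby tarball; please verify none of Patch0 to Patch19 touch those paths. The `cp -a %{_builddir}/rubygems/...` lines also depend on Source15 unpacking with the `rubygems/` prefix chosen when the archive was created, which deserves a one-line comment next to `-b15`.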
@@ -599,6 +614,7 @@ 

  %patch9 -p1

  %patch15 -p1

  %patch19 -p1

+ %patch20 -p1

  

  # Provide an example of usage of the tapset:

  cp -a %{SOURCE3} .
@@ -1355,6 +1371,10 @@ 

  

  

  %changelog

+ * Thu Jul 08 2021 Jun Aruga <jaruga@redhat.com> - 3.0.1-150

+ - Upgrade to Bundler 2.2.22.

+   Resolves: CVE-2020-36327

+ 

  * Mon May 17 2021 Timm B├Ąder <tbaeder@redhat.com> - 3.0.1-149

  - Pass ldflags to gem install via CONFIGURE_ARGS

  

@@ -0,0 +1,15 @@ 

+ --- a/lib/bundler/bundler.gemspec

+ +++ b/lib/bundler/bundler.gemspec

+ @@ -37,10 +37,9 @@

+    s.files = Dir.glob("lib/bundler{.rb,/**/*}", File::FNM_DOTMATCH).reject {|f| File.directory?(f) }

+  

+    # include the gemspec itself because warbler breaks w/o it

+ -  s.files += %w[bundler.gemspec]

+ +  s.files += %w[lib/bundler/bundler.gemspec]

+  

+ -  s.files += %w[CHANGELOG.md LICENSE.md README.md]

+ -  s.bindir        = "exe"

+ +  s.bindir        = "libexec"

+    s.executables   = %w[bundle bundler]

+    s.require_paths = ["lib"]

+  end
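Review bot: the removed line `s.files += %w[CHANGELOG.md LICENSE.md README.md]` drops LICENSE.md from the gem's file list, so please confirm the rubygem-bundler subpackage still ships the license (for example via `%license`) after this change; it would also help to give this patch file a short header explaining why `bindir` moves from `exe` to `libexec` and why the gemspec path becomes `lib/bundler/bundler.gemspec`, since the spec comment only says to compare the two files.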

file modified
+1
@@ -1,1 +1,2 @@ 

  SHA512 (ruby-3.0.1.tar.xz) = 97d2e883656060846b304368d9d836e2f3ef39859c36171c9398a0573818e4ed75bfd7460f901a9553f7f53518c505327a66e74f83704a881469f5ac61fe13d7

+ SHA512 (ruby-rubygems-bundler-v2.2.22.txz) = f511473f3624ab0ae594577dbf6da5725bf0ab20beda8a3955d31b730aa4f245e6c1fa706c9925b3d936050870575fd730ca2718ccb450d31210bc8439da6d6a
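Review bot: the new SHA512 for ruby-rubygems-bundler-v2.2.22.txz covers a tarball produced locally with `git archive`, so unlike the ruby-3.0.1.tar.xz line above it cannot be checked against a checksum published upstream; reviewers can only reproduce it by re-running the exact archive command, which makes documenting the git version and `tar.txz.command` used (or switching to an upstream-released artifact) worthwhile.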

Resolves: CVE-2020-36327

This PR is just to show a possibility to upgrade the rubygem-bundler sub package in rpms/ruby to fix CVE-2020-36327.
https://bugzilla.redhat.com/show_bug.cgi?id=1958999

I do not intend to merge this PR for now, because there is an opinion that we should not merge this PR for Fedora rpms/ruby. So my intent is just to show the PR content for the downstream ruby packages.

rpmlint

I could not check the result by rpmlint 1.11 due to the following issue.
https://github.com/rpm-software-management/rpmlint/issues/632

ruby.spec: E: specfile-error error: ruby.spec: line 119: failed to load macro file /tmp/rpmlint.ruby.spec.4z9neo1q/macros.ruby
ruby.spec: E: specfile-error error: query of specfile ruby.spec failed, can't parse

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

rebased onto 5d7e5b842ecb801ea1b4d200652924563db5560c

3 months ago

I rebased the Bundler from 2.2.20 to the latest version 2.2.22.
I also fixed the issue in the bundler.gemspec detected at https://src.fedoraproject.org/rpms/ruby/pull-request/90#comment-80275 by adding the rubygems-bundler-gemspec-for-make-test-bundler.patch, required to pass make test-bundler.

Here is the log for make test-bundler. Note that we need to run it in an environment where the ruby RPM is not installed for the test to pass.

<mock-chroot> sh-5.1$ make test-bundler
...
Finished in 27 minutes 13 seconds (files took 1.04 seconds to load)
2898 examples, 0 failures, 25 pending

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

rebased onto d2c1702

3 months ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

I would close this PR, as the latest Ruby 3.0 version, 3.0.2, fixes the CVE. We don't need to refer to this PR.

Pull-Request has been closed by jaruga

3 months ago