From 535e11672df869d77430c290011de015c162656b Mon Sep 17 00:00:00 2001
From: Jun Aruga
Date: Jul 09 2021 14:16:05 +0000
Subject: [PATCH 1/3] Upgrade to Bundler 2.2.22.
Resolves: CVE-2020-36327
---
diff --git a/.gitignore b/.gitignore
index 3523d77..e71875f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 /ruby-2.*.tar.bz2
 /ruby-2.*.tar.xz
 /*.rpm
+/ruby-rubygems-bundler-*.txz
diff --git a/ruby.spec b/ruby.spec
index d3e9dde..7065c6a 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -21,7 +21,7 @@
 %endif
-%global release 127
+%global release 128
 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
 # The RubyGems library has to stay out of Ruby directory tree, since the
@@ -32,11 +32,14 @@
 %global rubygems_version 3.0.3
 %global rubygems_molinillo_version 0.5.7
-%global bundler_version 1.17.2
-%global bundler_fileutils_version 1.1.0
-%global bundler_molinillo_version 0.6.6
-%global bundler_net_http_persistent_version 2.9.4
-%global bundler_thor_version 0.20.0
+%global bundler_version 2.2.22
+%global bundler_connection_pool_version 2.2.2
+%global bundler_fileutils_version 1.4.1
+%global bundler_molinillo_version 0.7.0
+%global bundler_net_http_persistent_version 4.0.0
+%global bundler_thor_version 1.1.0
+%global bundler_tmpdir_version 0.1.0
+%global bundler_uri_version 0.10.0
 %global bigdecimal_version 1.4.1
 %global did_you_mean_version 1.3.0
@@ -106,6 +109,9 @@ Source11: rubygems.con
 Source13: test_abrt.rb
 # SystemTap tests.
 Source14: test_systemtap.rb
+# git clone --no-checkout git@github.com:rubygems/rubygems.git
+# git -C rubygems archive --prefix=rubygems/ -v -o ruby-rubygems-bundler-v2.2.22.txz bundler-v2.2.22
+Source15: ruby-rubygems-bundler-v%{bundler_version}.txz
 # The load directive is supported since RPM 4.12, i.e. F21+. The build process
 # fails on older Fedoras.
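Review bot: The provenance recipe for Source15 points at a mutable ref over an authenticated remote (`git clone --no-checkout git@github.com:rubygems/rubygems.git` followed by `archive ... bundler-v2.2.22`), so the SHA512 later added to `sources` pins only what this packager produced, and a rebuilder cannot tell whether the tag still resolves to the same tree. Record the resolved commit beside the recipe, e.g. `# bundler-v2.2.22 resolved to commit <sha> at archive time (git rev-parse bundler-v2.2.22^{commit})` with the real hash filled in, and switch the recipe to the anonymous `https://github.com/rubygems/rubygems.git` URL so anyone can regenerate the archive and compare checksums. If upstream signs its tags, running `git -C rubygems verify-tag bundler-v2.2.22` before archiving is the stronger check; I cannot confirm from this diff whether the tag is signed.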
@@ -165,6 +171,9 @@ Patch22: ruby-2.6.0-config-support-include-directive.patch
 Patch41: ruby-2.8.0-Brace-the-fact-that-lchmod-can-EOPNOTSUPP.patch
 # https://github.com/ruby/ruby/commit/72c02aa4b79731c7f25c9267f74b347f1946c704
 Patch42: ruby-2.8.0-Moved-not-implemented-method-tests.patch
+# Update `bundler.gemspec` from RubyGems, required to pass `make test-bundler`.
+# Compare RubyGems `bundler/bundler.gemspec` with Ruby `lib/bundler/bundler.gemspec`.
+Patch50: rubygems-bundler-gemspec-for-make-test-bundler.patch
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Suggests: rubypick
@@ -539,12 +548,21 @@ many machines, systematically and repeatably.
 %prep
-%setup -q -n %{ruby_archive}
+%setup -q -n %{ruby_archive} -b15
 # Remove bundled libraries to be sure they are not used.
 rm -rf ext/psych/yaml
 rm -rf ext/fiddle/libffi*
+# Update Bundler to fix CVE-2020-36327.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1958999
+rm -rf lib/bundler{.rb,}
+rm -rf {spec,tool}/bundler
+cp -a %{_builddir}/rubygems/bundler/lib/bundler{.rb,} lib/
+cp -a %{_builddir}/rubygems/bundler/bundler.gemspec lib/bundler/
+cp -a %{_builddir}/rubygems/bundler/spec spec/bundler
+cp -a %{_builddir}/rubygems/bundler/tool/bundler tool/bundler
+
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
@@ -562,6 +580,7 @@ rm -rf ext/fiddle/libffi*
 %patch22 -p1
 %patch41 -p1
 %patch42 -p1
+%patch50 -p1
 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
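Review bot: The new comment `# Update Bundler to fix CVE-2020-36327.` reads as if the upgrade alone closes the issue, but as far as I recall the Bundler 2.2.18+ fix only makes gems declared inside a `source` block stick to that source; a Gemfile with several global `source` lines still just gets a warning unless `disable_multisource` is set, so the dependency-confusion path is narrowed rather than removed. Spelling that out next to the bugzilla link, e.g. `# Note: full protection still needs a single global source or bundle config disable_multisource true.`, keeps the advisory wording honest. Separately, the copied `spec/bundler` and `tool/bundler` trees appear to be consumed only by `make test-bundler` (the Patch50 comment says as much); a one-line comment above the last two `cp -a` lines saying so would tell whoever later trims the %prep step what is runtime and what is test scaffolding.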
@@ -625,13 +644,9 @@ for cert in \
 do
 rm %{buildroot}%{rubygems_dir}/rubygems/ssl_certs/$cert
 rm -r $(dirname %{buildroot}%{rubygems_dir}/rubygems/ssl_certs/$cert)
- rm %{buildroot}%{ruby_libdir}/bundler/ssl_certs/$cert
- rm -r $(dirname %{buildroot}%{ruby_libdir}/bundler/ssl_certs/$cert)
 done
 # Ensure there is not forgotten any certificate.
 test ! "$(ls -A %{buildroot}%{rubygems_dir}/rubygems/ssl_certs/ 2>/dev/null)"
-test "$(ls -A %{buildroot}%{ruby_libdir}/bundler/ssl_certs/ 2>/dev/null)" \
- = "certificate_manager.rb"
 # Move macros file into proper place and replace the %%{name} macro, since it
 # would be wrongly evaluated during build of other packages.
@@ -798,8 +813,11 @@ checksec --file=libruby.so.%{ruby_version} | \
 # Check Bundler bundled dependencies versions.
 # FileUtils.
-# TODO: There is no version in bundled FileUtils yet.
-#%%{global bundler_fileutils_version}
+[ "`make runruby TESTRUN_SCRIPT=\"-e \\\" \
+ module Bundler; end; \
+ require 'bundler/vendor/fileutils/lib/fileutils'; \
+ puts Bundler::FileUtils::VERSION\\\"\" | tail -1`" \
+ == '%{bundler_fileutils_version}' ]
 # Molinillo.
 [ "`make runruby TESTRUN_SCRIPT=\"-e \\\" \
@@ -823,6 +841,17 @@ checksec --file=libruby.so.%{ruby_version} | \
 puts Bundler::Thor::VERSION\\\"\" | tail -1`" \
 == '%{bundler_thor_version}' ]
+# tmpdir.
+# TODO: There is no version in bundled tmpdir yet.
+#%%{global bundler_tmpdir_version}
+
+# URI.
+[ "`make runruby TESTRUN_SCRIPT=\"-e \\\" \
+ module Bundler; end; \
+ require 'bundler/vendor/uri/lib/uri/version'; \
+ puts Bundler::URI::VERSION\\\"\" | tail -1`" \
+ == '%{bundler_uri_version}' ]
+
 # test_debug(TestRubyOptions) fails due to LoadError reported in debug mode,
 # when abrt.rb cannot be required (seems to be easier way then customizing
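Review bot: Deleting the two `rm ... bundler/ssl_certs` lines together with the `test "$(ls -A ... bundler/ssl_certs/ ...)" = "certificate_manager.rb"` assertion leaves nothing that verifies Bundler no longer ships a CA bundle of its own, so if a later Bundler drop reintroduces `lib/bundler/ssl_certs` it would be packaged silently and bypass the system trust store this loop exists to enforce. Keep a guard in place of the removed assertion, `test ! -e %{buildroot}%{ruby_libdir}/bundler/ssl_certs`, directly after the surviving `test ! "$(ls -A %{buildroot}%{rubygems_dir}/rubygems/ssl_certs/ 2>/dev/null)"` line. The `for cert in` loop this hunk edits begins outside the hunk.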
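Review bot: `%global bundler_connection_pool_version 2.2.2` is introduced in the first hunk of this patch but, unlike FileUtils, Molinillo, Thor and the URI check added here, nothing in the visible %check hunks compares it with the vendored copy, so drift between the macro and `bundler/vendor/connection_pool` would pass unnoticed. If the vendored copy exposes a version constant (upstream's vendored file defines `Bundler::ConnectionPool::VERSION` as far as I recall), add the same `make runruby` block with `require 'bundler/vendor/connection_pool/lib/connection_pool/version'; puts Bundler::ConnectionPool::VERSION` compared against `'%{bundler_connection_pool_version}'`; otherwise give it the same `# TODO` marker used for tmpdir so the gap stays visible. A check may already exist outside these hunks; if so, ignore this.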
@@ -1214,6 +1243,10 @@ MSPECOPTS="$MSPECOPTS -P 'File.lchmod raises a NotImplementedError when called'"
 %{_mandir}/man5/gemfile.5*
 %changelog
+* Thu Jul 08 2021 Jun Aruga - 2.6.6-128
+- Upgrade to Bundler 2.2.22.
+ Resolves: CVE-2020-36327
+
 * Wed Jul 07 2021 Jun Aruga - 2.6.6-127
 - Fix FTBFS due to incompatible load directive.
 - Properly support DWARF5 debug information.
diff --git a/rubygems-bundler-gemspec-for-make-test-bundler.patch b/rubygems-bundler-gemspec-for-make-test-bundler.patch
new file mode 100644
index 0000000..ca39d66
--- /dev/null
+++ b/rubygems-bundler-gemspec-for-make-test-bundler.patch
@@ -0,0 +1,15 @@
+--- a/lib/bundler/bundler.gemspec
++++ b/lib/bundler/bundler.gemspec
+@@ -37,10 +37,9 @@
+ s.files = Dir.glob("lib/bundler{.rb,/**/*}", File::FNM_DOTMATCH).reject {|f| File.directory?(f) }
+
+ # include the gemspec itself because warbler breaks w/o it
+- s.files += %w[bundler.gemspec]
++ s.files += %w[lib/bundler/bundler.gemspec]
+
+- s.files += %w[CHANGELOG.md LICENSE.md README.md]
+- s.bindir = "exe"
++ s.bindir = "libexec"
+ s.executables = %w[bundle bundler]
+ s.require_paths = ["lib"]
+ end
diff --git a/sources b/sources
index e2d3668..2470e5e 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
 SHA512 (ruby-2.6.6.tar.xz) = 86caf93dbf61d03781767ab5375a7edf4761f13ba08ccfefe16c0a7550499237e7390c2f72a95d42670d4fe76b2401b4218936187c62ec1572799e9e04c50d62
+SHA512 (ruby-rubygems-bundler-v2.2.22.txz) = f511473f3624ab0ae594577dbf6da5725bf0ab20beda8a3955d31b730aa4f245e6c1fa706c9925b3d936050870575fd730ca2718ccb450d31210bc8439da6d6a
From 1688de6cb373b7aa0c1a3b3a3ca021ae7413b4eb Mon Sep 17 00:00:00 2001
From: Jun Aruga
Date: Jul 09 2021 16:33:44 +0000
Subject: [PATCH 2/3] Fix the following test.
``` 1) Failure: TestGem#test_use_gemdeps_missing_gem [/builddir/build/BUILD/ruby-2.6.6/test/rubygems/test_gem.rb:1845]: In stderr. --- expected +++ actual
@@ -1,4 +1,6 @@ -"Could not find gem 'a' in any of the gem sources listed in your Gemfile. +"Could not find gem 'a' in locally installed gems. +" + +"The source does not contain any versions of 'a' " + "You may need to `gem install -g` to install missing gems " + ``` Related: CVE-2020-36327
---
diff --git a/ruby.spec b/ruby.spec
index 7065c6a..fcea904 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -174,6 +174,9 @@ Patch42: ruby-2.8.0-Moved-not-implemented-method-tests.patch
 # Update `bundler.gemspec` from RubyGems, required to pass `make test-bundler`.
 # Compare RubyGems `bundler/bundler.gemspec` with Ruby `lib/bundler/bundler.gemspec`.
 Patch50: rubygems-bundler-gemspec-for-make-test-bundler.patch
+# A missing gem error message is changed on RubyGems 3.2.13.
+# https://github.com/ruby/ruby/commit/7efc7afcae6720e1af7ab49986d789b6f9d6fe0a
+Patch51: rubygems-3.2.13-test-gem-message.patch
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Suggests: rubypick
@@ -581,6 +584,7 @@ cp -a %{_builddir}/rubygems/bundler/tool/bundler tool/bundler
 %patch41 -p1
 %patch42 -p1
 %patch50 -p1
+%patch51 -p1
 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
diff --git a/rubygems-3.2.13-test-gem-message.patch b/rubygems-3.2.13-test-gem-message.patch
new file mode 100644
index 0000000..7034093
--- /dev/null
+++ b/rubygems-3.2.13-test-gem-message.patch
@@ -0,0 +1,21 @@
+--- a/test/rubygems/test_gem.rb
++++ b/test/rubygems/test_gem.rb
+@@ -1821,16 +1821,11 @@
+ io.write 'gem "a"'
+ end
+
+- platform = Bundler::GemHelpers.generic_local_platform
+- if platform == Gem::Platform::RUBY
+- platform = ''
+- else
+- platform = " #{platform}"
+- end
+ expected =
+ if Gem::USE_BUNDLER_FOR_GEMDEPS
+ <<-EXPECTED
+-Could not find gem 'a#{platform}' in any of the gem sources listed in your Gemfile.
++Could not find gem 'a' in locally installed gems.
++The source does not contain any versions of 'a'
+ You may need to `gem install -g` to install missing gems
+
+ EXPECTED
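Review bot: The comment `# A missing gem error message is changed on RubyGems 3.2.13.` credits a RubyGems release this package does not ship — `%global rubygems_version 3.0.3` is left unchanged in the first patch of this series — while the new expected text, `Could not find gem 'a' in locally installed gems.`, is Bundler's own wording that arrives with the Bundler 2.2.22 drop. Reword it to `# The missing gem error message changed with Bundler 2.2.x; the upstream test fix landed in ruby/ruby with the RubyGems 3.2.13 sync.` so nobody infers a RubyGems upgrade from the patch name. It is also worth stating in the comment that the patch hardcodes Bundler's message and will need revisiting on the next Bundler bump.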
From aea3ec28c90277a69921f1d80469ff60c22a29e5 Mon Sep 17 00:00:00 2001 
From: Jun Aruga Date: Jul 13 2021 15:52:39 +0000 Subject: [PATCH 3/3] Fix errors in `make test-bundler`. Fix the following errors in `make test-bundler`. The ruby-2.7.0-test-bundler-add-rake.patch fixes the following error. ``` sh-5.1$ make test-bundler ... LoadError: cannot load such file -- rake # ./spec/bundler/bundler/gem_helper_spec.rb:3:in `' ... ``` The ruby-2.7.0-test-bundler-add-env-gem-command.patch fixes the following errors. ``` An error occurred in a `before(:suite)` hook. Failure/Error: @shipped_files ||= loaded_gemspec.files NoMethodError: undefined method `files' for nil:NilClass # ./spec/bundler/support/path.rb:83:in `shipped_files' # ./spec/bundler/support/helpers.rb:326:in `with_built_bundler' # ./spec/bundler/support/helpers.rb:298:in `block (2 levels) in system_gems' # ./spec/bundler/support/helpers.rb:294:in `each' # ./spec/bundler/support/helpers.rb:294:in `block in system_gems' # ./spec/bundler/support/helpers.rb:350:in `block in with_gem_path_as' # ./spec/bundler/support/helpers.rb:364:in `without_env_side_effects' # ./spec/bundler/support/helpers.rb:346:in `with_gem_path_as' # ./spec/bundler/support/helpers.rb:292:in `system_gems' # ./spec/bundler/spec_helper.rb:83:in `block (2 levels) in ' ``` ``` An error occurred in an `after(:suite)` hook. Failure/Error: File.unlink path Errno::ENOENT: No such file or directory @ apply2files - /builddir/build/BUILD/ruby-2.6.6/spec/tmp/1/gems/base_system # ./lib/fileutils.rb:1438:in `unlink' # ./lib/fileutils.rb:1438:in `block in remove_file' # ./lib/fileutils.rb:1443:in `platform_support' # ./lib/fileutils.rb:1437:in `remove_file' # ./lib/fileutils.rb:1426:in `remove' # ./lib/fileutils.rb:760:in `block in remove_entry' # ./lib/fileutils.rb:1481:in `postorder_traverse' # ./lib/fileutils.rb:758:in `remove_entry' # ./lib/fileutils.rb:610:in `block in rm_r' # ./lib/fileutils.rb:606:in `each' # ./lib/fileutils.rb:606:in `rm_r' # ./spec/bundler/spec_helper.rb:115:in `block (2 levels) in ' ``` --- 
diff --git a/ruby-2.7.0-test-bundler-add-env-gem-command.patch b/ruby-2.7.0-test-bundler-add-env-gem-command.patch
new file mode 100644
index 0000000..0976c94
--- /dev/null
+++ b/ruby-2.7.0-test-bundler-add-env-gem-command.patch
@@ -0,0 +1,116 @@
+From 5a384e2c08704dc7af9d8d3bdfc475eb8c0723aa Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?David=20Rodr=C3=ADguez?=
+Date: Tue, 20 Aug 2019 02:46:31 +0200
+Subject: [PATCH] Fix some bundler specs (#2380)
+
+* These seem to consistenly pass already
+
+* Show actual command when running `make test-bundler`
+
+Current the setup command that installs the necessary gems for testing
+bundler was printed, but not the actual command that runs the tests.
+That was a bit confusing.
+
+* Borrow trick from setproctitle specs
+
+* A title that long doesn't get set sometimes
+
+No idea why, but the test doesn't need that the title is that long.
+
+* Fix most gem helper spec ruby-core failures
+
+* Fix the rest of the gem helper failures
+
+* Fix version spec by improving the assertion
+
+* Remove unnecessary `BUNDLE_RUBY` environment var
+
+We can use `RUBY` when necessary, and `BUNDLE_RUBY` is not a good name
+because bundler considers `BUNDLE_*` variables as settings.
+
+* Rename `BUNDLE_GEM` to `GEM_COMMAND`
+
+This is more descriptive I think, and also friendlier for bundler
+because `BUNDLE_` env variables are interpreted by bundler as settings,
+and this is not a bundler setting.
+
+This fixes one bundler spec failure in config specs against ruby-core.
+
+* Fix quality spec when run in core
+
+Use the proper path helper.
+
+* Fix dummy lib builder to never load default gems
+
+If a dummy library is named as a default gem, when requiring the library
+from its executable, the default gem would be loaded when running from
+core, because in core all default gems share path with bundler, and thus
+they are always in the $LOAD_PATH. We fix the issue by loading lib
+relatively inside dummy lib executables.
+
+* More exact assertions
+
+Sometimes I have the problem that I do some "print debugging" inside
+specs, and suddently the spec passes. This happens when the assertion is
+too relaxed, and the things I print make it match, specially when they
+are simple strings like "1.0" than can be easily be part of gem paths
+that I print for debugging.
+
+I fix this by making a more exact assertion.
+
+* Detect the correct shebang when ENV["RUBY"] is set
+
+* Relax assertion
+
+So that the spec passes even if another paths containing "ext" are in
+the load path. This works to fix a ruby-core issue, but it's a better
+assertion in general. We just want to know that the extension path was
+added.
+
+* Use folder structure independent path helper
+
+It should fix this spec for ruby-core.
+
+* Fix the last failing spec on ruby-core
+
+* Skip `bundle open ` spec when no default gems
+---
+ common.mk | 1 -
+ lib/bundler/bundler.gemspec | 9 +++------
+ lib/bundler/gem_helper.rb | 12 ++++++------
+ lib/bundler/shared_helpers.rb | 2 +-
+ spec/bundler/bundler/cli_spec.rb | 2 +-
+ spec/bundler/bundler/env_spec.rb | 4 ++--
+ spec/bundler/bundler/gem_helper_spec.rb | 2 +-
+ spec/bundler/bundler/mirror_spec.rb | 2 +-
+ spec/bundler/commands/config_spec.rb | 2 +-
+ spec/bundler/commands/exec_spec.rb | 18 +++++++++---------
+ spec/bundler/commands/info_spec.rb | 2 +-
+ spec/bundler/commands/newgem_spec.rb | 2 +-
+ spec/bundler/commands/open_spec.rb | 12 +++++++++++-
+ spec/bundler/commands/show_spec.rb | 2 +-
+ spec/bundler/install/gemfile/git_spec.rb | 10 +++++-----
+ spec/bundler/install/gems/resolving_spec.rb | 6 +++---
+ spec/bundler/quality_es_spec.rb | 4 ++--
+ spec/bundler/quality_spec.rb | 5 ++---
+ spec/bundler/runtime/setup_spec.rb | 4 ++--
+ .../bundler/runtime/with_unbundled_env_spec.rb | 2 +-
+ spec/bundler/spec_helper.rb | 12 ++++++------
+ spec/bundler/support/builders.rb | 2 +-
+ spec/bundler/support/hax.rb | 8 ++++++++
+ spec/bundler/support/path.rb | 10 +++++++---
+ tool/runruby.rb | 3 +--
+ 25 files changed, 77 insertions(+), 61 deletions(-)
+
+diff --git a/tool/runruby.rb b/tool/runruby.rb
+index d9fc1ac09db7..4715ff4d5cdf 100755
+--- a/tool/runruby.rb
++++ b/tool/runruby.rb
+@@ -107,6 +107,7 @@
+ env["GEM_PATH"] = env["GEM_HOME"] = File.expand_path(".bundle", srcdir)
+ env["BUNDLE_RUBY"] = abs_ruby
+ env["BUNDLE_GEM"] = "#{abs_ruby} -rrubygems #{srcdir}/bin/gem --backtrace"
++env["GEM_COMMAND"] = "#{abs_ruby} -rrubygems #{srcdir}/bin/gem --backtrace"
+ env["PATH"] = [File.dirname(abs_ruby), abs_archdir, ENV["PATH"]].compact.join(File::PATH_SEPARATOR)
+
+ if e = ENV["RUBYLIB"]
diff --git a/ruby-2.7.0-test-bundler-add-rake.patch b/ruby-2.7.0-test-bundler-add-rake.patch
new file mode 100644
index 0000000..663caf3
--- /dev/null
+++ b/ruby-2.7.0-test-bundler-add-rake.patch
@@ -0,0 +1,22 @@
+From 614154bbb6adeb06cce755be7b8540e1594703c5 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA
+Date: Sun, 9 Jun 2019 10:49:51 +0900
+Subject: [PATCH] Added missing dependency for rake examples.
+
+---
+ common.mk | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/common.mk b/common.mk
+index de36ccfdb221..d6e4d6acd7c5 100755
+--- a/common.mk
++++ b/common.mk
+@@ -1275,7 +1275,7 @@ test-bundler-precheck: $(arch)-fake.rb programs
+
+ yes-test-bundler-prepare: test-bundler-precheck
+ $(XRUBY) -C "$(srcdir)" bin/gem install --no-document \
+- --install-dir .bundle --conservative "rspec:~> 3.5"
++ --install-dir .bundle --conservative "rspec:~> 3.5" "rake:~> 12.0"
+
+ RSPECOPTS = --format progress
+ BUNDLER_SPECS =
diff --git a/ruby.spec b/ruby.spec
index fcea904..7985100 100644
--- a/ruby.spec
+++ b/ruby.spec
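Review bot: The backported patch keeps upstream's full header and 25-file diffstat (`+ 25 files changed, 77 insertions(+), 61 deletions(-)`) but contains only the `tool/runruby.rb` hunk, so anyone reading or applying it will assume the other 24 files changed too; trim the diffstat to the one file or add a line under the Subject such as `Partial backport: only the tool/runruby.rb hunk of 5a384e2c is applied.`. The same upstream commit, per its own description reproduced here, dropped `BUNDLE_RUBY` and renamed `BUNDLE_GEM` because Bundler treats `BUNDLE_*` environment variables as settings, yet this hunk adds `GEM_COMMAND` while leaving `env["BUNDLE_RUBY"] = abs_ruby` and `env["BUNDLE_GEM"] = ...` in place, so both keep leaking into Bundler's configuration during the tests. Removing those two lines directly above the added one would match upstream; I have not checked whether anything else in this tree still reads them.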
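Review bot: The extended `bin/gem install` line in `yes-test-bundler-prepare` fetches rspec and rake at test time with floating `~>` constraints and no source or checksum pin, so what actually runs under `make test-bundler` depends on what the build host can reach at that moment. If this package's %check invokes that target (not visible in the diff), a network-isolated RPM build either fails here or passes only because the gems already sit on the system GEM_PATH; in that case make the inputs explicit with `BuildRequires: rubygem(rspec)` and `BuildRequires: rubygem(rake)` so the distro-built gems are used instead of a live fetch. Treat this as a question to confirm against the %check section.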
@@ -177,6 +177,12 @@ Patch50: rubygems-bundler-gemspec-for-make-test-bundler.patch
 # A missing gem error message is changed on RubyGems 3.2.13.
 # https://github.com/ruby/ruby/commit/7efc7afcae6720e1af7ab49986d789b6f9d6fe0a
 Patch51: rubygems-3.2.13-test-gem-message.patch
+# Add rake dependnecy to run `make test-bundler`.
+# https://github.com/ruby/ruby/commit/614154bbb6adeb06cce755be7b8540e1594703c5
+Patch52: ruby-2.7.0-test-bundler-add-rake.patch
+# Make spec/bundler/support/path.rb#ruby_core? return true.
+# https://github.com/ruby/ruby/commit/5a384e2c08704dc7af9d8d3bdfc475eb8c0723aa
+Patch53: ruby-2.7.0-test-bundler-add-env-gem-command.patch
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Suggests: rubypick
@@ -585,6 +591,8 @@ cp -a %{_builddir}/rubygems/bundler/tool/bundler tool/bundler
 %patch42 -p1
 %patch50 -p1
 %patch51 -p1
+%patch52 -p1
+%patch53 -p1
 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
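Review bot: Typo in the new Patch52 comment: "# Add rake dependnecy to run `make test-bundler`." should read "# Add rake dependency to run `make test-bundler`.". The Patch53 comment states the effect (`ruby_core?` returning true) but not the mechanism; since that patch only exports `GEM_COMMAND` from `tool/runruby.rb`, rewording it to `# Export GEM_COMMAND from tool/runruby.rb so spec/bundler/support/path.rb#ruby_core? returns true.` ties the comment to what the patch actually changes. I am inferring from the patch content that `ruby_core?` keys off `GEM_COMMAND`; confirm against the copied spec helper before wording it that way.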