Patches to RubyGems from upstream
to fix CVE-2015-3900:
and CVE-2015-4020:
--- ruby-2.1.6-orig/lib/rubygems/remote_fetcher.rb 2014-02-05 18:59:36.000000000 -0800
+++ ruby-2.1.6/lib/rubygems/remote_fetcher.rb 2015-07-06 14:51:51.198154766 -0700
@@ -90,7 +90,13 @@ class Gem::RemoteFetcher
rescue Resolv::ResolvError
uri
else
+ target = res.target.to_s.strip
+
+ if /\.#{Regexp.quote(host)}\z/ =~ target
+ end
+
+ uri
end
end
--- ruby-2.1.6-orig/test/rubygems/test_gem_remote_fetcher.rb 2014-02-05 18:59:36.000000000 -0800
+++ ruby-2.1.6/test/rubygems/test_gem_remote_fetcher.rb 2015-07-06 14:56:09.027603528 -0700
@@ -163,6 +163,21 @@ gems:
end
def test_api_endpoint
+ uri = URI.parse "http://example.com/foo"
+ target = MiniTest::Mock.new
+ target.expect :target, "gems.example.com"
+
+ dns = MiniTest::Mock.new
+ dns.expect :getresource, target, [String, Object]
+
+ fetch = Gem::RemoteFetcher.new nil, dns
+
+ end
+
+ def test_api_endpoint_ignores_trans_domain_values
uri = URI.parse "http://gems.example.com/foo"
target = MiniTest::Mock.new
target.expect :target, "blah.com"
@@ -171,7 +186,37 @@ gems:
dns.expect :getresource, target, [String, Object]
fetch = Gem::RemoteFetcher.new nil, dns
+
+ end
+
+ def test_api_endpoint_ignores_trans_domain_values_that_starts_with_original
+ uri = URI.parse "http://example.com/foo"
+ target = MiniTest::Mock.new
+ target.expect :target, "example.combadguy.com"
+
+ dns = MiniTest::Mock.new
+ dns.expect :getresource, target, [String, Object]
+
+ fetch = Gem::RemoteFetcher.new nil, dns
+
+ end
+
+ def test_api_endpoint_ignores_trans_domain_values_that_end_with_original
+ uri = URI.parse "http://example.com/foo"
+ target = MiniTest::Mock.new
+ target.expect :target, "badexample.com"
+
+ dns = MiniTest::Mock.new
+ dns.expect :getresource, target, [String, Object]
+
+ fetch = Gem::RemoteFetcher.new nil, dns