Bug 15609

Summary: ruby-bundler new security issue CVE-2013-0334
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Pascal Terjan <pterjan>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: cooker, ennael1, fundawang, tmb
Version: 4
Target Milestone: ---
Hardware: i586
OS: Linux
Whiteboard:
Source RPM: ruby-bundler-1.3.5-10.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2015-04-01 19:12:51 CEST
OpenSuSE has issued an advisory on March 30:
http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html

The issue is fixed upstream in 1.7.

Mageia 4 and Mageia 5 are affected.

David Walser 2015-04-01 19:13:00 CEST

CC: (none) => fundawang
Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-04-30 18:01:17 CEST
ruby-bundler is required by pcs as a BuildRequires.

ruby-bundler is required by ruby-jeweler which is required by stompserver as a BuildRequires.

If we can't maintain this package, we should remove it as well as ruby-jeweler, pcs, and stompserver.

I've CC'd ennael (pcs maintainer) and solbu (stompserver maintainer) so they can help with this package if they would like to.

CC: (none) => cooker, ennael1

Comment 2 Pascal Terjan 2015-04-30 18:10:48 CEST
Things using bundler as a BuildRequires worry me...

Comment 3 Pascal Terjan 2015-04-30 18:14:40 CEST
As I was worried:

http://pkgsubmit.mageia.org/autobuild/cauldron/x86_64/core/2015-04-28/pcs-0.9.123-4.mga5.src.rpm/build.0.20150428213808.log

+ make -O -j8 get_gems
bundle package
Fetching gem metadata from https://rubygems.org/..........
Resolving dependencies...
Installing backports (3.4.0) 
Installing monkey-lib (0.5.4) 
Installing multi_json (1.8.4) 
Using rack (1.5.2) 
Installing rack-protection (1.5.2) 
Using rack-test (0.6.2) 
Installing rpam-ruby19 (1.2.1) 
Using tilt (1.4.1) 
Installing sinatra (1.4.4) 
Installing sinatra-contrib (1.4.2) 
Installing sinatra-sugar (0.5.1) 
Using bundler (1.3.5) 
Your bundle is complete!
Use `bundle show [gemname]` to see where a bundled gem is installed.
Updating files in vendor/cache
  * backports-3.4.0.gem
  * monkey-lib-0.5.4.gem
  * multi_json-1.8.4.gem
  * rack-1.5.2.gem
  * rack-protection-1.5.2.gem
  * rack-test-0.6.2.gem
  * rpam-ruby19-1.2.1.gem
  * tilt-1.4.1.gem
  * sinatra-1.4.4.gem
  * sinatra-contrib-1.4.2.gem
  * sinatra-sugar-0.5.1.gem

Comment 4 Pascal Terjan 2015-04-30 18:19:06 CEST
OK at least they don't end up in the built package.

Comment 5 David Walser 2015-04-30 18:22:42 CEST
Yes it would be very bad if this was being used to bundle things during builds.

I don't know if Anne and Johnny still want to keep pcs and stompserver, but if they don't, are ruby-bundler and ruby-jeweler needed for any reason?

Comment 6 David Walser 2015-05-06 14:33:45 CEST
Dropped from Cauldron for now.

Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 7 David Walser 2015-09-02 17:37:52 CEST
With only a couple of weeks remaining in Mageia 4's lifetime, we don't have time to fix this and test it.  This package has been dropped and no longer exists in Mageia as of Mageia 5.  Closing this as OLD.

Status: NEW => RESOLVED
Resolution: (none) => OLD

Comment 8 David Walser 2015-10-25 21:47:28 CET
Thomas, if you are building this for infra_5, this issue still needs to be addressed.

CC: (none) => tmb