Bug 15609 - ruby-bundler new security issue CVE-2013-0334
Summary: ruby-bundler new security issue CVE-2013-0334
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: Pascal Terjan
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2015-04-01 19:12 CEST by David Walser
Modified: 2015-10-25 21:47 CET
CC List: 4 users

See Also:
Source RPM: ruby-bundler-1.3.5-10.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2015-04-01 19:12:51 CEST
OpenSuSE has issued an advisory on March 30:
http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html

The issue is fixed upstream in 1.7.

Mageia 4 and Mageia 5 are affected.
David Walser 2015-04-01 19:13:00 CEST

CC: (none) => fundawang
Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-04-30 18:01:17 CEST
ruby-bundler is required by pcs as a BuildRequires.

ruby-bundler is required by ruby-jeweler which is required by stompserver as a BuildRequires.

If we can't maintain this package, we should remove it as well as ruby-jeweler, pcs, and stompserver.

I've CC'd ennael (pcs maintainer) and solbu (stompserver maintainer) so they can help with this package if they would like to.

CC: (none) => cooker, ennael1

Comment 2 Pascal Terjan 2015-04-30 18:10:48 CEST
Things using bundler as a BuildRequires worry me...

Comment 3 Pascal Terjan 2015-04-30 18:14:40 CEST
As I was worried:

http://pkgsubmit.mageia.org/autobuild/cauldron/x86_64/core/2015-04-28/pcs-0.9.123-4.mga5.src.rpm/build.0.20150428213808.log

+ make -O -j8 get_gems
bundle package
Fetching gem metadata from https://rubygems.org/..........
Resolving dependencies...
Installing backports (3.4.0) 
Installing monkey-lib (0.5.4) 
Installing multi_json (1.8.4) 
Using rack (1.5.2) 
Installing rack-protection (1.5.2) 
Using rack-test (0.6.2) 
Installing rpam-ruby19 (1.2.1) 
Using tilt (1.4.1) 
Installing sinatra (1.4.4) 
Installing sinatra-contrib (1.4.2) 
Installing sinatra-sugar (0.5.1) 
Using bundler (1.3.5) 
Your bundle is complete!
Use `bundle show [gemname]` to see where a bundled gem is installed.
Updating files in vendor/cache
  * backports-3.4.0.gem
  * monkey-lib-0.5.4.gem
  * multi_json-1.8.4.gem
  * rack-1.5.2.gem
  * rack-protection-1.5.2.gem
  * rack-test-0.6.2.gem
  * rpam-ruby19-1.2.1.gem
  * tilt-1.4.1.gem
  * sinatra-1.4.4.gem
  * sinatra-contrib-1.4.2.gem
  * sinatra-sugar-0.5.1.gem

Comment 4 Pascal Terjan 2015-04-30 18:19:06 CEST
OK at least they don't end up in the built package.

Comment 5 David Walser 2015-04-30 18:22:42 CEST
Yes it would be very bad if this was being used to bundle things during builds.

I don't know if Anne and Johnny still want to keep pcs and stompserver, but if they don't, are ruby-bundler and ruby-jeweler needed for any reason?

Comment 6 David Walser 2015-05-06 14:33:45 CEST
Dropped from Cauldron for now.

Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 7 David Walser 2015-09-02 17:37:52 CEST
With only a couple of weeks remaining in Mageia 4's lifetime, we don't have time to fix this and test it. This package has been dropped and no longer exists in Mageia as of Mageia 5. Closing this as OLD.

Status: NEW => RESOLVED
Resolution: (none) => OLD

Comment 8 David Walser 2015-10-25 21:47:28 CET
Thomas, if you are building this for infra_5, this issue still needs to be addressed.

CC: (none) => tmb