Automatic import for version 1.3.7-4.el6_4

2025-02-24 18:42:54 +00:00 · 2013-10-17 22:34:53 +04:00 · 2013-10-17 22:34:53 +04:00 · 01229cd8da
commit 01229cd8da
parent 8e2af70224
4 changed files with 672 additions and 4 deletions
--- a/rubygems-1.8.23.1-CVE-2013-4287-algorithmic-complexity-vulnerability.patch
+++ b/rubygems-1.8.23.1-CVE-2013-4287-algorithmic-complexity-vulnerability.patch
@ -0,0 +1,25 @@
+From 7bcb461a362431c9706a0175c0be0d91e927f067 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
+Date: Mon, 2 Sep 2013 10:13:47 +0200
+Subject: [PATCH] Fix algorithmic complexity vulnerability.
+
+---
+ lib/rubygems/version.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/rubygems/version.rb b/lib/rubygems/version.rb
+index 50d8204..7660a20 100644
+--- a/lib/rubygems/version.rb
+++ b/lib/rubygems/version.rb
+@@ -140,7 +140,7 @@
+ class Gem::Version
+   include Comparable
+ 
+-  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*' # :nodoc:
+  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:
+   ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
+ 
+   ##
+-- 
+1.8.3.1
+
--- a/rubygems-1.8.23.1-CVE-2013-4363-remove-regexp-backtracing.patch
+++ b/rubygems-1.8.23.1-CVE-2013-4363-remove-regexp-backtracing.patch
@ -0,0 +1,145 @@
+From 56d1f8c17bc81f0eb354d5099021c498a0be9b51 Mon Sep 17 00:00:00 2001
+From: Eric Hodel <drbrain@segment7.net>
+Date: Tue, 24 Sep 2013 16:31:22 -0700
+Subject: [PATCH] Fix CVE-2013-4363, remove regexp backtracking
+
+The Gem::Version regexp used backtracking to validate gem versions, but
+in a different way than CVE-2013-4287. This could cause excessive CPU
+usage when creating Gem::Version objects including when packaging gems.
+See CVE-2013-4363.txt (in this commit) for details.
+
+See #626
+---
+ CVE-2013-4363.txt                     | 45 +++++++++++++++++++++++++++++++++++
+ lib/rubygems/version.rb               |  2 +-
+ test/rubygems/test_gem_requirement.rb | 20 +++++++++-------
+ test/rubygems/test_gem_version.rb     | 12 +++++++---
+ 4 files changed, 66 insertions(+), 13 deletions(-)
+ create mode 100644 CVE-2013-4363.txt
+
+diff --git a/CVE-2013-4363.txt b/CVE-2013-4363.txt
+new file mode 100644
+index 0000000..4500d58
+--- /dev/null
+++ b/CVE-2013-4363.txt
+@@ -0,0 +1,45 @@
+= Algorithmic complexity vulnerability in RubyGems 2.1.4 and older
+
+The patch for CVE-2013-4287 was insufficiently verified so the combined
+regular expression for verifying gem version remains vulnerable following
+CVE-2013-4287.
+
+RubyGems validates versions with a regular expression that is vulnerable to
+denial of service due to backtracking.  For specially crafted RubyGems
+versions attackers can cause denial of service through CPU consumption.
+
+RubyGems versions 2.1.4 and older are vulnerable.
+
+Ruby versions 1.9.0 through 2.0.0p247 are vulnerable as they contain embedded
+versions of RubyGems.
+
+It does not appear to be possible to exploit this vulnerability by installing a
+gem for RubyGems 1.8.x or newer.  Vulnerable uses of RubyGems API include
+packaging a gem (through `gem build`, Gem::Package or Gem::PackageTask),
+sending user input to Gem::Version.new, Gem::Version.correct? or use of the
+Gem::Version::VERSION_PATTERN or Gem::Version::ANCHORED_VERSION_PATTERN
+constants.
+
+Notably, users of bundler that install gems from git are vulnerable if a
+malicious author changes the gemspec to an invalid version.
+
+The vulnerability can be fixed by changing the "*" repetition to a "?"
+repetition in Gem::Version::ANCHORED_VERSION_PATTERN in
+lib/rubygems/version.rb.  For RubyGems 2.1.x:
+
+  -  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
+  +  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
+
+For RubyGems 2.0.x:
+
+  -  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
+  +  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
+
+For RubyGems 1.8.x:
+
+  -  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
+  +  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
+
+
+This vulnerability was discovered by Alexander Cherepanov <cherepan@mccme.ru>
+
+diff --git a/lib/rubygems/version.rb b/lib/rubygems/version.rb
+index 2fd0ab4..86821a9 100644
+--- a/lib/rubygems/version.rb
+++ b/lib/rubygems/version.rb
+@@ -141,7 +141,7 @@ class Gem::Version
+   include Comparable
+ 
+   VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:
+-  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
+  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
+ 
+   ##
+   # A string representation of this Version.
+diff --git a/test/test_gem_requirement.rb b/test/rubygems/test_gem_requirement.rb
+index 0bc6ad7..d79cc8e 100644
+--- a/test/test_gem_requirement.rb
+++ b/test/test_gem_requirement.rb
+@@ -37,17 +37,19 @@ def test_parse
+   end
+ 
+   def test_parse_bad
+-    e = assert_raises ArgumentError do
+-      Gem::Requirement.parse nil
+-    end
+-
+-    assert_equal 'Illformed requirement [nil]', e.message
+    [
+      nil,
+      '',
+      '! 1',
+      '= junk',
+      '1..2',
+    ].each do |bad|
+      e = assert_raises ArgumentError do
+        Gem::Requirement.parse bad
+      end
+ 
+-    e = assert_raises ArgumentError do
+-      Gem::Requirement.parse ""
+      assert_equal "Illformed requirement [#{bad.inspect}]", e.message
+     end
+-
+-    assert_equal 'Illformed requirement [""]', e.message
+   end
+ 
+   def test_prerelease_eh
+diff --git a/test/test_gem_version.rb b/test/rubygems/test_gem_version.rb
+index f578063..e543ef8 100644
+--- a/test/test_gem_version.rb
+++ b/test/test_gem_version.rb
+@@ -58,12 +58,18 @@ def test_initialize
+   end
+ 
+   def test_initialize_bad
+-    ["junk", "1.0\n2.0"].each do |bad|
+-      e = assert_raises ArgumentError do
+    %W[
+      junk
+      1.0\n2.0
+      1..2
+      1.2\ 3.4
+      1-2-3
+    ].each do |bad|
+      e = assert_raises ArgumentError, bad do
+         Gem::Version.new bad
+       end
+ 
+-      assert_equal "Malformed version number string #{bad}", e.message
+      assert_equal "Malformed version number string #{bad}", e.message, bad
+     end
+   end
+ 
+-- 
+1.8.4
+
--- a/rubygems-1.8.24-CVE-2012-2125-CVE-2012-2126-Insecure-connection-to-SSL-repository.patch
+++ b/rubygems-1.8.24-CVE-2012-2125-CVE-2012-2126-Insecure-connection-to-SSL-repository.patch
@ -0,0 +1,468 @@
+From c22a3b705ead93f4cb8282e6dcb2f8f330d74edd Mon Sep 17 00:00:00 2001
+From: Hiroshi Nakamura <nahi@ruby-lang.org>
+Date: Tue, 13 Mar 2012 17:16:16 +0900
+Subject: [PATCH] Insecure connection to SSL repository
+
+Fixes 2 SSL usage problems of RemoteFetcher.
+- No verification
+- Follows HTTPS -> HTTP redirection
+
+For the first problem, RemoteFetcher must use OpenSSL::SSL::VERIFY_PEER
+instead of VERIFY_NONE.  And to enable SSL verification of
+RemoteFetcher, we need to make trusted CA configurable.  This commit
+adds :ssl_verify_mode and :ssl_ca_cert to Gem::ConfigFile (normally
+.gemrc).  Both configurations are treated as same options in open-uri.
+
+When :ssl_ca_cert is set, only the given path is treated as the trusted
+CA certificate(s).  If it's not set, OpenSSL's default store (sometimes
+configured as /etc/ssl/certs by system) *AND*
+lib/rubygems/ssl_certs/*.pem are trusted.  lib/rubygems/ssl_certs/*.pem
+are shipped to make sure all RubyGems clients can successfully access to
+https://rubygems.org/.
+
+At this moment, RubyGems.org uses 3 SSL servers (https://rubygems.org/,
+https://s3.amazon.com/, and https://d2chzxaqi4y7f8.cloudfront.net/) and
+each SSL certificate needs different root CA certificate.  So
+lib/rubygems/ssl_certs/ directory has 3 CA certificates in it.
+
+For the second problem, this patch let RemoteFetcher raises
+RemoteFetcher::FetchError if a server returns HTTPS -> HTTP redirection.
+Other type of redirection, HTTP -> HTTP, HTTPS -> HTTPS and HTTP ->
+HTTPS are allowed as before like open-uri.rb
+
+The second issue is rather harmless because RemoteFetcher does not send
+Cookie nor Referer to the server (Those resources for HTTPS site must
+not be sent to HTTP site.)  However, by following HTTPS -> HTTP
+redirection, an attacker can inject malicious gem contents into the
+user's environment who expected secure content download from HTTPS site
+by using HTTPS repository.
+
+Conflicts:
+
+	lib/rubygems/config_file.rb
+	lib/rubygems/remote_fetcher.rb
+	test/test_gem_config_file.rb
+---
+ Rakefile                                           |    4 +-
+ lib/rubygems/config_file.rb                        |   12 +
+ lib/rubygems/remote_fetcher.rb                     |   41 +-
+ test/rubygems/ca_cert.pem                          |   45 +
+ test/rubygems/ssl_cert.pem                         |   19 +
+ test/rubygems/ssl_key.pem                          |   15 +
+ test/test_gem_config_file.rb                       |   20 +
+ test/test_gem_remote_fetcher.rb                    |  101 +
+ 8 files changed, 252 insertions(+), 5 deletions(-)
+ create mode 100644 test/rubygems/ca_cert.pem
+ create mode 100644 test/rubygems/ssl_cert.pem
+ create mode 100644 test/rubygems/ssl_key.pem
+
+diff --git a/Rakefile b/Rakefile
+index 51a7e4e..f27de0f 100644
+--- a/Rakefile
+++ b/Rakefile
+@@ -5,6 +5,8 @@ $:.unshift 'lib'
+ require 'rubygems'
+ require 'rubygems/package_task'
+ 
+require 'rubygems/user_interaction'
+
+ require 'hoe'
+ 
+ Hoe.plugin :minitest
+@@ -68,7 +70,7 @@ task :prerelease => [:clobber, :sanity_check, :test, :test_functional]
+ 
+ task :postrelease => [:tag, :publish_docs]
+ 
+-Rake::Task[:release_to_rubyforge].clear_actions
+# Rake::Task[:release_to_rubyforge].clear_actions
+ 
+ task :release_to_rubyforge do
+   files = Dir["pkg/rubygems-update*.gem"]
+diff --git a/lib/rubygems/config_file.rb b/lib/rubygems/config_file.rb
+index 7eb755a..de64b1e 100644
+--- a/lib/rubygems/config_file.rb
+++ b/lib/rubygems/config_file.rb
+@@ -118,6 +118,16 @@ class Gem::ConfigFile
+   attr_reader :rubygems_api_key
+ 
+   ##
+  # openssl verify mode value, used for remote https connection
+
+  attr_reader :ssl_verify_mode
+
+  ##
+  # Path name of directory or file of openssl CA certificate, used for remote https connection
+
+  attr_reader :ssl_ca_cert
+
+  ##
+   # Create the config file object.  +args+ is the list of arguments
+   # from the command line.
+   #
+@@ -179,6 +189,8 @@ def initialize(arg_list)
+     @path             = @hash[:gempath]          if @hash.key? :gempath
+     @update_sources   = @hash[:update_sources]   if @hash.key? :update_sources
+     @verbose          = @hash[:verbose]          if @hash.key? :verbose
+    @ssl_verify_mode  = @hash[:ssl_verify_mode]  if @hash.key? :ssl_verify_mode
+    @ssl_ca_cert      = @hash[:ssl_ca_cert]      if @hash.key? :ssl_ca_cert
+ 
+     load_rubygems_api_key
+ 
+diff --git a/lib/rubygems/remote_fetcher.rb b/lib/rubygems/remote_fetcher.rb
+index 07cd55b..8cd1f96 100644
+--- a/lib/rubygems/remote_fetcher.rb
+++ b/lib/rubygems/remote_fetcher.rb
+@@ -246,18 +246,42 @@ def connection_for(uri)
+     connection = @connections[connection_id]
+ 
+     if uri.scheme == 'https' and not connection.started? then
+-      require 'net/https'
+-      connection.use_ssl = true
+-      connection.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      configure_connection_for_https(connection)
+     end
+ 
+     connection.start unless connection.started?
+ 
+     connection
+-  rescue Errno::EHOSTDOWN => e
+  rescue OpenSSL::SSL::SSLError, Errno::EHOSTDOWN => e
+     raise FetchError.new(e.message, uri)
+   end
+ 
+  def configure_connection_for_https(connection)
+    require 'net/https'
+    connection.use_ssl = true
+    connection.verify_mode =
+      Gem.configuration.ssl_verify_mode || OpenSSL::SSL::VERIFY_PEER
+    store = OpenSSL::X509::Store.new
+    if Gem.configuration.ssl_ca_cert
+      if File.directory? Gem.configuration.ssl_ca_cert
+        store.add_path Gem.configuration.ssl_ca_cert
+      else
+        store.add_file Gem.configuration.ssl_ca_cert
+      end
+    else
+      store.set_default_paths
+      add_rubygems_trusted_certs(store)
+    end
+    connection.cert_store = store
+  end
+
+  def add_rubygems_trusted_certs(store)
+    pattern = File.expand_path("./ssl_certs/*.pem", File.dirname(__FILE__))
+    Dir.glob(pattern).each do |ssl_cert_file|
+      store.add_file ssl_cert_file
+    end
+  end
+
+   ##
+   # Read the data from the (source based) URI, but if it is a file:// URI,
+   # read from the filesystem instead.
+@@ -295,6 +319,12 @@ def open_uri_or_path(uri, last_modified = nil, head = false, depth = 0)
+          Net::HTTPTemporaryRedirect then
+       raise FetchError.new('too many redirects', uri) if depth > 10
+ 
+      location = URI.parse response['Location']
+
+      if https?(uri) && !https?(location)
+        raise FetchError.new("redirecting to non-https resource: #{location}", uri)
+      end
+
+       open_uri_or_path(response['Location'], last_modified, head, depth + 1)
+     else
+       raise FetchError.new("bad response #{response.message} #{response.code}", uri)
+@@ -383,5 +413,8 @@ def reset(connection)
+     connection.start
+   end
+ 
+  def https?(uri)
+    uri.scheme.downcase == 'https'
+  end
+ end
+ 
+diff --git a/test/rubygems/ca_cert.pem b/test/rubygems/ca_cert.pem
+new file mode 100644
+index 0000000..5acdcf8
+--- /dev/null
+++ b/test/rubygems/ca_cert.pem
+@@ -0,0 +1,45 @@
+-----BEGIN CERTIFICATE-----
+MIID0DCCArigAwIBAgIBADANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGDAJKUDES
+MBAGA1UECgwJSklOLkdSLkpQMQwwCgYDVQQLDANSUlIxCzAJBgNVBAMMAkNBMB4X
+DTA0MDEzMDAwNDIzMloXDTM2MDEyMjAwNDIzMlowPDELMAkGA1UEBgwCSlAxEjAQ
+BgNVBAoMCUpJTi5HUi5KUDEMMAoGA1UECwwDUlJSMQswCQYDVQQDDAJDQTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANbv0x42BTKFEQOE+KJ2XmiSdZpR
+wjzQLAkPLRnLB98tlzs4xo+y4RyY/rd5TT9UzBJTIhP8CJi5GbS1oXEerQXB3P0d
+L5oSSMwGGyuIzgZe5+vZ1kgzQxMEKMMKlzA73rbMd4Jx3u5+jdbP0EDrPYfXSvLY
+bS04n2aX7zrN3x5KdDrNBfwBio2/qeaaj4+9OxnwRvYP3WOvqdW0h329eMfHw0pi
+JI0drIVdsEqClUV4pebT/F+CPUPkEh/weySgo9wANockkYu5ujw2GbLFcO5LXxxm
+dEfcVr3r6t6zOA4bJwL0W/e6LBcrwiG/qPDFErhwtgTLYf6Er67SzLyA66UCAwEA
+AaOB3DCB2TAPBgNVHRMBAf8EBTADAQH/MDEGCWCGSAGG+EIBDQQkFiJSdWJ5L09w
+ZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRJ7Xd380KzBV7f
+USKIQ+O/vKbhDzAOBgNVHQ8BAf8EBAMCAQYwZAYDVR0jBF0wW4AUSe13d/NCswVe
+31EiiEPjv7ym4Q+hQKQ+MDwxCzAJBgNVBAYMAkpQMRIwEAYDVQQKDAlKSU4uR1Iu
+SlAxDDAKBgNVBAsMA1JSUjELMAkGA1UEAwwCQ0GCAQAwDQYJKoZIhvcNAQEFBQAD
+ggEBAIu/mfiez5XN5tn2jScgShPgHEFJBR0BTJBZF6xCk0jyqNx/g9HMj2ELCuK+
+r/Y7KFW5c5M3AQ+xWW0ZSc4kvzyTcV7yTVIwj2jZ9ddYMN3nupZFgBK1GB4Y05GY
+MJJFRkSu6d/Ph5ypzBVw2YMT/nsOo5VwMUGLgS7YVjU+u/HNWz80J3oO17mNZllj
+PvORJcnjwlroDnS58KoJ7GDgejv3ESWADvX1OHLE4cRkiQGeLoEU4pxdCxXRqX0U
+PbwIkZN9mXVcrmPHq8MWi4eC/V7hnbZETMHuWhUoiNdOEfsAXr3iP4KjyyRdwc7a
+d/xgcK06UVQRL/HbEYGiQL056mc=
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIDaDCCAlCgAwIBAgIBATANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGDAJKUDES
+MBAGA1UECgwJSklOLkdSLkpQMQwwCgYDVQQLDANSUlIxCzAJBgNVBAMMAkNBMB4X
+DTA0MDEzMDAwNDMyN1oXDTM1MDEyMjAwNDMyN1owPzELMAkGA1UEBgwCSlAxEjAQ
+BgNVBAoMCUpJTi5HUi5KUDEMMAoGA1UECwwDUlJSMQ4wDAYDVQQDDAVTdWJDQTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ0Ou7AyRcRXnB/kVHv/6kwe
+ANzgg/DyJfsAUqW90m7Lu1nqyug8gK0RBd77yU0w5HOAMHTVSdpjZK0g2sgx4Mb1
+d/213eL9TTl5MRVEChTvQr8q5DVG/8fxPPE7fMI8eOAzd98/NOAChk+80r4Sx7fC
+kGVEE1bKwY1MrUsUNjOY2d6t3M4HHV3HX1V8ShuKfsHxgCmLzdI8U+5CnQedFgkm
+3e+8tr8IX5RR1wA1Ifw9VadF7OdI/bGMzog/Q8XCLf+WPFjnK7Gcx6JFtzF6Gi4x
+4dp1Xl45JYiVvi9zQ132wu8A1pDHhiNgQviyzbP+UjcB/tsOpzBQF8abYzgEkWEC
+AwEAAaNyMHAwDwYDVR0TAQH/BAUwAwEB/zAxBglghkgBhvhCAQ0EJBYiUnVieS9P
+cGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUlCjXWLsReYzH
+LzsxwVnCXmKoB/owCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQCJ/OyN
+rT8Cq2Y+G2yA/L1EMRvvxwFBqxavqaqHl/6rwsIBFlB3zbqGA/0oec6MAVnYynq4
+c4AcHTjx3bQ/S4r2sNTZq0DH4SYbQzIobx/YW8PjQUJt8KQdKMcwwi7arHP7A/Ha
+LKu8eIC2nsUBnP4NhkYSGhbmpJK+PFD0FVtD0ZIRlY/wsnaZNjWWcnWF1/FNuQ4H
+ySjIblqVQkPuzebv3Ror6ZnVDukn96Mg7kP4u6zgxOeqlJGRe1M949SS9Vudjl8X
+SF4aZUUB9pQGhsqQJVqaz2OlhGOp9D0q54xko/rekjAIcuDjl1mdX4F2WRrzpUmZ
+uY/bPeOBYiVsOYVe
+-----END CERTIFICATE-----
+diff --git a/test/rubygems/ssl_cert.pem b/test/rubygems/ssl_cert.pem
+new file mode 100644
+index 0000000..998ccc5
+--- /dev/null
+++ b/test/rubygems/ssl_cert.pem
+@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/zCCAeegAwIBAgIBATANBgkqhkiG9w0BAQUFADA/MQswCQYDVQQGDAJKUDES
+MBAGA1UECgwJSklOLkdSLkpQMQwwCgYDVQQLDANSUlIxDjAMBgNVBAMMBVN1YkNB
+MB4XDTA0MDEzMTAzMTMxNloXDTMzMDEyMzAzMTMxNlowQzELMAkGA1UEBgwCSlAx
+EjAQBgNVBAoMCUpJTi5HUi5KUDEMMAoGA1UECwwDUlJSMRIwEAYDVQQDDAlsb2Nh
+bGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANFJTxWqup3nV9dsJAku
+p+WaXnPNIzcpAA3qMGZDJTJsfa8Du7ZxTP0XJK5mETttBrn711cJxAuP3KjqnW9S
+vtZ9lY2sXJ6Zj62sN5LwG3VVe25dI28yR1EsbHjJ5Zjf9tmggMC6am52dxuHbt5/
+vHo4ngJuKE/U+eeGRivMn6gFAgMBAAGjgYUwgYIwDAYDVR0TAQH/BAIwADAxBglg
+hkgBhvhCAQ0EJBYiUnVieS9PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAd
+BgNVHQ4EFgQUpZIyygD9JxFYHHOTEuWOLbCKfckwCwYDVR0PBAQDAgWgMBMGA1Ud
+JQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBBQUAA4IBAQBwAIj5SaBHaA5X31IP
+CFCJiep96awfp7RANO0cuUj+ZpGoFn9d6FXY0g+Eg5wAkCNIzZU5NHN9xsdOpnUo
+zIBbyTfQEPrge1CMWMvL6uGaoEXytq84VTitF/xBTky4KtTn6+es4/e7jrrzeUXQ
+RC46gkHObmDT91RkOEGjHLyld2328jo3DIN/VTHIryDeVHDWjY5dENwpwdkhhm60
+DR9IrNBbXWEe9emtguNXeN0iu1ux0lG1Hc6pWGQxMlRKNvGh0yZB9u5EVe38tOV0
+jQaoNyL7qzcQoXD3Dmbi1p0iRmg/+HngISsz8K7k7MBNVsSclztwgCzTZOBiVtkM
+rRlQ
+-----END CERTIFICATE-----
+diff --git a/test/rubygems/ssl_key.pem b/test/rubygems/ssl_key.pem
+new file mode 100644
+index 0000000..9ba2218
+--- /dev/null
+++ b/test/rubygems/ssl_key.pem
+@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDRSU8Vqrqd51fXbCQJLqflml5zzSM3KQAN6jBmQyUybH2vA7u2
+cUz9FySuZhE7bQa5+9dXCcQLj9yo6p1vUr7WfZWNrFyemY+trDeS8Bt1VXtuXSNv
+MkdRLGx4yeWY3/bZoIDAumpudncbh27ef7x6OJ4CbihP1PnnhkYrzJ+oBQIDAQAB
+AoGBAIf4CstW2ltQO7+XYGoex7Hh8s9lTSW/G2vu5Hbr1LTHy3fzAvdq8MvVR12O
+rk9fa+lU9vhzPc0NMB0GIDZ9GcHuhW5hD1Wg9OSCbTOkZDoH3CAFqonjh4Qfwv5W
+IPAFn9KHukdqGXkwEMdErsUaPTy9A1V/aROVEaAY+HJgq/eZAkEA/BP1QMV04WEZ
+Oynzz7/lLizJGGxp2AOvEVtqMoycA/Qk+zdKP8ufE0wbmCE3Qd6GoynavsHb6aGK
+gQobb8zDZwJBANSK6MrXlrZTtEaeZuyOB4mAmRzGzOUVkUyULUjEx2GDT93ujAma
+qm/2d3E+wXAkNSeRpjUmlQXy/2oSqnGvYbMCQQDRM+cYyEcGPUVpWpnj0shrF/QU
+9vSot/X1G775EMTyaw6+BtbyNxVgOIu2J+rqGbn3c+b85XqTXOPL0A2RLYkFAkAm
+syhSDtE9X55aoWsCNZY/vi+i4rvaFoQ/WleogVQAeGVpdo7/DK9t9YWoFBIqth0L
+mGSYFu9ZhvZkvQNV8eYrAkBJ+rOIaLDsmbrgkeDruH+B/9yrm4McDtQ/rgnOGYnH
+LjLpLLOrgUxqpzLWe++EwSLwK2//dHO+SPsQJ4xsyQJy
+-----END RSA PRIVATE KEY-----
+diff --git a/test/test_gem_config_file.rb b/test/test_gem_config_file.rb
+index 4981c18..1f70e26 100644
+--- a/test/test_gem_config_file.rb
+++ b/test/test_gem_config_file.rb
+@@ -53,6 +53,8 @@ def test_initialize
+       fp.puts ":gempath:"
+       fp.puts "- /usr/ruby/1.8/lib/ruby/gems/1.8"
+       fp.puts "- /var/ruby/1.8/gem_home"
+      fp.puts ":ssl_verify_mode: 0"
+      fp.puts ":ssl_ca_cert: /etc/ssl/certs"
+     end
+ 
+     util_config_file
+@@ -67,6 +69,8 @@ def test_initialize
+     assert_equal '--wrappers', @cfg[:install]
+     assert_equal(['/usr/ruby/1.8/lib/ruby/gems/1.8', '/var/ruby/1.8/gem_home'],
+                  @cfg.path)
+    assert_equal 0, @cfg.ssl_verify_mode
+    assert_equal '/etc/ssl/certs', @cfg.ssl_ca_cert
+   end
+ 
+   def test_initialize_handle_arguments_config_file
+@@ -279,6 +283,22 @@ def test_load_rubygems_api_key_from_credentials
+     assert_equal "701229f217cdf23b1344c7b4b54ca97", @cfg.rubygems_api_key
+   end
+ 
+  def test_load_ssl_verify_mode_from_config
+    File.open @temp_conf, 'w' do |fp|
+      fp.puts ":ssl_verify_mode: 1"
+    end
+    util_config_file
+    assert_equal(1, @cfg.ssl_verify_mode)
+  end
+
+  def test_load_ssl_ca_cert_from_config
+    File.open @temp_conf, 'w' do |fp|
+      fp.puts ":ssl_ca_cert: /home/me/certs"
+    end
+    util_config_file
+    assert_equal('/home/me/certs', @cfg.ssl_ca_cert)
+  end
+
+   def util_config_file(args = @cfg_args)
+     @cfg = Gem::ConfigFile.new args
+   end
+diff --git a/test/test_gem_remote_fetcher.rb b/test/test_gem_remote_fetcher.rb
+index 570d2b4..f730536 100644
+--- a/test/test_gem_remote_fetcher.rb
+++ b/test/test_gem_remote_fetcher.rb
+@@ -1,6 +1,7 @@
+ require File.expand_path('../gemutilities', __FILE__)
+ require 'ostruct'
+ require 'webrick'
+require 'webrick/https'
+ require 'rubygems/remote_fetcher'
+ require 'rubygems/format'
+ 
+@@ -73,6 +74,8 @@ class TestGemRemoteFetcher < RubyGemTestCase
+   PROXY_PORT = process_based_port + 100 + $1.to_i * 100 + $2.to_i * 10 + $3.to_i
+   SERVER_PORT = process_based_port + 200 + $1.to_i * 100 + $2.to_i * 10 + $3.to_i
+ 
+  DIR = File.join File.expand_path(File.dirname(__FILE__)), "rubygems"
+
+   def setup
+     super
+     self.class.start_servers
+@@ -632,6 +635,53 @@ def test_yaml_error_on_size
+     end
+   end
+ 
+  def test_ssl_connection
+    ssl_server = self.class.start_ssl_server
+    temp_ca_cert = File.join(DIR, 'ca_cert.pem')
+    with_configured_fetcher(":ssl_ca_cert: #{temp_ca_cert}") do |fetcher|
+      fetcher.fetch_path("https://localhost:#{ssl_server.config[:Port]}/yaml")
+    end
+  end
+
+  def test_do_not_allow_insecure_ssl_connection_by_default
+    ssl_server = self.class.start_ssl_server
+    with_configured_fetcher do |fetcher|
+      assert_raises Gem::RemoteFetcher::FetchError do
+        fetcher.fetch_path("https://localhost:#{ssl_server.config[:Port]}/yaml")
+      end
+    end
+  end
+
+  def test_ssl_connection_allow_verify_none
+    ssl_server = self.class.start_ssl_server
+    with_configured_fetcher(":ssl_verify_mode: 0") do |fetcher|
+      fetcher.fetch_path("https://localhost:#{ssl_server.config[:Port]}/yaml")
+    end
+  end
+
+  def test_do_not_follow_insecure_redirect
+    ssl_server = self.class.start_ssl_server
+    temp_ca_cert = File.join(DIR, 'ca_cert.pem'),
+    with_configured_fetcher(":ssl_ca_cert: #{temp_ca_cert}") do |fetcher|
+      assert_raises Gem::RemoteFetcher::FetchError do
+        fetcher.fetch_path("https://localhost:#{ssl_server.config[:Port]}/insecure_redirect?to=#{@server_uri}")
+      end
+    end
+  end
+
+  def with_configured_fetcher(config_str = nil, &block)
+    if config_str
+      temp_conf = File.join @tempdir, '.gemrc'
+      File.open temp_conf, 'w' do |fp|
+        fp.puts config_str
+      end
+      Gem.configuration = Gem::ConfigFile.new %W[--config-file #{temp_conf}]
+    end
+    yield Gem::RemoteFetcher.new
+  ensure
+    Gem.configuration = nil
+  end
+
+   def util_stub_connection_for hash
+     def @fetcher.connection= conn
+       @conn = conn
+@@ -692,6 +742,49 @@ def start_servers
+       @enable_zip = false
+     end
+ 
+    DIR = File.join File.expand_path(File.dirname(__FILE__)), "rubygems"
+    DH_PARAM = OpenSSL::PKey::DH.new(128)
+
+    def start_ssl_server(config = {})
+      null_logger = NilLog.new
+      server = WEBrick::HTTPServer.new({
+        :Port => 0,
+        :Logger => null_logger,
+        :AccessLog => [],
+        :SSLEnable => true,
+        :SSLCACertificateFile => File.join(DIR, 'ca_cert.pem'),
+        :SSLCertificate => cert('ssl_cert.pem'),
+        :SSLPrivateKey => key('ssl_key.pem'),
+        :SSLVerifyClient => nil,
+        :SSLCertName => nil
+      }.merge(config))
+      server.mount_proc("/yaml") { |req, res|
+        res.body = "--- true\n"
+      }
+      server.mount_proc("/insecure_redirect") { |req, res|
+        res.set_redirect(WEBrick::HTTPStatus::MovedPermanently, req.query['to'])
+      }
+      server.ssl_context.tmp_dh_callback = proc { DH_PARAM }
+      t = Thread.new do
+        begin
+          server.start
+        rescue Exception => ex
+          abort ex.message
+          puts "ERROR during server thread: #{ex.message}"
+        end
+      end
+      while server.status != :Running
+        sleep 0.1
+        unless t.alive?
+          t.join
+          raise
+        end
+      end
+      server
+    end
+
+
+
+     private
+ 
+     def start_server(port, data)
+@@ -734,6 +827,14 @@ def start_server(port, data)
+       end
+       sleep 0.2                 # Give the servers time to startup
+     end
+
+    def cert(filename)
+      OpenSSL::X509::Certificate.new(File.read(File.join(DIR, filename)))
+    end
+
+    def key(filename)
+      OpenSSL::PKey::RSA.new(File.read(File.join(DIR, filename)))
+    end
+   end
+ 
+ end
+-- 
+1.8.4
+
--- a/rubygems.spec
+++ b/rubygems.spec
@ -1,20 +1,35 @@
-%define gem_dir %(ruby -rrbconfig -e 'puts File::expand_path(File::join(Config::CONFIG["sitedir"],"..","gems"))')
-%define rb_ver %(ruby -rrbconfig -e 'puts Config::CONFIG["ruby_version"]')
+%define gem_dir %(ruby -rrbconfig -e 'puts File::expand_path(File::join(RbConfig::CONFIG["sitedir"],"..","gems"))')
+%define rb_ver %(ruby -rrbconfig -e 'puts RbConfig::CONFIG["ruby_version"]')
 %define gem_home %{gem_dir}/%{rb_ver}
-%define ruby_sitelib %(ruby -rrbconfig -e 'puts Config::CONFIG["sitelibdir"]')
+%define ruby_sitelib %(ruby -rrbconfig -e 'puts RbConfig::CONFIG["sitelibdir"]')

 %define repoid 70696

 Summary: The Ruby standard for packaging ruby libraries
 Name: rubygems
 Version: 1.3.7
-Release: 1%{?dist}
+Release: 4%{?dist}
 Group: Development/Libraries
 # No GPL version is specified.
 License: Ruby or GPL+
 URL: http://rubyforge.org/projects/rubygems/
 Source0: http://rubyforge.org/frs/download.php/%{repoid}/rubygems-%{version}.tgz
 Patch0: rubygems-1.3.7-noarch-gemdir.patch
+
+# Fix algorithmic complexity vulnerability (CVE-2013-4287).
+# https://github.com/rubygems/rubygems/issues/626
+Patch1: rubygems-1.8.23.1-CVE-2013-4287-algorithmic-complexity-vulnerability.patch
+# Fix insecure connection to SSL repository (CVE-2012-2125, CVE-2012-2126).
+# https://github.com/rubygems/rubygems/commit/c22a3b705ead93f4cb8282e6dcb2f8f330d74edd
+# NOTE 1: Certificates are omitted from patch due to:
+# https://github.com/rubygems/rubygems/commit/e9388de72ee5953ff061203ad387c98b2154db87
+# Upstream clarification: https://github.com/rubygems/rubygems/issues/654
+# NOTE 2: The ca-bundle.pem is automatically discovered on system path by OpenSLL.
+Patch2: rubygems-1.8.24-CVE-2012-2125-CVE-2012-2126-Insecure-connection-to-SSL-repository.patch
+# Remove regexp backtracing (CVE-2013-4363).
+# https://github.com/rubygems/rubygems/commit/56d1f8c17bc81f0eb354d5099021c498a0be9b51
+Patch3: rubygems-1.8.23.1-CVE-2013-4363-remove-regexp-backtracing.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
 Requires: ruby(abi) = 1.8 ruby-rdoc
 BuildRequires:  ruby ruby-rdoc
@ -28,6 +43,9 @@ libraries.
 %prep
 %setup -q
 %patch0 -p1 -b .noarch
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1

 # Some of the library files start with #! which rpmlint doesn't like
 # and doesn't make much sense
@ -72,6 +90,18 @@ rm -rf $RPM_BUILD_ROOT
 %{ruby_sitelib}/*

 %changelog
+* Wed Sep 25 2013 Vít Ondruch <vondruch@redhat.com> - 1.3.7-4
+- Remove regexp backtracing (CVE-2013-4363).
+  - Related: rhbz#1002838.
+
+* Wed Sep 18 2013 Vít Ondruch <vondruch@redhat.com> - 1.3.7-3
+- Fix insecure connection to SSL repository (CVE-2012-2125, CVE-2012-2126).
+  - Related: rhbz#1002838.
+
+* Mon Sep 02 2013 Vít Ondruch <vondruch@redhat.com> - 1.3.7-2
+- Fix algorithmic complexity vulnerability (CVE-2013-4287).
+  - Resolves: rhbz#1002838.
+
 * Mon May 17 2010 Mamoru Tasaka <mtasaka@ioa.s.u-tokyo.ac.jp> - 1.3.7-1
 - Update to 1.3.7, dropping upstreamed patch