path: root/meta/recipes-devtools/ruby/ruby/CVE-2018-1000073.patch
blob: 22fa1b5f4d7a206c5f93d6cc1f15f25ece99a3e5 (plain)
From 1b931fc03b819b9a0214be3eaca844ef534175e2 Mon Sep 17 00:00:00 2001
From: Jonathan Claudius <jclaudius@mozilla.com>
Date: Wed, 7 Feb 2018 23:54:52 -0500
Subject: [PATCH] Non-working patch for deducing symlinked base-dirs

---
CVE: CVE-2018-1000073

Fixed in ruby 2.7.6.

Upstream-Status: Backport [github.com/rubygems/rubygems/commit/1b931fc...]

Signed-off-by: Joe Slater <joe.slater@windriver.com>

---
 lib/rubygems/package.rb |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/rubygems/package.rb b/lib/rubygems/package.rb
index dede959..cb9c74a 100644
--- a/lib/rubygems/package.rb
+++ b/lib/rubygems/package.rb
@@ -421,6 +421,8 @@ EOM
     destination_dir = File.expand_path destination_dir
 
     destination = File.join destination_dir, filename
+    destination = File.realpath destination if
+      File.respond_to? :realpath
     destination = File.expand_path destination
 
     raise Gem::Package::PathError.new(destination, destination_dir) unless
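
Review bot: `File.realpath` on the added line raises Errno::ENOENT when any component of the path does not exist, so if the file named by `filename` is not yet on disk under `destination_dir`, this call raises before the `Gem::Package::PathError` check is reached. In addition, only `destination` is resolved, while `destination_dir` two lines earlier is still only passed through `File.expand_path`; when the base directory itself is reached through a symlink, the two values handed to the check are in different forms. Consider resolving `destination_dir` with `File.realpath` once (that directory has to exist) and building `destination` from the resolved value, or using `File.realdirpath`, which tolerates a missing last component. The subject line already says "Non-working", so the commit message should state which cases remain unhandled. As a style point, the trailing `if` split across two lines reads more clearly as a single-line modifier or a regular `if` block.
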
-- 
1.7.9.5