ruby-changes:74137
From: nagachika <ko1@a...>
Date: Thu, 20 Oct 2022 20:30:56 +0900 (JST)
Subject: [ruby-changes:74137] 72e9097d37 (ruby_3_1): merge revision(s) 4f1e0bfacd93c28bff549e2f3603c3b4942429a3:
https://git.ruby-lang.org/ruby.git/commit/?id=72e9097d37
From 72e9097d37f6bab42eeeb6c14b5c0b1f564254cf Mon Sep 17 00:00:00 2001
From: nagachika <nagachika@r...>
Date: Thu, 20 Oct 2022 20:30:28 +0900
Subject: merge revision(s) 4f1e0bfacd93c28bff549e2f3603c3b4942429a3: Followed up CVE-2022-39253 for bundler examples
---
 spec/bundler/cache/git_spec.rb | 3 +++
 spec/bundler/install/gemfile/git_spec.rb | 9 +++++++++
 spec/bundler/update/git_spec.rb | 3 +++
 3 files changed, 15 insertions(+)
---
 spec/bundler/cache/git_spec.rb | 3 +++
 spec/bundler/install/gemfile/git_spec.rb | 9 +++++++++
 spec/bundler/update/git_spec.rb | 3 +++
 version.h | 2 +-
 4 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/spec/bundler/cache/git_spec.rb b/spec/bundler/cache/git_spec.rb
index 7ea23cd312..fed8ba43f4 100644
--- a/spec/bundler/cache/git_spec.rb
+++ b/spec/bundler/cache/git_spec.rb
@@ -156,6 +156,9 @@ RSpec.describe "bundle cache with git" do https://github.com/ruby/ruby/blob/trunk/spec/bundler/cache/git_spec.rb#L156
 end
 it "copies repository to vendor cache, including submodules" do
+ # CVE-2022-39253: https://lore.kernel.org/lkml/xmqq4jw1uku5.fsf@g.../
+ system(*%W[git config --global protocol.file.allow always])
+
 build_git "submodule", "1.0"
 git = build_git "has_submodule", "1.0" do |s|
diff --git a/spec/bundler/install/gemfile/git_spec.rb b/spec/bundler/install/gemfile/git_spec.rb
index 2058674105..fb99c99b2d 100644
--- a/spec/bundler/install/gemfile/git_spec.rb
+++ b/spec/bundler/install/gemfile/git_spec.rb
@@ -865,6 +865,9 @@ RSpec.describe "bundle install with git sources" do https://github.com/ruby/ruby/blob/trunk/spec/bundler/install/gemfile/git_spec.rb#L865
 end
 it "ignores submodules if :submodule is not passed" do
+ # CVE-2022-39253: https://lore.kernel.org/lkml/xmqq4jw1uku5.fsf@g.../
+ system(*%W[git config --global protocol.file.allow always])
+
 build_git "submodule", "1.0"
 build_git "has_submodule", "1.0" do |s|
 s.add_dependency "submodule"
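Review bot: The added `system(*%W[git config --global protocol.file.allow always])` in the spec/bundler/cache/git_spec.rb hunk discards the return value of `system`, so a missing or failing `git` surfaces later as an unrelated submodule error instead of at the setup step; `system(*%W[git config --global protocol.file.allow always]) || raise("git config failed")` would make that explicit. It also writes to the global git configuration rather than to the repository being built, which persists past the example and re-enables for every later git invocation in that environment the file-transport behaviour that the CVE-2022-39253 fix restricted; unless the suite already points HOME at a temporary directory, scoping the override to the command (`git -c protocol.file.allow=always …` on the submodule clone, or the `GIT_CONFIG_COUNT`/`GIT_CONFIG_KEY_0`/`GIT_CONFIG_VALUE_0` environment variables) would keep the relaxation local to the test. The same lines are added in the three spec/bundler/install/gemfile/git_spec.rb hunks and in the spec/bundler/update/git_spec.rb hunk, where the `before :each` hook has no matching `after` to undo the setting. The enclosing `it` block ends outside the hunk.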
@@ -884,6 +887,9 @@ RSpec.describe "bundle install with git sources" do https://github.com/ruby/ruby/blob/trunk/spec/bundler/install/gemfile/git_spec.rb#L887
 end
 it "handles repos with submodules" do
+ # CVE-2022-39253: https://lore.kernel.org/lkml/xmqq4jw1uku5.fsf@g.../
+ system(*%W[git config --global protocol.file.allow always])
+
 build_git "submodule", "1.0"
 build_git "has_submodule", "1.0" do |s|
 s.add_dependency "submodule"
@@ -902,6 +908,9 @@ RSpec.describe "bundle install with git sources" do https://github.com/ruby/ruby/blob/trunk/spec/bundler/install/gemfile/git_spec.rb#L908
 end
 it "does not warn when deiniting submodules" do
+ # CVE-2022-39253: https://lore.kernel.org/lkml/xmqq4jw1uku5.fsf@g.../
+ system(*%W[git config --global protocol.file.allow always])
+
 build_git "submodule", "1.0"
 build_git "has_submodule", "1.0"
diff --git a/spec/bundler/update/git_spec.rb b/spec/bundler/update/git_spec.rb
index da92cab1cc..427a0bb713 100644
--- a/spec/bundler/update/git_spec.rb
+++ b/spec/bundler/update/git_spec.rb
@@ -124,6 +124,9 @@ RSpec.describe "bundle update" do https://github.com/ruby/ruby/blob/trunk/spec/bundler/update/git_spec.rb#L124
 describe "with submodules" do
 before :each do
+ # CVE-2022-39253: https://lore.kernel.org/lkml/xmqq4jw1uku5.fsf@g.../
+ system(*%W[git config --global protocol.file.allow always])
+
 build_repo4 do
 build_gem "submodule" do |s|
 s.write "lib/submodule.rb", "puts 'GEM'"
diff --git a/version.h b/version.h
index f7b5898d33..d350d611d6 100644
--- a/version.h
+++ b/version.h
@@ -11,7 +11,7 @@ https://github.com/ruby/ruby/blob/trunk/version.h#L11
 # define RUBY_VERSION_MINOR RUBY_API_VERSION_MINOR
 #define RUBY_VERSION_TEENY 3
 #define RUBY_RELEASE_DATE RUBY_RELEASE_YEAR_STR"-"RUBY_RELEASE_MONTH_STR"-"RUBY_RELEASE_DAY_STR
-#define RUBY_PATCHLEVEL 114
+#define RUBY_PATCHLEVEL 115
 #define RUBY_RELEASE_YEAR 2022
 #define RUBY_RELEASE_MONTH 10
-- cgit v1.2.3 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/