Sun Sep 13 14:57:05 2020 UTC ()
misc/ruby-bundler1: apply security fix
Apply patch for CVE-2019-3881.
Bump PKGREVISION.
(taca)
diff -r1.2 -r1.3 pkgsrc/misc/ruby-bundler1/Makefile
diff -r1.1 -r1.2 pkgsrc/misc/ruby-bundler1/distinfo
diff -r0 -r1.1 pkgsrc/misc/ruby-bundler1/patches/patch-lib_bundler.rb
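--- a/pkgsrc/misc/ruby-bundler1/Attic/Makefile
+++ b/pkgsrc/misc/ruby-bundler1/Attic/Makefile
@@ -1,18 +1,18 @@
-# $NetBSD: Makefile,v 1.2 2019/09/18 14:27:45 taca Exp $
+# $NetBSD: Makefile,v 1.3 2020/09/13 14:57:04 taca Exp $
 
 DISTNAME= bundler-1.17.3
 PKGNAME= ${RUBY_PKGPREFIX}-${DISTNAME:S/bundler/bundler1/}
-PKGREVISION= 1
+PKGREVISION= 2
 CATEGORIES= misc
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= https://bundler.io/
 COMMENT= Manage your application's dependencies
 LICENSE= mit
 
 RUBYGEM_OPTIONS+= --format-executable
 COMMANDS= bundle bundler
 
 post-install:
 cd ${DESTDIR}${PREFIX}/bin && \
 for f in ${COMMANDS}; do \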
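--- a/pkgsrc/misc/ruby-bundler1/Attic/distinfo
+++ b/pkgsrc/misc/ruby-bundler1/Attic/distinfo
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.1 2019/03/05 07:46:47 taca Exp $
+$NetBSD: distinfo,v 1.2 2020/09/13 14:57:04 taca Exp $
 
 SHA1 (bundler-1.17.3.gem) = b5f0a9bffd4ff9b983b536704973fbe1cf49f015
 RMD160 (bundler-1.17.3.gem) = dc0597bea59ff9f7f1feeec140898363e3747cac
 SHA512 (bundler-1.17.3.gem) = 658de4228bc12fa5ca6ce335f76fff773f64da9f3d12f5097b4fd28d4c4f4d2a5bf12dce761b3d95432c5ea6a5aafae895df87c26660a4567db8b682aff48c02
 Size (bundler-1.17.3.gem) = 364032 bytes
+SHA1 (patch-lib_bundler.rb) = bcdd308d40a9cb2972d57d1820e2085ed1bb5331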
$NetBSD: patch-lib_bundler.rb,v 1.1 2020/09/13 14:57:05 taca Exp $
Fix for CVE-2019-3881.
--- lib/bundler.rb.orig 2020-09-07 15:06:23.171036008 +0000
+++ lib/bundler.rb
@@ -170,8 +170,7 @@ module Bundler
end
if warning
- Kernel.send(:require, "etc")
- user_home = tmp_home_path(Etc.getlogin, warning)
+ user_home = tmp_home_path(warning)
Bundler.ui.warn "#{warning}\nBundler will use `#{user_home}' as your home directory temporarily.\n"
user_home
else
@@ -180,21 +179,6 @@ module Bundler
end
end
- def tmp_home_path(login, warning)
- login ||= "unknown"
- Kernel.send(:require, "tmpdir")
- path = Pathname.new(Dir.tmpdir).join("bundler", "home")
- SharedHelpers.filesystem_access(path) do |tmp_home_path|
- unless tmp_home_path.exist?
- tmp_home_path.mkpath
- tmp_home_path.chmod(0o777)
- end
- tmp_home_path.join(login).tap(&:mkpath)
- end
- rescue RuntimeError => e
- raise e.exception("#{warning}\nBundler also failed to create a temporary home directory at `#{path}':\n#{e}")
- end
-
def user_bundle_path(dir = "home")
env_var, fallback = case dir
when "home"
@@ -555,6 +539,17 @@ EOF
Bundler.rubygems.clear_paths
end
+ def tmp_home_path(warning)
+ Kernel.send(:require, "tmpdir")
+ SharedHelpers.filesystem_access(Dir.tmpdir) do
+ path = Bundler.tmp
+ at_exit { Bundler.rm_rf(path) }
+ path
+ end
+ rescue RuntimeError => e
+ raise e.exception("#{warning}\nBundler also failed to create a temporary home directory':\n#{e}")
+ end
+
# @param env [Hash]
def with_env(env)
backup = ENV.to_hash
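Review bot: The error message in the new `tmp_home_path` keeps a stray closing quote from the removed path interpolation, so it prints `temporary home directory':`. The line should read `raise e.exception("#{warning}\nBundler also failed to create a temporary home directory:\n#{e}")`. The security property of this fix rests entirely on `Bundler.tmp`, which is defined outside this hunk and is presumably what returns a freshly created, non-guessable directory private to the calling user. A comment above `path = Bundler.tmp` such as `# must stay a per-process private directory, never a shared predictable path (CVE-2019-3881)` would stop a later edit from reintroducing something like the removed `bundler/home` directory with mode `0o777`. The `at_exit` hook is registered on every call, so it is worth confirming that the caller in the first hunk is not invoked repeatedly, otherwise each call creates and later removes another directory.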