
CVE-2022-39253 break RubyGems/Bundler tests and behavior. #5996

Closed
hsbt opened this issue Oct 19, 2022 · 3 comments · Fixed by #5998
Comments

@hsbt (Member) commented Oct 19, 2022

Describe the problem as clearly as you can

In the past few days, the rubygems tests have been failing on my dev machine.

  1) Failure:
TestGemSourceGit#test_checkout_submodules [/Users/hsbt/Documents/github.com/ruby/ruby/test/rubygems/test_gem_source_git.rb:73]:
fatal: transport 'file' not allowed
fatal: clone of '/Users/hsbt/Documents/github.com/ruby/ruby/tmp/test_rubygems_20221019-16443-neo1ri/git/b' into submodule path '/Users/hsbt/Documents/github.com/ruby/ruby/tmp/test_rubygems_20221019-16443-neo1ri/git/a/b' failed

What actually happened?

https://github.blog/2022-10-18-git-security-vulnerabilities-announced/#cve-2022-39253

Git 2.38.1 refuses `git submodule add` with the file protocol. We should handle the CVE-2022-39253 changes in RubyGems/Bundler for Git.

@hsbt hsbt added the RubyGems label Oct 19, 2022
@hsbt hsbt changed the title CVS-2022-39253 break RubyGems/Bundler tests and behavior. CVE-2022-39253 break RubyGems/Bundler tests and behavior. Oct 19, 2022
@nobu (Contributor) commented Oct 19, 2022

`git submodule update` too.

@hsbt (Member, Author) commented Oct 19, 2022

We can pass them with the `-c protocol.file.allow=always` option. But it disables the security limitation of Git.
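The following script is an added example, not code from this issue or from RubyGems/Bundler. It reproduces the Git 2.38.1 behaviour behind CVE-2022-39253 for both commands named in this thread (`git submodule add` and `git submodule update`), and shows the narrowest form of the override hsbt mentions: `-c protocol.file.allow=always` on the single git invocation that needs it, so the default `protocol.file.allow=user` stays in force everywhere else and no global or user-level config is touched. The repository names `a` and `b`, the committer identity and all paths are constructed for the demo; with Git older than 2.38.1 the "default" runs simply succeed.

```shell
#!/bin/sh
# Added example (not part of the issue or of RubyGems/Bundler): reproduce the
# CVE-2022-39253 change in Git >= 2.38.1, where protocol.file.allow defaults to
# "user" and submodules fetched over the local "file" transport are refused,
# and apply the override per command only. Repo names and identity are constructed.
set -eu

# Some sandboxes run without HOME; git needs it to locate (and ignore) user config.
: "${HOME:=/tmp}"; export HOME

GIT_ID="-c user.name=demo -c user.email=demo@example.invalid"  # constructed identity

# make_fixture DIR: superproject DIR/a and "library" repo DIR/b, one commit each.
make_fixture() {
  d=$1
  for r in a b; do
    git init -q "$d/$r"
    git -C "$d/$r" $GIT_ID commit -q --allow-empty -m "init $r"
  done
}

# git_cfg_for MODE: the extra git options for MODE.
#   allow   -> override scoped to one invocation (no `git config --global`)
#   default -> nothing; Git's own protocol.file.allow default applies
git_cfg_for() {
  case $1 in
    allow) echo "-c protocol.file.allow=always" ;;
    *)     echo "" ;;
  esac
}

# submodule_add_file_transport DIR MODE
# Prints "ok" if `git submodule add` of a file-path submodule succeeded,
# "refused" if Git rejected the file transport, "skip" if git is not installed.
submodule_add_file_transport() {
  command -v git >/dev/null 2>&1 || { echo skip; return 0; }
  work=$(cd "$1" && pwd); mode=$2
  make_fixture "$work"
  cfg=$(git_cfg_for "$mode")
  if git -C "$work/a" $cfg submodule add -q "$work/b" b >/dev/null 2>&1; then
    echo ok
  else
    echo refused
  fi
}

# submodule_update_file_transport DIR MODE
# Same check for `git submodule update --init` in a fresh clone of the
# superproject, the second command this thread reports as affected.
submodule_update_file_transport() {
  command -v git >/dev/null 2>&1 || { echo skip; return 0; }
  work=$(cd "$1" && pwd); mode=$2
  make_fixture "$work"
  # Building the fixture itself needs the override, scoped to this one command.
  git -C "$work/a" -c protocol.file.allow=always submodule add -q "$work/b" b >/dev/null 2>&1
  git -C "$work/a" $GIT_ID commit -q -m "add submodule"
  # A user-initiated clone over a local path is still allowed under "user";
  # only the nested submodule clone below is subject to the check.
  git clone -q "$work/a" "$work/a-clone" >/dev/null 2>&1
  cfg=$(git_cfg_for "$mode")
  if git -C "$work/a-clone" $cfg submodule update --init >/dev/null 2>&1; then
    echo ok
  else
    echo refused
  fi
}

# Demo run in constructed temp directories, removed afterwards.
for mode in default allow; do
  t=$(mktemp -d)
  printf 'submodule add    (%s): %s\n' "$mode" "$(submodule_add_file_transport "$t" "$mode")"
  rm -rf "$t"
  t=$(mktemp -d)
  printf 'submodule update (%s): %s\n' "$mode" "$(submodule_update_file_transport "$t" "$mode")"
  rm -rf "$t"
done
```

On Git 2.38.1 or newer the "default" runs print `refused` and the "allow" runs print `ok`. Passing `-c` on the command line sets the value only for that process and its child processes (the nested submodule clone), which is why it works where a setting in the superproject's own `.git/config` would not reach the child, and why it is preferable to a global `protocol.file.allow=always`, which would re-open the CVE-2022-39253 path for every repository the user ever clones.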

@hsbt (Member, Author) commented Oct 19, 2022

@deivid-rodriguez @simi I created the workaround for this.

ruby/ruby#6587
