Patching gems for security vulnerabilities with gem-patch

gem-patch is a RubyGems plugin that helps you patch gems. You can use it to apply security fixes or to cherry-pick upstream commits into your .gem files. I use it to test whether the upstream commits containing vulnerability fixes apply cleanly to older gem releases, so I can prepare fixed builds of those gems for Fedora. Here is how to do that.

As an example, let's look at the recent upstream patches for CVE-2015-3226 and CVE-2015-3227. The upstream patches are commits against ActiveSupport 4.2.1 (the latest release in the supported branch), which makes sense. But you might be on a different version, and you might be in a position where updating all the related Rails gems is not an option. That is the case for Fedora 22, which ships ActiveSupport 4.2.0.

The original purpose of gem-patch is to create (or apply) patches with ease. Here is how I test whether the released patches apply to 4.2.0:

  • -c means copy-in. I need to include the ActiveSupport tests next to the unpacked gem sources, because the upstream .gem files don't contain them and I need to make sure the tests are patched as well (they are run in our RPM builds).
  • -p2 is an argument for the patch utility that gem-patch runs underneath. We specify -p2 because the Rails team releases its fixes as commits against the whole Rails repository (all associated gems in one tree), while we only need the ActiveSupport part, with paths starting at lib/.
  • --dry-run makes sure we don't actually overwrite the given .gem file, which is perfect for testing. The nice thing about gem-patch's --dry-run is that it applies the fixes to copies of the .gem contents rather than passing the option through to the patch program (whose own --dry-run has limitations when two patches change the same file).
  • --verbose shows the output of the patch command. I need this because I care not just about the fix being applied, but about it being applied cleanly (without offsets).

Here is a partial output:

Nice, it works. The verbose output also tells us how to make the patch apply cleanly, which matters because a hunk that only applies with an offset makes the patch program leave .orig backup files behind by default, and we don't want extra files turning up in the build. For that we just change the line 146 to 143 in the hunk header:

Run gem patch again and the patch now applies cleanly.

But there was one more vulnerability in the announcement. To apply both patches at once, we add the second one as another argument:

That's it. Now we can drop the --dry-run option to actually patch the .gem file, or include the adjusted patches in the build process (the spec file, in the case of Fedora builds).
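The clean-apply check and the hunk-header adjustment described above, as an added Ruby example that is not part of gem-patch or of this post: it parses the per-hunk lines that `patch --verbose` prints, decides whether every hunk applied without an offset or fuzz, and rewrites the @@ headers of hunks that applied only with an offset (146 to 143 in the case above). The message wording is GNU patch's ("Hunk #N succeeded at L (offset D lines).", "with fuzz F", "FAILED"); the diff, the patch output and the file names are constructed for the example, and the file matching assumes the same two leading path components are stripped as with -p2.

```ruby
# Added example (not gem-patch's own code): helpers for the workflow above.
# Message wording assumed is GNU patch's; all sample data below is constructed.

HUNK_RE = /\AHunk #(\d+) (succeeded|FAILED) at (\d+)(?: with fuzz (\d+))?(?: \(offset (-?\d+) lines?\))?\./

# Parse patch output into one hash per hunk. With --dry-run GNU patch prints
# "checking file X" instead of "patching file X"; both forms are accepted.
def parse_patch_output(text)
  file = nil
  hunks = []
  text.each_line do |raw|
    line = raw.strip
    if (m = line.match(/\A(?:patching|checking) file (.+)\z/))
      file = m[1]
    elsif (m = line.match(HUNK_RE))
      hunks << { file: file, hunk: m[1].to_i, ok: m[2] == "succeeded",
                 line: m[3].to_i, fuzz: m[4].to_i, offset: m[5].to_i }
    end
  end
  hunks
end

# "Clean" in the sense used above: every hunk applied, with no offset and no
# fuzz. An offset or fuzzy hunk also makes GNU patch leave .orig backups behind.
def clean?(hunks)
  hunks.all? { |h| h[:ok] && h[:offset].zero? && h[:fuzz].zero? }
end

# Human-readable verdict per hunk, e.g. for a build log.
def report(hunks)
  hunks.map do |h|
    status = if !h[:ok] then "FAILED"
             elsif h[:offset] != 0 || h[:fuzz] != 0 then "applied with offset #{h[:offset]}, fuzz #{h[:fuzz]}"
             else "clean"
             end
    "#{h[:file]} hunk ##{h[:hunk]}: #{status}"
  end
end

# Shift the old/new start lines of each offset hunk by the offset patch
# reported (146 -> 143 for "offset -3 lines"). Hunks are matched to the parsed
# output by file name after stripping `strip` leading path components (as
# patch -p<strip> does) and by hunk number within that file.
def rebase_hunk_headers(diff, hunks, strip: 2)
  by_key = hunks.each_with_object({}) { |h, acc| acc[[h[:file], h[:hunk]]] = h }
  file = nil
  n = 0
  out = diff.each_line.map do |raw|
    line = raw.chomp
    nl = raw.end_with?("\n") ? "\n" : ""
    if (m = line.match(/\A\+\+\+ (\S+)/))
      file = m[1].split("/", strip + 1).last   # emulate -p#{strip}
      n = 0
      raw
    elsif (m = line.match(/\A@@ -(\d+)(,\d+)? \+(\d+)(,\d+)? @@(.*)\z/))
      n += 1
      h = by_key[[file, n]]
      if h && h[:ok] && h[:offset] != 0
        "@@ -#{m[1].to_i + h[:offset]}#{m[2]} +#{m[3].to_i + h[:offset]}#{m[4]} @@#{m[5]}#{nl}"
      else
        raw
      end
    else
      raw
    end
  end
  out.join
end

# Constructed sample: a Rails-tree diff (hence -p2) touching one library file
# and one test file, plus what the patch program reported for it against the
# older gem. File names and hunk contents are illustrative only.
SAMPLE_DIFF = <<~'DIFF'
  --- a/activesupport/lib/active_support/example.rb
  +++ b/activesupport/lib/active_support/example.rb
  @@ -146,3 +146,3 @@ module ActiveSupport
     # unchanged context
  -    old_line
  +    new_line
  --- a/activesupport/test/example_test.rb
  +++ b/activesupport/test/example_test.rb
  @@ -55,2 +55,2 @@
     # unchanged context
  -    old_assertion
  +    new_assertion
DIFF

SAMPLE_OUTPUT = <<~'OUT'
  checking file lib/active_support/example.rb
  Hunk #1 succeeded at 143 (offset -3 lines).
  checking file test/example_test.rb
  Hunk #1 succeeded at 55.
OUT

# A hunk that needed fuzz as well as an offset is not clean either.
FUZZY_OUTPUT = <<~'OUT'
  checking file lib/active_support/example.rb
  Hunk #1 succeeded at 143 with fuzz 2 (offset -3 lines).
OUT

if __FILE__ == $PROGRAM_NAME
  hunks = parse_patch_output(SAMPLE_OUTPUT)
  puts report(hunks)
  puts(clean?(hunks) ? "clean" : "not clean, rebasing hunk headers")
  puts rebase_hunk_headers(SAMPLE_DIFF, hunks)
end
```

Save the string returned by `rebase_hunk_headers` as the patch you feed back to gem patch (still with -p2, since the paths are untouched); once `clean?` is true for its output you can drop --dry-run. Hunks that FAILED are left alone on purpose, since those need a manual backport rather than a header tweak.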
