Bug #36405

closed

ruby-foreman-templates DEB package includes old versions of git and diffy GEMs

Added by Konstantin Orekhov 11 months ago. Updated 11 months ago.

Status:
Closed
Priority:
Normal
Category:
Debian/Ubuntu
Target version:
-

Description

During my attempt to migrate our Foreman to 3.6.1 on Ubuntu 20.04, our security scanners reported the following GEM packages:

stop vulnerabilities package CRITICAL Vulnerability found in non-os package type (gem) - /usr/share/foreman/vendor/ruby/2.7.0/specifications/git-1.7.0.gemspec (fixed in: 1.11.0)(GHSA-69p6-wvmq-27gg - https://github.com/advisories/GHSA-69p6-wvmq-27gg)

stop vulnerabilities package CRITICAL Vulnerability found in non-os package type (gem) - /usr/share/foreman/vendor/ruby/2.7.0/specifications/diffy-3.3.0.gemspec (fixed in: 3.4.1)(GHSA-5ww9-9qp2-x524 - https://github.com/advisories/GHSA-5ww9-9qp2-x524)

Based on the content of the DEB packages I'm installing, the above gems come from the ruby-foreman-templates package:
$ dpkg -x ./ruby-foreman-templates_9.3.0-2_all.deb ttt
$ ls -l ~/ttt/usr/share/foreman/vendor/cache
total 260
drwxr-xr-x 2 korekhov korekhov   4096 Jul 19  2022 ./
drwxr-xr-x 3 korekhov korekhov   4096 Jul 19  2022 ../
-rw-r--r-- 1 korekhov korekhov  17920 Dec 29  2018 diffy-3.3.0.gem
-rw-r--r-- 1 korekhov korekhov  49152 May 16  2022 foreman_templates-9.3.0.gem
-rw-r--r-- 1 korekhov korekhov  31232 Apr 25  2020 git-1.7.0.gem
-rw-r--r-- 1 korekhov korekhov 153600 Jun  1  2018 rchardet-1.8.0.gem

I had a similar issue with 3.3.1 (which also had the activerecord gem flagged). I know that 3.3 is not supported anymore; I'm just pointing out that this appears to be a pretty old issue to me.

Can this package be re-built with patched versions (git-1.11.0 and diffy-3.4.1 gems), please?

Actions #1

Updated by Ewoud Kohl van Wijngaarden 11 months ago

  • Category set to Debian/Ubuntu

This is because we don't have automation to update our bundled gems, which are listed in gem.list. As you can see, https://github.com/theforeman/foreman-packaging/blob/deb/develop/scripts/update_package.rb only updates the first entry (the gem itself) of the gem.list file. That ignores the dependencies.

A partial structural fix would be to enhance the update script. That only does it when a new plugin version is released, but it's a start. https://github.com/theforeman/foreman-packaging/blob/deb/develop/scripts/list_updatable_packages is the script that detects if a new update is available, so a really complete version would also detect outdated dependencies.

For this particular case it's https://github.com/theforeman/foreman-packaging/blob/e1d11c42c92c5422e221d8e747ebbc6f697c14f0/plugins/ruby-foreman-templates/debian/gem.list#L3-L4 so a PR would speed things up.
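
The gap described above (the update script only looks at the first gem.list entry, so bundled dependencies go stale) can be checked with a small script. This is an added example, not foreman-packaging's own code; it assumes gem.list holds one "name version" pair per line with the plugin first, and the fixed versions come from the scanner output in the description.

```ruby
# Added example (not foreman-packaging's own code): flag bundled dependencies in a
# Debian gem.list that are older than a known fixed version, i.e. the entries after
# the first line that the current update script is described as skipping.
require 'rubygems'

# Assumed gem.list format: "name version" per line, plugin gem first, bundled
# dependencies after it. Constructed sample mirroring the ticket's vendor/cache listing.
GEM_LIST = <<~LIST
  foreman_templates 9.3.0
  diffy 3.3.0
  git 1.7.0
  rchardet 1.8.0
LIST

# Minimum fixed versions and advisory ids as quoted by the scanner in the ticket.
FIXED_IN = {
  'git'   => { version: '1.11.0', advisory: 'GHSA-69p6-wvmq-27gg' },
  'diffy' => { version: '3.4.1',  advisory: 'GHSA-5ww9-9qp2-x524' }
}.freeze

# Parse gem.list into [name, Gem::Version] pairs, skipping blank and comment lines.
def parse_gem_list(text)
  text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }.map do |line|
    name, version = line.split(/\s+/, 2)
    raise ArgumentError, "malformed gem.list line: #{line.inspect}" if version.nil?
    [name, Gem::Version.new(version)]
  end
end

# Return every dependency (all entries after the plugin itself) whose bundled version
# is below the version the advisory was fixed in. Gem::Version compares numerically,
# so 1.7.0 is correctly treated as older than 1.11.0.
def outdated_dependencies(text, fixed_in = FIXED_IN)
  _plugin, *deps = parse_gem_list(text)
  deps.filter_map do |name, version|
    fix = fixed_in[name]
    next if fix.nil? || version >= Gem::Version.new(fix[:version])
    { name: name, bundled: version.to_s, fixed_in: fix[:version], advisory: fix[:advisory] }
  end
end

if __FILE__ == $PROGRAM_NAME
  outdated_dependencies(GEM_LIST).each do |o|
    puts "#{o[:name]} #{o[:bundled]} < #{o[:fixed_in]} (#{o[:advisory]})"
  end
end
```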

Actions #2

Updated by Konstantin Orekhov 11 months ago

> For this particular case it's https://github.com/theforeman/foreman-packaging/blob/e1d11c42c92c5422e221d8e747ebbc6f697c14f0/plugins/ruby-foreman-templates/debian/gem.list#L3-L4 so a PR would speed things up.

OK, thanks for the suggestion, I'll definitely do that. But just one more question on that - do you want me to submit a PR to deb/develop or deb/3.6? Or both?

Actions #4

Updated by Ewoud Kohl van Wijngaarden 11 months ago

We usually first make a PR to deb/develop and then cherry pick what's merged to any stable branches.

Actions #5

Updated by Konstantin Orekhov 11 months ago

Feel free to reject my PR into deb/3.6 then and follow your established procedure - I was not entirely sure regarding the exact process and just followed instructions from https://github.com/theforeman/foreman-packaging/blob/deb/develop/README.md?plain=1#L10-L11.

Thanks!

Actions #7

Updated by Evgeni Golov 11 months ago

  • Pull request https://github.com/theforeman/foreman-packaging/pull/9400 added

Actions #8

Updated by Anonymous 11 months ago

  • Status changed from New to Closed

Actions #9

Updated by Konstantin Orekhov 11 months ago

Hello, all!

So, I see that the nightly repo has a new package already, but I was wondering how soon it'll appear in 3.6?

Thanks!

Actions #10

Updated by Ewoud Kohl van Wijngaarden 11 months ago

We do cherry pick PRs. So that means you update your deb/develop and use git cherry-pick -x COMMIT to create a cherry pick commit in deb/3.6. Once we merge that, it'll be available once all pipelines run.

Side note: we've been looking at ways to automate cherry picks, but haven't gotten around to that yet.

Actions #11

Updated by The Foreman Bot 11 months ago

  • Pull request https://github.com/theforeman/foreman-packaging/pull/9405 added

Actions #12

Updated by Konstantin Orekhov 11 months ago

OK, cherry-picked.

Actions #13

Updated by Evgeni Golov 11 months ago

  • Category deleted (Debian/Ubuntu)
  • Fixed in Releases 3.6.2, 3.7.0 added

Actions #14

Updated by Evgeni Golov 11 months ago

  • Category set to Debian/Ubuntu
  • Assignee set to Konstantin Orekhov

Actions #15

Updated by Ewoud Kohl van Wijngaarden 11 months ago

  • Triaged changed from No to Yes