Bug #36405
Closed
ruby-foreman-templates DEB package includes old versions of git and diffy GEMs
Description
During my attempt to migrate our Foreman to 3.6.1 on Ubuntu 20.04, our security scanners reported the following GEM packages:
stop vulnerabilities package CRITICAL Vulnerability found in non-os package type (gem) - /usr/share/foreman/vendor/ruby/2.7.0/specifications/git-1.7.0.gemspec (fixed in: 1.11.0)(GHSA-69p6-wvmq-27gg - https://github.com/advisories/GHSA-69p6-wvmq-27gg)
stop vulnerabilities package CRITICAL Vulnerability found in non-os package type (gem) - /usr/share/foreman/vendor/ruby/2.7.0/specifications/diffy-3.3.0.gemspec (fixed in: 3.4.1)(GHSA-5ww9-9qp2-x524 - https://github.com/advisories/GHSA-5ww9-9qp2-x524)
Based on the content of the DEB packages I'm installing, the above gems come from the ruby-foreman-templates package:
$ dpkg -x ./ruby-foreman-templates_9.3.0-2_all.deb ttt
$ ls -l ~/ttt/usr/share/foreman/vendor/cache
total 260
drwxr-xr-x 2 korekhov korekhov   4096 Jul 19  2022 ./
drwxr-xr-x 3 korekhov korekhov   4096 Jul 19  2022 ../
-rw-r--r-- 1 korekhov korekhov  17920 Dec 29  2018 diffy-3.3.0.gem
-rw-r--r-- 1 korekhov korekhov  49152 May 16  2022 foreman_templates-9.3.0.gem
-rw-r--r-- 1 korekhov korekhov  31232 Apr 25  2020 git-1.7.0.gem
-rw-r--r-- 1 korekhov korekhov 153600 Jun  1  2018 rchardet-1.8.0.gem
I had a similar issue with 3.3.1 (which also had the activerecord gem flagged). I know that 3.3 is not supported anymore; I'm just pointing out that this appears to be a pretty old issue to me.
Can this package be re-built with patched versions (git-1.11.0 and diffy-3.4.1 gems), please?
Updated by Ewoud Kohl van Wijngaarden over 1 year ago
- Category set to Debian/Ubuntu
This is because we don't have automation to update our bundled gems, which are listed in gem.list. As you can see, https://github.com/theforeman/foreman-packaging/blob/deb/develop/scripts/update_package.rb only updates the first entry (the gem itself) of the gem.list file. That ignores the dependencies.
A partial structural fix would be to enhance the update script. That only does it when a new plugin version is released, but it's a start. https://github.com/theforeman/foreman-packaging/blob/deb/develop/scripts/list_updatable_packages is the script that detects if a new update is available, so a really complete version would also detect outdated dependencies.
For this particular case it's https://github.com/theforeman/foreman-packaging/blob/e1d11c42c92c5422e221d8e747ebbc6f697c14f0/plugins/ruby-foreman-templates/debian/gem.list#L3-L4 so a PR would speed things up.
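The comment above describes the gap: the packaging update script refreshes only the first gem.list entry and never looks at the pinned dependencies below it. The following is an added example (not code from the page or from foreman-packaging) of what a dependency-aware check could look like: it parses every entry of a gem.list and compares each pinned version against a table of known fixed versions. It assumes gem.list lines have the form `name version` (an assumption about the file format); the advisory table is constructed here from the two GHSA entries quoted in the report, and in practice would come from an advisory feed or `bundle audit`-style data.

```ruby
# Added example: audit every entry of a Debian plugin gem.list, not just
# the first one, against known advisories. Not foreman-packaging code.
require 'rubygems' # for Gem::Version comparisons

# Constructed advisory data, taken from the scanner output in the report.
# Real usage would load this from an advisory database.
ADVISORIES = {
  'git'   => { fixed_in: '1.11.0', id: 'GHSA-69p6-wvmq-27gg' },
  'diffy' => { fixed_in: '3.4.1',  id: 'GHSA-5ww9-9qp2-x524' },
}.freeze

# Parse gem.list text into [[name, version], ...].
# Assumes one "name version" pair per line; blank lines and '#' comments
# are skipped, anything else is rejected so a malformed file cannot be
# silently audited as clean.
def parse_gem_list(text)
  text.each_line.filter_map do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    name, version = line.split(/\s+/, 2)
    raise ArgumentError, "malformed gem.list line: #{line.inspect}" if version.nil?
    [name, version.strip]
  end
end

# Return one finding per entry whose pinned version is below the fixed
# version of a known advisory. Entries without an advisory are ignored.
def audit_gem_list(text, advisories = ADVISORIES)
  parse_gem_list(text).filter_map do |name, version|
    adv = advisories[name]
    next unless adv
    next unless Gem::Version.new(version) < Gem::Version.new(adv[:fixed_in])
    { gem: name, pinned: version, fixed_in: adv[:fixed_in], advisory: adv[:id] }
  end
end

# Constructed sample mirroring the vendored gems listed in the report.
SAMPLE_GEM_LIST = <<~LIST
  foreman_templates 9.3.0
  rchardet 1.8.0
  git 1.7.0
  diffy 3.3.0
LIST

if $PROGRAM_NAME == __FILE__
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_GEM_LIST
  audit_gem_list(text).each do |f|
    puts "#{f[:gem]} #{f[:pinned]} is below #{f[:fixed_in]} (#{f[:advisory]})"
  end
end
```

Run it with a path to a gem.list to audit a real file, or with no arguments to audit the constructed sample; on the sample it reports git and diffy and leaves foreman_templates and rchardet alone. The version comparison uses Gem::Version rather than string comparison so that 1.7.0 sorts correctly below 1.11.0.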
Updated by Konstantin Orekhov over 1 year ago
> For this particular case it's https://github.com/theforeman/foreman-packaging/blob/e1d11c42c92c5422e221d8e747ebbc6f697c14f0/plugins/ruby-foreman-templates/debian/gem.list#L3-L4 so a PR would speed things up.
OK, thanks for the suggestion, I'll definitely do that. But just one more question on that: do you want me to submit a PR to deb/develop or deb/3.6? Or both?
Updated by Konstantin Orekhov over 1 year ago
Submitted https://github.com/theforeman/foreman-packaging/pull/9398 (for deb/3.6) and https://github.com/theforeman/foreman-packaging/pull/9397 (for deb/develop).
Updated by Ewoud Kohl van Wijngaarden over 1 year ago
We usually first make a PR to deb/develop and then cherry pick what's merged to any stable branches.
Updated by Konstantin Orekhov over 1 year ago
Feel free to reject my PR into deb/3.6 then and follow your established procedure. I was not entirely sure regarding the exact process and just followed the instructions from https://github.com/theforeman/foreman-packaging/blob/deb/develop/README.md?plain=1#L10-L11.
Thanks!
Updated by Konstantin Orekhov over 1 year ago
Clean single-commit PR submitted: https://github.com/theforeman/foreman-packaging/pull/9400
Updated by Evgeni Golov over 1 year ago
- Pull request https://github.com/theforeman/foreman-packaging/pull/9400 added
Updated by Anonymous over 1 year ago
- Status changed from New to Closed
Applied in changeset foreman-packaging|eb53ec88064c286bf281d7b941c1bb409ccd805d.
Updated by Konstantin Orekhov over 1 year ago
Hello, all!
So, I see that the nightly repo has a new package already, but I was wondering how soon it'll appear in 3.6?
Thanks!
Updated by Ewoud Kohl van Wijngaarden over 1 year ago
We do cherry pick PRs. So that means you update your deb/develop and use git cherry-pick -x COMMIT to create a cherry pick commit in deb/3.6. Once we merge that, it'll be available once all pipelines run.
Side note: we've been looking at ways to automate cherry picks, but haven't gotten around to that yet.
Updated by The Foreman Bot over 1 year ago
- Pull request https://github.com/theforeman/foreman-packaging/pull/9405 added
Updated by Evgeni Golov over 1 year ago
- Category deleted (Debian/Ubuntu)
- Fixed in Releases 3.6.2, 3.7.0 added
Updated by Evgeni Golov over 1 year ago
- Category set to Debian/Ubuntu
- Assignee set to Konstantin Orekhov
Updated by Ewoud Kohl van Wijngaarden over 1 year ago
- Triaged changed from No to Yes