* lib/rubygems: Update to RubyGems 2.1.0. Fixes CVE-2013-4287.

  See http://rubygems.rubyforge.org/rubygems-update/CVE-2013-4287_txt.html
  for CVE information.

  See http://rubygems.rubyforge.org/rubygems-update/History_txt.html#label-2.1.0+%2F+2013-09-09
  for release notes.

* test/rubygems:  Tests for the above.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@42898 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

1 files changed, 6 insertions, 2 deletions

diff --git a/lib/rubygems/dependency_resolver.rb b/lib/rubygems/dependency_resolver.rb
index e5c05972d8..721fd43c51 100644
--- a/lib/rubygems/dependency_resolver.rb
+++ b/lib/rubygems/dependency_resolver.rb
@@ -79,7 +79,9 @@ class Gem::DependencyResolver
     needed = nil
 
     @needed.reverse_each do |n|
-      needed = Gem::List.new(Gem::DependencyResolver::DependencyRequest.new(n, nil), needed)
+      request = Gem::DependencyResolver::DependencyRequest.new n, nil
+
+      needed = Gem::List.new request, needed
     end
 
     res = resolve_for needed, nil
@@ -162,7 +164,9 @@ class Gem::DependencyResolver
 
         # Sort them so that we try the highest versions
         # first.
-        possible = possible.sort_by { |s| [s.source, s.version] }
+        possible = possible.sort_by do |s|
+          [s.source, s.version, s.platform == Gem::Platform::RUBY ? -1 : 1]
+        end
 
         # We track the conflicts seen so that we can report them
         # to help the user figure out how to fix the situation.