Backport RubyGems 3.0.3: [Backport #15637]

	* Fixed following vulnerabilities:
	  * CVE-2019-8320: Delete directory using symlink when decompressing tar
	  * CVE-2019-8321: Escape sequence injection vulnerability in verbose
	  * CVE-2019-8322: Escape sequence injection vulnerability in gem owner
	  * CVE-2019-8323: Escape sequence injection vulnerability in API response handling
	  * CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
	  * CVE-2019-8325: Escape sequence injection vulnerability in errors

	* see also https://blog.rubygems.org/2019/03/05/3.0.3-released.html


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67182 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

1 files changed, 4 insertions, 1 deletions

diff --git a/lib/rubygems/commands/owner_command.rb b/lib/rubygems/commands/owner_command.rb
index 799f31704a..22b7327683 100644
--- a/lib/rubygems/commands/owner_command.rb
+++ b/lib/rubygems/commands/owner_command.rb
@@ -2,8 +2,11 @@
 require 'rubygems/command'
 require 'rubygems/local_remote_options'
 require 'rubygems/gemcutter_utilities'
+require 'rubygems/text'
 
 class Gem::Commands::OwnerCommand < Gem::Command
+
+  include Gem::Text
   include Gem::LocalRemoteOptions
   include Gem::GemcutterUtilities
 
@@ -65,7 +68,7 @@ permission to.
     end
 
     with_response response do |resp|
-      owners = Gem::SafeYAML.load resp.body
+      owners = Gem::SafeYAML.load clean_text(resp.body)
 
       say "Owners for gem: #{name}"
       owners.each do |owner|