From ${URL} : Tasha Drew reports: Researchers investigating the Rails parameter parsing vulnerability discovered that the same or similar vulnerable code had made its way into multiple other libraries. If your application uses these libraries to process untrusted data, it may still be vulnerable even if you have upgraded Rails. Check your Gemfile and Gemfile.lock for vulnerable versions of the following libraries, and if you are using one, update it immediately. You can update each of these by using "bundle update <gem name>". crack Vulnerable: <= 0.3.1 Fixed: 0.3.2 External references: https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately https://github.com/jnunemaker/crack/commit/e3da1212a1f84a898ee3601336d1dbbf118fb5f6 https://rubygems.org/gems/crack/
Crack 0.3.2 has already been in the tree for several months, so we can mark that stable. =dev-ruby/crack-0.3.2
amd64 stable
x86 stable
New GLSA request filed.
CVE-2013-1800 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1800): The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
This issue was resolved and addressed in GLSA 201404-04 at http://security.gentoo.org/glsa/glsa-201404-04.xml by GLSA coordinator Mikle Kolyada (Zlogene).
