Bug 641090 (CVE-2017-17405) - <dev-lang/ruby-2.2.9: Command injection vulnerability in Net::FTP (CVE-2017-17405)
Summary: <dev-lang/ruby-2.2.9: Command injection vulnerability in Net::FTP (CVE-2017-1...
Status: RESOLVED FIXED
Alias: CVE-2017-17405
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.ruby-lang.org/en/news/201...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-12-15 07:29 UTC by Hans de Graaff
Modified: 2018-02-20 01:00 UTC

See Also:
Package list:
dev-lang/ruby-2.2.9
Runtime testing required: ---
stable-bot: sanity-check+


Description Hans de Graaff gentoo-dev Security 2017-12-15 07:29:07 UTC
There is a command injection vulnerability in Net::FTP bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2017-17405.
Details

Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the pipe character "|", the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.

All users running an affected release should upgrade immediately.

Affected Versions

    Ruby 2.2 series: 2.2.8 and earlier
    Ruby 2.3 series: 2.3.5 and earlier
    Ruby 2.4 series: 2.4.2 and earlier
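The description above explains the mechanism: Kernel#open treats a string beginning with "|" as a command to spawn, and the local file name defaults to File.basename of a server-supplied remote name. The following is an added example (not code from this bug report, from the Ruby project, or from Net::FTP itself) showing how a caller can validate such a name and why File.open is the right primitive for a path that comes from the network. The helper names safe_local_name, open_local_for_write, classify and literal_pipe_name_demo, the UnsafeRemoteName error class and the SAMPLE_REMOTE_NAMES list are all constructed for this example.

```ruby
require 'tmpdir'

# Raised when a server-supplied name cannot be used as a local file name.
# (Hypothetical class for this example.)
class UnsafeRemoteName < ArgumentError; end

# Constructed sample of remote names as an FTP server might return them.
SAMPLE_REMOTE_NAMES = [
  "report.txt",           # ordinary file name
  "dir/nested/file.bin",  # only the basename should be used locally
  "|echo injected",       # the shape described in CVE-2017-17405
  "..",                   # would point at the parent directory
]

# Reduce a remote path to a plain local file name, rejecting anything that
# Kernel#open (or the file system) would interpret as something other than
# a file name. Returns the validated basename.
def safe_local_name(remotefile)
  name = File.basename(remotefile.to_s)
  if name.empty? || name == "." || name == ".."
    raise UnsafeRemoteName, "not a usable file name: #{name.inspect}"
  end
  if name.start_with?("|")
    raise UnsafeRemoteName, "name starts with a pipe: #{name.inspect}"
  end
  raise UnsafeRemoteName, "name contains NUL" if name.include?("\0")
  name
end

# Open the destination with File.open rather than Kernel#open, anchored under
# +dir+. File.open treats every string as a path, so a leading "|" is just a
# character in the name and no process is spawned. Returns the path written.
def open_local_for_write(dir, name, &block)
  path = File.join(dir, name)
  File.open(path, "wb", &block)
  path
end

# Validate each sample name; map it to the local name it would get, or to
# :rejected when the check refuses it.
def classify(names)
  names.map do |n|
    begin
      [n, safe_local_name(n)]
    rescue UnsafeRemoteName
      [n, :rejected]
    end
  end.to_h
end

# Show that File.open keeps a pipe-prefixed string literal: in a temporary
# directory a file named "|echo injected" is created and written, nothing is
# executed. Returns [basename on disk, contents].
def literal_pipe_name_demo
  Dir.mktmpdir do |dir|
    path = open_local_for_write(dir, "|echo injected") { |f| f.write("data") }
    return [File.basename(path), File.read(path)]
  end
end

if __FILE__ == $0
  classify(SAMPLE_REMOTE_NAMES).each { |remote, local| puts "#{remote.inspect} -> #{local.inspect}" }
  puts "File.open wrote: #{literal_pipe_name_demo.inspect}"
end
```

The two halves address different layers: safe_local_name stops a hostile name before it reaches any open call, while open_local_for_write removes the dangerous primitive altogether, so a name that slips past validation still cannot start a process. Using both is cheap; relying on only the first leaves the behaviour of Kernel#open one missed check away.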
Comment 1 Hans de Graaff gentoo-dev Security 2017-12-15 07:35:52 UTC
Fixed versions are available:

dev-lang/ruby-2.2.9
dev-lang/ruby-2.3.6
dev-lang/ruby-2.4.3
Comment 2 Hans de Graaff gentoo-dev Security 2017-12-15 07:37:53 UTC
Since 2.2.9 only contains the single fix to Net::FTP we can proceed with stabling right away.
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-17 09:23:18 UTC
hppa stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-19 22:21:03 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 5 Agostino Sarubbo gentoo-dev 2017-12-20 13:09:52 UTC
amd64 stable
Comment 6 Markus Meier gentoo-dev 2017-12-21 19:28:28 UTC
arm stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-23 20:24:47 UTC
ia64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-24 13:44:53 UTC
ppc/ppc64 stable
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-17 05:10:59 UTC
x86 stable
Comment 10 Hans de Graaff gentoo-dev Security 2018-01-29 08:42:38 UTC
alpha stable
Comment 11 Hans de Graaff gentoo-dev Security 2018-01-29 08:48:05 UTC
vulnerable versions have been removed
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2018-01-29 21:07:59 UTC
GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2018-02-20 01:00:42 UTC
This issue was resolved and addressed in
 GLSA 201802-05 at https://security.gentoo.org/glsa/201802-05
by GLSA coordinator Thomas Deutschmann (whissi).