749363 – (CVE-2020-13802) <dev-util/rebar-bin-3.14.4: Command injection (CVE-2020-13802)

Bug 749363 (CVE-2020-13802) - <dev-util/rebar-bin-3.14.4: Command injection (CVE-2020-13802)

Summary: <dev-util/rebar-bin-3.14.4: Command injection (CVE-2020-13802)

Status:	RESOLVED FIXED

Alias:	CVE-2020-13802

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://vuln.be/post/rebar3-command-i...
Whiteboard:	B2 [glsa+]
Keywords:	PullRequest

Depends on:
Blocks:

Reported:	2020-10-16 01:59 UTC by John Helmert III
Modified:	2024-05-12 05:11 UTC (History)
CC List:	3 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/19953
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2020-10-16 01:59:51 UTC

Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command injection via URL parameter of dependency specification.

Patch: https://github.com/erlang/rebar3/commit/d18e1bea05aa21a92bdbb480643077c0c8b4a00d

Patched in 3.14.0 and beyond according to Github.

Comment 1 Larry the Git Cow gentoo-dev

2021-03-19 08:52:13 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3103eb0734f4183805a63684415e2ab1924ce864

commit 3103eb0734f4183805a63684415e2ab1924ce864
Author:     Matt Smith <matt@offtopica.uk>
AuthorDate: 2021-03-16 14:26:43 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-03-19 08:51:48 +0000

    dev-util/rebar-bin: Drop vulnerable
    
    Bug: https://bugs.gentoo.org/749363
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Matt Smith <matt@offtopica.uk>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-util/rebar-bin/Manifest                |  2 --
 dev-util/rebar-bin/rebar-bin-3.13.2.ebuild | 31 ------------------------------
 dev-util/rebar-bin/rebar-bin-3.6.2.ebuild  | 31 ------------------------------
 3 files changed, 64 deletions(-)

Comment 2 NATTkA bot gentoo-dev

2021-07-29 17:25:43 UTC

Package list is empty or all packages have requested keywords.

Comment 3 Larry the Git Cow gentoo-dev

2022-07-31 18:38:32 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d9f7c4de6f0ea6b162853b8e034a237110a18479

commit d9f7c4de6f0ea6b162853b8e034a237110a18479
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2022-07-31 18:27:12 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2022-07-31 18:37:14 +0000

    dev-util/rebar-bin: treeclean
    
    Closes: https://bugs.gentoo.org/855728
    Bug: https://bugs.gentoo.org/749363
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 dev-util/rebar-bin/Manifest                |  1 -
 dev-util/rebar-bin/metadata.xml            | 29 -----------------------------
 dev-util/rebar-bin/rebar-bin-3.18.0.ebuild | 21 ---------------------
 profiles/package.mask                      |  5 -----
 4 files changed, 56 deletions(-)

Comment 4 Larry the Git Cow gentoo-dev

2024-05-12 05:10:51 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=51dc47cd47c7138b1626f98943b6aaf09118949c

commit 51dc47cd47c7138b1626f98943b6aaf09118949c
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-12 05:10:21 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-12 05:10:47 +0000

    [ GLSA 202405-30 ] Rebar3: Command Injection
    
    Bug: https://bugs.gentoo.org/749363
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-30.xml | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)