Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 882077 (CVE-2022-4064) - <dev-ruby/dalli-3.2.3: code injection via flush_all
Summary: <dev-ruby/dalli-3.2.3: code injection via flush_all
Status: CONFIRMED
Alias: CVE-2022-4064
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/petergoldstein/dal...
Whiteboard: B2 [glsa?]
Keywords:
Depends on: 889964
Blocks:
  Show dependency tree
 
Reported: 2022-11-20 03:07 UTC by John Helmert III
Modified: 2023-01-13 19:13 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-20 03:07:34 UTC
CVE-2022-4064:

A vulnerability was found in Dalli. It has been classified as problematic. Affected is the function self.meta_set of the file lib/dalli/protocol/meta/request_formatter.rb of the component Meta Protocol Handler. The manipulation leads to injection. The exploit has been disclosed to the public and may be used. The name of the patch is 48d594dae55934476fec61789e7a7c3700e0f50d. It is recommended to apply a patch to fix this issue. VDB-214026 is the identifier assigned to this vulnerability.

Patch (in 3.2.3): https://github.com/petergoldstein/dalli/commit/48d594dae55934476fec61789e7a7c3700e0f50d
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-08 17:05:34 UTC
Please cleanup
Comment 2 Hans de Graaff gentoo-dev Security 2023-01-13 09:46:17 UTC
Cleanup done.