Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 621878 (CVE-2015-9096)

Summary: <dev-lang/ruby-{2.2.7-r3, 2.3.4-r3}: SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM commands in Net::SMTP
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ruby
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1461846
Whiteboard: B3 [noglsa cve]
Package list:
dev-lang/ruby-2.2.7-r3
 Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 605536    

Description Agostino Sarubbo gentoo-dev 2017-06-16 07:49:52 UTC 
From ${URL} :

Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA 
substring.

Upstream patch:

https://github.com/ruby/ruby/commit/0827a7e52ba3d957a634b063bf5a391239b9ffee


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Hans de Graaff gentoo-dev Security 2017-07-16 08:16:49 UTC 
We can't mark new slots of ruby stable without a lenghty process, so marking ruby:2.4 stable is not a short-term solution. We may consider backporting this to ruby:2.2 and ruby:2.3.
Comment 2 Hans de Graaff gentoo-dev Security 2017-07-23 08:49:56 UTC 
Fixed in:

dev-lang/ruby-2.2.7-r3
dev-lang/ruby-2.3.4-r3
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2017-08-08 02:09:21 UTC 
@Ruby, ready to stabilize?
Comment 4 Stabilization helper bot gentoo-dev 2017-08-08 06:00:58 UTC 
An automated check of this bug failed - repoman reported dependency errors (12 lines truncated): 

> dependency.bad dev-lang/ruby/ruby-2.2.7-r3.ebuild: DEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r3.ebuild: PDEPEND: sparc(default/linux/sparc/13.0) ['>=dev-ruby/minitest-5.4.3[ruby_targets_ruby22]', '>=dev-ruby/power_assert-0.2.2[ruby_targets_ruby22]', '>=dev-ruby/test-unit-3.0.8[ruby_targets_ruby22]', 'virtual/rubygems[ruby_targets_ruby22]', '>=dev-ruby/json-1.8.1[ruby_targets_ruby22]', '>=dev-ruby/rake-0.9.6[ruby_targets_ruby22]', '>=dev-ruby/rdoc-4.0.1[ruby_targets_ruby22]']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r3.ebuild: RDEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-08-08 14:04:12 UTC 
ia64 stable
Comment 6 Stabilization helper bot gentoo-dev 2017-08-08 15:01:11 UTC 
An automated check of this bug failed - repoman reported dependency errors (12 lines truncated): 

> dependency.bad dev-lang/ruby/ruby-2.2.7-r3.ebuild: DEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r3.ebuild: PDEPEND: sparc(default/linux/sparc/13.0) ['>=dev-ruby/minitest-5.4.3[ruby_targets_ruby22]', '>=dev-ruby/power_assert-0.2.2[ruby_targets_ruby22]', '>=dev-ruby/test-unit-3.0.8[ruby_targets_ruby22]', 'virtual/rubygems[ruby_targets_ruby22]', '>=dev-ruby/json-1.8.1[ruby_targets_ruby22]', '>=dev-ruby/rake-0.9.6[ruby_targets_ruby22]', '>=dev-ruby/rdoc-4.0.1[ruby_targets_ruby22]']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r3.ebuild: RDEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
Comment 7 Markus Meier gentoo-dev 2017-08-23 18:27:22 UTC 
arm stable
Comment 8 Stabilization helper bot gentoo-dev 2017-08-23 19:01:09 UTC 
An automated check of this bug failed - repoman reported dependency errors (151 lines truncated): 

> dependency.bad dev-lang/ruby/ruby-2.2.7-r3.ebuild: DEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r3.ebuild: PDEPEND: sparc(default/linux/sparc/13.0) ['>=dev-ruby/minitest-5.4.3[ruby_targets_ruby22]', '>=dev-ruby/power_assert-0.2.2[ruby_targets_ruby22]', '>=dev-ruby/test-unit-3.0.8[ruby_targets_ruby22]', 'virtual/rubygems[ruby_targets_ruby22]', '>=dev-ruby/json-1.8.1[ruby_targets_ruby22]', '>=dev-ruby/rake-0.9.6[ruby_targets_ruby22]', '>=dev-ruby/rdoc-4.0.1[ruby_targets_ruby22]']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r3.ebuild: RDEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
Comment 9 Stabilization helper bot gentoo-dev 2017-08-24 06:01:00 UTC 
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 10 Matt Turner gentoo-dev 2017-09-01 18:45:19 UTC 
ppc/ppc64 stable
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2017-09-04 07:35:49 UTC 
Stable on alpha.
Comment 12 Hans de Graaff gentoo-dev Security 2017-09-17 06:08:23 UTC 
commit 8993ae97bf0482fbaffed77b1f8b9fc6ba1e954d
Author: Sergei Trofimovich <slyfox@gentoo.org>
Date:   Sat Sep 16 20:13:12 2017 +0100

    dev-lang/ruby: stable 2.2.8 for hppa, bug #631034
Comment 13 Hans de Graaff gentoo-dev Security 2017-10-03 05:28:34 UTC 
Vulnerable versions have been removed.
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2017-10-08 20:36:46 UTC 
GLSA Vote: No