| Summary: | <dev-ruby/rubygems-2.6.13: multiple security vulnerabilities | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Hans de Graaff <graaff> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | ruby |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://blog.rubygems.org/2017/08/27/2.6.13-released.html | | |
| Whiteboard: | B2 [glsa cve] | | |
| Package list: | dev-ruby/rubygems-2.6.13 | | |
| Runtime testing required: | --- | | |
Description
Hans de Graaff
2017-08-28 18:55:25 UTC
CVEs have been assigned:

CVE-2017-0899 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0899): RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
References:
- http://blog.rubygems.org/2017/08/27/2.6.13-released.html
- https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1
- https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491
- https://hackerone.com/reports/226335

CVE-2017-0900 (CVE-2017-0900): RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command.
References:
- http://blog.rubygems.org/2017/08/27/2.6.13-released.html
- https://github.com/rubygems/rubygems/commit/8a38a4fc24c6591e6c8f43d1fadab6efeb4d6251
- https://hackerone.com/reports/243003

CVE-2017-0901 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0901): RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.
References:
- http://blog.rubygems.org/2017/08/27/2.6.13-released.html
- https://github.com/rubygems/rubygems/commit/ad5c0a53a86ca5b218c7976765c0365b91d22cb2
- https://hackerone.com/reports/243156

CVE-2017-0902 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0902): RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
References:
- http://blog.rubygems.org/2017/08/27/2.6.13-released.html
- https://github.com/rubygems/rubygems/commit/8d91516fb7037ecfb27622f605dc40245e0f8d32
- https://hackerone.com/reports/218088

ia64 stable

Stable on alpha.

arm stable

ppc64 stable

hppa stable

ppc stable

amd64 stable

x86 stable

@security: are we going to wait for arm64? Haven't seen any activity by them for some time and they are not security supported, correct? Otherwise we are ready for cleanup and we can proceed with this bug.

(In reply to Hans de Graaff from comment #10)
> @security: are we going to wait for arm64? Haven't seen any activity by them
> for some time and they are not security supported, correct? Otherwise we are
> ready for cleanup and we can proceed with this bug.

ATM no one seems to be working on arm64... I tried to contact them, no answer. Security bugs must proceed since all supported arches are stable now.

@arm64 please try to stabilize before cleanup, if you can't you'll need to open a new stabilization request.

@Hans proceed to cleanup.

New GLSA Request filed.

Gentoo Security Padawan
ChrisADR

This issue was resolved and addressed in GLSA 201710-01 at https://security.gentoo.org/glsa/201710-01 by GLSA coordinator Aaron Bauman (b-man).

re-opened for cleanup.

Vulnerable versions have been removed.
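As an added illustration (not from the bug report and not RubyGems' own code), a small Ruby checker in the spirit of the fixes for CVE-2017-0899 and CVE-2017-0901: it rejects a spec name that is not a safe filename component and flags control or escape characters in fields a client would print to a terminal. The allow-list pattern, the field names and the two sample specs are assumptions constructed for this example.

```ruby
# Added example: sanity-check gem specification fields before they are
# printed to a terminal or used to build a path under the gems directory.
# Not RubyGems' code; the allow-list and field names below are assumptions.

# A name that becomes part of an on-disk filename: letters, digits, '.',
# '-' and '_' only, no path separators, no leading '.' (assumed rule).
SAFE_NAME = /\A[A-Za-z0-9_-][A-Za-z0-9._-]*\z/

# C0 controls (ESC 0x1b included), DEL and C1 controls (0x9b is the 8-bit
# CSI): the bytes that let an echoed description drive a terminal.
# Tab, LF and CR are left alone because descriptions legitimately use them.
CONTROL_CHARS = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f\u0080-\u009f]/

# Fields a client typically prints when listing or querying gems (assumed).
PRINTED_FIELDS = %w[name version summary description authors homepage].freeze

# Returns a list of human-readable problems; an empty list means "looks sane".
def check_spec(spec)
  problems = []
  name = spec["name"].to_s
  unless name.match?(SAFE_NAME)
    problems << "name #{name.inspect} is not a safe filename component"
  end
  PRINTED_FIELDS.each do |field|
    Array(spec[field]).each do |value|
      next unless value.to_s.match?(CONTROL_CHARS)
      problems << "#{field} contains control/escape characters"
    end
  end
  problems
end

# Remove control characters so a record can still be shown safely; a spec
# that tripped check_spec should still be rejected for installation.
def sanitize_for_display(text)
  text.to_s.gsub(CONTROL_CHARS, "")
end

# Constructed sample input: a benign spec and a crafted one.
GOOD_SPEC = { "name" => "rubygems-update", "version" => "2.6.13",
              "summary" => "RubyGems is a package management framework",
              "authors" => ["RubyGems team"] }.freeze
EVIL_SPEC = { "name" => "../../escape", "version" => "1.0.0",
              "summary" => "harmless\e[2J\e[H nothing to see here",
              "description" => "ok", "authors" => ["someone"] }.freeze

if $PROGRAM_NAME == __FILE__
  puts "good: #{check_spec(GOOD_SPEC).inspect}"
  check_spec(EVIL_SPEC).each { |p| puts "evil: #{sanitize_for_display(p)}" }
end
```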