Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 696004 (CVE-2019-15845, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255)

Summary: <dev-lang/ruby-{2.4.9, 2.5.7}: multiple vulnerabilities
Product: Gentoo Security Reporter: Hans de Graaff <graaff>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: ruby
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [glsa+ cve]
Package list:
dev-lang/ruby-2.4.9 dev-lang/ruby-2.5.7 alpha amd64 arm arm64 x86 sparc
Runtime testing required: ---
Bug Depends on: 693358    
Bug Blocks:    

Description Hans de Graaff gentoo-dev 2019-10-01 17:39:02 UTC
https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/

A NUL injection vulnerability of Ruby built-in methods (File.fnmatch and File.fnmatch?) was found. An attacker who has the control of the path pattern parameter could exploit this vulnerability to make path matching pass despite the intention of the program author. CVE-2019-15845 has been assigned to this vulnerability.
Details

Built-in methods File.fnmatch and its alias File.fnmatch? accept the path pattern as their first parameter. When the pattern contains NUL character (\0), the methods recognize that the path pattern ends immediately before the NUL byte. Therefore, a script that uses an external input as the pattern argument, an attacker can make it wrongly match a pathname that is the second parameter.

All users running any affected releases should upgrade as soon as possible.


https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/

Regular expression denial of service vulnerability of WEBrick’s Digest authentication module was found. An attacker can exploit this vulnerability to cause an effective denial of service against a WEBrick service.

CVE-2019-16201 has been assigned to this vulnerability.

All users running any affected releases should upgrade as soon as possible.


https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/

There is an HTTP response splitting vulnerability in WEBrick bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2019-16254.
Details

If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients.

This is the same issue as CVE-2017-17742. The previous fix was incomplete, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.

All users running an affected release should upgrade immediately.


https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/

A code injection vulnerability of Shell#[] and Shell#test in a standard library (lib/shell.rb) was found. The vulnerability has been assigned the CVE identifier CVE-2019-16255.
Details

Shell#[] and its alias Shell#test defined in lib/shell.rb allow code injection if the first argument (aka the “command” argument) is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.

Note that passing untrusted data to methods of Shell is dangerous in general. Users must never do it. However, we treat this particular case as a vulnerability because the purpose of Shell#[] and Shell#[] is considered file testing.

All users running an affected release should upgrade immediately.
Comment 1 Hans de Graaff gentoo-dev 2019-10-01 18:03:31 UTC
Fixed versions 2.4.8, 2.5.7, 2.6.5 are now in the tree.
Comment 2 Stabilization helper bot gentoo-dev 2019-10-02 11:22:16 UTC
An automated check of this bug failed - repoman reported dependency errors (126 lines truncated): 

> dependency.bad dev-lang/ruby/ruby-2.5.7.ebuild: DEPEND: ia64(default/linux/ia64/17.0) ['>=app-eselect/eselect-ruby-20171225']
> dependency.bad dev-lang/ruby/ruby-2.5.7.ebuild: PDEPEND: ia64(default/linux/ia64/17.0) ['>=dev-ruby/did_you_mean-1.2.0:2.5[ruby_targets_ruby25]', '>=dev-ruby/minitest-5.10.3[ruby_targets_ruby25]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby25]', '>=dev-ruby/power_assert-1.1.1[ruby_targets_ruby25]', '>=dev-ruby/rake-12.3.0[ruby_targets_ruby25]', '>=dev-ruby/test-unit-3.2.7[ruby_targets_ruby25]', '>=dev-ruby/xmlrpc-0.3.0[ruby_targets_ruby25]', 'virtual/rubygems[ruby_targets_ruby25]', '>=dev-ruby/json-2.0.2[ruby_targets_ruby25]', '>=dev-ruby/rdoc-6.1.2[ruby_targets_ruby25]']
> dependency.bad dev-lang/ruby/ruby-2.5.7.ebuild: RDEPEND: ia64(default/linux/ia64/17.0) ['>=app-eselect/eselect-ruby-20171225']
> dependency.bad dev-lang/ruby/ruby-2.5.7.ebuild: DEPEND: ia64(default/linux/ia64/17.0) ['>=app-eselect/eselect-ruby-20171225']
> dependency.bad dev-lang/ruby/ruby-2.5.7.ebuild: PDEPEND: ia64(default/linux/ia64/17.0) ['>=dev-ruby/did_you_mean-1.2.0:2.5[ruby_targets_ruby25]', '>=dev-ruby/minitest-5.10.3[ruby_targets_ruby25]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby25]', '>=dev-ruby/power_assert-1.1.1[ruby_targets_ruby25]', '>=dev-ruby/rake-12.3.0[ruby_targets_ruby25]', '>=dev-ruby/test-unit-3.2.7[ruby_targets_ruby25]', '>=dev-ruby/xmlrpc-0.3.0[ruby_targets_ruby25]', 'virtual/rubygems[ruby_targets_ruby25]', '>=dev-ruby/json-2.0.2[ruby_targets_ruby25]', '>=dev-ruby/rdoc-6.1.2[ruby_targets_ruby25]']
> dependency.bad dev-lang/ruby/ruby-2.5.7.ebuild: RDEPEND: ia64(default/linux/ia64/17.0) ['>=app-eselect/eselect-ruby-20171225']
Comment 3 Stabilization helper bot gentoo-dev 2019-10-03 07:03:52 UTC
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 4 Agostino Sarubbo gentoo-dev 2019-10-03 08:40:08 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-10-03 08:40:41 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-10-03 09:41:33 UTC
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-10-04 11:55:09 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-10-04 12:58:05 UTC
x86 stable
Comment 9 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-10-06 19:06:59 UTC
arm64 stable
Comment 10 Matt Turner gentoo-dev 2019-10-06 22:57:44 UTC
alpha stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-10-07 07:29:10 UTC
s390 stable
Comment 12 Agostino Sarubbo gentoo-dev 2019-10-07 19:26:33 UTC
ia64 stable
Comment 13 Sergei Trofimovich gentoo-dev 2019-10-11 22:41:38 UTC
hppa stable
Comment 14 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-10-20 08:54:28 UTC
arm stable
Comment 15 Thomas Deutschmann gentoo-dev Security 2019-10-26 17:39:00 UTC
New GLSA request filed.

@ maintainer(s): Please cleanup and drop =dev-lang/ruby-{2.4.7,2.5.6,2.6.5}!
Comment 16 Hans de Graaff gentoo-dev 2019-10-27 06:52:27 UTC
cleanup done.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2020-03-13 02:31:46 UTC
This issue was resolved and addressed in
 GLSA 202003-06 at https://security.gentoo.org/glsa/202003-06
by GLSA coordinator Thomas Deutschmann (whissi).