
Bug 749363 (CVE-2020-13802)

Summary: <dev-util/rebar-bin-3.14.4: Command injection (CVE-2020-13802)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED ---
Severity: normal
CC: flow, matthew, proxy-maint
Priority: Normal
Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://vuln.be/post/rebar3-command-injection/
See Also: https://github.com/gentoo/gentoo/pull/19953
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description John Helmert III 2020-10-16 01:59:51 UTC
Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command injection via the URL parameter of a dependency specification.

Patch: https://github.com/erlang/rebar3/commit/d18e1bea05aa21a92bdbb480643077c0c8b4a00d

Patched in 3.14.0 and beyond according to GitHub.
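Two checks a packager or operator would want next to this report, as an added example that is not part of the bug, of rebar3 or of Gentoo's tooling: a version-range test for the affected releases named in the description, and a heuristic scan of a rebar.config for dependency URLs carrying shell metacharacters. The range test treats everything from 3.0.0-beta.3 up to but excluding the 3.14.0 fix as unpatched, which is an assumption made here (the description names 3.13.2 as the last affected release); the metacharacter list and the sample rebar.config are constructed for this example and say nothing about how rebar3 itself builds its commands.

```python
import re

# Bounds taken from the bug description: affected from 3.0.0-beta.3, patched in 3.14.0.
# Assumption for this example: any version below the fix is treated as unpatched.
FIRST_AFFECTED = "3.0.0-beta.3"
FIRST_FIXED = "3.14.0"


def version_key(version: str):
    """Sortable key for rebar3-style versions such as '3.13.2' or '3.0.0-beta.3'.

    A final release sorts after any pre-release of the same number, and
    pre-release parts compare numerically when they are digits.
    """
    core, _, pre = version.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    if not pre:
        return (nums, 1, ())
    parts = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (nums, 0, parts)


def is_affected(version: str) -> bool:
    """True if `version` lies in [FIRST_AFFECTED, FIRST_FIXED)."""
    key = version_key(version)
    return version_key(FIRST_AFFECTED) <= key < version_key(FIRST_FIXED)


# Characters that would matter if a URL were ever interpolated into a shell
# command line; the list is a heuristic chosen for this example.
SHELL_META = re.compile(r"[;&|`$<>\n]|\$\(")
# Double-quoted strings with a URL scheme, as they appear in rebar.config deps.
URL_STRING = re.compile(r'"((?:https?|git|ssh)://[^"]*)"')


def suspicious_dep_urls(rebar_config: str):
    """Return dependency URL strings from a rebar.config that contain shell metacharacters."""
    return [u for u in URL_STRING.findall(rebar_config) if SHELL_META.search(u)]


# Constructed sample rebar.config: one ordinary git dependency and one whose URL
# smuggles a shell command after a ';'. Hosts are placeholders, not real repositories.
SAMPLE_REBAR_CONFIG = """
{deps, [
  {cowboy, {git, "https://example.invalid/cowboy.git", {tag, "2.8.0"}}},
  {evil,   {git, "https://example.invalid/repo.git; touch /tmp/pwned", {branch, "main"}}}
]}.
"""

if __name__ == "__main__":
    for v in ("3.6.2", "3.13.2", "3.14.4"):
        print(v, "affected" if is_affected(v) else "not affected")
    print("suspicious URLs:", suspicious_dep_urls(SAMPLE_REBAR_CONFIG))
```

Run it against a real rebar.config by reading the file into `suspicious_dep_urls`; a hit is a reason to inspect the dependency, not proof of exploitation, and the version check is what decides whether the installed rebar3 needs upgrading to 3.14.0 or later.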
Comment 1 Larry the Git Cow 2021-03-19 08:52:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3103eb0734f4183805a63684415e2ab1924ce864

commit 3103eb0734f4183805a63684415e2ab1924ce864
Author:     Matt Smith <matt@offtopica.uk>
AuthorDate: 2021-03-16 14:26:43 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-03-19 08:51:48 +0000

    dev-util/rebar-bin: Drop vulnerable
    
    Bug: https://bugs.gentoo.org/749363
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Matt Smith <matt@offtopica.uk>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-util/rebar-bin/Manifest                |  2 --
 dev-util/rebar-bin/rebar-bin-3.13.2.ebuild | 31 ------------------------------
 dev-util/rebar-bin/rebar-bin-3.6.2.ebuild  | 31 ------------------------------
 3 files changed, 64 deletions(-)
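Review bot: the commit message does not say which version stays in tree as the fixed one; the summary's <3.14.4 bound is worth stating in the message so the drop can be checked without opening the bug. The two ebuilds removed, rebar-bin-3.13.2 and rebar-bin-3.6.2, both fall inside the 3.0.0-beta.3 to 3.13.2 range in the description, so the removal matches the advisory, and the `Bug:` trailer rather than `Closes:` is consistent with the [glsa] whiteboard entry keeping the bug open until the advisory is published.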
Comment 2 NATTkA bot 2021-07-29 17:25:43 UTC
Package list is empty or all packages have requested keywords.
Comment 3 Larry the Git Cow 2022-07-31 18:38:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d9f7c4de6f0ea6b162853b8e034a237110a18479

commit d9f7c4de6f0ea6b162853b8e034a237110a18479
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2022-07-31 18:27:12 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2022-07-31 18:37:14 +0000

    dev-util/rebar-bin: treeclean
    
    Closes: https://bugs.gentoo.org/855728
    Bug: https://bugs.gentoo.org/749363
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 dev-util/rebar-bin/Manifest                |  1 -
 dev-util/rebar-bin/metadata.xml            | 29 -----------------------------
 dev-util/rebar-bin/rebar-bin-3.18.0.ebuild | 21 ---------------------
 profiles/package.mask                      |  5 -----
 4 files changed, 56 deletions(-)
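Review bot: the diffstat removes the package.mask entry (profiles/package.mask, 5 lines) in the same commit as the last ebuild, rebar-bin-3.18.0, and metadata.xml, so no mask for an absent package is left behind; that is the right ordering for a treeclean. The trailers use `Closes:` for bug 855728 but only `Bug:` for this bug, which again leaves 749363 open for the GLSA rather than closing it with the package gone.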