Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 882077 (CVE-2022-4064)

Summary: <dev-ruby/dalli-3.2.3: code injection via flush_all
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: ruby
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/petergoldstein/dalli/issues/932
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 889964    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-20 03:07:34 UTC 
CVE-2022-4064:

A vulnerability was found in Dalli. It has been classified as problematic. Affected is the function self.meta_set of the file lib/dalli/protocol/meta/request_formatter.rb of the component Meta Protocol Handler. The manipulation leads to injection. The exploit has been disclosed to the public and may be used. The name of the patch is 48d594dae55934476fec61789e7a7c3700e0f50d. It is recommended to apply a patch to fix this issue. VDB-214026 is the identifier assigned to this vulnerability.

Patch (in 3.2.3): https://github.com/petergoldstein/dalli/commit/48d594dae55934476fec61789e7a7c3700e0f50d
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-08 17:05:34 UTC 
Please cleanup
Comment 2 Hans de Graaff gentoo-dev Security 2023-01-13 09:46:17 UTC 
Cleanup done.