Bug 749363 (CVE-2020-13802) - dev-util/rebar{,-bin}: Command injection (CVE-2020-13802)
Summary: dev-util/rebar{,-bin}: Command injection (CVE-2020-13802)
Status: CONFIRMED
Alias: CVE-2020-13802
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://vuln.be/post/rebar3-command-i...
Whiteboard: B2 [ebuild]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2020-10-16 01:59 UTC by John Helmert III
Modified: 2021-07-29 17:25 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description John Helmert III gentoo-dev Security 2020-10-16 01:59:51 UTC
Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command injection via the URL parameter of a dependency specification.

Patch: https://github.com/erlang/rebar3/commit/d18e1bea05aa21a92bdbb480643077c0c8b4a00d

Patched in 3.14.0 and beyond according to GitHub.
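The bug class named above, as an added illustration that is not rebar3's code (rebar3 is written in Erlang; Python is used here only so the demo runs anywhere): a build tool that fetches a dependency by interpolating its URL into a shell command line, beside two hardened forms. The stand-in command is `echo clone <url>` rather than `git clone`, so the only effect of a successful injection is an extra line of output; the URLs, the `fetch_*` helpers and the allowlist regex are all constructed for this example and are not taken from the linked patch.

```python
"""Constructed illustration of OS command injection through a dependency URL.

Added example, not rebar3's own code. A build tool shells out to
`git clone <url>`; here the harmless stand-in `echo clone <url>` is used so
the demo runs offline and a successful injection only prints an extra line.
"""
import re
import shlex
import subprocess

# Constructed malicious dependency URL: `;` ends the intended command and
# starts an attacker-chosen one when the string reaches /bin/sh.
EVIL_URL = "https://example.invalid/dep.git; echo INJECTED"
BENIGN_URL = "https://example.invalid/dep.git"

# Hypothetical allowlist for what a dependency URL may contain; the scheme
# list and character set are assumptions for this example, not rebar3's rules.
_URL_RE = re.compile(r"^(https?|git|ssh)://[A-Za-z0-9._~:/@%+-]+$")


def fetch_vulnerable(url: str) -> str:
    """Vulnerable: the URL is spliced into a command string parsed by a shell."""
    cmd = f"echo clone {url}"  # the whole line goes through /bin/sh -c
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def fetch_argv(url: str) -> str:
    """Hardened: the URL is a single argv element and never sees a shell."""
    out = subprocess.run(["echo", "clone", url], capture_output=True, text=True)
    return out.stdout


def fetch_quoted(url: str) -> str:
    """Hardened when a shell is unavoidable: shell-quote the URL first.

    This is the general shape of an escaping fix; the actual escaping routine
    used by the rebar3 patch is not reproduced here.
    """
    cmd = f"echo clone {shlex.quote(url)}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def validate_url(url: str) -> bool:
    """Defence in depth: reject any URL with characters outside the allowlist."""
    return _URL_RE.fullmatch(url) is not None


if __name__ == "__main__":
    print(repr(fetch_vulnerable(EVIL_URL)))  # two lines: the injected echo ran
    print(repr(fetch_argv(EVIL_URL)))        # one line: URL passed literally
    print(repr(fetch_quoted(EVIL_URL)))      # one line: metacharacters quoted
    print(validate_url(BENIGN_URL), validate_url(EVIL_URL))
```

Run it and compare the first line of output with the other two: only `fetch_vulnerable` executes the second command. The argv form is preferable to quoting because it removes the shell from the path entirely; the allowlist check is a separate layer that also catches URLs that would be accepted by `git` but abuse its own option parsing (a leading `-`, for instance), which neither quoting nor argv construction addresses on its own.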
Comment 1 Larry the Git Cow gentoo-dev 2021-03-19 08:52:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3103eb0734f4183805a63684415e2ab1924ce864

commit 3103eb0734f4183805a63684415e2ab1924ce864
Author:     Matt Smith <matt@offtopica.uk>
AuthorDate: 2021-03-16 14:26:43 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-03-19 08:51:48 +0000

    dev-util/rebar-bin: Drop vulnerable
    
    Bug: https://bugs.gentoo.org/749363
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Matt Smith <matt@offtopica.uk>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-util/rebar-bin/Manifest                |  2 --
 dev-util/rebar-bin/rebar-bin-3.13.2.ebuild | 31 ------------------------------
 dev-util/rebar-bin/rebar-bin-3.6.2.ebuild  | 31 ------------------------------
 3 files changed, 64 deletions(-)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:25:43 UTC
Package list is empty or all packages have requested keywords.