Bug 621878 (CVE-2015-9096) - <dev-lang/ruby-{2.2.7-r3, 2.3.4-r3}: SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM commands in Net::SMTP
Summary: <dev-lang/ruby-{2.2.7-r3, 2.3.4-r3}: SMTP command injection via CRLF sequence...
Status: RESOLVED FIXED
Alias: CVE-2015-9096
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2016-2337, CVE-2016-2339
Reported: 2017-06-16 07:49 UTC by Agostino Sarubbo
Modified: 2017-10-08 20:36 UTC

See Also:
Package list:
dev-lang/ruby-2.2.7-r3
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2017-06-16 07:49:52 UTC
From ${URL}:

Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.

Upstream patch:

https://github.com/ruby/ruby/commit/0827a7e52ba3d957a634b063bf5a391239b9ffee


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
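The failure mode described in the report, as an added illustration that is not part of the bug or of Ruby's net/smtp source: a naive client interpolates the envelope address straight into the MAIL FROM / RCPT TO lines, so a CR or LF inside the address ends the command early and whatever follows is read by the server as a further command line. The validator below rejects such input before it reaches the wire, in the spirit of the upstream fix; helper names (build_envelope_commands, command_line_count, safe_address?, hardened_envelope) are assumed for this example.

```ruby
# Added example, not code from the bug report or from Ruby's own Net::SMTP.
# Shows why a CR/LF in an envelope address is a command-injection primitive
# and how a pre-send check closes the hole. Helper names are hypothetical.

CRLF = "\r\n".freeze

# Mirrors the vulnerable pattern: the address is interpolated verbatim into
# the SMTP envelope commands. With clean input this yields exactly two lines.
def build_envelope_commands(from, to)
  "MAIL FROM:<#{from}>#{CRLF}RCPT TO:<#{to}>#{CRLF}"
end

# How many protocol lines the server would actually see for this envelope.
# A clean envelope gives 2; any embedded CRLF in an address raises the count.
def command_line_count(from, to)
  build_envelope_commands(from, to).split(/\r\n/).size
end

# Defensive check: an envelope address must never contain CR or LF.
# The upstream fix applies an equivalent check to each command line before
# it is written to the socket; here it is applied to the addresses directly.
def safe_address?(addr)
  !addr.match?(/[\r\n]/)
end

# Hardened form: refuse to build the envelope at all when either address
# fails the check, so no unexpected line can ever reach the server.
def hardened_envelope(from, to)
  [from, to].each do |addr|
    raise ArgumentError, "A line must not contain CR or LF" unless safe_address?(addr)
  end
  build_envelope_commands(from, to)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: the second address carries an embedded CRLF.
  clean = "alice@example.test"
  tainted = "alice@example.test\r\nX"
  puts "clean envelope lines:   #{command_line_count(clean, 'bob@example.test')}"
  puts "tainted envelope lines: #{command_line_count(tainted, 'bob@example.test')}"
  begin
    hardened_envelope(tainted, "bob@example.test")
  rescue ArgumentError => e
    puts "hardened form rejected input: #{e.message}"
  end
end
```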
Comment 1 Hans de Graaff gentoo-dev 2017-07-16 08:16:49 UTC
We can't mark new slots of ruby stable without a lengthy process, so marking ruby:2.4 stable is not a short-term solution. We may consider backporting this to ruby:2.2 and ruby:2.3.
Comment 2 Hans de Graaff gentoo-dev 2017-07-23 08:49:56 UTC
Fixed in:

dev-lang/ruby-2.2.7-r3
dev-lang/ruby-2.3.4-r3
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-08-08 02:09:21 UTC
@Ruby, ready to stabilize?
Comment 4 Stabilization helper bot gentoo-dev 2017-08-08 06:00:58 UTC
An automated check of this bug failed - repoman reported dependency errors (12 lines truncated): 

> dependency.bad dev-lang/ruby/ruby-2.2.7-r3.ebuild: DEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r3.ebuild: PDEPEND: sparc(default/linux/sparc/13.0) ['>=dev-ruby/minitest-5.4.3[ruby_targets_ruby22]', '>=dev-ruby/power_assert-0.2.2[ruby_targets_ruby22]', '>=dev-ruby/test-unit-3.0.8[ruby_targets_ruby22]', 'virtual/rubygems[ruby_targets_ruby22]', '>=dev-ruby/json-1.8.1[ruby_targets_ruby22]', '>=dev-ruby/rake-0.9.6[ruby_targets_ruby22]', '>=dev-ruby/rdoc-4.0.1[ruby_targets_ruby22]']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r3.ebuild: RDEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-08-08 14:04:12 UTC
ia64 stable
Comment 6 Stabilization helper bot gentoo-dev 2017-08-08 15:01:11 UTC
An automated check of this bug failed - repoman reported dependency errors (12 lines truncated): 

> dependency.bad dev-lang/ruby/ruby-2.2.7-r3.ebuild: DEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r3.ebuild: PDEPEND: sparc(default/linux/sparc/13.0) ['>=dev-ruby/minitest-5.4.3[ruby_targets_ruby22]', '>=dev-ruby/power_assert-0.2.2[ruby_targets_ruby22]', '>=dev-ruby/test-unit-3.0.8[ruby_targets_ruby22]', 'virtual/rubygems[ruby_targets_ruby22]', '>=dev-ruby/json-1.8.1[ruby_targets_ruby22]', '>=dev-ruby/rake-0.9.6[ruby_targets_ruby22]', '>=dev-ruby/rdoc-4.0.1[ruby_targets_ruby22]']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r3.ebuild: RDEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
Comment 7 Markus Meier gentoo-dev 2017-08-23 18:27:22 UTC
arm stable
Comment 8 Stabilization helper bot gentoo-dev 2017-08-23 19:01:09 UTC
An automated check of this bug failed - repoman reported dependency errors (151 lines truncated): 

> dependency.bad dev-lang/ruby/ruby-2.2.7-r3.ebuild: DEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r3.ebuild: PDEPEND: sparc(default/linux/sparc/13.0) ['>=dev-ruby/minitest-5.4.3[ruby_targets_ruby22]', '>=dev-ruby/power_assert-0.2.2[ruby_targets_ruby22]', '>=dev-ruby/test-unit-3.0.8[ruby_targets_ruby22]', 'virtual/rubygems[ruby_targets_ruby22]', '>=dev-ruby/json-1.8.1[ruby_targets_ruby22]', '>=dev-ruby/rake-0.9.6[ruby_targets_ruby22]', '>=dev-ruby/rdoc-4.0.1[ruby_targets_ruby22]']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r3.ebuild: RDEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
Comment 9 Stabilization helper bot gentoo-dev 2017-08-24 06:01:00 UTC
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 10 Matt Turner gentoo-dev 2017-09-01 18:45:19 UTC
ppc/ppc64 stable
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2017-09-04 07:35:49 UTC
Stable on alpha.
Comment 12 Hans de Graaff gentoo-dev 2017-09-17 06:08:23 UTC
commit 8993ae97bf0482fbaffed77b1f8b9fc6ba1e954d
Author: Sergei Trofimovich <slyfox@gentoo.org>
Date:   Sat Sep 16 20:13:12 2017 +0100

    dev-lang/ruby: stable 2.2.8 for hppa, bug #631034
Comment 13 Hans de Graaff gentoo-dev 2017-10-03 05:28:34 UTC
Vulnerable versions have been removed.
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-08 20:36:46 UTC
GLSA Vote: No