Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 631034 (CVE-2017-0898, CVE-2017-10784, CVE-2017-14033) - <dev-lang/ruby-{2.2.8,2.3.5,2.4.2}: multiple vulnerabilities
Summary: <dev-lang/ruby-{2.2.8,2.3.5,2.4.2}: multiple vulnerabilities
Alias: CVE-2017-0898, CVE-2017-10784, CVE-2017-14033
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa cve]
Depends on:
Blocks: CVE-2017-14064
  Show dependency tree
Reported: 2017-09-15 06:26 UTC by Hans de Graaff
Modified: 2017-11-30 20:10 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev Security 2017-09-15 06:26:39 UTC
Affected versions:

Ruby 2.2 series: 2.2.7 and earlier
Ruby 2.3 series: 2.3.4 and earlier
Ruby 2.4 series: 2.4.1 and earlier

CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf

If a malicious format string which contains a precious specifier (*) is passed and a huge minus value is also passed to the specifier, buffer underrun may be caused. In such situation, the result may contains heap, or the Ruby interpreter may crash.

CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick

When using the Basic authentication of WEBrick, clients can pass an arbitrary string as the user name. WEBrick outputs the passed user name intact to its log, then an attacker can inject malicious escape sequences to the log and dangerous control characters may be executed on a victim’s terminal emulator.

CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode

If a malicious string is passed to the decode method of OpenSSL::ASN1, buffer underrun may be caused and the Ruby interpreter may crash.

CVE-2017-14064: Heap exposure vulnerability in generating JSON

The generate method of JSON module optionally accepts an instance of JSON::Ext::Generator::State class. If a malicious instance is passed, the result may include contents of heap.

This bug is already fixed in bug 629484
Comment 1 Hans de Graaff gentoo-dev Security 2017-09-15 07:29:23 UTC
Fixed versions have been added:


Only the 2.2 slot is stable, so we can proceed with marking dev-lang/ruby-2.2.8 stable.
Comment 2 Tobias Klausmann (RETIRED) gentoo-dev 2017-09-15 15:40:17 UTC
Stable on alpha.
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-16 11:09:23 UTC
ia64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-16 19:14:03 UTC
hppa stable
Comment 5 Markus Meier gentoo-dev 2017-09-18 04:30:47 UTC
arm stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-23 12:42:14 UTC
ppc64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-23 19:47:55 UTC
ppc stable
Comment 8 Manuel Rüger (RETIRED) gentoo-dev 2017-10-02 12:54:25 UTC
amd64 stable
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-02 23:45:33 UTC
x86 stable

@ Maintainer(s): Please cleanup!
Comment 10 Hans de Graaff gentoo-dev Security 2017-10-03 05:27:26 UTC
Vulnerable versions have been removed.
Comment 11 D'juan McDonald (domhnall) 2017-10-16 18:47:36 UTC
@security, please vote on GLSA, thank you.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-10-18 00:54:49 UTC
This issue was resolved and addressed in
 GLSA 201710-18 at
by GLSA coordinator Aaron Bauman (b-man).
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-30 20:10:49 UTC
sparc stable (thanks to Rolf Eike Beer)