CVE-2017-17742: HTTP response splitting in WEBrick
CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
CVE-2018-8777: DoS by large request in WEBrick
CVE-2018-8778: Buffer under-read in String#unpack
CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir

Affected versions:
<dev-lang/ruby-2.2.10
<dev-lang/ruby-2.3.5
<dev-lang/ruby-2.4.4
<dev-lang/ruby-2.5.1
Fixed versions are now available.
Please test and mark stable.
An automated check of this bug failed - repoman reported dependency errors (4 lines truncated).
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=66f2619ef760bdb938c109f07de6fbe009e75b7d
commit 66f2619ef760bdb938c109f07de6fbe009e75b7d
Author: Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-04-03 20:24:51 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-03 21:07:21 +0000

    dev-lang/ruby: stable 2.3.7 for sparc

    Bug: https://bugs.gentoo.org/651884
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 dev-lang/ruby/ruby-2.3.7.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=370e4e1b0707bfaeb281245890620afcb516b19e
commit 370e4e1b0707bfaeb281245890620afcb516b19e
Author: Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-04-03 20:23:18 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-03 21:07:21 +0000

    dev-lang/ruby: stable 2.2.10 for sparc

    Bug: https://bugs.gentoo.org/651884
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 dev-lang/ruby/ruby-2.2.10.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
x86 stable
amd64 stable
ia64 stable
An automated check of this bug failed - repoman reported dependency errors (14 lines truncated).
alpha stable
An automated check of this bug succeeded - the previous repoman errors are now resolved.
arm stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=29a804f86af7076d99446b99184a780d33fa2df7
commit 29a804f86af7076d99446b99184a780d33fa2df7
Author: Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-04-20 21:27:00 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-20 21:27:33 +0000

    dev-lang/ruby: stable 2.3.7 for ppc64, bug #651884

    Bug: https://bugs.gentoo.org/651884
    Package-Manager: Portage-2.3.28, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc64"

 dev-lang/ruby/ruby-2.3.7.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3c16067c7ee6fe1f5fd69767ebf2220e316ee057
commit 3c16067c7ee6fe1f5fd69767ebf2220e316ee057
Author: Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-04-20 21:26:53 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-20 21:27:33 +0000

    dev-lang/ruby: stable 2.2.10 for ppc64, bug #651884

    Bug: https://bugs.gentoo.org/651884
    Package-Manager: Portage-2.3.28, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc64"

 dev-lang/ruby/ruby-2.2.10.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
hppa stable
CVE-2018-8780 (https://nvd.nist.gov/vuln/detail/CVE-2018-8780):
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the Dir.open, Dir.new, Dir.entries and Dir.empty? methods do not check NULL characters. When using the corresponding method, unintentional directory traversal may be performed.

CVE-2018-8779 (https://nvd.nist.gov/vuln/detail/CVE-2018-8779):
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the UNIXServer.open and UNIXSocket.open methods are not checked for null characters. It may be connected to an unintended socket.

CVE-2018-8778 (https://nvd.nist.gov/vuln/detail/CVE-2018-8778):
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker controlling the unpacking format (similar to format string vulnerabilities) can trigger a buffer under-read in the String#unpack method, resulting in a massive and controlled information disclosure.

CVE-2018-8777 (https://nvd.nist.gov/vuln/detail/CVE-2018-8777):
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker can pass a large HTTP request with a crafted header to WEBrick server or a crafted body to WEBrick server/handler and cause a denial of service (memory consumption).

CVE-2018-6914 (https://nvd.nist.gov/vuln/detail/CVE-2018-6914):
Directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library in Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 might allow attackers to create arbitrary directories or files via a .. (dot dot) in the prefix argument.

CVE-2017-17742 (https://nvd.nist.gov/vuln/detail/CVE-2017-17742):
Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick.
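As an added illustration (not code from this bug, from Gentoo or from the Ruby project), the following script turns the version ranges quoted above into a check an operator can run against an installed interpreter, and shows the input validation an application should apply to caller-supplied Dir / Dir.mktmpdir names while unpatched versions are still deployed. The function names and the "sess_" prefix are assumptions of this example.

```ruby
# Added example: not part of the Gentoo bug or of Ruby itself.
require "tmpdir"

# Series => first release carrying the fixes for all six CVEs (per NVD text).
FIXED_IN = {
  "2.2" => Gem::Version.new("2.2.10"),
  "2.3" => Gem::Version.new("2.3.7"),
  "2.4" => Gem::Version.new("2.4.4"),
  "2.5" => Gem::Version.new("2.5.1"),
}.freeze
# NVD lists this prerelease separately as affected.
AFFECTED_PREVIEW = Gem::Version.new("2.6.0-preview1")

# true if an interpreter reporting this version string still carries the CVEs.
def affected?(version_string)
  v = Gem::Version.new(version_string)
  return true if v == AFFECTED_PREVIEW
  series = v.segments[0, 2].join(".")
  fixed = FIXED_IN[series]
  return v < fixed if fixed
  # Anything older than the 2.2 series is "before 2.2.10" and so affected;
  # 2.6.0 final and later are outside the advisory.
  v < FIXED_IN["2.2"]
end

# Reject a caller-supplied directory name or tmpdir prefix that an unpatched
# Ruby would not check itself: an embedded NUL byte (CVE-2018-8780 style) or a
# path component that could leave the intended directory (CVE-2018-6914 style).
def safe_dir_name?(name)
  return false unless name.is_a?(String)
  return false if name.empty? || name.include?("\0")
  return false if name.include?("/") || name.include?("\\")
  return false if name == "." || name == ".."
  true
end

# Hypothetical application wrapper: validate first, then call the stdlib.
def create_session_tmpdir(prefix)
  raise ArgumentError, "unsafe tmpdir prefix" unless safe_dir_name?(prefix)
  Dir.mktmpdir(prefix)
end

if __FILE__ == $PROGRAM_NAME
  puts "Ruby #{RUBY_VERSION} affected by this advisory: #{affected?(RUBY_VERSION)}"
  dir = create_session_tmpdir("sess_")
  puts "created #{dir}"
  Dir.rmdir(dir)
end
```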
ppc stable
Vulnerable versions have been removed.
GLSA Vote: No

Thanks all, re-opening. =dev-lang/ruby-2.3.6 is still in the tree, which is vulnerable.
Cleanup now really done.
Thank you guys.

Michael Boyle
Security Padawan