696004 – (CVE-2019-15845, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255) <dev-lang/ruby-{2.4.9, 2.5.7}: multiple vulnerabilities

Bug 696004 (CVE-2019-15845, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255) - <dev-lang/ruby-{2.4.9, 2.5.7}: multiple vulnerabilities

Summary: <dev-lang/ruby-{2.4.9, 2.5.7}: multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2019-15845, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	A2 [glsa+ cve]
Keywords:

Depends on:	693358
Blocks:
	Show dependency tree

Reported:	2019-10-01 17:39 UTC by Hans de Graaff
Modified:	2020-03-13 02:31 UTC (History)
CC List:	1 user (show)

See Also:
Package list:	dev-lang/ruby-2.4.9 dev-lang/ruby-2.5.7 alpha amd64 arm arm64 x86 sparc
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hans de Graaff gentoo-dev

2019-10-01 17:39:02 UTC

https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/

A NUL injection vulnerability of Ruby built-in methods (File.fnmatch and File.fnmatch?) was found. An attacker who has the control of the path pattern parameter could exploit this vulnerability to make path matching pass despite the intention of the program author. CVE-2019-15845 has been assigned to this vulnerability.
Details

Built-in methods File.fnmatch and its alias File.fnmatch? accept the path pattern as their first parameter. When the pattern contains NUL character (\0), the methods recognize that the path pattern ends immediately before the NUL byte. Therefore, a script that uses an external input as the pattern argument, an attacker can make it wrongly match a pathname that is the second parameter.

All users running any affected releases should upgrade as soon as possible.

https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/

Regular expression denial of service vulnerability of WEBrick’s Digest authentication module was found. An attacker can exploit this vulnerability to cause an effective denial of service against a WEBrick service.

CVE-2019-16201 has been assigned to this vulnerability.

All users running any affected releases should upgrade as soon as possible.

https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/

There is an HTTP response splitting vulnerability in WEBrick bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2019-16254.
Details

If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients.

This is the same issue as CVE-2017-17742. The previous fix was incomplete, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.

All users running an affected release should upgrade immediately.

https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/

A code injection vulnerability of Shell#[] and Shell#test in a standard library (lib/shell.rb) was found. The vulnerability has been assigned the CVE identifier CVE-2019-16255.
Details

Shell#[] and its alias Shell#test defined in lib/shell.rb allow code injection if the first argument (aka the “command” argument) is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.

Note that passing untrusted data to methods of Shell is dangerous in general. Users must never do it. However, we treat this particular case as a vulnerability because the purpose of Shell#[] and Shell#[] is considered file testing.

All users running an affected release should upgrade immediately.

Comment 1 Hans de Graaff gentoo-dev

2019-10-01 18:03:31 UTC

Fixed versions 2.4.8, 2.5.7, 2.6.5 are now in the tree.

Comment 2 Stabilization helper bot gentoo-dev

2019-10-02 11:22:16 UTC

An automated check of this bug failed - repoman reported dependency errors (126 lines truncated): 

> dependency.bad dev-lang/ruby/ruby-2.5.7.ebuild: DEPEND: ia64(default/linux/ia64/17.0) ['>=app-eselect/eselect-ruby-20171225']
> dependency.bad dev-lang/ruby/ruby-2.5.7.ebuild: PDEPEND: ia64(default/linux/ia64/17.0) ['>=dev-ruby/did_you_mean-1.2.0:2.5[ruby_targets_ruby25]', '>=dev-ruby/minitest-5.10.3[ruby_targets_ruby25]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby25]', '>=dev-ruby/power_assert-1.1.1[ruby_targets_ruby25]', '>=dev-ruby/rake-12.3.0[ruby_targets_ruby25]', '>=dev-ruby/test-unit-3.2.7[ruby_targets_ruby25]', '>=dev-ruby/xmlrpc-0.3.0[ruby_targets_ruby25]', 'virtual/rubygems[ruby_targets_ruby25]', '>=dev-ruby/json-2.0.2[ruby_targets_ruby25]', '>=dev-ruby/rdoc-6.1.2[ruby_targets_ruby25]']
> dependency.bad dev-lang/ruby/ruby-2.5.7.ebuild: RDEPEND: ia64(default/linux/ia64/17.0) ['>=app-eselect/eselect-ruby-20171225']
> dependency.bad dev-lang/ruby/ruby-2.5.7.ebuild: DEPEND: ia64(default/linux/ia64/17.0) ['>=app-eselect/eselect-ruby-20171225']
> dependency.bad dev-lang/ruby/ruby-2.5.7.ebuild: PDEPEND: ia64(default/linux/ia64/17.0) ['>=dev-ruby/did_you_mean-1.2.0:2.5[ruby_targets_ruby25]', '>=dev-ruby/minitest-5.10.3[ruby_targets_ruby25]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby25]', '>=dev-ruby/power_assert-1.1.1[ruby_targets_ruby25]', '>=dev-ruby/rake-12.3.0[ruby_targets_ruby25]', '>=dev-ruby/test-unit-3.2.7[ruby_targets_ruby25]', '>=dev-ruby/xmlrpc-0.3.0[ruby_targets_ruby25]', 'virtual/rubygems[ruby_targets_ruby25]', '>=dev-ruby/json-2.0.2[ruby_targets_ruby25]', '>=dev-ruby/rdoc-6.1.2[ruby_targets_ruby25]']
> dependency.bad dev-lang/ruby/ruby-2.5.7.ebuild: RDEPEND: ia64(default/linux/ia64/17.0) ['>=app-eselect/eselect-ruby-20171225']

Comment 3 Stabilization helper bot gentoo-dev

2019-10-03 07:03:52 UTC

An automated check of this bug succeeded - the previous repoman errors are now resolved.

Comment 4 Agostino Sarubbo gentoo-dev

2019-10-03 08:40:08 UTC

ppc stable

Comment 5 Agostino Sarubbo gentoo-dev

2019-10-03 08:40:41 UTC

ppc64 stable

Comment 6 Agostino Sarubbo gentoo-dev

2019-10-03 09:41:33 UTC

sparc stable

Comment 7 Agostino Sarubbo gentoo-dev

2019-10-04 11:55:09 UTC

amd64 stable

Comment 8 Agostino Sarubbo gentoo-dev

2019-10-04 12:58:05 UTC

x86 stable

Comment 9 Aaron Bauman (RETIRED) gentoo-dev

2019-10-06 19:06:59 UTC

arm64 stable

Comment 10 Matt Turner gentoo-dev

2019-10-06 22:57:44 UTC

alpha stable

Comment 11 Agostino Sarubbo gentoo-dev

2019-10-07 07:29:10 UTC

s390 stable

Comment 12 Agostino Sarubbo gentoo-dev

2019-10-07 19:26:33 UTC

ia64 stable

Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev

2019-10-11 22:41:38 UTC

hppa stable

Comment 14 Mikle Kolyada (RETIRED) archtester

2019-10-20 08:54:28 UTC

arm stable

Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev

2019-10-26 17:39:00 UTC

New GLSA request filed.

@ maintainer(s): Please cleanup and drop =dev-lang/ruby-{2.4.7,2.5.6,2.6.5}!

Comment 16 Hans de Graaff gentoo-dev

2019-10-27 06:52:27 UTC

cleanup done.

Comment 17 GLSAMaker/CVETool Bot gentoo-dev

2020-03-13 02:31:46 UTC

This issue was resolved and addressed in
 GLSA 202003-06 at https://security.gentoo.org/glsa/202003-06
by GLSA coordinator Thomas Deutschmann (whissi).