https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/

A NUL injection vulnerability of Ruby built-in methods (File.fnmatch and File.fnmatch?) was found. An attacker who has control of the path pattern parameter could exploit this vulnerability to make path matching pass despite the intention of the program author. CVE-2019-15845 has been assigned to this vulnerability.

Details

Built-in methods File.fnmatch and its alias File.fnmatch? accept the path pattern as their first parameter. When the pattern contains a NUL character (\0), the methods recognize that the path pattern ends immediately before the NUL byte. Therefore, in a script that uses external input as the pattern argument, an attacker can make it wrongly match a pathname that is the second parameter.

All users running any affected releases should upgrade as soon as possible.

https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/

A regular expression denial of service vulnerability in WEBrick's Digest authentication module was found. An attacker can exploit this vulnerability to cause an effective denial of service against a WEBrick service. CVE-2019-16201 has been assigned to this vulnerability.

All users running any affected releases should upgrade as soon as possible.

https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/

There is an HTTP response splitting vulnerability in WEBrick bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2019-16254.

Details

If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This is the same issue as CVE-2017-17742. The previous fix was incomplete: it addressed the CRLF vector, but did not address an isolated CR or an isolated LF.

All users running an affected release should upgrade immediately.

https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/

A code injection vulnerability of Shell#[] and Shell#test in a standard library (lib/shell.rb) was found. The vulnerability has been assigned the CVE identifier CVE-2019-16255.

Details

Shell#[] and its alias Shell#test defined in lib/shell.rb allow code injection if the first argument (aka the "command" argument) is untrusted data. An attacker can exploit this to call an arbitrary Ruby method. Note that passing untrusted data to methods of Shell is dangerous in general. Users must never do it. However, we treat this particular case as a vulnerability because the purpose of Shell#[] and Shell#test is considered file testing.

All users running an affected release should upgrade immediately.
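The NUL-injection and response-splitting advisories quoted above both come down to a control byte that changes how a lower layer parses untrusted input. As an added example (not code from the Ruby advisories or from this Gentoo bug), the Ruby helpers below reject such bytes explicitly before the data reaches File.fnmatch or a response header; the function names, the UnsafeInputError class and the sample inputs are constructed for illustration. Patched Rubies already raise ArgumentError on a NUL in the fnmatch pattern, so the explicit check mainly gives uniform, loggable behaviour across versions.

```ruby
# Added example: input validation for the two control-byte issues in the
# advisories above (CVE-2019-15845, CVE-2019-16254). Names are hypothetical.

# Raised when untrusted input carries a byte that would change how a lower
# layer parses it.
class UnsafeInputError < ArgumentError; end

# Glob-match +path+ against +pattern+ only if neither contains a NUL byte.
# A NUL in the pattern made unpatched File.fnmatch stop reading the pattern
# at that byte (CVE-2019-15845); patched Rubies raise ArgumentError there,
# but checking first keeps behaviour uniform and yields one error type.
def safe_fnmatch(pattern, path, flags = 0)
  [pattern, path].each do |s|
    raise UnsafeInputError, "NUL byte in fnmatch argument" if s.include?("\0")
  end
  File.fnmatch(pattern, path, flags)
end

# Return +value+ if it is safe to place in an HTTP header, otherwise raise.
# CRLF and an isolated CR or LF are all rejected; the isolated forms are what
# the incomplete CVE-2017-17742 fix missed (CVE-2019-16254).
def safe_header_value(value)
  v = value.to_s
  raise UnsafeInputError, "CR or LF in header value" if v.match?(/[\r\n]/)
  v
end

# Run +check+ over each input and return a Hash of input => :ok or the error
# message, which is convenient for logging what was rejected and why.
def classify(inputs, &check)
  inputs.each_with_object({}) do |input, result|
    result[input] = begin
      check.call(input)
      :ok
    rescue UnsafeInputError => e
      e.message
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs for demonstration only.
  patterns = ["*.rb", "*.rb\0*.sh"]
  p classify(patterns) { |pat| safe_fnmatch(pat, "script.sh") }
  headers = ["text/html", "text/html\r\nSet-Cookie: x=1", "a\rb", "a\nb"]
  p classify(headers) { |h| safe_header_value(h) }
end
```

Rejecting rather than stripping is deliberate: silently deleting the byte would let a malformed pattern or header value pass with a meaning the caller never saw, whereas raising surfaces the event where it can be logged.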
Fixed versions 2.4.8, 2.5.7, 2.6.5 are now in the tree.
An automated check of this bug failed - repoman reported dependency errors (126 lines truncated):

> dependency.bad dev-lang/ruby/ruby-2.5.7.ebuild: DEPEND: ia64(default/linux/ia64/17.0) ['>=app-eselect/eselect-ruby-20171225']
> dependency.bad dev-lang/ruby/ruby-2.5.7.ebuild: PDEPEND: ia64(default/linux/ia64/17.0) ['>=dev-ruby/did_you_mean-1.2.0:2.5[ruby_targets_ruby25]', '>=dev-ruby/minitest-5.10.3[ruby_targets_ruby25]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby25]', '>=dev-ruby/power_assert-1.1.1[ruby_targets_ruby25]', '>=dev-ruby/rake-12.3.0[ruby_targets_ruby25]', '>=dev-ruby/test-unit-3.2.7[ruby_targets_ruby25]', '>=dev-ruby/xmlrpc-0.3.0[ruby_targets_ruby25]', 'virtual/rubygems[ruby_targets_ruby25]', '>=dev-ruby/json-2.0.2[ruby_targets_ruby25]', '>=dev-ruby/rdoc-6.1.2[ruby_targets_ruby25]']
> dependency.bad dev-lang/ruby/ruby-2.5.7.ebuild: RDEPEND: ia64(default/linux/ia64/17.0) ['>=app-eselect/eselect-ruby-20171225']
> dependency.bad dev-lang/ruby/ruby-2.5.7.ebuild: DEPEND: ia64(default/linux/ia64/17.0) ['>=app-eselect/eselect-ruby-20171225']
> dependency.bad dev-lang/ruby/ruby-2.5.7.ebuild: PDEPEND: ia64(default/linux/ia64/17.0) ['>=dev-ruby/did_you_mean-1.2.0:2.5[ruby_targets_ruby25]', '>=dev-ruby/minitest-5.10.3[ruby_targets_ruby25]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby25]', '>=dev-ruby/power_assert-1.1.1[ruby_targets_ruby25]', '>=dev-ruby/rake-12.3.0[ruby_targets_ruby25]', '>=dev-ruby/test-unit-3.2.7[ruby_targets_ruby25]', '>=dev-ruby/xmlrpc-0.3.0[ruby_targets_ruby25]', 'virtual/rubygems[ruby_targets_ruby25]', '>=dev-ruby/json-2.0.2[ruby_targets_ruby25]', '>=dev-ruby/rdoc-6.1.2[ruby_targets_ruby25]']
> dependency.bad dev-lang/ruby/ruby-2.5.7.ebuild: RDEPEND: ia64(default/linux/ia64/17.0) ['>=app-eselect/eselect-ruby-20171225']
An automated check of this bug succeeded - the previous repoman errors are now resolved.
ppc stable
ppc64 stable
sparc stable
amd64 stable
x86 stable
arm64 stable
alpha stable
s390 stable
ia64 stable
hppa stable
arm stable
New GLSA request filed. @ maintainer(s): Please clean up and drop =dev-lang/ruby-{2.4.7,2.5.6,2.6.5}!
cleanup done.
This issue was resolved and addressed in GLSA 202003-06 at https://security.gentoo.org/glsa/202003-06 by GLSA coordinator Thomas Deutschmann (whissi).