CVE-2021-31799: A command injection vulnerability in RDoc Posted by aycabta on 2 May 2021 There is a vulnerability about Command Injection in RDoc which is bundled in Ruby. It is recommended that all Ruby users update RDoc to the latest version that fixes this issue. Details The following vulnerability has been reported. CVE-2021-31799 RDoc used to call Kernel#open to open a local file. If a Ruby project has a file whose name starts with | and ends with tags, the command following the pipe character is executed. A malicious Ruby project could exploit it to run an arbitrary command execution against a user who attempts to run rdoc command. Ruby users whose version of RDoc is affected by this issue should update to the latest version of RDoc. Affected Versions All releases of RDoc from 3.11 to 6.3.0
commit 8b56787e901d9de426027f4d5666822baee42f29 Author: Hans de Graaff <graaff@gentoo.org> Date: Wed Jul 7 08:44:53 2021 +0200 dev-ruby/rdoc: add 6.3.2 Package-Manager: Portage-3.0.20, Repoman-3.0.2 Signed-off-by: Hans de Graaff <graaff@gentoo.org>
amd64 stable
ppc stable
ppc64 stable
sparc stable
x86 stable
hppa done
arm64 done
arm done all arches done
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82da0dddbe9346b052529ab3f47d00fff1e7ff88 commit 82da0dddbe9346b052529ab3f47d00fff1e7ff88 Author: Hans de Graaff <graaff@gentoo.org> AuthorDate: 2021-07-30 09:24:34 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2021-07-30 09:24:34 +0000 dev-ruby/rdoc: remove vulnerable version Bug: https://bugs.gentoo.org/801301 Package-Manager: Portage-3.0.20, Repoman-3.0.2 Signed-off-by: Hans de Graaff <graaff@gentoo.org> dev-ruby/rdoc/Manifest | 1 - dev-ruby/rdoc/rdoc-6.1.2.ebuild | 94 ----------------------------------------- 2 files changed, 95 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=18540d77b43283bbeb478e2efd181954f507ac07 commit 18540d77b43283bbeb478e2efd181954f507ac07 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-01-05 13:34:12 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-01-05 13:34:39 +0000 [ GLSA 202401-05 ] RDoc: Command Injection Bug: https://bugs.gentoo.org/801301 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202401-05.xml | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+)