Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 801301 (CVE-2021-31799) - <dev-ruby/rdoc-6.3.2: command injection vulnerability
Summary: <dev-ruby/rdoc-6.3.2: command injection vulnerability
Status: IN_PROGRESS
Alias: CVE-2021-31799
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Ruby Team
URL:
Whiteboard: B2 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-07-09 10:03 UTC by Hans de Graaff
Modified: 2021-10-11 05:53 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev 2021-07-09 10:03:35 UTC
CVE-2021-31799: A command injection vulnerability in RDoc

Posted by aycabta on 2 May 2021

There is a vulnerability about Command Injection in RDoc which is bundled in Ruby. It is recommended that all Ruby users update RDoc to the latest version that fixes this issue.
Details

The following vulnerability has been reported.

    CVE-2021-31799

RDoc used to call Kernel#open to open a local file. If a Ruby project has a file whose name starts with | and ends with tags, the command following the pipe character is executed. A malicious Ruby project could exploit it to run an arbitrary command execution against a user who attempts to run rdoc command.

Ruby users whose version of RDoc is affected by this issue should update to the latest version of RDoc.
Affected Versions

    All releases of RDoc from 3.11 to 6.3.0
Comment 1 Hans de Graaff gentoo-dev 2021-07-09 10:07:42 UTC
commit 8b56787e901d9de426027f4d5666822baee42f29
Author: Hans de Graaff <graaff@gentoo.org>
Date:   Wed Jul 7 08:44:53 2021 +0200

    dev-ruby/rdoc: add 6.3.2
    
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>
Comment 2 Agostino Sarubbo gentoo-dev 2021-07-11 08:59:04 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2021-07-11 09:01:01 UTC
ppc stable
Comment 4 Agostino Sarubbo gentoo-dev 2021-07-13 06:30:00 UTC
ppc64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2021-07-13 06:31:36 UTC
sparc stable
Comment 6 Agostino Sarubbo gentoo-dev 2021-07-13 06:34:29 UTC
x86 stable
Comment 7 Rolf Eike Beer archtester 2021-07-15 20:30:07 UTC
hppa done
Comment 8 Sam James archtester gentoo-dev Security 2021-07-26 11:14:49 UTC
arm64 done
Comment 9 Sam James archtester gentoo-dev Security 2021-07-26 11:14:53 UTC
arm done

all arches done
Comment 10 Larry the Git Cow gentoo-dev 2021-07-30 09:24:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82da0dddbe9346b052529ab3f47d00fff1e7ff88

commit 82da0dddbe9346b052529ab3f47d00fff1e7ff88
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2021-07-30 09:24:34 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2021-07-30 09:24:34 +0000

    dev-ruby/rdoc: remove vulnerable version
    
    Bug: https://bugs.gentoo.org/801301
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/rdoc/Manifest          |  1 -
 dev-ruby/rdoc/rdoc-6.1.2.ebuild | 94 -----------------------------------------
 2 files changed, 95 deletions(-)