Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 882077 (CVE-2022-4064) - <dev-ruby/dalli-3.2.3: code injection via flush_all
Summary: <dev-ruby/dalli-3.2.3: code injection via flush_all
Status: RESOLVED FIXED
Alias: CVE-2022-4064
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://github.com/petergoldstein/dal...
Whiteboard: B2 [glsa+]
Keywords:
Depends on: 889964
Blocks:
  Show dependency tree
 
Reported: 2022-11-20 03:07 UTC by John Helmert III
Modified: 2024-05-04 06:44 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-20 03:07:34 UTC 
CVE-2022-4064:

A vulnerability was found in Dalli. It has been classified as problematic. Affected is the function self.meta_set of the file lib/dalli/protocol/meta/request_formatter.rb of the component Meta Protocol Handler. The manipulation leads to injection. The exploit has been disclosed to the public and may be used. The name of the patch is 48d594dae55934476fec61789e7a7c3700e0f50d. It is recommended to apply a patch to fix this issue. VDB-214026 is the identifier assigned to this vulnerability.

Patch (in 3.2.3): https://github.com/petergoldstein/dalli/commit/48d594dae55934476fec61789e7a7c3700e0f50d
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-08 17:05:34 UTC 
Please cleanup
Comment 2 Hans de Graaff gentoo-dev Security 2023-01-13 09:46:17 UTC 
Cleanup done.
Comment 3 Larry the Git Cow gentoo-dev 2024-05-04 06:43:52 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=727e6932e82e645f63329d3ceaa8ab56acc0329c

commit 727e6932e82e645f63329d3ceaa8ab56acc0329c
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-04 06:43:24 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-04 06:43:48 +0000

    [ GLSA 202405-03 ] Dalli: Code Injection
    
    Bug: https://bugs.gentoo.org/882077
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-03.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)