http://blog.rubygems.org/2018/02/15/2.7.6-released.html

RHSA-2018:3729

RHSA-2018:3730

RHSA-2018:3731

https://github.com/rubygems/rubygems/commit/254e3d0ee873c008c0b74e8b8abcbdab4caa0a6d

[debian-lts-announce] 20180417 [SECURITY] [DLA 1352-1] jruby security update

[debian-lts-announce] 20180827 [SECURITY] [DLA 1480-1] ruby2.1 security update

[debian-lts-announce] 20190520 [SECURITY] [DLA 1796-1] jruby security update

USN-3621-1

USN-3621-2

USN-3685-1

DSA-4219

DSA-4259

An update for ruby is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.

Security Fix(es) :

* ruby: HTTP response splitting in WEBrick (CVE-2017-17742)

* ruby: DoS by large request in WEBrick (CVE-2018-8777)

* ruby: Buffer under-read in String#unpack (CVE-2018-8778)

* ruby: Unintentional directory traversal by poisoned NULL byte in Dir (CVE-2018-8780)

* ruby: Tainted flags are not propagated in Array#pack and String#unpack with some directives (CVE-2018-16396)

* rubygems: Path traversal when writing to a symlinked basedir outside of the root (CVE-2018-1000073)

* rubygems: Unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML (CVE-2018-1000074)

* rubygems: Improper verification of signatures in tarball allows to install mis-signed gem (CVE-2018-1000076)

* rubygems: Missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL (CVE-2018-1000077)

* rubygems: XSS vulnerability in homepage attribute when displayed via gem server (CVE-2018-1000078)

* rubygems: Path traversal issue during gem installation allows to write to arbitrary filesystem locations (CVE-2018-1000079)

* ruby: Unintentional file and directory creation with directory traversal in tempfile and tmpdir (CVE-2018-6914)

* ruby: Unintentional socket creation by poisoned NULL byte in UNIXServer and UNIXSocket (CVE-2018-8779)

* rubygems: Infinite loop vulnerability due to negative size in tar header causes Denial of Service (CVE-2018-1000075)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

This update for ruby2.5 and ruby-bundled-gems-rpmhelper fixes the following issues :

Changes in ruby2.5 :

Update to 2.5.5 and 2.5.4 :

https://www.ruby-lang.org/en/news/2019/03/15/ruby-2-5-5-released/ https://www.ruby-lang.org/en/news/2019/03/13/ruby-2-5-4-released/

Security issues fixed :

  - CVE-2019-8320: Delete directory using symlink when     decompressing tar (bsc#1130627)

  - CVE-2019-8321: Escape sequence injection vulnerability     in verbose (bsc#1130623)

  - CVE-2019-8322: Escape sequence injection vulnerability     in gem owner (bsc#1130622)

  - CVE-2019-8323: Escape sequence injection vulnerability     in API response handling (bsc#1130620)

  - CVE-2019-8324: Installing a malicious gem may lead to     arbitrary code execution (bsc#1130617)

  - CVE-2019-8325: Escape sequence injection vulnerability     in errors (bsc#1130611)

Ruby 2.5 was updated to 2.5.3 :

This release includes some bug fixes and some security fixes.

Security issues fixed :

  - CVE-2018-16396: Tainted flags are not propagated in     Array#pack and String#unpack with some directives     (bsc#1112532)

  - CVE-2018-16395: OpenSSL::X509::Name equality check does     not work correctly (bsc#1112530)

Ruby 2.5 was updated to 2.5.1 :

This release includes some bug fixes and some security fixes.

Security issues fixed :

  - CVE-2017-17742: HTTP response splitting in WEBrick     (bsc#1087434)

  - CVE-2018-6914: Unintentional file and directory creation     with directory traversal in tempfile and tmpdir     (bsc#1087441)

  - CVE-2018-8777: DoS by large request in WEBrick     (bsc#1087436)

  - CVE-2018-8778: Buffer under-read in String#unpack     (bsc#1087433)

  - CVE-2018-8779: Unintentional socket creation by poisoned     NUL byte in UNIXServer and UNIXSocket (bsc#1087440)

  - CVE-2018-8780: Unintentional directory traversal by     poisoned NUL byte in Dir (bsc#1087437)

  - Multiple vulnerabilities in RubyGems were fixed :

  - CVE-2018-1000079: Fixed path traversal issue during gem     installation allows to write to arbitrary filesystem     locations (bsc#1082058)

  - CVE-2018-1000075: Fixed infinite loop vulnerability due     to negative size in tar header causes Denial of Service     (bsc#1082014)

  - CVE-2018-1000078: Fixed XSS vulnerability in homepage     attribute when displayed via gem server (bsc#1082011)

  - CVE-2018-1000077: Fixed that missing URL validation on     spec home attribute allows malicious gem to set an     invalid homepage URL (bsc#1082010)

  - CVE-2018-1000076: Fixed improper verification of     signatures in tarball allows to install mis-signed gem     (bsc#1082009)

  - CVE-2018-1000074: Fixed unsafe Object Deserialization     Vulnerability in gem owner allowing arbitrary code     execution on specially crafted YAML (bsc#1082008)

  - CVE-2018-1000073: Fixed path traversal when writing to a     symlinked basedir outside of the root (bsc#1082007)

Other changes :

  - Fixed Net::POPMail methods modify frozen literal when     using default arg

  - ruby: change over of the Japanese Era to the new emperor     May 1st 2019 (bsc#1133790)

  - build with PIE support (bsc#1130028)

Changes in ruby-bundled-gems-rpmhelper :

  - Add a new helper for bundled ruby gems.

This update was imported from the SUSE:SLE-15:Update update project.

This update for ruby2.5 and ruby-bundled-gems-rpmhelper fixes the following issues :

Changes in ruby2.5 :

Update to 2.5.5 and 2.5.4 :

https://www.ruby-lang.org/en/news/2019/03/15/ruby-2-5-5-released/ https://www.ruby-lang.org/en/news/2019/03/13/ruby-2-5-4-released/

Security issues fixed :

CVE-2019-8320: Delete directory using symlink when decompressing tar (bsc#1130627)

CVE-2019-8321: Escape sequence injection vulnerability in verbose (bsc#1130623)

CVE-2019-8322: Escape sequence injection vulnerability in gem owner (bsc#1130622)

CVE-2019-8323: Escape sequence injection vulnerability in API response handling (bsc#1130620)

CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution (bsc#1130617)

CVE-2019-8325: Escape sequence injection vulnerability in errors (bsc#1130611)

Ruby 2.5 was updated to 2.5.3 :

This release includes some bug fixes and some security fixes.

Security issues fixed: CVE-2018-16396: Tainted flags are not propagated in Array#pack and String#unpack with some directives (bsc#1112532)

CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly (bsc#1112530)

Ruby 2.5 was updated to 2.5.1 :

This release includes some bug fixes and some security fixes.

Security issues fixed: CVE-2017-17742: HTTP response splitting in WEBrick (bsc#1087434)

CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir (bsc#1087441)

CVE-2018-8777: DoS by large request in WEBrick (bsc#1087436)

CVE-2018-8778: Buffer under-read in String#unpack (bsc#1087433)

CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (bsc#1087440)

CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir (bsc#1087437)

Multiple vulnerabilities in RubyGems were fixed :

  - CVE-2018-1000079: Fixed path traversal issue during gem     installation allows to write to arbitrary filesystem     locations (bsc#1082058)

  - CVE-2018-1000075: Fixed infinite loop vulnerability due     to negative size in tar header causes Denial of Service     (bsc#1082014)

  - CVE-2018-1000078: Fixed XSS vulnerability in homepage     attribute when displayed via gem server (bsc#1082011)

  - CVE-2018-1000077: Fixed that missing URL validation on     spec home attribute allows malicious gem to set an     invalid homepage URL (bsc#1082010)

  - CVE-2018-1000076: Fixed improper verification of     signatures in tarball allows to install mis-signed gem     (bsc#1082009)

  - CVE-2018-1000074: Fixed unsafe Object Deserialization     Vulnerability in gem owner allowing arbitrary code     execution on specially crafted YAML (bsc#1082008)

  - CVE-2018-1000073: Fixed path traversal when writing to a     symlinked basedir outside of the root (bsc#1082007)

Other changes: Fixed Net::POPMail methods modify frozen literal when using default arg

ruby: change over of the Japanese Era to the new emperor May 1st 2019 (bsc#1133790)

build with PIE support (bsc#1130028)

Changes in ruby-bundled-gems-rpmhelper: Add a new helper for bundled ruby gems.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been discovered in jruby, Java implementation of the Ruby programming language.

CVE-2018-1000074

Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the `gem owner` command on a gem with a specially crafted YAML file

CVE-2018-1000075

an infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop

CVE-2018-1000076

Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.

CVE-2018-1000077

Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem could set an invalid homepage URL

CVE-2018-1000078

Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server

CVE-2019-8321

Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible

CVE-2019-8322

The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur

CVE-2019-8323

Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.

CVE-2019-8324

A crafted gem with a multi-line name is not handled correctly.
Therefore, an attacker could inject arbitrary code to the stub line of gemspec

CVE-2019-8325

Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)

For Debian 8 'Jessie', these problems have been fixed in version 1.5.6-9+deb8u1.

We recommend that you upgrade your jruby packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were discovered in Ruby 2.1.

CVE-2016-2337

Type confusion exists in _cancel_eval Ruby's TclTkIp class method.
Attacker passing different type of object than String as 'retval' argument can cause arbitrary code execution.

CVE-2018-1000073

RubyGems contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root.

CVE-2018-1000074

RubyGems contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the `gem owner` command on a gem with a specially crafted YAML file.

For Debian 8 'Jessie', these problems have been fixed in version 2.1.5-2+deb8u5.

We recommend that you upgrade your ruby2.1 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may result in incorrect processing of HTTP/FTP, directory traversal, command injection, unintended socket creation or information disclosure.

This update also fixes several issues in RubyGems which could allow an attacker to use specially crafted gem files to mount cross-site scripting attacks, cause denial of service through an infinite loop, write arbitrary files, or run malicious code.

Some of these CVE were already addressed in previous USN: 3439-1, 3553-1, 3528-1. Here we address for the remain releases.

It was discovered that Ruby incorrectly handled certain inputs. An attacker could use this to cause a buffer overrun. (CVE-2017-0898)

It was discovered that Ruby incorrectly handled certain files. An attacker could use this to overwrite any file on the filesystem.
(CVE-2017-0901)

It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability. An attacker could use this to possibly force the RubyGems client to download and install gems from a server that the attacker controls. (CVE-2017-0902)

It was discovered that Ruby incorrectly handled certain YAML files. An attacker could use this to possibly execute arbitrary code.
(CVE-2017-0903)

It was discovered that Ruby incorrectly handled certain files. An attacker could use this to expose sensitive information.
(CVE-2017-14064)

It was discovered that Ruby incorrectly handled certain inputs. An attacker could use this to execute arbitrary code. (CVE-2017-10784)

It was discovered that Ruby incorrectly handled certain network requests. An attacker could possibly use this to inject a crafted key into a HTTP response. (CVE-2017-17742)

It was discovered that Ruby incorrectly handled certain files. An attacker could possibly use this to execute arbitrary code. This update is only addressed to ruby2.0. (CVE-2018-1000074)

It was discovered that Ruby incorrectly handled certain network requests. An attacker could possibly use this to cause a denial of service. (CVE-2018-8777).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were discovered in jruby, a Java implementation of the Ruby programming language. They would allow an attacker to use specially crafted gem files to mount cross-site scripting attacks, cause denial of service through an infinite loop, write arbitrary files, or run malicious code.

Path traversal when writing to a symlinked basedir outside of the root

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000073)

Improper verification of signatures in tarball allows to install mis-signed gem :

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000076)

Infinite loop vulnerability due to negative size in tar header causes Denial of Service

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop.. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000075)

Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution :

The 'lazy_initialize' function in lib/resolv.rb did not properly process certain filenames. A remote attacker could possibly exploit this flaw to inject and execute arbitrary commands. (CVE-2017-17790)

Missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL :

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem could set an invalid homepage URL. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000077)

XSS vulnerability in homepage attribute when displayed via gem server

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000078)

Unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the `gem owner` command on a gem with a specially crafted YAML file. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000074)

Path traversal issue during gem installation allows to write to arbitrary filesystem locations

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000079)

An unsafe object deserialization vulnerability was found in jruby, a 100% pure-Java implementation of Ruby. An attacker can use this flaw to run arbitrary code when gem owner is run on a specially crafted YAML file.

For Debian 7 'Wheezy', these problems have been fixed in version 1.5.6-5+deb7u2.

We recommend that you upgrade your jruby packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3621-1 fixed vulnerabilities in Ruby. The update caused an issue due to an incomplete patch for CVE-2018-1000074. This update reverts the problematic patch pending further investigation.

We apologize for the inconvenience.

Original advisory details :

It was discovered that Ruby incorrectly handled certain inputs. An attacker could possibly use this to access sensitive information.
(CVE-2018-1000073)

It was discovered that Ruby incorrectly handled certain files. An attacker could possibly use this to execute arbitrary code. (CVE-2018-1000074)

It was discovered that Ruby incorrectly handled certain files. An attacker could possibly use this to cause a denial of service. (CVE-2018-1000075)

It was discovered that Ruby incorrectly handled certain crypto signatures. An attacker could possibly use this to execute arbitrary code. (CVE-2018-1000076)

It was discovered that Ruby incorrectly handled certain inputs. An attacker could possibly use this to execute arbitrary code. (CVE-2018-1000077, CVE-2018-1000078, CVE-2018-1000079).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that Ruby incorrectly handled certain inputs. An attacker could possibly use this to access sensitive information.
(CVE-2018-1000073)

It was discovered that Ruby incorrectly handled certain files. An attacker could possibly use this to execute arbitrary code.
(CVE-2018-1000074)

It was discovered that Ruby incorrectly handled certain files. An attacker could possibly use this to cause a denial of service.
(CVE-2018-1000075)

It was discovered that Ruby incorrectly handled certain crypto signatures. An attacker could possibly use this to execute arbitrary code. (CVE-2018-1000076)

It was discovered that Ruby incorrectly handled certain inputs. An attacker could possibly use this to execute arbitrary code.
(CVE-2018-1000077, CVE-2018-1000078, CVE-2018-1000079).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Path traversal when writing to a symlinked basedir outside of the root

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000073)

Improper verification of signatures in tarball allows to install mis-signed gem :

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000076)

Infinite loop vulnerability due to negative size in tar header causes Denial of Service

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop.. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000075)

Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution :

The 'lazy_initialize' function in lib/resolv.rb did not properly process certain filenames. A remote attacker could possibly exploit this flaw to inject and execute arbitrary commands. (CVE-2017-17790)

Missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL :

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem could set an invalid homepage URL. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000077)

XSS vulnerability in homepage attribute when displayed via gem server

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000078)

Unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the `gem owner` command on a gem with a specially crafted YAML file. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000074)

Path traversal issue during gem installation allows to write to arbitrary filesystem locations

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000079)

If a script accepts an external input and outputs it without modification as a part of HTTP responses, an attacker can use newline characters to deceive the clients that the HTTP response header is stopped at there, and can inject fake HTTP responses after the newline characters to show malicious contents to the clients.(CVE-2017-17742)

The Dir.mktmpdir method introduced by tmpdir library accepts the prefix and the suffix of the directory which is created as the first parameter. The prefix can contain relative directory specifiers '../', so this method can be used to target any directory. So, if a script accepts an external input as the prefix, and the targeted directory has inappropriate permissions or the ruby process has inappropriate privileges, the attacker can create a directory or a file at any directory.(CVE-2018-6914)

If an attacker sends a large request which contains huge HTTP headers, WEBrick try to process it on memory, so the request causes the out-of-memory DoS attack.(CVE-2018-8777)

String#unpack receives format specifiers as its parameter, and can be specified the position of parsing the data by the specifier @. If a big number is passed with @, the number is treated as the negative value, and out-of-buffer read is occurred. So, if a script accepts an external input as the argument of String#unpack, the attacker can read data on heaps.(CVE-2018-8778)

UNIXServer.open accepts the path of the socket to be created at the first parameter. If the path contains NUL (\0) bytes, this method recognize that the path is completed before the NUL bytes. So, if a script accepts an external input as the argument of this method, the attacker can make the socket file in the unintentional path. And, UNIXSocket.open also accepts the path of the socket to be created at the first parameter without checking NUL bytes like UNIXServer.open.
So, if a script accepts an external input as the argument of this method, the attacker can accepts the socket file in the unintentional path.(CVE-2018-8779)

Dir.open, Dir.new, Dir.entries and Dir.empty? accept the path of the target directory as their parameter. If the parameter contains NUL (\0) bytes, these methods recognize that the path is completed before the NUL bytes. So, if a script accepts an external input as the argument of these methods, the attacker can make the unintentional directory traversal.(CVE-2018-8780)

ID	Name	Product	Family	Severity
127649	RHEL 7 : ruby (RHSA-2019:2028)	Nessus	Red Hat Local Security Checks	high
126904	openSUSE Security Update : ruby-bundled-gems-rpmhelper / ruby2.5 (openSUSE-2019-1771)	Nessus	SuSE Local Security Checks	high
126617	SUSE SLED15 / SLES15 Security Update : ruby-bundled-gems-rpmhelper, ruby2.5 (SUSE-SU-2019:1804-1)	Nessus	SuSE Local Security Checks	high
125297	Debian DLA-1796-1 : jruby security update	Nessus	Debian Local Security Checks	high
112167	Debian DLA-1480-1 : ruby2.1 security update	Nessus	Debian Local Security Checks	high
111468	Debian DSA-4259-1 : ruby2.3 - security update	Nessus	Debian Local Security Checks	high
110551	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities (USN-3685-1)	Nessus	Ubuntu Local Security Checks	high
110418	Debian DSA-4219-1 : jruby - security update	Nessus	Debian Local Security Checks	high
109136	Amazon Linux 2 : ruby (ALAS-2018-983)	Nessus	Amazon Linux Local Security Checks	high
109091	Debian DLA-1352-1 : jruby security update	Nessus	Debian Local Security Checks	medium
109058	Ubuntu 14.04 LTS : ruby1.9.1, ruby2.0 regression (USN-3621-2)	Nessus	Ubuntu Local Security Checks	high
108879	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities (USN-3621-1)	Nessus	Ubuntu Local Security Checks	high
108846	Amazon Linux AMI : ruby20 / ruby22,ruby23,ruby24 (ALAS-2018-983)	Nessus	Amazon Linux Local Security Checks	high

CVE-2018-1000074

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Tenable Plugins