Описание
Security update for ruby-bundled-gems-rpmhelper, ruby2.5
This update for ruby2.5 and ruby-bundled-gems-rpmhelper fixes the following issues:
Changes in ruby2.5:
Update to 2.5.5 and 2.5.4:
https://www.ruby-lang.org/en/news/2019/03/15/ruby-2-5-5-released/ https://www.ruby-lang.org/en/news/2019/03/13/ruby-2-5-4-released/
Security issues fixed:
- CVE-2019-8320: Delete directory using symlink when decompressing tar (bsc#1130627)
- CVE-2019-8321: Escape sequence injection vulnerability in verbose (bsc#1130623)
- CVE-2019-8322: Escape sequence injection vulnerability in gem owner (bsc#1130622)
- CVE-2019-8323: Escape sequence injection vulnerability in API response handling (bsc#1130620)
- CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution (bsc#1130617)
- CVE-2019-8325: Escape sequence injection vulnerability in errors (bsc#1130611)
Ruby 2.5 was updated to 2.5.3:
This release includes some bug fixes and some security fixes.
Security issues fixed:
- CVE-2018-16396: Tainted flags are not propagated in Array#pack and String#unpack with some directives (bsc#1112532)
- CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly (bsc#1112530)
Ruby 2.5 was updated to 2.5.1:
This release includes some bug fixes and some security fixes.
Security issues fixed:
-
CVE-2017-17742: HTTP response splitting in WEBrick (bsc#1087434)
-
CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir (bsc#1087441)
-
CVE-2018-8777: DoS by large request in WEBrick (bsc#1087436)
-
CVE-2018-8778: Buffer under-read in String#unpack (bsc#1087433)
-
CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (bsc#1087440)
-
CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir (bsc#1087437)
-
Multiple vulnerabilities in RubyGems were fixed:
- CVE-2018-1000079: Fixed path traversal issue during gem installation allows to write to arbitrary filesystem locations (bsc#1082058)
- CVE-2018-1000075: Fixed infinite loop vulnerability due to negative size in tar header causes Denial of Service (bsc#1082014)
- CVE-2018-1000078: Fixed XSS vulnerability in homepage attribute when displayed via gem server (bsc#1082011)
- CVE-2018-1000077: Fixed that missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL (bsc#1082010)
- CVE-2018-1000076: Fixed improper verification of signatures in tarball allows to install mis-signed gem (bsc#1082009)
- CVE-2018-1000074: Fixed unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML (bsc#1082008)
- CVE-2018-1000073: Fixed path traversal when writing to a symlinked basedir outside of the root (bsc#1082007)
Other changes:
- Fixed Net::POPMail methods modify frozen literal when using default arg
- ruby: change over of the Japanese Era to the new emperor May 1st 2019 (bsc#1133790)
- build with PIE support (bsc#1130028)
Changes in ruby-bundled-gems-rpmhelper:
- Add a new helper for bundled ruby gems.
This update was imported from the SUSE:SLE-15:Update update project.
Список пакетов
openSUSE Leap 15.0
openSUSE Leap 15.1
Ссылки
- E-Mail link for openSUSE-SU-2019:1771-1
- SUSE Security Ratings
- SUSE Bug 1082007
- SUSE Bug 1082008
- SUSE Bug 1082009
- SUSE Bug 1082010
- SUSE Bug 1082011
- SUSE Bug 1082014
- SUSE Bug 1082058
- SUSE Bug 1087433
- SUSE Bug 1087434
- SUSE Bug 1087436
- SUSE Bug 1087437
- SUSE Bug 1087440
- SUSE Bug 1087441
- SUSE Bug 1112530
- SUSE Bug 1112532
- SUSE Bug 1130028
- SUSE Bug 1130611
- SUSE Bug 1130617
Описание
Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick.
Затронутые продукты
Ссылки
- CVE-2017-17742
- SUSE Bug 1087434
- SUSE Bug 1136906
- SUSE Bug 1152992
Описание
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6.
Затронутые продукты
Ссылки
- CVE-2018-1000073
- SUSE Bug 1082007
Описание
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the `gem owner` command on a gem with a specially crafted YAML file. This vulnerability appears to have been fixed in 2.7.6.
Затронутые продукты
Ссылки
- CVE-2018-1000074
- SUSE Bug 1082008
- SUSE Bug 1175764
Описание
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop.. This vulnerability appears to have been fixed in 2.7.6.
Затронутые продукты
Ссылки
- CVE-2018-1000075
- SUSE Bug 1082014
Описание
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.. This vulnerability appears to have been fixed in 2.7.6.
Затронутые продукты
Ссылки
- CVE-2018-1000076
- SUSE Bug 1082009
Описание
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem could set an invalid homepage URL. This vulnerability appears to have been fixed in 2.7.6.
Затронутые продукты
Ссылки
- CVE-2018-1000077
- SUSE Bug 1082010
- SUSE Bug 1183937
Описание
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server. This vulnerability appears to have been fixed in 2.7.6.
Затронутые продукты
Ссылки
- CVE-2018-1000078
- SUSE Bug 1082011
Описание
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.
Затронутые продукты
Ссылки
- CVE-2018-1000079
- SUSE Bug 1082058
Описание
An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.
Затронутые продукты
Ссылки
- CVE-2018-16395
- SUSE Bug 1112530
- SUSE Bug 1136906
Описание
An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. It does not taint strings that result from unpacking tainted strings with some formats.
Затронутые продукты
Ссылки
- CVE-2018-16396
- SUSE Bug 1112532
- SUSE Bug 1136906
Описание
Directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library in Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 might allow attackers to create arbitrary directories or files via a .. (dot dot) in the prefix argument.
Затронутые продукты
Ссылки
- CVE-2018-6914
- SUSE Bug 1087441
- SUSE Bug 1136906
Описание
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker can pass a large HTTP request with a crafted header to WEBrick server or a crafted body to WEBrick server/handler and cause a denial of service (memory consumption).
Затронутые продукты
Ссылки
- CVE-2018-8777
- SUSE Bug 1087436
- SUSE Bug 1136906
Описание
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker controlling the unpacking format (similar to format string vulnerabilities) can trigger a buffer under-read in the String#unpack method, resulting in a massive and controlled information disclosure.
Затронутые продукты
Ссылки
- CVE-2018-8778
- SUSE Bug 1087433
- SUSE Bug 1136906
Описание
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the UNIXServer.open and UNIXSocket.open methods are not checked for null characters. It may be connected to an unintended socket.
Затронутые продукты
Ссылки
- CVE-2018-8779
- SUSE Bug 1087440
- SUSE Bug 1136906
Описание
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the Dir.open, Dir.new, Dir.entries and Dir.empty? methods do not check NULL characters. When using the corresponding method, unintentional directory traversal may be performed.
Затронутые продукты
Ссылки
- CVE-2018-8780
- SUSE Bug 1087437
- SUSE Bug 1136906
Описание
A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could likely lead to data loss or an unusable system.
Затронутые продукты
Ссылки
- CVE-2019-8320
- SUSE Bug 1130627
Описание
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible.
Затронутые продукты
Ссылки
- CVE-2019-8321
- SUSE Bug 1130623
Описание
An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.
Затронутые продукты
Ссылки
- CVE-2019-8322
- SUSE Bug 1130622
Описание
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.
Затронутые продукты
Ссылки
- CVE-2019-8323
- SUSE Bug 1130620
Описание
An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.
Затронутые продукты
Ссылки
- CVE-2019-8324
- SUSE Bug 1130617
Описание
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)
Затронутые продукты
Ссылки
- CVE-2019-8325
- SUSE Bug 1130611