Bug 47500 - ruby2.3: Multiple issues (4.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.3
All Linux
Importance: P3 normal
Target Milestone: UCS 4.3-1-errata
Assigned To: Quality Assurance
Philipp Hahn
Reported: 2018-08-08 12:52 CEST by Quality Assurance
Modified: 2018-08-15 13:14 CEST (History)
What kind of report is it?: Security Issue
Max CVSS v3 score: 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)


Description Quality Assurance univentionstaff 2018-08-08 12:52:04 CEST
New Debian ruby2.3 2.3.3-1+deb9u3 fixes:
This update addresses the following issue(s):
* Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution. (CVE-2017-17405)
* Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick. (CVE-2017-17742)
* The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a '|' character, a different vulnerability than CVE-2017-17405. NOTE: situations with untrusted input may be highly unlikely. (CVE-2017-17790)
* Directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library in Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 might allow attackers to create arbitrary directories or files via a .. (dot dot) in the prefix argument. (CVE-2018-6914)
* In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker can pass a large HTTP request with a crafted header to WEBrick server or a crafted body to WEBrick server/handler and cause a denial of service (memory consumption). (CVE-2018-8777)
* In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker controlling the unpacking format (similar to format string vulnerabilities) can trigger a buffer under-read in the String#unpack method, resulting in a massive and controlled information disclosure. (CVE-2018-8778)
* In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the UNIXServer.open and UNIXSocket.open methods are not checked for null characters. It may be connected to an unintended socket. (CVE-2018-8779)
* In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the Dir.open, Dir.new, Dir.entries and Dir.empty? methods do not check NULL characters. When using the corresponding method, unintentional directory traversal may be performed. (CVE-2018-8780)
* RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000073)
* RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in the owner command that can result in code execution. This attack appears to be exploitable when the victim runs the `gem owner` command on a gem with a specially crafted YAML file. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000074)
* RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an infinite loop caused by a negative size vulnerability in the ruby gem package tar header: a negative size could cause an infinite loop. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000075)
* RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem being installed, as the tarball would contain multiple gem signatures. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000076)
* RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an Improper Input Validation vulnerability in the ruby gems specification homepage attribute that can result in a malicious gem setting an invalid homepage URL. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000077)
* RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in the gem server display of the homepage attribute that can result in XSS. This attack appears to be exploitable when the victim browses to a malicious gem on a vulnerable gem server. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000078)
* RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem writing to arbitrary filesystem locations during installation. This attack appears to be exploitable when the victim installs a malicious gem. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000079)

2.3.3-1+deb9u3 (Thu, 19 Jul 2018 13:28:10 +0200)
[ Santiago R.R. ]
* Fix Command injection vulnerability in Net::FTP. [CVE-2017-17405]
* webrick: use IO.copy_stream for multipart response. Required changes in WEBrick to fix CVE-2017-17742 and CVE-2018-8777
* Fix HTTP response splitting in WEBrick. [CVE-2017-17742]
* Fix Command Injection in Hosts::new() by use of Kernel#open. [CVE-2017-17790]
* Fix Unintentional directory traversal by poisoned NUL byte in Dir [CVE-2018-8780]
* Fix multiple vulnerabilities in RubyGems.
  CVE-2018-1000073: Prevent Path Traversal issue during gem installation.
  CVE-2018-1000074: Fix possible Unsafe Object Deserialization Vulnerability in gem owner.
  CVE-2018-1000075: Strictly interpret octal fields in tar headers.
  CVE-2018-1000076: Raise a security error when there are duplicate files in a package.
  CVE-2018-1000077: Enforce URL validation on spec homepage attribute.
  CVE-2018-1000078: Mitigate XSS vulnerability in homepage attribute when displayed via gem server.
  CVE-2018-1000079: Prevent path traversal when writing to a symlinked basedir outside of the root.
* Fix directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library [CVE-2018-6914]
* Fix Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket [CVE-2018-8779]
* Fix Buffer under-read in String#unpack [CVE-2018-8778]
* Fix tests to cope with updates in tzdata
* Exclude Rinda TestRingFinger and TestRingServer test units requiring network access
[ Antonio Terceiro ]
* debian/tests/excludes/any/TestTimeTZ.rb: ignore tests failing due to assumptions that don't hold on newer tzdata update. Upstream bug: https://bugs.ruby-lang.org/issues/14655
* CVE-2017-17405 ruby: Command injection vulnerability in Net::FTP (CVE-2017-17405)
* CVE-2017-17742 ruby: HTTP response splitting in WEBrick (CVE-2017-17742)
* CVE-2017-17790 ruby: Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution (CVE-2017-17790)
* CVE-2018-6914 ruby: Unintentional file and directory creation with directory traversal in tempfile and tmpdir (CVE-2018-6914)
* CVE-2018-8777 ruby: DoS by large request in WEBrick (CVE-2018-8777)
* CVE-2018-8778 ruby: Buffer under-read in String#unpack (CVE-2018-8778)
* CVE-2018-8779 ruby: Unintentional socket creation by poisoned NULL byte in UNIXServer and UNIXSocket (CVE-2018-8779)
* CVE-2018-8780 ruby: Unintentional directory traversal by poisoned NULL byte in Dir (CVE-2018-8780)
* CVE-2018-1000073 rubygems: Path traversal when writing to a symlinked basedir outside of the root (CVE-2018-1000073)
* CVE-2018-1000074 rubygems: Unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML (CVE-2018-1000074)
* CVE-2018-1000075 rubygems: Infinite loop vulnerability due to negative size in tar header causes Denial of Service (CVE-2018-1000075)
* CVE-2018-1000076 rubygems: Improper verification of signatures in tarball allows to install mis-signed gem (CVE-2018-1000076)
* CVE-2018-1000077 rubygems: Missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL (CVE-2018-1000077)
* CVE-2018-1000078 rubygems: XSS vulnerability in homepage attribute when displayed via gem server (CVE-2018-1000078)
* CVE-2018-1000079 rubygems: Path traversal issue during gem installation allows to write to arbitrary filesystem locations (CVE-2018-1000079)
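Several of the issues above share one root cause in untrusted file names: Kernel#open runs a command when the name starts with "|" (CVE-2017-17405, CVE-2017-17790), and Dir / tmpdir accepted NUL bytes and ".." components (CVE-2018-8780, CVE-2018-6914). The following is an added example, not code from the bug report or from the Debian package; it shows the defensive pattern an application using Net::FTP-style downloads can apply itself: validate the server-supplied name and write it with File.open, which never spawns a process. The function names, the UnsafeFilename class and the sample names are constructed for this example.

```ruby
# Added example, not code from the bug report or from the Debian package.
# Shared root cause of CVE-2017-17405 and CVE-2017-17790: Kernel#open treats a
# leading "|" as "run this command", so a file name taken from the network must
# never reach Kernel#open.  CVE-2018-8780 and CVE-2018-6914 show two further
# hazards in untrusted names: embedded NUL bytes and ".." components.
require "tmpdir"

class UnsafeFilename < ArgumentError; end

# Accept only a plain file name.  Rejects an empty name, a leading "|",
# NUL bytes, any path separator and the "." / ".." components.
def safe_local_name(name)
  raise UnsafeFilename, "empty name" if name.nil? || name.empty?
  raise UnsafeFilename, "pipe prefix" if name.start_with?("|")
  raise UnsafeFilename, "NUL byte" if name.include?("\0")
  raise UnsafeFilename, "path separator" if name.match?(%r{[/\\]})
  raise UnsafeFilename, "dot component" if name == "." || name == ".."
  name
end

# Store downloaded data under dir.  Like Net::FTP's default, the local name is
# File.basename(remote_name), but it is validated first and written with
# File.open, which never spawns a process (unlike Kernel#open).
def save_download(dir, remote_name, data)
  local = File.join(dir, safe_local_name(File.basename(remote_name)))
  File.open(local, "wb") { |f| f.write(data) }
  local
end

# Report, for each candidate name, whether it would be accepted and why not.
def classify(names)
  names.map do |n|
    begin
      [n, :ok, safe_local_name(n)]
    rescue UnsafeFilename => e
      [n, :rejected, e.message]
    end
  end
end

if __FILE__ == $0
  # Constructed sample names modelled on the CVE texts ("|cmd" is a placeholder).
  samples = ["report.txt", "|cmd", "a\0b.txt", "../etc/hosts", ".."]
  classify(samples).each { |n, v, why| puts "#{n.inspect} -> #{v} (#{why})" }
end
```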
Comment 1 Quality Assurance univentionstaff 2018-08-08 19:08:24 CEST
--- mirror/ftp/4.3/unmaintained/4.3-0/source/ruby2.3_2.3.3-1+deb9u2.dsc
+++ apt/ucs_4.3-0-errata4.3-1/source/ruby2.3_2.3.3-1+deb9u3.dsc
@@ -1,3 +1,45 @@
+2.3.3-1+deb9u3 [Thu, 19 Jul 2018 13:28:10 +0200] Santiago R.R. <santiagorr@riseup.net>:
+
+  [ Santiago R.R. ]
+  * Fix Command injection vulnerability in Net::FTP.
+    [CVE-2017-17405]
+  * webrick: use IO.copy_stream for multipart response. Required changes in
+    WEBrick to fix CVE-2017-17742 and CVE-2018-8777
+  * Fix HTTP response splitting in WEBrick.
+    [CVE-2017-17742]
+  * Fix Command Injection in Hosts::new() by use of Kernel#open.
+    [CVE-2017-17790]
+  * Fix Unintentional directory traversal by poisoned NUL byte in Dir
+    [CVE-2018-8780]
+  * Fix multiple vulnerabilities in RubyGems.
+    CVE-2018-1000073: Prevent Path Traversal issue during gem installation.
+    CVE-2018-1000074: Fix possible Unsafe Object Deserialization
+    Vulnerability in gem owner.
+    CVE-2018-1000075: Strictly interpret octal fields in tar headers.
+    CVE-2018-1000076: Raise a security error when there are duplicate files
+    in a package.
+    CVE-2018-1000077: Enforce URL validation on spec homepage attribute.
+    CVE-2018-1000078: Mitigate XSS vulnerability in homepage attribute when
+    displayed via gem server.
+    CVE-2018-1000079: Prevent path traversal when writing to a symlinked
+    basedir outside of the root.
+  * Fix directory traversal vulnerability in the Dir.mktmpdir method in the
+    tmpdir library
+    [CVE-2018-6914]
+  * Fix Unintentional socket creation by poisoned NUL byte in UNIXServer and
+    UNIXSocket
+    [CVE-2018-8779]
+  * Fix Buffer under-read in String#unpack
+    [CVE-2018-8778]
+  * Fix tests to cope with updates in tzdata (Closes: #889117)
+  * Exclude Rinda TestRingFinger and TestRingServer test units requiring
+    network access (Closes: #898694)
+
+  [ Antonio Terceiro ]
+  * debian/tests/excludes/any/TestTimeTZ.rb: ignore tests failing due to
+    assumptions that don't hold on newer tzdata update. Upstream bug:
+    https://bugs.ruby-lang.org/issues/14655
+
 2.3.3-1+deb9u2 [Sun, 22 Oct 2017 12:45:48 -0200] Antonio Terceiro <terceiro@debian.org>:
 
   * asn1: fix out-of-bounds read in decoding constructed objects
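Review bot: CVE-2018-8777 has no entry of its own in this changelog hunk; it appears only inside the "webrick: use IO.copy_stream for multipart response" bullet as a prerequisite ("Required changes in WEBrick to fix CVE-2017-17742 and CVE-2018-8777"), while every other CVE in the hunk gets an explicit "Fix ... [CVE-...]" bullet. Before the errata announcement lists CVE-2018-8777 as fixed, confirm that the large-request DoS fix itself is part of deb9u3 and not only the copy_stream prerequisite, and consider adding a bullet such as "* Fix DoS by large request in WEBrick [CVE-2018-8777]" so the changelog matches the CVE list in the description.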

<http://10.200.17.11/4.3-1/#1230547813012011218>
Comment 2 Philipp Hahn univentionstaff 2018-08-09 09:18:24 CEST
OK: patches
OK: piuparts
OK: yaml
OK: errata-announce ruby2.3.yaml

[4.3-1] 473eeb54e2 Bug #47500: ruby2.3 2.3.3-1+deb9u3
 doc/errata/staging/ruby2.3.yaml | 51 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
Comment 3 Arvid Requate univentionstaff 2018-08-15 13:14:45 CEST
<http://errata.software-univention.de/ucs/4.3/194.html>