[Secure-testing-team] Bug#884878: ruby2.5: CVE-2017-17790: fixed command injection

Salvatore Bonaccorso carnil at debian.org
Wed Dec 20 21:31:24 UTC 2017


Source: ruby2.5
Version: 2.5.0~preview1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/ruby/ruby/pull/1777
Control: clone -1 -2
Control: reassign -2 ruby2.3 2.3.5-1
Control: found -2 2.3.3-1
Control: retitle -2 ruby2.3: CVE-2017-17790: fixed command injection

Hi,

the following vulnerability was published for ruby2.5.

CVE-2017-17790[0]:
| The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3
| uses Kernel#open, which might allow Command Injection attacks, as
| demonstrated by a Resolv::Hosts::new argument beginning with a '|'
| character, a different vulnerability than CVE-2017-17405. NOTE:
| situations with untrusted input may be highly unlikely.

As already mentioned in the CVE description, it's quite unlikely that
there is external input fed to Resolv::Hosts. But a fix can be
included in any future DSA as well.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17790
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17790
[1] https://github.com/ruby/ruby/pull/1777
[2] https://github.com/ruby/ruby/commit/e7464561b5151501beb356fc750d5dd1a88014f7

Regards,
Salvatore
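
An added example, not part of the original report or of lib/resolv.rb: a hosts-file reader built on File.open, which always treats its argument as a filesystem path, so a name beginning with '|' fails as a missing file and no process is started. The helper names, sample hosts entries and temporary paths are constructed for illustration.

```ruby
require "tmpdir"

# Hypothetical helper (not the code in lib/resolv.rb): parse a hosts-format
# file with File.open. File.open never interprets its argument as a command,
# whereas Kernel#open treats a leading "|" as "run the rest as a subprocess",
# which is the behaviour described in CVE-2017-17790.
def read_hosts(filename)
  addr_to_names = Hash.new { |h, k| h[k] = [] }
  File.open(filename, "rb") do |f|
    f.each_line do |line|
      line = line.sub(/#.*/, "")        # strip trailing comments
      addr, *names = line.split
      next if addr.nil? || names.empty? # skip blank or malformed lines
      addr_to_names[addr].concat(names)
    end
  end
  addr_to_names
end

# Constructed check: parse a normal hosts file, then pass a pipe-prefixed
# name and record whether the embedded command had any effect.
def demo
  Dir.mktmpdir do |dir|
    hosts = File.join(dir, "hosts")
    File.write(hosts, "127.0.0.1 localhost # loopback\n" \
                      "192.0.2.10 app.example app\n")

    marker  = File.join(dir, "marker")  # would exist if a command ran
    hostile = "|touch #{marker}"        # constructed pipe-prefixed filename

    outcome = begin
      read_hosts(hostile)
      :opened
    rescue SystemCallError => e
      e.class                           # expected: no such file or directory
    end

    { parsed: read_hosts(hosts),
      hostile_outcome: outcome,
      command_ran: File.exist?(marker) }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

The same property makes a quick audit possible: any `open(` call in a code base whose first argument can be influenced from outside is a candidate for replacement with `File.open`.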


