[Buildroot] [PATCH] ruby: add upstream security patches bumping rubygems to 2.6.13

Peter Korsgaard peter at korsgaard.com
Mon Oct 16 21:53:08 UTC 2017


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > We unfortunately cannot use the upstream patches directly as they are not in
 > 'patch -p1' format, so convert them and include instead.

 > Fixes:

 > CVE-2017-0899 - RubyGems version 2.6.12 and earlier is vulnerable to
 > maliciously crafted gem specifications that include terminal escape
 > characters.  Printing the gem specification would execute terminal escape
 > sequences.

 > CVE-2017-0900 - RubyGems version 2.6.12 and earlier is vulnerable to
 > maliciously crafted gem specifications to cause a denial of service attack
 > against RubyGems clients who have issued a `query` command.

 > CVE-2017-0901 - RubyGems version 2.6.12 and earlier fails to validate
 > specification names, allowing a maliciously crafted gem to potentially
 > overwrite any file on the filesystem.

 > CVE-2017-0902 - RubyGems version 2.6.12 and earlier is vulnerable to a DNS
 > hijacking vulnerability that allows a MITM attacker to force the RubyGems
 > client to download and install gems from a server that the attacker
 > controls.

 > For more details, see
 > https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed to 2017.08.x, thanks.

-- 
Bye, Peter Korsgaard
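Two of the four issues listed above (CVE-2017-0899, terminal escape characters in gem specifications, and CVE-2017-0901, unvalidated specification names) are input-validation problems that are easy to illustrate. The Ruby below is an added example written for this page; it is not the upstream RubyGems patch nor Buildroot code, and the helper names `clean_text`, `valid_gem_name?` and `safe_spec_path` and the name pattern are my own choices, not RubyGems' API.

```ruby
# Added illustration of the two defensive checks these CVEs call for.
# Not the RubyGems implementation; names and patterns are assumptions.

# CVE-2017-0899 class: text from a gem specification that gets printed to a
# terminal must not carry control characters, or an attacker-authored summary
# can drive the terminal with escape sequences. Replace every control byte
# except tab and newline with '.', so the text stays readable but inert.
def clean_text(text)
  text.to_s.gsub(/[\x00-\x08\x0b-\x0c\x0e-\x1f\x7f]/, '.')
end

# CVE-2017-0901 class: a specification name ends up in a file path, so it must
# be a plain token. Allow only letters, digits, '.', '_' and '-'; anything with
# a separator, a NUL, or that is not a String at all is rejected.
VALID_GEM_NAME = /\A[a-zA-Z0-9._-]+\z/

def valid_gem_name?(name)
  name.is_a?(String) && !name.empty? && VALID_GEM_NAME.match?(name)
end

# Build the on-disk path for a spec from a validated name, and independently
# confirm the result still lies under base_dir (defence in depth: the check
# holds even if the allow-list above is later loosened).
def safe_spec_path(base_dir, name)
  raise ArgumentError, "invalid gem name: #{name.inspect}" unless valid_gem_name?(name)

  root = File.expand_path(base_dir)
  path = File.expand_path("#{name}.gemspec", root)
  unless path.start_with?(root + File::SEPARATOR)
    raise ArgumentError, "spec path #{path} escapes #{root}"
  end
  path
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a summary carrying an ANSI colour sequence.
  puts clean_text("A fine gem \e[31m(now in red)\e[0m")
  puts valid_gem_name?("rake")
  puts valid_gem_name?("../evil")
  puts safe_spec_path("/tmp/specs", "rake")
end
```

The allow-list on the name is the real fix; the `start_with?` check on the expanded path is a second, independent guard that catches any path-building mistake regardless of how the name was validated.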
