CVE-2017-0899
Description
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2017-0899
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2017-0899.html
Vendor advisory: support@hackerone.com — https://hackerone.com/reports/226335
Vendor advisory: support@hackerone.com — https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491
Vendor advisory: support@hackerone.com — https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1
Vendor advisory: support@hackerone.com — http://blog.rubygems.org/2017/08/27/2.6.13-released.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | 8.0 | affected | |
| debian | 9.0 | affected | |
| rhel | 7.0 | affected | |
| debian | bookworm | fixed | 3.2.0~rc.1-1 |
| debian | bullseye | fixed | 3.2.0~rc.1-1 |
| debian | forky | fixed | 3.2.0~rc.1-1 |
| debian | sid | fixed | 3.2.0~rc.1-1 |
| debian | trixie | fixed | 3.2.0~rc.1-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| RubyGems | rubygems-update | < 2.4.5.3 | >= 2.4.5.3 |
| RubyGems | rubygems-update | <2.6.13 | 2.6.13 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| rubygems | rubygems | <= 2.6.12 | |
References
- https://blog.rubygems.org/2017/08/27/2.6.13-released.html
- http://blog.rubygems.org/2017/08/27/2.6.13-released.html
- http://www.securityfocus.com/bid/100576
- http://www.securitytracker.com/id/1039249
- https://access.redhat.com/errata/RHSA-2017:3485
- https://access.redhat.com/errata/RHSA-2018:0378
- https://access.redhat.com/errata/RHSA-2018:0583
- https://access.redhat.com/errata/RHSA-2018:0585
- https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1
- https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491
- https://hackerone.com/reports/226335
- https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
- https://security.gentoo.org/glsa/201710-01
- https://www.debian.org/security/2017/dsa-3966
- https://www.suse.com/security/cve/CVE-2017-0899.html
- https://nvd.nist.gov/vuln/detail/CVE-2017-0899
- https://github.com/rubygems/rubygems
- https://web.archive.org/web/20170907215801/http://www.securitytracker.com/id/1039249
- https://web.archive.org/web/20170915000000*/http://www.securityfocus.com/bid/100576#:~:text=1%20snapshot-,11%3A49%3A33,-Note
- https://security-tracker.debian.org/tracker/CVE-2017-0899
CWEs
CWE-150 CWE-94