Date:      Thu, 29 Mar 2018 20:12:42 +0000 (UTC)
From:      Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r465925 - head/security/vuxml
Message-ID:  <201803292012.w2TKCgOS004187@repo.freebsd.org>

Author: sunpoet
Date: Thu Mar 29 20:12:42 2018
New Revision: 465925
URL: https://svnweb.freebsd.org/changeset/ports/465925

Log:
  Document Ruby vulnerability

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Thu Mar 29 20:08:58 2018	(r465924)
+++ head/security/vuxml/vuln.xml	Thu Mar 29 20:12:42 2018	(r465925)
@@ -58,6 +58,93 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="eb69bcf2-18ef-4aa2-bb0c-83b263364089">
+    <topic>ruby -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>ruby</name>
+	<range><ge>2.3.0,1</ge><lt>2.3.7,1</lt></range>
+	<range><ge>2.4.0,1</ge><lt>2.4.4,1</lt></range>
+	<range><ge>2.5.0,1</ge><lt>2.5.1,1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Ruby news:</p>
+	<blockquote cite="https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released/">;
+	  <p>CVE-2017-17742: HTTP response splitting in WEBrick</p>
+	  <p>If a script accepts an external input and outputs it without
+	    modification as a part of HTTP responses, an attacker can use newline
+	    characters to deceive the clients that the HTTP response header is
+	    stopped at there, and can inject fake HTTP responses after the newline
+	    characters to show malicious contents to the clients.</p>
+	  <p>CVE-2018-6914: Unintentional file and directory creation with
+	    directory traversal in tempfile and tmpdir</p>
+	  <p>Dir.mktmpdir method introduced by tmpdir library accepts the prefix
+	    and the suffix of the directory which is created as the first parameter.
+	    The prefix can contain relative directory specifiers "../", so this
+	    method can be used to target any directory. So, if a script accepts an
+	    external input as the prefix, and the targeted directory has
+	    inappropriate permissions or the ruby process has inappropriate
+	    privileges, the attacker can create a directory or a file at any
+	    directory.</p>
+	  <p>CVE-2018-8777: DoS by large request in WEBrick</p>
+	  <p>If an attacker sends a large request which contains huge HTTP headers,
+	    WEBrick try to process it on memory, so the request causes the
+	    out-of-memory DoS attack.</p>
+	  <p>CVE-2018-8778: Buffer under-read in String#unpack</p>
+	  <p>String#unpack receives format specifiers as its parameter, and can
+	    be specified the position of parsing the data by the specifier @. If a
+	    big number is passed with @, the number is treated as the negative
+	    value, and out-of-buffer read is occurred. So, if a script accepts an
+	    external input as the argument of String#unpack, the attacker can read
+	    data on heaps.</p>
+	  <p>CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
+	    UNIXServer and UNIXSocket</p>
+	  <p>UNIXServer.open accepts the path of the socket to be created at the
+	    first parameter. If the path contains NUL (\0) bytes, this method
+	    recognize that the path is completed before the NUL bytes. So, if a
+	    script accepts an external input as the argument of this method, the
+	    attacker can make the socket file in the unintentional path. And,
+	    UNIXSocket.open also accepts the path of the socket to be created at
+	    the first parameter without checking NUL bytes like UNIXServer.open.
+	    So, if a script accepts an external input as the argument of this
+	    method, the attacker can accepts the socket file in the unintentional
+	    path.</p>
+	  <p>CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte
+	    in Dir</p>
+	  <p>Dir.open, Dir.new, Dir.entries and Dir.empty? accept the path of the
+	    target directory as their parameter. If the parameter contains NUL (\0)
+	    bytes, these methods recognize that the path is completed before the
+	    NUL bytes. So, if a script accepts an external input as the argument of
+	    these methods, the attacker can make the unintentional directory
+	    traversal.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released/</url>;
+      <url>https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released/</url>;
+      <url>https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released/</url>;
+      <url>https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/</url>;
+      <url>https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/</url>;
+      <url>https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/</url>;
+      <url>https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/</url>;
+      <url>https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/</url>;
+      <url>https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/</url>;
+      <cvename>CVE-2017-17742</cvename>
+      <cvename>CVE-2018-6914</cvename>
+      <cvename>CVE-2018-8777</cvename>
+      <cvename>CVE-2018-8778</cvename>
+      <cvename>CVE-2018-8779</cvename>
+      <cvename>CVE-2018-8780</cvename>
+    </references>
+    <dates>
+      <discovery>2018-03-28</discovery>
+      <entry>2018-03-29</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="5a9bbb6e-32d3-11e8-a769-6daaba161086">
     <topic>node.js -- multiple vulnerabilities</topic>
     <affects>
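Review bot: as extracted here, a stray `;` follows the `<vuxml xmlns=...>`, `<body xmlns=...>` and `<blockquote cite=...>` opening tags and every `</url>` closing tag; if those characters are in the committed vuln.xml rather than an artifact of how the mail archive renders URLs, they are character data where the VuXML schema allows none and `make validate` in security/vuxml will reject the entry, so please re-run that check before the entry is relied on by `pkg audit`. The version ranges themselves look right: the three `<range>` elements cover 2.3.0 up to but excluding 2.3.7, 2.4.0 up to 2.4.4 and 2.5.0 up to 2.5.1, each with the `,1` PORTEPOCH suffix the ruby package carries, and they match the three fixed releases linked first under `<references>`; all six CVEs named in the quoted text have a matching `<cvename>` and a per-CVE advisory URL. One wording point: the commit log reads "Document Ruby vulnerability" while the `<topic>` correctly says "multiple vulnerabilities"; "Document Ruby vulnerabilities" in the log would match the six CVEs the entry covers.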
