svn commit: r465925 - head/security/vuxml
Sunpoet Po-Chuan Hsieh
sunpoet at FreeBSD.org
Thu Mar 29 20:12:43 UTC 2018
Author: sunpoet
Date: Thu Mar 29 20:12:42 2018
New Revision: 465925
URL: https://svnweb.freebsd.org/changeset/ports/465925
Log:
Document Ruby vulnerability
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Thu Mar 29 20:08:58 2018 (r465924)
+++ head/security/vuxml/vuln.xml Thu Mar 29 20:12:42 2018 (r465925)
@@ -58,6 +58,93 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="eb69bcf2-18ef-4aa2-bb0c-83b263364089">
+ <topic>ruby -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>ruby</name>
+ <range><ge>2.3.0,1</ge><lt>2.3.7,1</lt></range>
+ <range><ge>2.4.0,1</ge><lt>2.4.4,1</lt></range>
+ <range><ge>2.5.0,1</ge><lt>2.5.1,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Ruby news:</p>
+ <blockquote cite="https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released/">
+ <p>CVE-2017-17742: HTTP response splitting in WEBrick</p>
+ <p>If a script accepts an external input and outputs it without
+ modification as a part of HTTP responses, an attacker can use newline
+ characters to deceive the clients that the HTTP response header is
+ stopped at there, and can inject fake HTTP responses after the newline
+ characters to show malicious contents to the clients.</p>
+ <p>CVE-2018-6914: Unintentional file and directory creation with
+ directory traversal in tempfile and tmpdir</p>
+ <p>Dir.mktmpdir method introduced by tmpdir library accepts the prefix
+ and the suffix of the directory which is created as the first parameter.
+ The prefix can contain relative directory specifiers "../", so this
+ method can be used to target any directory. So, if a script accepts an
+ external input as the prefix, and the targeted directory has
+ inappropriate permissions or the ruby process has inappropriate
+ privileges, the attacker can create a directory or a file at any
+ directory.</p>
+ <p>CVE-2018-8777: DoS by large request in WEBrick</p>
+ <p>If an attacker sends a large request which contains huge HTTP headers,
+ WEBrick try to process it on memory, so the request causes the
+ out-of-memory DoS attack.</p>
+ <p>CVE-2018-8778: Buffer under-read in String#unpack</p>
+ <p>String#unpack receives format specifiers as its parameter, and can
+ be specified the position of parsing the data by the specifier @. If a
+ big number is passed with @, the number is treated as the negative
+ value, and out-of-buffer read is occurred. So, if a script accepts an
+ external input as the argument of String#unpack, the attacker can read
+ data on heaps.</p>
+ <p>CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
+ UNIXServer and UNIXSocket</p>
+ <p>UNIXServer.open accepts the path of the socket to be created at the
+ first parameter. If the path contains NUL (\0) bytes, this method
+ recognize that the path is completed before the NUL bytes. So, if a
+ script accepts an external input as the argument of this method, the
+ attacker can make the socket file in the unintentional path. And,
+ UNIXSocket.open also accepts the path of the socket to be created at
+ the first parameter without checking NUL bytes like UNIXServer.open.
+ So, if a script accepts an external input as the argument of this
+ method, the attacker can accepts the socket file in the unintentional
+ path.</p>
+ <p>CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte
+ in Dir</p>
+ <p>Dir.open, Dir.new, Dir.entries and Dir.empty? accept the path of the
+ target directory as their parameter. If the parameter contains NUL (\0)
+ bytes, these methods recognize that the path is completed before the
+ NUL bytes. So, if a script accepts an external input as the argument of
+ these methods, the attacker can make the unintentional directory
+ traversal.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released/</url>
+ <url>https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released/</url>
+ <url>https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released/</url>
+ <url>https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/</url>
+ <url>https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/</url>
+ <url>https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/</url>
+ <url>https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/</url>
+ <url>https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/</url>
+ <url>https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/</url>
+ <cvename>CVE-2017-17742</cvename>
+ <cvename>CVE-2018-6914</cvename>
+ <cvename>CVE-2018-8777</cvename>
+ <cvename>CVE-2018-8778</cvename>
+ <cvename>CVE-2018-8779</cvename>
+ <cvename>CVE-2018-8780</cvename>
+ </references>
+ <dates>
+ <discovery>2018-03-28</discovery>
+ <entry>2018-03-29</entry>
+ </dates>
+ </vuln>
+
<vuln vid="5a9bbb6e-32d3-11e8-a769-6daaba161086">
<topic>node.js -- multiple vulnerabilities</topic>
<affects>
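Review bot: In the new entry's <affects> block the only <name> is ruby, while the comment directly above the hunk reads "Do not forget port variants"; please confirm that no other package in the tree ships the affected interpreter or the WEBrick and tmpdir code the description names, and add a <name> for each one that does. The three ranges all start at 2.3.0,1, so any release line older than that is left unmarked; if an older branch is affected and still installable it needs its own <range>. Minor: the log message says "vulnerability" in the singular, but the entry records six CVEs under the topic "multiple vulnerabilities".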