ArchLinux: 201910-5: ruby2.5: multiple issues

    Date: 03 Oct 2019
    Category: ArchLinux
    Posted By: LinuxSecurity Advisories
    The package ruby2.5 before version 2.5.7-1 is vulnerable to multiple issues including arbitrary code execution, content spoofing, cross-site scripting, denial of service and insufficient validation.
    Arch Linux Security Advisory ASA-201910-5
    =========================================
    
    Severity: Medium
    Date    : 2019-10-02
    CVE-ID  : CVE-2012-6708  CVE-2015-9251  CVE-2019-15845 CVE-2019-16201
              CVE-2019-16254 CVE-2019-16255
    Package : ruby2.5
    Type    : multiple issues
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-1040
    
    Summary
    =======
    
    The package ruby2.5 before version 2.5.7-1 is vulnerable to multiple
    issues including arbitrary code execution, content spoofing, cross-site
    scripting, denial of service and insufficient validation.
    
    Resolution
    ==========
    
    Upgrade to 2.5.7-1.
    
    # pacman -Syu "ruby2.5>=2.5.7-1"
    
    The problems have been fixed upstream in version 2.5.7.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    - CVE-2012-6708 (cross-site scripting)
    
    jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS)
    attacks. The jQuery(strInput) function does not differentiate selectors
    from HTML in a reliable fashion. In vulnerable versions, jQuery
    determined whether the input was HTML by looking for the '<' character
    anywhere in the string, giving attackers more flexibility when
    attempting to construct a malicious payload. In fixed versions, jQuery
    only deems the input to be HTML if it explicitly starts with the '<'
    character, limiting exploitability only to attackers who can control
    the beginning of a string, which is far less common.
    
    - CVE-2015-9251 (cross-site scripting)
    
    jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks
    when a cross-domain Ajax request is performed without the dataType
    option, causing text/javascript responses to be executed.
    
    - CVE-2019-15845 (insufficient validation)
    
    It has been discovered that Ruby before 2.4.8, 2.5.7 and 2.6.5 is
    vulnerable to NUL injection in built-in methods (File.fnmatch and
    File.fnmatch?). An attacker who has the control of the path pattern
    parameter could exploit this vulnerability to make path matching pass
    despite the intention of the program author.
    The built-in method File.fnmatch and its alias File.fnmatch? accept
    the path pattern as their first parameter. When the pattern contains a
    NUL character (\0), the methods treat the pattern as ending
    immediately before the NUL byte. Therefore, if a script uses external
    input as the pattern argument, an attacker can make it wrongly match
    the pathname passed as the second parameter.
    
    - CVE-2019-16201 (denial of service)
    
    It has been discovered that Ruby before 2.4.8, 2.5.7 and 2.6.5 is
    vulnerable to denial of service via regular expressions in WEBrick's
    Digest access authentication module. An attacker can exploit this
    vulnerability to cause an effective denial of service against a WEBrick
    service.
    
    - CVE-2019-16254 (content spoofing)
    
    It has been discovered that Ruby before 2.4.8, 2.5.7 and 2.6.5 is
    vulnerable to HTTP response splitting in WEBrick bundled with Ruby. If
    a program using WEBrick inserts untrusted input into the response
    header, an attacker can exploit it to insert a newline character to
    split a header, and inject malicious content to deceive clients.
    This is the same issue as CVE-2017-17742. The previous fix was
    incomplete, which addressed the CRLF vector, but did not address an
    isolated CR or an isolated LF.
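    The two input-validation guards below are an added example for the
    CVE-2019-15845 (File.fnmatch NUL injection) and CVE-2019-16254 (WEBrick
    header splitting) descriptions above; they are not code from Ruby,
    WEBrick or the Arch package, and the function names are assumptions
    chosen for this example. Rejecting the offending bytes before they
    reach the affected APIs works regardless of which Ruby version is
    installed, and the header check covers the isolated CR and LF cases
    that the earlier CVE-2017-17742 fix missed.

```ruby
# Example guards (not part of Ruby/WEBrick); function names are assumptions.

# CVE-2019-15845: on unpatched Ruby a NUL byte ends the fnmatch pattern
# early, so an externally supplied pattern could be made to match an
# unintended path.  Refuse NUL in either argument before calling fnmatch?.
def safe_fnmatch?(pattern, path, flags = 0)
  raise ArgumentError, "NUL byte in fnmatch pattern" if pattern.include?("\0")
  raise ArgumentError, "NUL byte in path" if path.include?("\0")
  File.fnmatch?(pattern, path, flags)
end

# Boolean-only wrapper: a rejected input simply does not match.
def fnmatch_or_false(pattern, path)
  safe_fnmatch?(pattern, path)
rescue ArgumentError
  false
end

# CVE-2019-16254: the previous fix only handled "\r\n"; an isolated "\r"
# or "\n" still split the header.  Reject any CR, LF or NUL in a value
# that will be placed into a response header.
HEADER_VALUE_FORBIDDEN = /[\r\n\0]/

def header_value_safe?(value)
  !value.to_s.match?(HEADER_VALUE_FORBIDDEN)
end

# Builds one "Name: value" header line, raising on an unsafe value.
def build_header_line(name, value)
  unless header_value_safe?(value)
    raise ArgumentError, "CR/LF/NUL in header value for #{name}"
  end
  "#{name}: #{value}"
end

if __FILE__ == $PROGRAM_NAME
  puts fnmatch_or_false("*.rb", "app.rb")            # true
  puts fnmatch_or_false("*.rb\0", "secrets.txt")     # false (rejected)
  puts header_value_safe?("/home")                   # true
  puts header_value_safe?("/home\rX-Injected: 1")    # false (isolated CR)
end
```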
    
    - CVE-2019-16255 (arbitrary code execution)
    
    It has been discovered that Ruby before 2.4.8, 2.5.7 and 2.6.5 is
    vulnerable to code injection. Shell#[] and its alias Shell#test defined
    in lib/shell.rb allow code injection if the first argument (aka the
    “command” argument) is untrusted data. An attacker can exploit this to
    call an arbitrary Ruby method.
    
    Impact
    ======
    
    A remote attacker is able to bypass path restrictions, perform a denial
    of service attack, inject malicious content or call an arbitrary Ruby
    method under certain circumstances. Furthermore, an attacker is able to
    perform cross-site scripting attacks by tricking users into generating
    documentation with a vulnerable RDoc version. Because RDoc is a static
    documentation generation tool, patching the tool itself is insufficient
    to mitigate these vulnerabilities; documentation generated with
    previous versions has to be regenerated with the newer RDoc.
    
    References
    ==========
    
    https://bugs.archlinux.org/task/63977
    https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-5-7-released/
    https://bugs.jquery.com/ticket/11290
    https://github.com/jquery/jquery/commit/05531fc4080ae24070930d15ae0cea7ae056457d
    https://github.com/jquery/jquery/issues/2432
    https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc
    https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/
    https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
    https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
    https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
    https://security.archlinux.org/CVE-2012-6708
    https://security.archlinux.org/CVE-2015-9251
    https://security.archlinux.org/CVE-2019-15845
    https://security.archlinux.org/CVE-2019-16201
    https://security.archlinux.org/CVE-2019-16254
    https://security.archlinux.org/CVE-2019-16255
    
    