Alerts This Week
Warning Icon 1 640
Alerts This Week
Warning Icon 1 640

Debian 8: DLA-1480-1 High: Ruby2.1 Code Execution and Data Issues

debian lts
Calendar Grey August 27, 2018
Dist Debian Esm H88
Enhance ruby2.1 to address various security issues, particularly those related to the potential execution of malicious code stemming from unverified input.
Several vulnerabilities were discovered in Ruby 2.1

Summary

Type confusion exists in _cancel_eval Ruby's TclTkIp class
method. Attacker passing different type of object than String as
"retval" argument can cause arbitrary code execution.

CVE-2018-1000073

RubyGems contains a Directory Traversal vulnerability in
install_location function of package.rb that can result in path
traversal when writing to a symlinked basedir outside of the root.

CVE-2018-1000074

RubyGems contains a Deserialization of Untrusted Data
vulnerability in owner command that can result in code
execution. This attack appear to be exploitable via victim must
run the `gem owner` command on a gem with a specially crafted YAML
file.

For Debian 8 "Jessie", these problems have been fixed in version
2.1.5-2+deb8u5.

We recommend that you upgrade your ruby2.1 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


<pre><font face="Courier">Package: ruby2.1
Version: 2.1.5-2+deb8u5
CVE ID: CVE-2016-2337 CVE-2018-1000073 CVE-2018-1000074
Debian Bug: 895778 851161

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here