From adde9d47fd1755117020b612fd20c22035bf1174 Mon Sep 17 00:00:00 2001
From: Justin Bull
Date: Wed, 2 Oct 2019 15:50:13 -0400
Subject: [PATCH 1/5] Add CVE-2019-15845, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255
---
 rubies/ruby/CVE-2019-15845.yml | 20 ++++++++++++++++++++
 rubies/ruby/CVE-2019-16201.yml | 19 +++++++++++++++++++
 rubies/ruby/CVE-2019-16254.yml | 21 +++++++++++++++++++++
 rubies/ruby/CVE-2019-16255.yml | 22 ++++++++++++++++++++++
 4 files changed, 82 insertions(+)
 create mode 100644 rubies/ruby/CVE-2019-15845.yml
 create mode 100644 rubies/ruby/CVE-2019-16201.yml
 create mode 100644 rubies/ruby/CVE-2019-16254.yml
 create mode 100644 rubies/ruby/CVE-2019-16255.yml
diff --git a/rubies/ruby/CVE-2019-15845.yml b/rubies/ruby/CVE-2019-15845.yml
new file mode 100644
index 0000000000..4632f5a800
--- /dev/null
+++ b/rubies/ruby/CVE-2019-15845.yml
@@ -0,0 +1,20 @@
+---
+engine: ruby
+cve: 2019-15845
+url: https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/
+title: A NUL injection vulnerability of File.fnmatch and File.fnmatch?
+date: 2019-10-01
+description: |
+ Built-in methods File.fnmatch and its alias File.fnmatch? accept the path
+ pattern as their first parameter. When the pattern contains NUL character
+ (\0), the methods recognize that the path pattern ends immediately before the
+ NUL byte. Therefore, a script that uses an external input as the pattern
+ argument, an attacker can make it wrongly match a pathname that is the second
+ parameter.
+
+ All users running any affected releases should upgrade as soon as possible.
+patched_versions:
+ - "~> 2.4.8"
+ - "~> 2.5.7"
+ - "~> 2.6.5"
+ - "> 2.7.0-preview1"
diff --git a/rubies/ruby/CVE-2019-16201.yml b/rubies/ruby/CVE-2019-16201.yml
new file mode 100644
index 0000000000..07d688c687
--- /dev/null
+++ b/rubies/ruby/CVE-2019-16201.yml
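Review bot: The third sentence of the description in rubies/ruby/CVE-2019-15845.yml does not parse: "a script that uses an external input as the pattern argument, an attacker can make it wrongly match ..." has two subjects, so the reader has to guess who controls which argument. If the text is not required to mirror the upstream announcement verbatim, I would reword it to `Therefore, if a script passes external input as the pattern argument, an attacker can make it wrongly match the pathname given as the second parameter.` That keeps the stated condition (an attacker-controlled pattern) and effect (a false match) unchanged.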
@@ -0,0 +1,19 @@
+---
+engine: ruby
+cve: 2019-16201
+url: https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
+title: Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication
+date: 2019-10-01
+description: |
+ Regular expression denial of service vulnerability of WEBrick’s Digest
+ authentication module was found. An attacker can exploit this vulnerability
+ to cause an effective denial of service against a WEBrick service.
+
+ CVE-2019-16201 has been assigned to this vulnerability.
+
+ All users running any affected releases should upgrade as soon as possible.
+patched_versions:
+ - "~> 2.4.8"
+ - "~> 2.5.7"
+ - "~> 2.6.5"
+ - "> 2.7.0-preview1"
diff --git a/rubies/ruby/CVE-2019-16254.yml b/rubies/ruby/CVE-2019-16254.yml
new file mode 100644
index 0000000000..97c34ec55c
--- /dev/null
+++ b/rubies/ruby/CVE-2019-16254.yml
@@ -0,0 +1,21 @@
+---
+engine: ruby
+cve: 2019-16254
+url: https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
+title: HTTP response splitting in WEBrick (Additional fix)
+date: 2019-10-01
+description: |
+ If a program using WEBrick inserts untrusted input into the response header,
+ an attacker can exploit it to insert a newline character to split a header,
+ and inject malicious content to deceive clients.
+
+ This is the same issue as CVE-2017-17742. The previous fix was incomplete,
+ which addressed the CRLF vector, but did not address an isolated CR or an
+ isolated LF.
+
+ All users running an affected release should upgrade immediately.
+patched_versions:
+ - "~> 2.4.8"
+ - "~> 2.5.7"
+ - "~> 2.6.5"
+ - "> 2.7.0-preview1"
diff --git a/rubies/ruby/CVE-2019-16255.yml b/rubies/ruby/CVE-2019-16255.yml
new file mode 100644
index 0000000000..3a7730b8ab
--- /dev/null
+++ b/rubies/ruby/CVE-2019-16255.yml
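Review bot: The description in rubies/ruby/CVE-2019-16201.yml spells `WEBrick’s` with a typographic apostrophe (U+2019), while the title two lines above uses the ASCII form `WEBrick's`. A plain-text search for the title's spelling therefore misses the description. I would use the ASCII apostrophe in both places; the same applies to the curly quotes around `“command”` in the description of CVE-2019-16255.yml.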
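Review bot: The description in rubies/ruby/CVE-2019-16254.yml names CVE-2017-17742 as the same issue, but that link exists only in prose, so tooling that reads the advisory's fields cannot connect the incomplete fix to this follow-up. If the database schema at this revision supports a `related:` mapping, I would add one with a `cve:` list holding `2017-17742`, placed next to `patched_versions:`. A consumer who already triaged the 2017 advisory can then see that the isolated-CR and isolated-LF cases stayed open until the releases listed here.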
@@ -0,0 +1,22 @@
+---
+engine: ruby
+cve: 2019-16255
+url: https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
+title: A code injection vulnerability of Shell#[] and Shell#test
+date: 2019-10-01
+description: |
+ Shell#[] and its alias Shell#test defined in lib/shell.rb allow code
+ injection if the first argument (aka the “command” argument) is untrusted
+ data. An attacker can exploit this to call an arbitrary Ruby method.
+
+ Note that passing untrusted data to methods of Shell is dangerous in general.
+ Users must never do it. However, we treat this particular case as a
+ vulnerability because the purpose of Shell#[] and Shell#[] is considered file
+ testing.
+
+ All users running an affected release should upgrade immediately.
+patched_versions:
+ - "~> 2.4.8"
+ - "~> 2.5.7"
+ - "~> 2.6.5"
+ - "> 2.7.0-preview1"
From 71bcf28a735a735e080e1e153d765b4d69a22220 Mon Sep 17 00:00:00 2001
From: Reed Loden
Date: Thu, 3 Oct 2019 16:05:57 -0400
Subject: [PATCH 2/5] Update CVE-2019-16201.yml
---
 rubies/ruby/CVE-2019-16201.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/rubies/ruby/CVE-2019-16201.yml b/rubies/ruby/CVE-2019-16201.yml
index 07d688c687..bd40d58308 100644
--- a/rubies/ruby/CVE-2019-16201.yml
+++ b/rubies/ruby/CVE-2019-16201.yml
@@ -8,10 +8,6 @@ description: |
 Regular expression denial of service vulnerability of WEBrick’s Digest
 authentication module was found. An attacker can exploit this vulnerability
 to cause an effective denial of service against a WEBrick service.
-
- CVE-2019-16201 has been assigned to this vulnerability.
-
- All users running any affected releases should upgrade as soon as possible.
 patched_versions:
 - "~> 2.4.8"
 - "~> 2.5.7"
From a16d56a61c7e1f4c031aad42065c519fc6556c2f Mon Sep 17 00:00:00 2001
From: Reed Loden
Date: Thu, 3 Oct 2019 16:06:13 -0400
Subject: [PATCH 3/5] Update CVE-2019-16254.yml
---
 rubies/ruby/CVE-2019-16254.yml | 2 --
 1 file changed, 2 deletions(-)
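Review bot: The second paragraph of the description in rubies/ruby/CVE-2019-16255.yml reads "the purpose of Shell#[] and Shell#[] is considered file testing", which names the same method twice. The title and first paragraph pair `Shell#[]` with its alias `Shell#test`, so the second occurrence was presumably meant to be `Shell#test`. Unless the text must match the upstream announcement verbatim, I would change the line to `vulnerability because the purpose of Shell#[] and Shell#test is considered file`. As written, someone auditing call sites could miss that the sentence also covers `Shell#test`.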
diff --git a/rubies/ruby/CVE-2019-16254.yml b/rubies/ruby/CVE-2019-16254.yml
index 97c34ec55c..dd32ae88e3 100644
--- a/rubies/ruby/CVE-2019-16254.yml
+++ b/rubies/ruby/CVE-2019-16254.yml
@@ -12,8 +12,6 @@ description: |
 This is the same issue as CVE-2017-17742. The previous fix was incomplete,
 which addressed the CRLF vector, but did not address an isolated CR or an
 isolated LF.
-
- All users running an affected release should upgrade immediately.
 patched_versions:
 - "~> 2.4.8"
 - "~> 2.5.7"
From 30025a3c6dccfa2f9886444923b9c2fe87ee2625 Mon Sep 17 00:00:00 2001
From: Reed Loden
Date: Thu, 3 Oct 2019 16:06:32 -0400
Subject: [PATCH 4/5] Update CVE-2019-16255.yml
---
 rubies/ruby/CVE-2019-16255.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/rubies/ruby/CVE-2019-16255.yml b/rubies/ruby/CVE-2019-16255.yml
index 3a7730b8ab..d41053fccb 100644
--- a/rubies/ruby/CVE-2019-16255.yml
+++ b/rubies/ruby/CVE-2019-16255.yml
@@ -13,8 +13,6 @@ description: |
 Users must never do it. However, we treat this particular case as a
 vulnerability because the purpose of Shell#[] and Shell#[] is considered file
 testing.
-
- All users running an affected release should upgrade immediately.
 patched_versions:
 - "~> 2.4.8"
 - "~> 2.5.7"
From 1282d4b0a278e7e8accbe8831c7ddd2e1ae49078 Mon Sep 17 00:00:00 2001
From: Reed Loden
Date: Thu, 3 Oct 2019 16:06:50 -0400
Subject: [PATCH 5/5] Update CVE-2019-15845.yml
---
 rubies/ruby/CVE-2019-15845.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/rubies/ruby/CVE-2019-15845.yml b/rubies/ruby/CVE-2019-15845.yml
index 4632f5a800..06cde88107 100644
--- a/rubies/ruby/CVE-2019-15845.yml
+++ b/rubies/ruby/CVE-2019-15845.yml
@@ -11,8 +11,6 @@ description: |
 NUL byte. Therefore, a script that uses an external input as the pattern
 argument, an attacker can make it wrongly match a pathname that is the second
 parameter.
-
- All users running any affected releases should upgrade as soon as possible.
 patched_versions:
 - "~> 2.4.8"
 - "~> 2.5.7"