GHSA SYNC: 2 modified advisories; 3 brand new advisories (#957)

Author: jasnow

rubies/ruby/CVE-2011-4121.yml

@@ -0,0 +1,31 @@
+---
+engine: ruby
+cve: 2011-4121
+ghsa: mjg4-5rfj-952f
+url: https://nvd.nist.gov/vuln/detail/CVE-2011-4121
+title: Private Ruby OpenSSL RSA key generation is always "1"
+date: 2019-11-26
+description: |
+  The OpenSSL extension of Ruby (Git trunk) versions after
+  2011-09-01 up to 2011-11-03 always generated an exponent value
+  of '1' to be used for private RSA key generation. A remote
+  attacker could use this flaw to bypass or corrupt integrity
+  of services, depending on strong private RSA keys generation
+  mechanism.
+
+  - "The fix was introduced via SVN revision 33633, resolving
+    the faulty random exponent generation."
+  - "fix was integrated into the Ruby 1.9.3 series"
+cvss_v2: 7.5
+cvss_v3: 9.8
+patched_versions:
+  - ">= 1.9.3"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2011-4121
+    - https://github.com/saltstack/salt/commit/5dd304276ba5745ec21fc1e6686a0b28da29e6fc
+    - https://access.redhat.com/security/cve/cve-2011-4121
+    - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4121
+    - https://security-tracker.debian.org/tracker/CVE-2011-4121
+    - http://www.openwall.com/lists/oss-security/2013/07/01/1
+    - https://github.com/advisories/GHSA-mjg4-5rfj-952f

rubies/ruby/CVE-2016-2337.yml

@@ -0,0 +1,22 @@
+---
+engine: ruby
+cve: 2016-2337
+ghsa: f58m-77qc-8gjv
+url: https://nvd.nist.gov/vuln/detail/CVE-2016-2337
+title: Type confusion exists in _cancel_eval Ruby's TclTkIp class
+date: 2017-01-06
+description: |
+  Type confusion exists in _cancel_eval Ruby's TclTkIp class method.
+  Attacker passing different type of object than String as "retval"
+  argument can cause arbitrary code execution.
+cvss_v3: 9.8
+cvss_v4: 7.5
+patched_versions:
+  - ">= 2.2.8"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2016-2337
+    - https://lists.debian.org/debian-lts-announce/2018/08/msg00028.html
+    - https://security.gentoo.org/glsa/201710-18
+    - http://www.talosintelligence.com/reports/TALOS-2016-0031
+    - https://github.com/advisories/GHSA-f58m-77qc-8gjv

rubies/ruby/CVE-2016-2338.yml

@@ -0,0 +1,31 @@
+---
+engine: ruby
+cve: 2016-2338
+ghsa: r46x-xjwr-8v2g
+url: https://nvd.nist.gov/vuln/detail/CVE-2016-2338
+title: Exploitable heap overflow vulnerability exists
+  in Ruby's Psych::Emitter start_document function
+date: 2022-09-28
+description: |
+  An exploitable heap overflow vulnerability exists in the
+  Psych::Emitter start_document function of Ruby. In Psych::Emitter
+  start_document function heap buffer "head" allocation is made
+  based on tags array length. Specially constructed object passed
+  as element of tags array can increase this array size after
+  mentioned allocation and cause heap overflow.
+
+  - "Ruby versions 2.2.2 (4/13/2015) and 2.3.0 (12/25/2015)
+     are susceptible"
+cvss_v3: 9.8
+patched_versions:
+  - "~> 2.3.1"
+  - ">= 2.4.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2016-2338
+    - https://lists.debian.org/debian-lts-announce/2020/03/msg00032.html
+    - http://www.talosintelligence.com/reports/TALOS-2016-0032
+    - https://security.netapp.com/advisory/ntap-20221228-0005
+    - https://cve.reconshell.com/cve/CVE-2016-2338
+    - https://alas.aws.amazon.com/AL2/ALAS2-2025-2990.html
+    - https://github.com/advisories/GHSA-r46x-xjwr-8v2g

rubies/ruby/CVE-2016-2339.yml

@@ -0,0 +1,33 @@
+---
+engine: ruby
+cve: 2016-2339
+ghsa: c4w7-m676-pcvp
+url: https://nvd.nist.gov/vuln/detail/CVE-2016-2339
+title: Ruby 2.1 has exploitable heap overflow vulnerability
+date: 2017-01-06
+description: |
+  An exploitable heap overflow vulnerability exists in the
+  Fiddle::Function.new "initialize" function functionality of
+  Ruby. In Fiddle::Function.new "initialize" heap buffer
+  "arg_types" allocation is made based on args array length.
+  Specially constructed object passed as element of args array
+  can increase this array size after mentioned allocation and
+  cause heap overflow.
+
+  Versions affected:
+    - Ruby "2.0.0-p648, 2.1.0-p0 through 2.1.9, and 2.2.0 through 2.2.5."
+      - NOTE: Unclear where the patches where applied.
+    - "Fix was introduced in Ruby 2.1.9, with related packages like
+       ruby2.1 updated to version 2.1.9-19.3.2 or newer"
+cvss_v3: 9.8
+patched_versions:
+  - ">= 2.1.9"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2016-2339
+    - https://app.opencve.io/cve/CVE-2016-2339
+    - http://www.talosintelligence.com/reports/TALOS-2016-0034
+    - https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
+    - https://web.archive.org/web/20210123144757/https://www.securityfocus.com/bid/91234
+    - https://www.cybersecurity-help.cz/vulnerabilities/39952/
+    - https://github.com/advisories/GHSA-c4w7-m676-pcvp

rubies/ruby/CVE-2018-8780.yml

@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2018-8780
+ghsa: fphx-j9v2-w2cx
 url: https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/
 title: Unintentional directory traversal by poisoned NUL byte in Dir
 date: 2018-03-28
@@ -14,9 +15,20 @@ description: |
   attacker can make the unintentional directory traversal.
 
   All users running an affected release should upgrade immediately.
+cvss_v2: 7.5
+cvss_v3: 9.1
 patched_versions:
   - "~> 2.2.10"
   - "~> 2.3.7"
   - "~> 2.4.4"
   - "~> 2.5.1"
   - "> 2.6.0-preview1"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2018-8780
+    - https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released
+    - https://github.com/advisories/GHSA-fphx-j9v2-w2cx

rubies/ruby/CVE-2022-28738.yml

@@ -1,18 +1,37 @@
 ---
 engine: ruby
 cve: 2022-28738
+ghsa: 8pqg-8p79-j5j8
 url: https://www.ruby-lang.org/en/news/2022/04/12/double-free-in-regexp-compilation-cve-2022-28738/
 title: Double free in Regexp compilation
 date: 2022-04-12
 description: |
-  A double-free vulnerability is discovered in Regexp compilation. This vulnerability has been assigned the CVE identifier CVE-2022-28738. We strongly recommend upgrading Ruby.
+  A double-free vulnerability is discovered in Regexp compilation. This
+  vulnerability has been assigned the CVE identifier CVE-2022-28738.
+  We strongly recommend upgrading Ruby.
 
-  Due to a bug in the Regexp compilation process, creating a Regexp object with a crafted source string could cause the same memory to be freed twice. This is known as a “double free” vulnerability. Note that, in general, it is considered unsafe to create and use a Regexp object generated from untrusted input. In this case, however, following a comprehensive assessment, we treat this issue as a vulnerability.
+  Due to a bug in the Regexp compilation process, creating a Regexp
+  object with a crafted source string could cause the same memory to
+  be freed twice. This is known as a “double free” vulnerability. Note
+  that, in general, it is considered unsafe to create and use a Regexp
+  object generated from untrusted input. In this case, however,
+  following a comprehensive assessment, we treat this issue as a vulnerability.
 
-  Please update Ruby to 3.0.4, or 3.1.2.
+  Please update Ruby to 3.0.4 or 3.1.2.
+cvss_v2: 7.5
+cvss_v3: 9.8
 patched_versions:
   - "~> 3.0.4"
   - ">= 3.1.2"
 unaffected_versions:
   - "~> 2.6.0"
   - "~> 2.7.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-28738
+    - https://www.ruby-lang.org/en/news/2022/04/12/double-free-in-regexp-compilation-cve-2022-28738
+    - https://hackerone.com/reports/1220911
+    - https://security-tracker.debian.org/tracker/CVE-2022-28738
+    - https://security.netapp.com/advisory/ntap-20220624-0002
+    - https://security.gentoo.org/glsa/202401-27
+    - https://github.com/advisories/GHSA-8pqg-8p79-j5j8