GHSA SYNC: 6 enhanced ruby advisories

Author: jasnow

rubies/ruby/CVE-2005-2337.yml

@@ -0,0 +1,32 @@
+---
+engine: ruby
+cve: 2005-2337
+ghsa: w8mr-4m5w-x8wv
+url: https://nvd.nist.gov/vuln/detail/CVE-2005-2337
+title: Security Bypass Vulnerability with Ruby
+date: 2005-10-07
+description: |
+  The Ruby language has a security mechanism (security model) that
+  can restrict operations on untrusted objects. This security model
+  is based on mechanisms called "object taint" and "safe level."
+  A vulnerability has been confirmed that allows arbitrary script
+  execution by bypassing the "safe level" setting and taint
+  flag protections and execute disallowed code when Ruby
+  processes a program through standard input (stdin).
+cvss_v2: 7.5
+patched_versions:
+  - "~> 1.6.9"
+  - ">= 1.8.3"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2005-2337
+    - https://web.archive.org/web/20060104024955/https://www.ruby-lang.org/en/20051003.html
+    - https://jvn.jp/jp/JVN62914675/index.html
+
+    - http://www.debian.org/security/2005/dsa-860
+    - http://www.debian.org/security/2005/dsa-862
+    - http://www.debian.org/security/2005/dsa-864
+    - http://www.kb.cert.org/vuls/id/160012
+    - http://www.gentoo.org/security/en/glsa/glsa-200510-05.xml
+    - https://ubuntu.com/security/notices/USN-195-1
+    - https://github.com/advisories/GHSA-w8mr-4m5w-x8wv

rubies/ruby/CVE-2006-6303.yml

@@ -0,0 +1,25 @@
+---
+engine: ruby
+cve: 2006-6303
+ghsa: fx2r-qhmq-3jjp
+url: https://nvd.nist.gov/vuln/detail/CVE-2006-6303
+title: Another DoS Vulnerability in CGI Library
+date: 2006-12-06
+description: |
+  The read_multipart function in cgi.rb in Ruby before 1.8.5-p2 does
+  not properly detect boundaries in MIME multipart content, which
+  allows remote attackers to cause a denial of service (infinite
+  loop) via crafted HTTP requests, a different issue than CVE-2006-5467.
+cvss_v2: 5.0
+patched_versions:
+  - ">= 1.8.5-p2"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2006-6303
+    - http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library
+    - https://jvn.jp/jp/JVN84798830/index.html
+    - http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218287
+    - https://ubuntu.com/security/notices/USN-394-1
+    - http://bugs.gentoo.org/show_bug.cgi?id=157048
+    - http://security.gentoo.org/glsa/glsa-200612-21.xml
+    - https://github.com/advisories/GHSA-fx2r-qhmq-3jjp

rubies/ruby/CVE-2008-1145.yml

@@ -0,0 +1,29 @@
+---
+engine: ruby
+cve: 2008-1145
+ghsa: f279-rf2r-m6m5
+url: https://nvd.nist.gov/vuln/detail/CVE-2008-1145
+title: Directory traversal vulnerability in WEBrick
+date: 2008-03-04
+description: |
+  Directory traversal vulnerability in WEBrick
+  when running on systems that support backslash () path separators
+  or case-insensitive file names, allows remote attackers to access
+  arbitrary files via (1) "..%5c" (encoded backslash) sequences or
+  (2) filenames that match patterns in the :NondisclosureName option.
+
+  NOTE: Fixes are mentioned in 2008/03/03 reference.
+cvss_v2: 5.0
+patched_versions:
+  - "~> 1.8.5.p115"
+  - "~> 1.8.6.p114"
+  - ">= 1.9.0.1"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2008-1145
+    - http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability
+    - https://www.exploit-db.com/exploits/5215
+    - http://www.kb.cert.org/vuls/id/404515
+    - http://support.apple.com/kb/HT2163
+    - http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html
+    - https://github.com/advisories/GHSA-f279-rf2r-m6m5

rubies/ruby/CVE-2017-14064.yml

@@ -1,7 +1,8 @@
 ---
 engine: ruby
 cve: 2017-14064
-url: https://www.ruby-lang.org/en/news/2017/09/14/json-heap-exposure-cve-2017-14064/
+ghsa: 954h-8gv7-2q75
+url: https://nvd.nist.gov/vuln/detail/CVE-2017-14064
 title: Heap exposure vulnerability in generating JSON
 date: 2017-09-14
 description: |
@@ -14,7 +15,28 @@ description: |
 
   The JSON library is also distributed as a gem. If you can’t upgrade Ruby
   itself, install JSON gem newer than version 2.0.4.
+cvss_v2: 7.5
+cvss_v3: 9.8
 patched_versions:
   - "~> 2.2.8"
   - "~> 2.3.5"
   - ">= 2.4.2"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2017-14064
+    - https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released
+    - https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released
+    - https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-4-2-released
+    - https://www.ruby-lang.org/en/news/2017/09/14/json-heap-exposure-cve-2017-14064
+    - https://github.com/ruby/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85
+    - https://bugs.ruby-lang.org/issues/13853
+    - https://hackerone.com/reports/209949
+    - https://www.debian.org/security/2017/dsa-3966
+    - https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
+    - https://ubuntu.com/security/notices/USN-3685-1
+    - https://security.gentoo.org/glsa/201710-18
+    - https://access.redhat.com/errata/RHSA-2017:3485
+    - https://access.redhat.com/errata/RHSA-2018:0378
+    - https://access.redhat.com/errata/RHSA-2018:0583
+    - https://access.redhat.com/errata/RHSA-2018:0585
+    - https://github.com/advisories/GHSA-954h-8gv7-2q75

rubies/ruby/CVE-2017-6181.yml

@@ -0,0 +1,26 @@
+---
+engine: ruby
+cve: 2017-6181
+ghsa: 5pfp-rwpx-xgfx
+url: https://nvd.nist.gov/vuln/detail/CVE-2017-6181
+title: DoS caused by infinite recursion (stack overflow) in parse_char_class()
+date: 2017-04-03
+description: |
+  The parse_char_class function in regparse.c in the Onigmo (aka
+  Oniguruma-mod) regular expression library, as used in Ruby 2.4.0,
+  allows remote attackers to cause a denial of service (deep
+  recursion and application crash) via a crafted regular expression.
+
+  ## RELEASE NOTE
+  In bug report, found
+  - "Applied in changeset r57660" and
+  - "ruby_2_4 r57909 merged revision(s) 57660"
+cvss_v2: 5.0
+cvss_v3: 7.5
+patched_versions:
+  - ">= 2.4.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2017-6181
+    - https://bugs.ruby-lang.org/issues/13234
+    - https://github.com/advisories/GHSA-5pfp-rwpx-xgfx

rubies/ruby/CVE-2019-16255.yml

@@ -1,7 +1,8 @@
 ---
 engine: ruby
 cve: 2019-16255
-url: https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
+ghsa: ph7w-p94x-9vvw
+url: https://nvd.nist.gov/vuln/detail/CVE-2019-16255
 title: A code injection vulnerability of Shell#[] and Shell#test
 date: 2019-10-01
 description: |
@@ -13,8 +14,33 @@ description: |
   Users must never do it. However, we treat this particular case as a
   vulnerability because the purpose of Shell#[] and Shell#[] is considered file
   testing.
+
+  Note: Mentioned as being fixed in JRuby 9.3.0.0 release. URLs at bottom of list.
+cvss_v2: 6.8
+cvss_v3: 8.1
 patched_versions:
   - "~> 2.4.8"
   - "~> 2.5.7"
   - "~> 2.6.5"
   - "> 2.7.0-preview1"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2019-16255
+    - https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-6-5-released
+    - https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-5-7-released
+    - https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-4-8-released
+    - https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255
+    - https://seclists.org/bugtraq/2019/Dec/31
+    - https://seclists.org/bugtraq/2019/Dec/32
+    - https://www.debian.org/security/2019/dsa-4587
+    - https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html
+    - http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html
+    - https://security.gentoo.org/glsa/202003-06
+    - https://www.oracle.com/security-alerts/cpujan2020.html
+    - https://hackerone.com/reports/327512
+    - https://github.com/jruby/jruby/releases/tag/9.3.0.0
+    - https://github.com/jruby/jruby/issues/5126
+    - https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html
+    - https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html
+    - https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
+    - https://github.com/advisories/GHSA-ph7w-p94x-9vvw