GHSA SYNC: Advisories (2 mruby and 1 mrubyc) plus schema change (#971)

jasnow · web-flow · commit 8ba0f94087d1 · 2026-01-30T23:11:36.000-08:00
diff --git a/gems/activerecord/CVE-2013-3221.yml b/gems/activerecord/CVE-2013-3221.yml
@@ -0,0 +1,38 @@
+---
+gem: activerecord
+framework: rails
+cve: 2013-3221
+ghsa: f57c-hx33-hvh8
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-3221
+title: Data-type injection vulnerability
+date: 2013-04-21
+description: |
+  The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x,
+  and 3.2.x does not ensure that the declared data type of a database
+  column is used during comparisons of input values to stored values
+  in that column, which makes it easier for remote attackers to
+  conduct data-type injection attacks against Ruby on Rails applications
+  via a crafted value, as demonstrated by unintended interaction
+  between the "typed XML" feature and a MySQL database.
+
+  ## RELEASE INFO
+  - Phrack writeup says that 'couple of days after the advisory the
+    issue was "fixed" in Rails 3.2.12 as by the following commit' 921a296.
+    But "Indeed the vector is completely fixed as of Rails 4.2 almost
+    two years after the original advisory."
+cvss_v2: 6.4
+patched_versions:
+  - ">= 4.2.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2013-3221
+    - https://github.com/rails/rails/commit/c9909db9f2f81575ef2ea2ed3b4e8743c8d6f1b9
+    - https://github.com/rails/rails/commit/921a296a3390192a71abeec6d9a035cc6d1865c8
+    - https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce
+    - http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails
+    - http://openwall.com/lists/oss-security/2013/02/06/7
+    - http://openwall.com/lists/oss-security/2013/04/24/7
+    - https://gist.github.com/marianposaceanu/5442275
+    - https://web.archive.org/web/20160307143147/http://www.phenoelit.org/blog/archives/2013/02/index.html
+    - https://github.com/advisories/GHSA-f57c-hx33-hvh8
+    - https://phrack.org/issues/69/12
diff --git a/rubies/mruby/CVE-2025-12875.yml b/rubies/mruby/CVE-2025-12875.yml
@@ -0,0 +1,35 @@
+---
+engine: mruby
+cve: 2025-12875
+ghsa: q269-xqww-45mm
+url: https://nvd.nist.gov/vuln/detail/CVE-2025-12875
+title: Out-of-bounds write vulnerability
+date: 2025-11-07
+description: |
+  A weakness has been identified in mruby 3.4.0. This vulnerability
+  affects the function ary_fill_exec of the file
+  mrbgems/mruby-array-ext/src/array.c. Executing manipulation of
+  the argument start/length can lead to out-of-bounds write. The
+  attack needs to be launched locally. The exploit has been made
+  available to the public and could be exploited.
+  This patch is called 93619f06dd378db6766666b30c08978311c7ec94.
+  It is best practice to apply a patch to resolve this issue.
+
+  ## RELEASE INFO
+  - Commit 93619f0 10/22//2025 for ISS#6650 (Found in
+    unreleased mruby3.5 NEWS.md file)
+cvss_v2: 4.3
+cvss_v3: 7.8
+cvss_v4: 4.8
+patched_versions:
+  - ">= 3.5.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-12875
+    - https://github.com/mruby/mruby/blob/master/NEWS.md
+    - https://github.com/mruby/mruby/commit/93619f06dd378db6766666b30c08978311c7ec94
+    - https://github.com/mruby/mruby/issues/6650
+    - https://vuldb.com/?ctiid.331511
+    - https://vuldb.com/?id.331511
+    - https://vuldb.com/?submit.680879
+    - https://github.com/advisories/GHSA-q269-xqww-45mm
diff --git a/rubies/mruby/CVE-2025-13120.yml b/rubies/mruby/CVE-2025-13120.yml
@@ -0,0 +1,35 @@
+---
+engine: mruby
+cve: 2025-13120
+ghsa: j383-q79v-268x
+url: https://nvd.nist.gov/vuln/detail/CVE-2025-13120
+title: Use-after-realloc vulnerablity in mruby 3.4.0
+date: 2025-11-13
+description: |
+  A vulnerability has been found in mruby up to 3.4.0. This
+  vulnerability affects the function sort_cmp of the file src/array.c.
+  Such manipulation leads to use after free. An attack has to be
+  approached locally. The exploit has been disclosed to the public
+  and may be used.
+  The name of the patch is eb398971bfb43c38db3e04528b68ac9a7ce509bc.
+  It is advisable to implement a patch to correct this issue.
+
+  ## RELEASE INFO
+  - Commit eb39897 10/27//2025 for ISS#6649 (Found in
+    unreleased mruby3.5 NEWS.md file)
+cvss_v2: 4.3
+cvss_v3: 5.5
+cvss_v4: 4.8
+patched_versions:
+  - ">= 3.5.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-13120
+    - https://github.com/mruby/mruby/blob/master/NEWS.md
+    - https://github.com/mruby/mruby/commit/eb398971bfb43c38db3e04528b68ac9a7ce509bc
+    - https://github.com/mruby/mruby/issues/6649
+    - https://github.com/makesoftwaresafe/mruby/pull/263
+    - https://vuldb.com/?ctiid.332325
+    - https://vuldb.com/?id.332325
+    - https://vuldb.com/?submit.683435
+    - https://github.com/advisories/GHSA-j383-q79v-268x
diff --git a/rubies/mrubyc/CVE-2025-13397.yml b/rubies/mrubyc/CVE-2025-13397.yml
@@ -0,0 +1,31 @@
+---
+engine: mrubyc
+cve: 2025-13397
+ghsa: 99jr-qh2r-jwfm
+url: https://nvd.nist.gov/vuln/detail/CVE-2025-13397
+title: null pointer dereference vulnerability in mrubyc 3.4
+date: 2025-11-19
+description: |
+  A security vulnerability has been detected in mrubyc up to 3.4.
+  This impacts the function mrbc_raw_realloc of the file src/alloc.c.
+  Such manipulation of the argument ptr leads to null pointer
+  dereference. An attack has to be approached locally.
+  The name of the patch is 009111904807b8567262036bf45297c3da8f1c87.
+  It is advisable to implement a patch to correct this issue.
+
+  ## RELEASE INFO
+  - Release 3.4 commit stopped on 6/26/2025 and ommit 0091119 was
+    on 10/14/2025 so not in 3.4. Do not see any CHANGELOG or NEWS files.
+cvss_v2: .17
+cvss_v3: 5.5
+cvss_v4: 4.8
+notes: "Never patched"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-13397
+    - https://github.com/mrubyc/mrubyc/commit/009111904807b8567262036bf45297c3da8f1c87
+    - https://github.com/mrubyc/mrubyc/issues/244
+    - https://vuldb.com/?ctiid.332925
+    - https://vuldb.com/?id.332925
+    - https://vuldb.com/?submit.692130
+    - https://github.com/advisories/GHSA-99jr-qh2r-jwfm
diff --git a/rubies/ruby/CVE-2009-1904.yml b/rubies/ruby/CVE-2009-1904.yml
@@ -1,7 +1,7 @@
 ---
 engine: ruby
 cve: 2009-1904
-ghsa: v74x-h8vc-p3j5
+ghsa: prwc-wj59-8vwr
 osvdb: 55031
 url: https://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal
 title: "CVE-2009-1904 ruby: DoS vulnerability in BigDecimal"
@@ -19,5 +19,5 @@ related:
   url:
     - https://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal
     - https://nvd.nist.gov/vuln/detail/CVE-2009-1904
-    - https://github.com/advisories/GHSA-v74x-h8vc-p3j5
+    - https://github.com/advisories/GHSA-prwc-wj59-8vwr
     - http://www.osvdb.org/show/osvdb/55031
diff --git a/spec/schemas/ruby.yml b/spec/schemas/ruby.yml
@@ -4,7 +4,7 @@ mapping:
   "engine":
     type: str
     required: true
-    enum: [jruby, rbx, ruby, mruby]
+    enum: [jruby, rbx, ruby, mruby, mrubyc]
   "platform":
     type: str
   "cve":
