Skip to content

Commit f8ab84e

Browse files
jasnowjasnow
committed
GHSA SYNC: 1 modified advisory; 1 new advisory
1 parent 1f1b9c8 commit f8ab84e

File tree

2 files changed

+52
-1
lines changed

2 files changed

+52
-1
lines changed

rubies/mruby/CVE-2020-36401.yml

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
---
2+
engine: mruby
3+
cve: 2020-36401
4+
ghsa: qq64-7fh7-7hmw
5+
url: https://nvd.nist.gov/vuln/detail/CVE-2020-36401
6+
title: double free vulnerabliity
7+
date: 2021-06-30
8+
description: |
9+
mruby 2.1.2 has a double free in mrb_default_allocf (called
10+
from mrb_free and obj_free).
11+
12+
# RELEASE NOTES
13+
14+
Cloned "mruby" repo, ran "git fetch --all --tags", then
15+
"git tag --contains 97319697c8f9f6ff27b32589947e1918e3015503"
16+
and got "3.0.0-preview, 3.0.0-rc, 3.0.0, ... 3.4.0-rc2".
17+
cvss_v2: 6.8
18+
cvss_v3: 7.8
19+
patched_versions:
20+
- ">= 3.0.0"
21+
related:
22+
url:
23+
- https://nvd.nist.gov/vuln/detail/CVE-2020-36401
24+
- https://mruby.org/releases/2021/03/05/mruby-3.0.0-released.html
25+
- https://github.com/mruby/mruby/commit/97319697c8f9f6ff27b32589947e1918e3015503
26+
- https://issues.oss-fuzz.com/issues/42485317
27+
- https://github.com/google/oss-fuzz-vulns/blob/main/vulns/mruby/OSV-2020-744.yaml
28+
- https://github.com/advisories/GHSA-qq64-7fh7-7hmw

rubies/ruby/CVE-2017-0898.yml

Lines changed: 24 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,8 @@
11
---
22
engine: ruby
33
cve: 2017-0898
4-
url: https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/
4+
url: https://nvd.nist.gov/vuln/detail/CVE-2017-0898
5+
ghsa: wvmx-3rv2-5jgf
56
title: Buffer underrun vulnerability in Kernel.sprintf
67
date: 2017-09-14
78
description: |
@@ -13,7 +14,29 @@ description: |
1314
the Ruby interpreter may crash.
1415
1516
All users running an affected release should upgrade immediately.
17+
18+
Also impacted mruby - issue #3722 mentioned it was fixed in 1.3.0.
19+
cvss_v2: 6.4
20+
cvss_v3: 9.1
1621
patched_versions:
1722
- "~> 2.2.8"
1823
- "~> 2.3.5"
1924
- ">= 2.4.2"
25+
related:
26+
url:
27+
- https://nvd.nist.gov/vuln/detail/CVE-2017-0898
28+
- https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898
29+
- https://github.com/mruby/mruby/issues/3722
30+
- https://hackerone.com/reports/212241
31+
- https://access.redhat.com/errata/RHSA-2017:3485
32+
- https://access.redhat.com/errata/RHSA-2018:0378
33+
- https://access.redhat.com/errata/RHSA-2018:0583
34+
- https://access.redhat.com/errata/RHSA-2018:0585
35+
- https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
36+
- https://security.gentoo.org/glsa/201710-18
37+
- https://www.debian.org/security/2017/dsa-4031
38+
- https://ubuntu.com/security/notices/USN-3685-1
39+
- https://web.archive.org/web/20200227145420/https://www.securityfocus.com/bid/100862
40+
- https://github.com/advisories/GHSA-wvmx-3rv2-5jgf
41+
notes: |
42+
- Do I need to duplicate this advisory under "mruby" directory?

0 commit comments

Comments
 (0)