ruby2.5: CVE-2018-16396: Tainted flags are not propagated in Array#pack and String#unpack with some directives


Debian Bug report logs - #911920


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 26 Oct 2018 06:45:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version ruby2.5/2.5.1-6

Fixed in version ruby2.5/2.5.3-1

Done: Antonio Terceiro <terceiro@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#911920; Package src:ruby2.5. (Fri, 26 Oct 2018 06:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 26 Oct 2018 06:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby2.5: CVE-2018-16396: Tainted flags are not propagated in Array#pack and String#unpack with some directives
Date: Fri, 26 Oct 2018 08:40:43 +0200
Source: ruby2.5
Version: 2.5.1-6
Severity: grave
Tags: patch security upstream
Justification: user security hole

Hi,

The following vulnerability was published for ruby2.5.

CVE-2018-16396[0]:
Tainted flags are not propagated in Array#pack and String#unpack with some directives

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16396
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16396
[1] https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/

Regards,
Salvatore



Reply sent to Antonio Terceiro <terceiro@debian.org>:
You have taken responsibility. (Sat, 24 Nov 2018 15:21:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 24 Nov 2018 15:21:10 GMT)


Message #10 received at 911920-close@bugs.debian.org:

From: Antonio Terceiro <terceiro@debian.org>
To: 911920-close@bugs.debian.org
Subject: Bug#911920: fixed in ruby2.5 2.5.3-1
Date: Sat, 24 Nov 2018 15:19:30 +0000
Source: ruby2.5
Source-Version: 2.5.3-1

We believe that the bug you reported is fixed in the latest version of
ruby2.5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 911920@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terceiro@debian.org> (supplier of updated ruby2.5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 24 Nov 2018 12:38:59 -0200
Source: ruby2.5
Binary: ruby2.5 libruby2.5 ruby2.5-dev ruby2.5-doc
Architecture: source
Version: 2.5.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Antonio Terceiro <terceiro@debian.org>
Description:
 libruby2.5 - Libraries necessary to run Ruby 2.5
 ruby2.5    - Interpreter of object-oriented scripting language Ruby
 ruby2.5-dev - Header files for compiling extension modules for the Ruby 2.5
 ruby2.5-doc - Documentation for Ruby 2.5
Closes: 898051 911717 911920 913181
Changes:
 ruby2.5 (2.5.3-1) unstable; urgency=medium
 .
   * New upstream version 2.5.3
     - Includes fix for CVE-2018-16396, "Tainted flags are not propagated in
       Array#pack and String#unpack with some directives" (Closes: #911920)
   * Refresh patches:
     - Dropped 0009-merge-changes-in-ruby-openssl-v2.1.1.patch, already applied
       upstream.
   * Add tzdata to Build-Depends (Closes: #911717)
   * Cherry-pick upstream commit with update to tests due to changes in tzdata
     2018f (Closes: #913181)
   * Update gemspec reproducibility patch to also make new default gems fiddle
     and ipaddr reproducible. (Closes: #898051)
   * debian/rules: don't install created.rid file produced by rdoc to make
     build reproducible. This file is used by rdoc to decide when to update
     documentation when in use in interactive settings, and containing a
     timestamp is one of its functions. It is not necessary for a binary
     package, though, because the included documentation will never need to be
     updated in-place.
Checksums-Sha1:
 91c316a3fd26f55cbfbb07ca6983f04f9b60a877 2421 ruby2.5_2.5.3-1.dsc
 acfe8bd7820ca0a0ebee4d08a6200ce90b47ba95 10184868 ruby2.5_2.5.3.orig.tar.xz
 23321f29233feb0b1dd5885be29a024412933612 116476 ruby2.5_2.5.3-1.debian.tar.xz
 1bab5f8ed23d8d49bab97f502a8591372c0225f2 7014 ruby2.5_2.5.3-1_source.buildinfo
Checksums-Sha256:
 8c6635f4cfc0a3173c2ae0dd000aae4dac41b84946b8c1f98512784e1c25f257 2421 ruby2.5_2.5.3-1.dsc
 4953ab3299b6feaec99f4fa1507f3b276951f4c1c99aa435b8e0b1b4afe38302 10184868 ruby2.5_2.5.3.orig.tar.xz
 964f7c083c484e8a73a16e9be1caa7a6e0403e05abb77f91ea1ab8aca983e9e6 116476 ruby2.5_2.5.3-1.debian.tar.xz
 2bf8cf72f5ccb85bd9475f9098fa248e750c63f76c87e241f2708a5f53bfea1f 7014 ruby2.5_2.5.3-1_source.buildinfo
Files:
 891297786d509cecce3f3e7078472584 2421 ruby optional ruby2.5_2.5.3-1.dsc
 dc21f9f1a5c327e0bb3520770b72d3f6 10184868 ruby optional ruby2.5_2.5.3.orig.tar.xz
 84653f68ab37e468612218f51b7b5829 116476 ruby optional ruby2.5_2.5.3-1.debian.tar.xz
 1139383347d2cb885278be4eeca4c5e6 7014 ruby optional ruby2.5_2.5.3-1_source.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Dec 2018 07:26:39 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:10:10 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.