Debian Bug report logs - #911920
ruby2.5: CVE-2018-16396: Tainted flags are not propagated in Array#pack and String#unpack with some directives
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 26 Oct 2018 06:45:02 UTC
Severity: grave
Tags: patch, security, upstream
Found in version ruby2.5/2.5.1-6
Fixed in version ruby2.5/2.5.3-1
Done: Antonio Terceiro <terceiro@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>: Bug#911920; Package src:ruby2.5. (Fri, 26 Oct 2018 06:45:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 26 Oct 2018 06:45:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: ruby2.5
Version: 2.5.1-6
Severity: grave
Tags: patch security upstream
Justification: user security hole
Hi,
The following vulnerability was published for ruby2.5.
CVE-2018-16396[0]:
Tainted flags are not propagated in Array#pack and String#unpack with some directives
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-16396
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16396
[1] https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/
Regards,
Salvatore
Reply sent to Antonio Terceiro <terceiro@debian.org>: You have taken responsibility. (Sat, 24 Nov 2018 15:21:10 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sat, 24 Nov 2018 15:21:10 GMT)
Message #10 received at 911920-close@bugs.debian.org:
Source: ruby2.5
Source-Version: 2.5.3-1
We believe that the bug you reported is fixed in the latest version of
ruby2.5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 911920@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Antonio Terceiro <terceiro@debian.org> (supplier of updated ruby2.5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 24 Nov 2018 12:38:59 -0200
Source: ruby2.5
Binary: ruby2.5 libruby2.5 ruby2.5-dev ruby2.5-doc
Architecture: source
Version: 2.5.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Antonio Terceiro <terceiro@debian.org>
Description:
libruby2.5 - Libraries necessary to run Ruby 2.5
ruby2.5 - Interpreter of object-oriented scripting language Ruby
ruby2.5-dev - Header files for compiling extension modules for the Ruby 2.5
ruby2.5-doc - Documentation for Ruby 2.5
Closes: 898051 911717 911920 913181
Changes:
ruby2.5 (2.5.3-1) unstable; urgency=medium
.
* New upstream version 2.5.3
- Includes fix for CVE-2018-16396, "Tainted flags are not propagated in
Array#pack and String#unpack with some directives" (Closes: #911920)
* Refresh patches:
- Dropped 0009-merge-changes-in-ruby-openssl-v2.1.1.patch, already applied
upstream.
* Add tzdata to Build-Depends (Closes: #911717)
* Cherry-pick upstream commit with update to tests due to changes in tzdata
2018f (Closes: #913181)
* Update gemspec reproducibility patch to also make new default gems fiddle
and ipaddr reproducible. (Closes: #898051)
* debian/rules: don't install created.rid file produced by rdoc to make
build reproducible. This file is used by rdoc to decide when to update
documentation when in use in interactive settings, and containing a
timestamp is one of its functions. It is not necessary for a binary
package, though, because the included documentation will never need to be
updated in-place.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Dec 2018 07:26:39 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:10:10 2019; Machine Name: buxtehude