ruby-2.0.0.648-33.0.1.el7.AXS7

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.

Security Fix(es):

* It was discovered that the Net::FTP module did not properly process filenames in combination with certain operations. A remote attacker could exploit this flaw to execute arbitrary commands by setting up a malicious FTP server and tricking a user or Ruby application into downloading files with specially crafted names using the Net::FTP module. (CVE-2017-17405)

* A buffer underflow was found in ruby's sprintf function. An attacker, with ability to control its format string parameter, could send a specially crafted string that would disclose heap memory or crash the interpreter. (CVE-2017-0898)

* It was found that rubygems did not sanitize gem names during installation of a given gem. A specially crafted gem could use this flaw to install files outside of the regular directory. (CVE-2017-0901)

* A vulnerability was found where rubygems did not sanitize DNS responses when requesting the hostname of the rubygems server for a domain, via a _rubygems._tcp DNS SRV query. An attacker with the ability to manipulate DNS responses could direct the gem command towards a different domain. (CVE-2017-0902)

* A vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter. (CVE-2017-0903)

* It was found that WEBrick did not sanitize all its log messages. If logs were printed in a terminal, an attacker could interact with the terminal via the use of escape sequences. (CVE-2017-10784)

* It was found that the decode method of the OpenSSL::ASN1 module was vulnerable to buffer underrun. An attacker could pass a specially crafted string to the application in order to crash the ruby interpreter, causing a denial of service. (CVE-2017-14033)

* A vulnerability was found where rubygems did not properly sanitize gems' specification text. A specially crafted gem could interact with the terminal via the use of escape sequences. (CVE-2017-0899)

* It was found that rubygems could use an excessive amount of CPU while parsing a sufficiently long gem summary. A specially crafted gem from a gem repository could freeze gem commands attempting to parse its summary. (CVE-2017-0900)

* A buffer overflow vulnerability was found in the JSON extension of ruby. An attacker with the ability to pass a specially crafted JSON input to the extension could use this flaw to expose the interpreter's heap memory. (CVE-2017-14064)

* The "lazy_initialize" function in lib/resolv.rb did not properly process certain filenames. A remote attacker could possibly exploit this flaw to inject and execute arbitrary commands. (CVE-2017-17790)

CVE-2017-0898
Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious
format string which contains a precious specifier (*) with a huge
minus value. Such situation can lead to a buffer overrun, resulting in
a heap memory corruption or an information disclosure from the heap.
CVE-2017-0899
RubyGems version 2.6.12 and earlier is vulnerable to maliciously
crafted gem specifications that include terminal escape characters.
Printing the gem specification would execute terminal escape
sequences.
CVE-2017-0900
RubyGems version 2.6.12 and earlier is vulnerable to maliciously
crafted gem specifications to cause a denial of service attack against
RubyGems clients who have issued a `query` command.
CVE-2017-0901
RubyGems version 2.6.12 and earlier fails to validate specification
names, allowing a maliciously crafted gem to potentially overwrite any
file on the filesystem.
CVE-2017-0902
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking
vulnerability that allows a MITM attacker to force the RubyGems client
to download and install gems from a server that the attacker controls.
CVE-2017-0903
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a
possible remote code execution vulnerability. YAML deserialization of
gem specifications can bypass class white lists. Specially crafted
serialized objects can possibly be used to escalate to remote code
execution.
CVE-2017-10784
The Basic authentication code in WEBrick library in Ruby before 2.2.8,
2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to
inject terminal emulator escape sequences into its log and possibly
execute arbitrary commands via a crafted user name.
CVE-2017-14033
The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8,
2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause
a denial of service (interpreter crash) via a crafted string.
CVE-2017-14064
Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can
expose arbitrary memory during a JSON.generate call. The issues lies in
using strdup in ext/json/ext/generator/generator.c, which will stop
after encountering a '\0' byte, returning a pointer to a string of
length zero, which is not the length stored in space_len.
CVE-2017-17405
Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get,
getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use
Kernel#open to open a local file. If the localfile argument starts with
the "|" pipe character, the command following the pipe character is
executed. The default value of localfile is File.basename(remotefile),
so malicious FTP servers could cause arbitrary command execution.
CVE-2017-17790
The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3
uses Kernel#open, which might allow Command Injection attacks, as
demonstrated by a Resolv::Hosts::new argument beginning with a '|'
character, a different vulnerability than CVE-2017-17405. NOTE:
situations with untrusted input may be highly unlikely.