• [gentoo-announce] [ GLSA 202401-05 ] RDoc: Command Injection

    From glsamaker@gentoo.org@21:1/5 to All on Fri Jan 5 14:40:01 2024
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202401-05
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Normal
    Title: RDoc: Command Injection
    Date: January 05, 2024
    Bugs: #801301
    ID: 202401-05

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been found in RDoc which allows for command
    injection.

    Background
    ==========

    RDoc produces HTML and command-line documentation for Ruby projects.

    Affected packages
    =================

    Package         Vulnerable    Unaffected
    -------------   ------------  ------------
    dev-ruby/rdoc   < 6.3.2       >= 6.3.2

    Description
    ===========

    A vulnerability has been discovered in RDoc. Please review the CVE
    identifier referenced below for details.

    Impact
    ======

    RDoc used to call Kernel#open to open a local file. If a Ruby project
    has a file whose name starts with "|" and ends with "tags", the command
    following the pipe character is executed. A malicious Ruby project
    could exploit this to achieve arbitrary command execution against a
    user who attempts to run the rdoc command.
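    As an added illustration of the pattern described above (an example
    written for this page, not RDoc's code or its 6.3.2 patch): the
    Kernel#open call that turns a "|"-prefixed name into a command, the
    File.open form that does not, and a check that flags such names in a
    project tree. The helper names and the constructed temporary tree and
    its file names are assumptions.

```ruby
require 'tmpdir'
require 'fileutils'

# Vulnerable pattern (the bug class behind CVE-2021-31799): Kernel#open treats a
# name that starts with "|" as a command to run and hands back its pipe, so a
# file name taken from an untrusted project tree becomes a shell command.
def read_source_unsafe(path)
  open(path) { |io| io.read } # never call this with an untrusted name
end

# Hardened form: File.open only ever opens a file; a leading "|" is just a
# character in the name. (The usual fix for this bug class; assumed here,
# not quoted from RDoc's patch.)
def read_source_safe(path)
  File.open(path, 'r') { |io| io.read }
end

# Defensive check: a Ruby source or tags file whose basename begins with "|"
# has no legitimate purpose, so flag it before any tool opens it by name.
def pipe_prefixed?(name)
  File.basename(name).start_with?('|')
end

# Walk a project tree and return the relative paths of pipe-prefixed files.
def suspicious_entries(project_dir)
  Dir.glob(File.join(project_dir, '**', '*'), File::FNM_DOTMATCH)
     .select { |p| File.file?(p) && pipe_prefixed?(p) }
     .map { |p| p.sub("#{project_dir}/", '') } # literal (non-regex) sub
     .sort
end

# Constructed sample tree: one ordinary file and one whose *name* starts with
# "|". Nothing is executed; the safe reader simply returns the file body.
def demo
  dir = Dir.mktmpdir('glsa-demo')
  File.write(File.join(dir, 'lib.rb'), "# ordinary source\n")
  odd = File.join(dir, '|not-a-command.rb')
  File.write(odd, "file body, not a command\n")
  { flagged: suspicious_entries(dir), safe_read: read_source_safe(odd) }
ensure
  FileUtils.rm_rf(dir) if dir
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```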

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All RDoc users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-ruby/rdoc-6.3.2"

    References
    ==========

    [ 1 ] CVE-2021-31799
    https://nvd.nist.gov/vuln/detail/CVE-2021-31799

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202401-05

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

    License
    =======

    Copyright 2024 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5