[gentoo-announce] [ GLSA 202405-30 ] Rebar3: Command Injection

    From glsamaker@gentoo.org@21:1/5 to All on Sun May 12 07:20:01 2024
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202405-30
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Normal
    Title: Rebar3: Command Injection
    Date: May 12, 2024
    Bugs: #749363
    ID: 202405-30

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been discovered in Rebar3, which can lead to command injection.

    Background
    ==========

    A sophisticated build-tool for Erlang projects that follows OTP
    principles.

    Affected packages
    =================

    Package             Vulnerable    Unaffected
    ------------------  ------------  ------------
    dev-util/rebar-bin  < 3.14.4      >= 3.14.4

    Description
    ===========

    Rebar3 is vulnerable to OS command injection via the URL parameter of a dependency specification.
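
    The description names the bug class but not the code pattern behind
    it. The Erlang module below is an added illustration for this
    advisory; it is not rebar3 source and not the change shipped in
    3.14.4. It puts the shell-spliced form of a git fetch next to an
    argument-vector form guarded by a URL allowlist. The module name,
    function names, the regex and the sample injected URL are assumptions
    made for the example; the {git, Url, {tag, ...}} shape quoted in the
    comments is the ordinary rebar.config dependency form.

```erlang
%% dep_fetch_example.erl
%% Added illustration of the bug class named in GLSA 202405-30; this is
%% not rebar3 source. Function names, the sample URL and the allowlist
%% regex are assumptions made for the example.
-module(dep_fetch_example).
-export([clone_unsafe/2, clone_safe/2, dep_url_ok/1]).

%% Vulnerable pattern: the dependency URL (in rebar3 it comes from a
%% rebar.config entry such as {git, Url, {tag, "1.0"}}) is spliced into
%% a command line that os:cmd/1 hands to /bin/sh -c. A constructed URL
%% like "https://example.invalid/lib.git; id > /tmp/injected" therefore
%% runs the text after the semicolon as a shell command.
clone_unsafe(Url, Dir) ->
    os:cmd("git clone " ++ Url ++ " " ++ Dir).

%% Hardened pattern: reject URLs outside the allowed shape, then run git
%% through spawn_executable with an argument vector. No shell is
%% involved, so shell metacharacters in Url reach git as plain bytes of
%% a single argument, and "--" stops git from reading Url as an option.
clone_safe(Url, Dir) ->
    case dep_url_ok(Url) of
        false ->
            {error, {rejected_dep_url, Url}};
        true ->
            case os:find_executable("git") of
                false ->
                    {error, git_not_found};
                Git ->
                    Port = erlang:open_port(
                             {spawn_executable, Git},
                             [{args, ["clone", "--", Url, Dir]},
                              exit_status, stderr_to_stdout]),
                    collect(Port, [])
            end
    end.

%% Gather git's output until the port reports its exit status.
collect(Port, Acc) ->
    receive
        {Port, {data, Data}} ->
            collect(Port, [Data | Acc]);
        {Port, {exit_status, 0}} ->
            {ok, lists:flatten(lists:reverse(Acc))};
        {Port, {exit_status, Code}} ->
            {error, {git_exit, Code, lists:flatten(lists:reverse(Acc))}}
    end.

%% Allowlist for dependency URLs: a scheme git understands followed by
%% characters that occur in real repository URLs. Anything else
%% (spaces, ';', '|', '`', '$', quotes, newlines) is refused up front,
%% before any process is started.
dep_url_ok(Url) ->
    Re = "^(https?|ssh|git)://[A-Za-z0-9._~:/@%+-]+$",
    re:run(Url, Re, [{capture, none}]) =:= match.
```

    Compile with "erlc dep_fetch_example.erl" and load it in an erl
    shell. dep_url_ok("https://example.invalid/lib.git; id") returns
    false, and clone_safe/2 with that URL returns
    {error, {rejected_dep_url, _}} without starting any process, whereas
    clone_unsafe/2 would hand the whole string to /bin/sh. The allowlist
    check is the cheap first line; the argument vector is what removes
    the shell from the path entirely, so even a URL that slips past the
    regex cannot become a second command.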

    Impact
    ======

    A vulnerability has been discovered in Rebar3. Please review the CVE
    identifier referenced below for details.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    Gentoo has discontinued support for the Rebar3 binary package
    (dev-util/rebar-bin). We recommend that users unmerge it:

    # emerge --ask --depclean "dev-util/rebar-bin"

    References
    ==========

    [ 1 ] CVE-2020-13802
    https://nvd.nist.gov/vuln/detail/CVE-2020-13802

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202405-30

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    security@gentoo.org or alternatively, you may file a bug at
    https://bugs.gentoo.org.

    License
    =======

    Copyright 2024 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5

    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmZAT2oACgkQFMQkOaVy
    +9lZkxAAqPzzx1u095+oWAhJb9jUF0vXhQQ6lcxuA+rcD2bXCd8GtUcez4aLl2Kp
    qfSvg1tWNVNDkz4juot44Can3zD00/JYQCBXSvzD2xJ/4SH61XsXdGuigIpFljux
    RVKBCRwvrUAJ5NzMr7Vg8SvZGfXtkU4erOeQSx9MM7aHPvDxCyXjjbPehGVVnqkz
    mQ4YPfHq2kYwK1sR4tXdXWdQgwdrdkLiLT295k22YgVXNGtuzAOFk0ss7plRMUOQ
    E1KXbE4zdCSARQqxZVlMfeZKhBS6TVFt1A+ichRMhF6lso0xhCdvW4JiuWuSLfQZ
    0249GfDIFE3OUx22VsvWvAPrEe7wjA1LGOrQlSq63aUO36/9FD/WTFRv8RivUxmc
    WVCPl0N670SYhDrYhFeWkoO5wAWiSJNFHwjYGRRCOWAAfuAGkOneL8wtqPLKKjX9
    YStAOxEXxCxx5OEL0Y10wnPQFFG6qOX0mGpXxP7s2hUsUHW2lXBea3bBID+kSC6z
    +OaHsF6kqh2nj0kwhne/ZMFR83XBRxxN1xzcI5UMglKQq6a+v3GqQX6iuebDp6np
    rIAZXFDzXmocBr6x1hMGy+wr3zu7Avx8w8QDNpJY13v8hGcku+JUUOcgQjnPMVC7
    VSA9A8EoxHdfL4NSx/iAcykIp496r+U9hE7G/0g26H7ZbOO6dBo=
    =9dpu
    -----END PGP SIGNATURE-----
