
Re: rubygems / CVE-2018-1000074



"Santiago R.R." <santiagorr@riseup.net> writes:

> As I said in a previous mail, I think it is a not-so-severe issue (the
> user has to run the `gem owner` command for it to be exploitable), *and* I
> found it too intrusive to be backported to versions <= 2.2. I.e. it
> depends on a version of ruby's Psych that includes safe_load and all the
> functions it depends on. It is worth noting that, AFAICS, upstream did not
> include this fix in the patch for ruby 2.2 that relates to the rubygems
> CVEs:
> https://bugs.ruby-lang.org/attachments/download/7030/rubygems-276-for-ruby22.patch

Oops, sorry, I missed that post. I added references to both that thread
and this thread to dla-needed.txt and rubygems.

Yes, probably this should be marked no-dsa.

> I think it is a similar case for CVE-2018-1000079. I'd like
> security-team's opinion before tagging them as no-dsa.

The security tracker has wheezy marked as "Vulnerable code not present"
for CVE-2018-1000079.
-- 
Brian May <bam@debian.org>
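The thread above turns on the fix needing Psych's safe_load. The following is an added example, not rubygems' own code and not part of either mail, that shows the difference the fix depends on: the legacy YAML loader instantiates any tagged Ruby class named in the document, while Psych.safe_load rejects it with Psych::DisallowedClass. The Greeting class and both YAML documents are constructed for the example; they are not real gem server responses.

```ruby
require 'yaml'

# Hypothetical application class, defined here only so the tagged document
# below has something to instantiate. Any class reachable by name would do.
class Greeting
  attr_accessor :text
end

# Constructed YAML documents (not actual server output).
# The first carries a Ruby object tag; the second is the plain data shape a
# client actually expects.
TAGGED_DOC = <<~YAML
  --- !ruby/object:Greeting
  text: hi
YAML

PLAIN_DOC = <<~YAML
  ---
  name: example
  owners:
    - alice
    - bob
YAML

# Legacy behaviour: full Ruby object deserialization.
# Psych >= 3.3.2 (Ruby >= 3.1) moved this to Psych.unsafe_load and made
# Psych.load safe by default, so pick whichever entry point still does it.
def load_unsafe(doc)
  if Psych.respond_to?(:unsafe_load)
    Psych.unsafe_load(doc)
  else
    Psych.load(doc)
  end
end

# Hardened behaviour: only basic scalar/collection types are allowed;
# a !ruby/object tag raises Psych::DisallowedClass instead of instantiating.
def load_safe(doc)
  Psych.safe_load(doc)
end

# Returns [:ok, value] when the document is plain data, or
# [:rejected, exception_class] when safe_load refuses a tagged object.
def safe_load_result(doc)
  [:ok, load_safe(doc)]
rescue Psych::DisallowedClass => e
  [:rejected, e.class]
end

if __FILE__ == $PROGRAM_NAME
  obj = load_unsafe(TAGGED_DOC)
  puts "legacy loader built: #{obj.class} (text=#{obj.text.inspect})"
  status, detail = safe_load_result(TAGGED_DOC)
  puts "safe_load on tagged doc: #{status} (#{detail})"
  puts "safe_load on plain doc: #{safe_load_result(PLAIN_DOC).inspect}"
end
```

On a Ruby old enough to lack Psych.safe_load entirely (the situation the backport discussion is about), load_safe raises NoMethodError rather than rejecting the document, which is the dependency that makes the fix hard to backport to those versions.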

