[ALAS2-2018-983] Amazon Linux 2 2017.12 - ALAS2-2018-983: medium priority package update for ruby

Severity Medium

Affected Packages 16

CVEs 8

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:
CVE-2018-1000079:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.
1547426:
CVE-2018-1000079 rubygems: Path traversal issue during gem installation allows to write to arbitrary filesystem locations

CVE-2018-1000078:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server. This vulnerability appears to have been fixed in 2.7.6.
1547425:
CVE-2018-1000078 rubygems: XSS vulnerability in homepage attribute when displayed via gem server

CVE-2018-1000077:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem could set an invalid homepage URL. This vulnerability appears to have been fixed in 2.7.6.
1547422:
CVE-2018-1000077 rubygems: Missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL

CVE-2018-1000076:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.. This vulnerability appears to have been fixed in 2.7.6.
1547421:
CVE-2018-1000076 rubygems: Improper verification of signatures in tarball allows to install mis-signed gem

CVE-2018-1000075:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop.. This vulnerability appears to have been fixed in 2.7.6.
1547420:
CVE-2018-1000075 rubygems: Infinite loop vulnerability due to negative size in tar header causes Denial of Service

CVE-2018-1000074:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the gem owner command on a gem with a specially crafted YAML file. This vulnerability appears to have been fixed in 2.7.6.
1547419:
CVE-2018-1000074 rubygems: Unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML

CVE-2018-1000073:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6.
1547418:
CVE-2018-1000073 rubygems: Path traversal when writing to a symlinked basedir outside of the root

CVE-2017-17790:
The "lazy_initialize" function in lib/resolv.rb did not properly process certain filenames. A remote attacker could possibly exploit this flaw to inject and execute arbitrary commands.
1528218:
CVE-2017-17790 ruby: Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution

Package	Affected Version
pkg:rpm/amazonlinux/rubygems?arch=noarch&distro=amazonlinux-2	< 2.0.14.1-33.amzn2.0.1
pkg:rpm/amazonlinux/rubygems-devel?arch=noarch&distro=amazonlinux-2	< 2.0.14.1-33.amzn2.0.1
pkg:rpm/amazonlinux/rubygem-rdoc?arch=noarch&distro=amazonlinux-2	< 4.0.0-33.amzn2.0.1
pkg:rpm/amazonlinux/rubygem-rake?arch=noarch&distro=amazonlinux-2	< 0.9.6-33.amzn2.0.1
pkg:rpm/amazonlinux/rubygem-psych?arch=x86_64&distro=amazonlinux-2	< 2.0.0-33.amzn2.0.1
pkg:rpm/amazonlinux/rubygem-minitest?arch=noarch&distro=amazonlinux-2	< 4.3.2-33.amzn2.0.1
pkg:rpm/amazonlinux/rubygem-json?arch=x86_64&distro=amazonlinux-2	< 1.7.7-33.amzn2.0.1
pkg:rpm/amazonlinux/rubygem-io-console?arch=x86_64&distro=amazonlinux-2	< 0.4.2-33.amzn2.0.1
pkg:rpm/amazonlinux/rubygem-bigdecimal?arch=x86_64&distro=amazonlinux-2	< 1.2.0-33.amzn2.0.1
pkg:rpm/amazonlinux/ruby?arch=x86_64&distro=amazonlinux-2	< 2.0.0.648-33.amzn2.0.1
pkg:rpm/amazonlinux/ruby-tcltk?arch=x86_64&distro=amazonlinux-2	< 2.0.0.648-33.amzn2.0.1
pkg:rpm/amazonlinux/ruby-libs?arch=x86_64&distro=amazonlinux-2	< 2.0.0.648-33.amzn2.0.1
pkg:rpm/amazonlinux/ruby-irb?arch=noarch&distro=amazonlinux-2	< 2.0.0.648-33.amzn2.0.1
pkg:rpm/amazonlinux/ruby-doc?arch=noarch&distro=amazonlinux-2	< 2.0.0.648-33.amzn2.0.1
pkg:rpm/amazonlinux/ruby-devel?arch=x86_64&distro=amazonlinux-2	< 2.0.0.648-33.amzn2.0.1
pkg:rpm/amazonlinux/ruby-debuginfo?arch=x86_64&distro=amazonlinux-2	< 2.0.0.648-33.amzn2.0.1

ID

ALAS2-2018-983

Severity

medium

URL

https://alas.aws.amazon.com/AL2/ALAS-2018-983.html

Published

2018-04-05T16:06:00
(6 years ago)

Modified

2018-04-05T23:22:00
(6 years ago)

Rights

Amazon Linux Security Team

Other Advisories

Source	# ID	URL
CVE	CVE-2017-17790	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17790
CVE	CVE-2018-1000073	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000073
CVE	CVE-2018-1000074	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000074
CVE	CVE-2018-1000075	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000075
CVE	CVE-2018-1000076	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000076
CVE	CVE-2018-1000077	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000077
CVE	CVE-2018-1000078	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000078
CVE	CVE-2018-1000079	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000079

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch
Affected	pkg:rpm/amazonlinux/rubygems?arch=noarch&distro=amazonlinux-2	amazonlinux	rubygems	< 2.0.14.1-33.amzn2.0.1	amazonlinux-2	noarch
Affected	pkg:rpm/amazonlinux/rubygems-devel?arch=noarch&distro=amazonlinux-2	amazonlinux	rubygems-devel	< 2.0.14.1-33.amzn2.0.1	amazonlinux-2	noarch
Affected	pkg:rpm/amazonlinux/rubygem-rdoc?arch=noarch&distro=amazonlinux-2	amazonlinux	rubygem-rdoc	< 4.0.0-33.amzn2.0.1	amazonlinux-2	noarch
Affected	pkg:rpm/amazonlinux/rubygem-rake?arch=noarch&distro=amazonlinux-2	amazonlinux	rubygem-rake	< 0.9.6-33.amzn2.0.1	amazonlinux-2	noarch
Affected	pkg:rpm/amazonlinux/rubygem-psych?arch=x86_64&distro=amazonlinux-2	amazonlinux	rubygem-psych	< 2.0.0-33.amzn2.0.1	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/rubygem-minitest?arch=noarch&distro=amazonlinux-2	amazonlinux	rubygem-minitest	< 4.3.2-33.amzn2.0.1	amazonlinux-2	noarch
Affected	pkg:rpm/amazonlinux/rubygem-json?arch=x86_64&distro=amazonlinux-2	amazonlinux	rubygem-json	< 1.7.7-33.amzn2.0.1	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/rubygem-io-console?arch=x86_64&distro=amazonlinux-2	amazonlinux	rubygem-io-console	< 0.4.2-33.amzn2.0.1	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/rubygem-bigdecimal?arch=x86_64&distro=amazonlinux-2	amazonlinux	rubygem-bigdecimal	< 1.2.0-33.amzn2.0.1	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/ruby?arch=x86_64&distro=amazonlinux-2	amazonlinux	ruby	< 2.0.0.648-33.amzn2.0.1	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/ruby-tcltk?arch=x86_64&distro=amazonlinux-2	amazonlinux	ruby-tcltk	< 2.0.0.648-33.amzn2.0.1	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/ruby-libs?arch=x86_64&distro=amazonlinux-2	amazonlinux	ruby-libs	< 2.0.0.648-33.amzn2.0.1	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/ruby-irb?arch=noarch&distro=amazonlinux-2	amazonlinux	ruby-irb	< 2.0.0.648-33.amzn2.0.1	amazonlinux-2	noarch
Affected	pkg:rpm/amazonlinux/ruby-doc?arch=noarch&distro=amazonlinux-2	amazonlinux	ruby-doc	< 2.0.0.648-33.amzn2.0.1	amazonlinux-2	noarch
Affected	pkg:rpm/amazonlinux/ruby-devel?arch=x86_64&distro=amazonlinux-2	amazonlinux	ruby-devel	< 2.0.0.648-33.amzn2.0.1	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/ruby-debuginfo?arch=x86_64&distro=amazonlinux-2	amazonlinux	ruby-debuginfo	< 2.0.0.648-33.amzn2.0.1	amazonlinux-2	x86_64

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date