[GLSA-202401-05] RDoc: Command Injection

Severity Normal

Affected Packages 1

Unaffected Packages 1

CVEs 1

A vulnerability has been found in RDoc which allows for command injection.

Background
RDoc produces HTML and command-line documentation for Ruby projects.

Description
A vulnerability has been discovered in RDoc. Please review the CVE identifier referenced below for details.

Impact
RDoc used to call Kernel#open to open a local file. If a Ruby project has a file whose name starts with | and ends with tags, the command following the pipe character is executed. A malicious Ruby project could exploit it to run an arbitrary command execution against a user who attempts to run the rdoc command.

Workaround
There is no known workaround at this time.

Resolution
All RDoc users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/rdoc-6.3.2"

Package	Affected Version
pkg:ebuild/dev-ruby/rdoc?distro=gentoo	< 6.3.2

Package	Unaffected Version
pkg:ebuild/dev-ruby/rdoc?distro=gentoo	>= 6.3.2

ID

GLSA-202401-05

Severity

normal

URL

https://security.gentoo.org/glsa/202401-05

Published

2024-01-05T00:00:00
(8 months ago)

Modified

2024-01-05T00:00:00
(8 months ago)

Rights

Gentoo Foundation, Inc.

Other Advisories

Source	# ID	Name	URL
CVE	CVE-2021-31799	CVE-2021-31799	https://nvd.nist.gov/vuln/detail/CVE-2021-31799
Bugzilla	801301	Bugzilla #801301	https://bugs.gentoo.org/show_bug.cgi?id=801301

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:ebuild/dev-ruby/rdoc?distro=gentoo	dev-ruby	rdoc	< 6.3.2	gentoo
Unaffected	pkg:ebuild/dev-ruby/rdoc?distro=gentoo	dev-ruby	rdoc	>= 6.3.2	gentoo

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date