Add RubyGems's vulnerabilities fixed by 2.6.13. #298

Closed
11 changes: 11 additions & 0 deletions libraries/rubygems/CVE-2017-0899.yml
@@ -0,0 +1,11 @@
---
library: rubygems
cve: 2017-0899
url: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
title: |
an ANSI escape sequence vulnerability.
Member
Let's update the titles and descriptions for all of these to be aligned to the official CVE descriptions. These are not detailed enough based on our standards.

Use info from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0899 for this one, as an example.

Contributor Author
@reedloden like this?

---
library: rubygems
cve: 2017-0899
url: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
title: |
  RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
date: 2017-08-27
description: |
  RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
patched_versions:
  - ">= 2.6.13"

Or does the description need more information?

Member
The title and description are two different things. Title should be pretty short, while description is where most of the information will go. See https://github.com/rubysec/ruby-advisory-db#format for an example.

For this one, perhaps "RubyGems Improper Neutralization of Escape Sequence" as title?

Also, please break the description on 80 chars and continue on next line.

Contributor Author
For this one, perhaps "RubyGems Improper Neutralization of Escape Sequence" as title?

Title should be pretty short, and it's OK that it differs from the description.
But I want to use the announced sentence, like "An ANSI escape sequence vulnerability." (the first sentence), ... This is because everyone can find it easily.

Also, please break the description on 80 chars and continue on next line.

OK, I'll fix it.

Member
Chiming in a little late here, but you should simply use the title from the original advisory. Description is often the first paragraph or a brief summary of the advisory.
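The thread above settles on a few rules for these entries: a short single-line title, a description carrying the advisory text wrapped at 80 characters, a bare YAML date, and `patched_versions` expressed as RubyGems requirement strings. The script below is an added example, not code from this PR or from ruby-advisory-db, that lints an advisory file against those rules and resolves whether a given RubyGems version counts as patched. The required-key set, the 80-character title limit and the three sample documents (the PR's first draft of CVE-2017-0899, the author's revised entry, and a version following the maintainers' suggestions) are all constructed here; the `lint_advisory` and `patched?` names are this example's own.

```ruby
require 'yaml'
require 'date'
require 'rubygems' # Gem::Requirement / Gem::Version ship with Ruby

# Keys each advisory file in this PR carries (assumed here to be the required set).
REQUIRED_KEYS = %w[library cve url title date description patched_versions].freeze
MAX_LINE  = 80 # the reviewer asked for descriptions wrapped at 80 characters
MAX_TITLE = 80 # assumed cut-off for a "pretty short" title

def load_advisory(yaml_text)
  # safe_load rejects arbitrary object tags; Date is allowed because `date:` is a bare YAML date
  YAML.safe_load(yaml_text, permitted_classes: [Date])
end

# Lint one advisory document. Returns an array of problem strings; empty means it passes.
def lint_advisory(yaml_text)
  adv = load_advisory(yaml_text)
  return ['document is not a mapping'] unless adv.is_a?(Hash)
  problems = (REQUIRED_KEYS - adv.keys).map { |k| "missing key: #{k}" }

  cve = adv['cve'].to_s # files store the id without the "CVE-" prefix
  problems << "cve should look like YYYY-NNNN, got #{cve.inspect}" unless cve.match?(/\A\d{4}-\d{4,}\z/)
  problems << 'date must be a bare YAML date' unless adv['date'].is_a?(Date)

  title = adv['title'].to_s.strip # `|` block scalars keep a trailing newline; strip it
  problems << 'title is empty' if title.empty?
  problems << 'title must be a single line' if title.include?("\n")
  problems << "title longer than #{MAX_TITLE} characters" if title.length > MAX_TITLE

  desc = adv['description'].to_s.strip
  problems << 'description is empty' if desc.empty?
  desc.each_line.with_index(1) do |line, n|
    len = line.chomp.length
    problems << "description line #{n} is #{len} characters (max #{MAX_LINE})" if len > MAX_LINE
  end
  problems << 'description merely repeats the title' if !title.empty? && title == desc

  pv = adv['patched_versions']
  if pv.is_a?(Array) && !pv.empty?
    pv.each do |req|
      begin
        Gem::Requirement.new(req.to_s) # same parser `gem` itself uses for ">= 2.6.13"
      rescue Gem::Requirement::BadRequirementError
        problems << "unparseable patched_versions entry: #{req.inspect}"
      end
    end
  else
    problems << 'patched_versions must be a non-empty list'
  end
  problems
end

# True when +version+ satisfies at least one patched_versions requirement,
# i.e. a scanner reading this entry would treat that version as fixed.
def patched?(yaml_text, version)
  v = Gem::Version.new(version)
  Array(load_advisory(yaml_text)['patched_versions']).any? do |req|
    Gem::Requirement.new(req.to_s).satisfied_by?(v)
  end
end

# Constructed sample 1: the entry as first proposed in this PR (two-space indentation restored).
DRAFT_0899 = <<~YAML
  ---
  library: rubygems
  cve: 2017-0899
  url: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
  title: |
    an ANSI escape sequence vulnerability.
  date: 2017-08-27
  description: |
    an ANSI escape sequence vulnerability.
  patched_versions:
    - ">= 2.6.13"
YAML

# Constructed sample 2: the author's revised entry; title and description are one long identical line.
REVISED_0899 = DRAFT_0899.gsub('an ANSI escape sequence vulnerability.',
  'RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.')

# Constructed sample 3: short title from the maintainer, description wrapped at 80 characters.
FIXED_0899 = <<~YAML
  ---
  library: rubygems
  cve: 2017-0899
  url: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
  title: RubyGems Improper Neutralization of Escape Sequence
  date: 2017-08-27
  description: |
    RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem
    specifications that include terminal escape characters. Printing the gem
    specification would execute terminal escape sequences.
  patched_versions:
    - ">= 2.6.13"
YAML

if $PROGRAM_NAME == __FILE__
  { 'draft' => DRAFT_0899, 'revised' => REVISED_0899, 'fixed' => FIXED_0899 }.each do |name, doc|
    issues = lint_advisory(doc)
    puts "#{name}: #{issues.empty? ? 'OK' : issues.join('; ')}"
  end
  puts "2.6.12 patched? #{patched?(FIXED_0899, '2.6.12')}" # false
end
```

Running it reports the draft as merely repeating its title, the revised entry as failing the title-length, line-length and duplication checks, and the wrapped entry as clean; `patched?` uses `Gem::Requirement`, so the `>= 2.6.13` constraint is evaluated exactly as RubyGems would, and `2.6.12` comes back unpatched.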

date: 2017-08-27
description: |
an ANSI escape sequence vulnerability.
patched_versions:
- ">= 2.6.13"
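Review bot: `title` and `description` are the same seven-word fragment ("an ANSI escape sequence vulnerability."), so the entry gives a reader neither the affected range nor what the bug does; as the thread agrees, keep a short title and put the advisory paragraph in `description`, wrapped at 80 characters, with the affected versions stated explicitly (the revised draft's "RubyGems version 2.6.12 and earlier", which matches `>= 2.6.13`). Separately, the rendered hunk shows the block-scalar bodies and the `- ">= 2.6.13"` item flush with their keys; `title: |` and `description: |` need their content indented under the key, and so does the list under `patched_versions:`, so please confirm the two-space indentation is present in the committed file.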
11 changes: 11 additions & 0 deletions libraries/rubygems/CVE-2017-0900.yml
@@ -0,0 +1,11 @@
---
library: rubygems
cve: 2017-0900
url: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
title: |
A DoS vulnerability in the query command.
date: 2017-08-27
description: |
A DoS vulnerability in the query command.
patched_versions:
- ">= 2.6.13"
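Review bot: `description` duplicates `title` here too, so nothing in the entry says which releases are affected or what input to the query command triggers the denial of service. Take the description text from the linked 2.6.13 release post, state the affected range in the same form the thread settled on for CVE-2017-0899 ("RubyGems version 2.6.12 and earlier"), and wrap it at 80 characters; the one-line sentence can stay as the title.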
11 changes: 11 additions & 0 deletions libraries/rubygems/CVE-2017-0901.yml
@@ -0,0 +1,11 @@
---
library: rubygems
cve: 2017-0901
url: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
title: |
A vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files.
date: 2017-08-27
description: |
A vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files.
patched_versions:
- ">= 2.6.13"
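Review bot: the `title` here is a full sentence ("A vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files."), which is the opposite of the short title the maintainers asked for; move that sentence into `description` (wrapped at 80 characters, with the affected range "2.6.12 and earlier" added) and use a short title for the installer file-overwrite issue. As it stands the two fields are identical, so the entry carries no more information than the title alone.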
11 changes: 11 additions & 0 deletions libraries/rubygems/CVE-2017-0902.yml
@@ -0,0 +1,11 @@
---
library: rubygems
cve: 2017-0902
url: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
title: |
A DNS request hijacking vulnerability.
date: 2017-08-27
description: |
A DNS request hijacking vulnerability.
patched_versions:
- ">= 2.6.13"
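Review bot: same issue as the other three files: `title` and `description` are both "A DNS request hijacking vulnerability.", with no affected range and no indication of which RubyGems operation issues the DNS request that can be hijacked. Fill `description` from the release post, wrapped at 80 characters, and state "RubyGems version 2.6.12 and earlier" so the prose agrees with `>= 2.6.13`. Since all four entries point at the same release post, it would also help to reference the per-CVE MITRE record (as the reviewer did for CVE-2017-0899 above) when aligning each description to the official text.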