(Adding ruby-maint ML into CC)

Folks, could somebody help Borja find the answers sooner than me? I have to go through my backlog after a few days of PTO.

Thx

Vít

On 19. 08. 24 at 7:21, Borja Tarraso Hueso wrote:
Hi Vit,

This is Borja Tarraso from Red Hat Product Security.

I am looking to determine if ruby 2.x is vulnerable to CVE-2024-27281. On the ruby page, it states the affected versions are 3.0.6 or lower: https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/

For the version that puppet is using (ruby 2.7.8p225), it states that 2.7.8 is the last version and vulnerabilities will not be addressed anymore: https://ruby-lang.org/en/news/2023/03/30/ruby-2-7-8-released/ : "After this release, Ruby 2.7 reaches EOL. In other words, this is expected to be the last release of Ruby 2.7 series. We will not release Ruby 2.7.9 even if a security vulnerability is found (but could release if a severe regression is found). We recommend all Ruby 2.7 users to start migration to Ruby 3.2, 3.1, or 3.0 immediately."

Though this is not RH, Ubuntu has found that 2.x is also affected: https://ubuntu.com/security/CVE-2024-27281

So I am unsure if CVE-2024-27281 only affects the ruby 3.x package and not 2.x. But after looking at it a bit more, I think the issue is just impacting ruby 3.0.x, as here is the fix: https://github.com/ruby/ruby/commit/ffdf0232efd4955a234955c8372885b850fcfe33

In ruby 2.7 we do not do *load_file_unsafe* but just *load_file*: https://github.com/ruby/ruby/blob/1f4d4558484b370999954f3ede7e3aa3a3a01ef3/lib/rdoc/rdoc.rb

Then by running git-blame I noticed this was introduced via this commit and this person 3 years ago: https://github.com/ruby/ruby/blame/70613595645fc3ae2bdde8f023728e3f10122ffb/ext/psych/lib/psych.rb#L661

So I think it was never implemented, back-ported, or existed in 2.x, and ruby 3.0 was already released on 2020-12-25. Could you confirm, for the sake of a sanity check?

Regards,
--
Borja Tarraso
Principal Product Security Engineer
Red Hat Nordics
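The thread turns on whether rdoc's options file goes through Psych's full object-instantiating loader or a restricted one. The script below is an added illustration, not code from the thread or from rdoc/psych, contrasting the two loaders on a constructed `.rdoc_options`-style document that carries a `!ruby/object` tag. The `Options` class and the YAML sample are hypothetical stand-ins. One caveat when reading the 2.7 source: the Psych shipped with Ruby 2.7 (3.1.x) has no `unsafe_load` at all, and its plain `load`/`load_file` is the full loader; `load` only became an alias of `safe_load` in Psych 4. So the name of the call alone does not tell you which behaviour a given Ruby gets, which is why the helper below branches on `respond_to?(:unsafe_load)`.

```ruby
require 'yaml'

# Constructed stand-in for the options object an .rdoc_options file populates
# (hypothetical; this is not RDoc::Options).
class Options
  attr_accessor :title
end

# Constructed sample .rdoc_options content carrying a Ruby object tag. A hostile
# file would name a class whose allocation or instance-variable setup has
# side effects; a plain class is enough to show that the loader honours the tag.
TAGGED_OPTIONS = <<~YAML
  --- !ruby/object:Options
  title: Example
YAML

# Full loader: every !ruby/object tag is honoured and the named class is
# allocated and populated. Psych >= 3.3 exposes this as unsafe_load; on the
# Psych bundled with Ruby 2.7 (3.1.x) plain Psych.load already behaves this way.
def load_options_unsafe(yaml)
  if Psych.respond_to?(:unsafe_load)
    Psych.unsafe_load(yaml)
  else
    Psych.load(yaml)
  end
end

# Restricted loader: only explicitly permitted classes may be built; any other
# tagged class raises Psych::DisallowedClass before anything is allocated.
def load_options_safe(yaml, permitted: [])
  Psych.safe_load(yaml, permitted_classes: permitted)
end

# Run one document through both loaders and report the outcome as
# { unsafe: <class name the full loader produced>, safe: :accepted | :blocked }.
def probe(yaml, permitted: [])
  unsafe = load_options_unsafe(yaml)
  safe = begin
    load_options_safe(yaml, permitted: permitted)
    :accepted
  rescue Psych::DisallowedClass
    :blocked
  end
  { unsafe: unsafe.class.name, safe: safe }
end

if __FILE__ == $PROGRAM_NAME
  p probe(TAGGED_OPTIONS)                        # full loader builds Options, safe_load blocks it
  p probe(TAGGED_OPTIONS, permitted: [Options])  # allow-listed class: both accept
  p probe("---\ntitle: Example\n")               # untagged mapping: a Hash either way
end
```

To audit a specific Ruby build, run the `TAGGED_OPTIONS` probe under that interpreter rather than reading the call name in rdoc.rb: if `load_options_unsafe` returns an `Options` instance, that Ruby's default loader will instantiate whatever class a tag names, regardless of whether the source says `load_file` or `load_file_unsafe`.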
--
ruby-sig mailing list -- ruby-sig@lists.fedoraproject.org
List Archives: https://lists.fedoraproject.org/archives/list/ruby-sig@lists.fedoraproject.org