CVE-2016-7954

NameCVE-2016-7954
DescriptionBundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh (attack range: remote)
Debian Bugs842504

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
bundler (PTS)wheezy1.1.4-6vulnerable
jessie1.7.4-1vulnerable
stretch1.13.6-2vulnerable
buster, sid1.15.1-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
bundlersource(unstable)(unfixed)high842504

Notes

[stretch] - bundler <ignored> (Minor issue, too intrusive to backport)
[jessie] - bundler <ignored> (Minor issue, too intrusive to backport)
[wheezy] - bundler <no-dsa> (Minor issue, too intrusive to backport)
http://www.openwall.com/lists/oss-security/2016/10/04/5
There is no plan (yet) from upstream to address this for bundler 1.x
due to lockfile format.

Search for package or bug name: Reporting problems