CVE-2017-0903

Name:          CVE-2017-0903
Description:   RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
Source:        CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References:    DLA-1421-1, DSA-4031-1
NVD severity:  high (attack range: remote)
Debian Bugs:   879231

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release              Version          Status
---------------  -------------------  ---------------  ----------
ruby2.1 (PTS)    jessie               2.1.5-2+deb8u3   vulnerable
ruby2.1 (PTS)    jessie (security)    2.1.5-2+deb8u4   fixed
ruby2.3 (PTS)    stretch              2.3.3-1+deb9u2   fixed
ruby2.3 (PTS)    stretch (security)   2.3.3-1+deb9u3   fixed

The information below is based on the following data on fixed versions.

Package     Type    Release     Fixed Version     Urgency  Origin       Debian Bugs
----------  ------  ----------  ----------------  -------  -----------  -----------
ruby1.9.1   source  (unstable)  (unfixed)         high
ruby1.9.1   source  wheezy      (not affected)
ruby2.1     source  (unstable)  (unfixed)         high
ruby2.1     source  jessie      2.1.5-2+deb8u4    high     DLA-1421-1
ruby2.3     source  (unstable)  2.3.5-1           high                  879231
ruby2.3     source  stretch     2.3.3-1+deb9u2    high     DSA-4031-1
rubygems    source  (unstable)  (unfixed)         high
rubygems    source  wheezy      (not affected)

Notes

[wheezy] - ruby1.9.1 <not-affected> (Vulnerable code introduced later)
[wheezy] - rubygems <not-affected> (Vulnerable code introduced later)
http://www.openwall.com/lists/oss-security/2017/10/10/2
https://justi.cz/security/2017/10/07/rubygems-org-rce.html
Fixed by: https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49
