CVE-2017-0903

Name: CVE-2017-0903
Description: RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class whitelists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DSA-4031-1
NVD severity: high (attack range: remote)
Debian Bugs: 879231
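The description above is all the page says about the mechanism: gem metadata is YAML, the loader is supposed to revive only a fixed set of classes, and the flaw was that this restriction could be bypassed. As an added illustration (not code from this page, from RubyGems, or from the fix commit linked below), the Ruby block below shows what a class whitelist on YAML deserialization buys and why bypassing it matters: an unrestricted load revives whatever `!ruby/object:` tag the document names and runs that class's `init_with` during parsing, while `YAML.safe_load` with `permitted_classes` rejects anything outside the list before it is instantiated. It also includes a helper that checks a RubyGems version string against the affected range stated in the description. `ToyGemspec`, `SideEffectOnLoad`, both YAML documents and the hypothetical `load_*` helpers are constructed for this example; the actual bypass used against RubyGems is not reproduced here.

```ruby
require 'yaml'
require 'rubygems'

# Constructed stand-in for a gemspec: a plain data class the loader is meant to revive.
class ToyGemspec
  attr_accessor :name, :version
end

# Constructed stand-in for a class an attacker would rather have instantiated.
# Psych calls init_with(coder) on any !ruby/object: it revives, so whatever that
# method does runs during deserialization, before the caller can inspect the result.
class SideEffectOnLoad
  attr_reader :payload
  @@fired = []

  def self.fired
    @@fired
  end

  def init_with(coder)
    @payload = coder['payload']
    @@fired << @payload # side effect triggered purely by the document's tag
  end
end

# Constructed documents (not real gem metadata).
GOOD_YAML = <<~YAML
  --- !ruby/object:ToyGemspec
  name: example
  version: 1.0.0
YAML

HOSTILE_YAML = <<~YAML
  --- !ruby/object:SideEffectOnLoad
  payload: ran during load
YAML

# The whitelist: only these classes may be revived from a tag.
PERMITTED = [ToyGemspec, Symbol].freeze

# Unrestricted deserialization. Psych 4 (Ruby 3.1+) made YAML.load safe by
# default, so fall back to unsafe_load where it exists to show the old behaviour.
def load_unrestricted(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Whitelisted deserialization: any tag naming a class outside PERMITTED raises
# Psych::DisallowedClass and no object of that class is ever allocated.
def load_restricted(doc)
  YAML.safe_load(doc, permitted_classes: PERMITTED)
end

# true if the whitelist blocked the document, false if it loaded.
def rejected_by_whitelist?(doc)
  load_restricted(doc)
  false
rescue Psych::DisallowedClass
  true
end

# Affected range from the advisory text: 2.0.0 through 2.6.13 inclusive.
def rubygems_version_in_affected_range?(version_string)
  v = Gem::Version.new(version_string)
  v >= Gem::Version.new('2.0.0') && v <= Gem::Version.new('2.6.13')
end

if __FILE__ == $PROGRAM_NAME
  spec = load_unrestricted(GOOD_YAML)
  puts "unrestricted, benign doc: #{spec.class} name=#{spec.name}"
  obj = load_unrestricted(HOSTILE_YAML)
  puts "unrestricted, hostile doc: #{obj.class}, init_with ran with #{obj.payload.inspect}"
  puts "restricted, benign doc rejected? #{rejected_by_whitelist?(GOOD_YAML)}"
  puts "restricted, hostile doc rejected? #{rejected_by_whitelist?(HOSTILE_YAML)}"
  puts "installed RubyGems #{Gem::VERSION} in affected range? " \
       "#{rubygems_version_in_affected_range?(Gem::VERSION)}"
end
```

The point of the example is the failure mode, not the fix: a whitelist only helps if every path that parses untrusted gem YAML goes through the restricted loader and the list itself cannot be widened by the document. To verify a host, compare `gem --version` (or the installed `ruby*`/`rubygems` Debian package version) against the fixed versions listed below rather than relying on `Gem::VERSION` alone, since distributions backport fixes without bumping the upstream version.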

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    | Release                      | Version               | Status
ruby1.9.1 (PTS)   | wheezy                       | 1.9.3.194-8.1+deb7u5  | fixed
                  | wheezy (security)            | 1.9.3.194-8.1+deb7u6  | fixed
ruby2.1 (PTS)     | jessie                       | 2.1.5-2+deb8u3        | vulnerable
                  | jessie (security)            | 2.1.5-2+deb8u1        | vulnerable
ruby2.3 (PTS)     | stretch (security), stretch  | 2.3.3-1+deb9u2        | fixed
                  | buster                       | 2.3.3-1+deb9u1        | vulnerable
                  | sid                          | 2.3.5-1               | fixed
rubygems (PTS)    | wheezy                       | 1.8.24-1              | fixed
                  | wheezy (security)            | 1.8.24-1+deb7u1       | fixed

The information below is based on the following data on fixed versions.

Package    | Type   | Release     | Fixed Version    | Urgency | Origin      | Debian Bugs
ruby1.9.1  | source | (unstable)  | (unfixed)        | high    |             |
ruby1.9.1  | source | wheezy      | (not affected)   |         |             |
ruby2.1    | source | (unstable)  | (unfixed)        | high    |             |
ruby2.3    | source | (unstable)  | 2.3.5-1          | high    |             | 879231
ruby2.3    | source | stretch     | 2.3.3-1+deb9u2   | high    | DSA-4031-1  |
rubygems   | source | (unstable)  | (unfixed)        | high    |             |
rubygems   | source | wheezy      | (not affected)   |         |             |

Notes

[wheezy] - ruby1.9.1 <not-affected> (Vulnerable code introduced later)
[wheezy] - rubygems <not-affected> (Vulnerable code introduced later)
http://www.openwall.com/lists/oss-security/2017/10/10/2
https://justi.cz/security/2017/10/07/rubygems-org-rce.html
Fixed by: https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49
