CVE-2017-0903

Name: CVE-2017-0903
Description: RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class whitelists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
Debian Bugs: 879231

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release                                    Version                 Status
ruby1.9.1 (PTS)   wheezy                                     1.9.3.194-8.1+deb7u5    vulnerable
                  wheezy (security)                          1.9.3.194-8.1+deb7u6    vulnerable
ruby2.1 (PTS)     jessie                                     2.1.5-2+deb8u3          vulnerable
                  jessie (security)                          2.1.5-2+deb8u1          vulnerable
ruby2.3 (PTS)     buster, sid, stretch (security), stretch   2.3.3-1+deb9u1          vulnerable
rubygems (PTS)    wheezy                                     1.8.24-1                vulnerable
                  wheezy (security)                          1.8.24-1+deb7u1         vulnerable

The information below is based on the following data on fixed versions.

Package      Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
ruby1.9.1    source   (unstable)   (unfixed)
ruby2.1      source   (unstable)   (unfixed)
ruby2.3      source   (unstable)   (unfixed)                          879231
rubygems     source   (unstable)   (unfixed)

Notes

http://www.openwall.com/lists/oss-security/2017/10/10/2
https://justi.cz/security/2017/10/07/rubygems-org-rce.html
Fixed by: https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49
