Debian Long Term Support / LTS Security Information / 2019 / Security Information -- DLA-1796-1 jruby

Debian Security Advisory

DLA-1796-1 jruby -- LTS security update

Date Reported:

21 May 2019

Affected Packages:

jruby

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 895778, Bug 925987.
In Mitre's CVE dictionary: CVE-2018-1000074, CVE-2018-1000075, CVE-2018-1000076, CVE-2018-1000077, CVE-2018-1000078, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325.

More information:

Multiple vulnerabilities have been discovered in jruby, Java implementation of the Ruby programming language.

• CVE-2018-1000074

  Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the `gem owner` command on a gem with a specially crafted YAML file

• CVE-2018-1000075

  an infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop

• CVE-2018-1000076

  Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.

• CVE-2018-1000077

  Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem could set an invalid homepage URL

• CVE-2018-1000078

  Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server

• CVE-2019-8321

  Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible

• CVE-2019-8322

  The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur

• CVE-2019-8323

  Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.

• CVE-2019-8324

  A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec

• CVE-2019-8325

  Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)

For Debian 8 Jessie, these problems have been fixed in version 1.5.6-9+deb8u1.

We recommend that you upgrade your jruby packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS