Bump uri from 0.10.2 to 0.10.3 in /ruby #6
Conversation
Bumps [uri](https://github.com/ruby/uri) from 0.10.2 to 0.10.3.
- [Release notes](https://github.com/ruby/uri/releases)
- [Commits](ruby/uri@v0.10.2...v0.10.3)

---
updated-dependencies:
- dependency-name: uri
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

Commits b95f970 to cf20524
Lockfile line the following comment is attached to:

BUNDLED WITH
   2.2.1
❗Cycode: Security vulnerability found in newly introduced dependency.

| Field | Value |
| --- | --- |
| Severity | Medium |
| Issue | Local Code Execution through Argument Injection via dash leading git url parameter in Gemfile.: CVE-2021-43809 |
| Ecosystem | RubyGems |
| Dependency | bundler |
| Dependency Paths | `` |
| Direct Dependency | No |
| Development Dependency | No |
| Upgrade | 2.2.33 |
In `bundler` versions before 2.2.33, when working with untrusted and apparently harmless `Gemfile`'s, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside the `Gemfile` itself. However, if the `Gemfile` includes `gem` entries that use the `git` option with invalid, but seemingly harmless, values with a leading dash, this can be false.

To handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as `git clone`. These commands are being constructed using user input (e.g. the repository URL). When building the commands, Bundler versions before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables.

Since this value comes from the `Gemfile` file, it can contain any character, including a leading dash.
Exploitation

To exploit this vulnerability, an attacker has to craft a directory containing a `Gemfile` file that declares a dependency that is located in a Git repository. This dependency has to have a Git URL in the form of `-u./payload`. This URL will be used to construct a Git clone command but will be interpreted as the upload-pack argument. Then this directory needs to be shared with the victim, who then needs to run a command that evaluates the Gemfile, such as `bundle lock`, inside.

Impact

This vulnerability can lead to Arbitrary Code Execution, which could potentially lead to the takeover of the system. However, as explained above, the exploitability is very low, because it requires a lot of user interaction. It still could put developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by manually reviewing the `Gemfile` (although they would need the weird URL with a leading dash to not raise any flags).

This kind of attack vector has been used in the past to target security researchers by sending them projects to collaborate on.
Patches

Bundler 2.2.33 has patched this problem by inserting `--` as an argument before any positional arguments to those Git commands that were affected by this issue.

Workarounds

Regardless of whether users can upgrade or not, they should review any untrusted `Gemfile`'s before running any `bundler` commands that may read them, since they can contain arbitrary ruby code.
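The argument-injection mechanism from the comment above and the `--` fix, as an added Ruby example (not Bundler's own code): `clone_argv_vulnerable` and `clone_argv_fixed` are hypothetical stand-ins for how the `git clone` argv is assembled before and after 2.2.33, `positional_hijacked?` checks whether a value would be parsed by git as an option, and `suspicious_git_sources` statically scans Gemfile text (without evaluating it, since a Gemfile is arbitrary Ruby) for git sources with a leading dash. The sample Gemfile is constructed for the example.

```ruby
# Hypothetical stand-in for the pre-2.2.33 behaviour: the URL goes straight
# after the subcommand, so a value such as "-u./payload" is parsed by git as
# its --upload-pack option rather than as the repository to clone.
def clone_argv_vulnerable(uri, path)
  ["git", "clone", uri, path]
end

# Hypothetical stand-in for the 2.2.33 fix: "--" ends option parsing, so every
# argument after it is positional even when it starts with a dash.
def clone_argv_fixed(uri, path)
  ["git", "clone", "--", uri, path]
end

# True if any argument that git would still parse as an option (i.e. before a
# "--", or all of them when there is none) begins with a dash.
def positional_hijacked?(argv)
  subcmd_args = argv.drop(2) # strip "git", "clone"
  dd = subcmd_args.index("--")
  candidates = dd ? subcmd_args[0...dd] : subcmd_args
  candidates.any? { |a| a.start_with?("-") }
end

# Matches `git: "..."`, `git: '...'` and `:git => "..."` in Gemfile text.
GIT_OPTION_RE = /(?::git\s*=>|git:)\s*(['"])([^'"]*)\1/

# Static review aid: returns the git source values that begin with a dash.
def suspicious_git_sources(gemfile_text)
  gemfile_text.scan(GIT_OPTION_RE).map(&:last).select { |v| v.start_with?("-") }
end

# Constructed sample Gemfile (not from the page): one legitimate git source
# and one using the leading-dash value the advisory describes.
SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  gem "rake"
  gem "uri", git: "https://github.com/ruby/uri.git"
  gem "evil", :git => "-u./payload"
GEMFILE

if __FILE__ == $PROGRAM_NAME
  puts "flagged sources: #{suspicious_git_sources(SAMPLE_GEMFILE).inspect}"
  puts "vulnerable argv hijacked? #{positional_hijacked?(clone_argv_vulnerable('-u./payload', 'dst'))}"
  puts "fixed argv hijacked?      #{positional_hijacked?(clone_argv_fixed('-u./payload', 'dst'))}"
end
```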
Lockfile line the following comment is attached to:

BUNDLED WITH
   2.2.1
❗Cycode: Security vulnerability found in newly introduced dependency.

| Field | Value |
| --- | --- |
| Severity | High |
| Issue | Dependency Confusion in Bundler: CVE-2020-36327 |
| Ecosystem | RubyGems |
| Dependency | bundler |
| Dependency Paths | `` |
| Direct Dependency | No |
| Development Dependency | No |
| Upgrade | 2.2.10 |
Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.17 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application.
Lockfile lines the following comment is attached to:

thor (>= 0.19, < 2.0)
mustermann (3.0.0)
  ruby2_keywords (~> 0.0.1)
nokogiri (1.15.3-arm64-darwin)
❗Cycode: Security vulnerability found in newly introduced dependency.

| Field | Value |
| --- | --- |
| Severity | Medium |
| Issue | Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062: GHSA-xc9x-jj77-9p9j |
| Ecosystem | RubyGems |
| Dependency | nokogiri |
| Dependency Paths | licensee 9.15.0 -> reverse_markdown 2.1.1 -> nokogiri 1.15.3 |
| Direct Dependency | No |
| Upgrade | 1.16.2 |
Summary

Nokogiri v1.16.2 upgrades the version of its dependency libxml2 to v2.12.5.

libxml2 v2.12.5 addresses the following vulnerability:

Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.16.2`, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` release announcements.

Mitigation

Upgrade to Nokogiri `>= 1.16.2`.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 `>= 2.12.5` which will also address these same issues.
Impact

From the CVE description, this issue applies to the `xmlTextReader` module (which underlies `Nokogiri::XML::Reader`):
When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
Timeline

- 2024-02-04 10:35 EST - this GHSA is drafted without complete details about when the upstream issue was introduced; a request is made of libxml2 maintainers for more detailed information
- 2024-02-04 10:48 EST - updated GHSA to reflect libxml2 maintainers' confirmation of affected versions
- 2024-02-04 11:54 EST - v1.16.2 published, this GHSA made public
- 2024-02-05 10:18 EST - updated with MITRE link to the CVE information, and updated "Impact" section
Bumps uri from 0.10.2 to 0.10.3.

Commits
- 1af8bd4 Merge branch 'h1-1958260-v0-10' into v0-10
- 974a008 Bump up v0.10.3
- ead7c91 Merge pull request #79 from ruby/use-test-unit-ruby-core
- 3cd938d Fix quadratic backtracking on invalid port number
- 4d02315 Fix quadratic backtracking on invalid relative URI

You can trigger a rebase of this PR by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.