GHSA-74pv-v9gh-h25p
- Source
- https://github.com/advisories/GHSA-74pv-v9gh-h25p
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-74pv-v9gh-h25p/GHSA-74pv-v9gh-h25p.json
- Aliases
- Published
- 2022-05-13T01:48:31Z
- Modified
- 2024-03-13T05:19:28.550250Z
- Summary
- RubyGems Infinite Loop vulnerability
- Details
-
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop.. This vulnerability appears to have been fixed in 2.7.6.
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000075
- https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7
- https://github.com/rubygems/rubygems/commit/5971b486d4dbb2bad5d3445b3801c456eb0ce183
- https://github.com/rubygems/rubygems/commit/92e98bf8f810bd812f919120d4832df51bc25d83
- https://www.debian.org/security/2018/dsa-4259
- https://www.debian.org/security/2018/dsa-4219
- https://usn.ubuntu.com/3621-1
- https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html
- https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
- https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
- https://lists.debian.org/debian-lts-announce/2018/04/msg00001.html
- https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html
- https://access.redhat.com/errata/RHSA-2020:0663
- https://access.redhat.com/errata/RHSA-2020:0591
- https://access.redhat.com/errata/RHSA-2020:0542
- https://access.redhat.com/errata/RHSA-2019:2028
- https://access.redhat.com/errata/RHSA-2018:3731
- https://access.redhat.com/errata/RHSA-2018:3730
- https://access.redhat.com/errata/RHSA-2018:3729
- http://blog.rubygems.org/2018/02/15/2.7.6-released.html
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
Affected packages
RubyGems / rubygems-update
Package
- Name
- rubygems-update
Affected versions
0.*
0.8.3
0.8.4
0.8.5
0.8.6
0.8.8
0.8.10
0.8.11
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
1.*
1.0.0
1.0.1
1.1.0
1.1.1
1.2.0
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.4.0
1.4.1
1.4.2
1.5.0
1.5.2
1.5.3
1.6.0
1.6.1
1.6.2
1.7.0
1.7.1
1.7.2
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.8.6
1.8.7
1.8.8
1.8.9
1.8.10
1.8.11
1.8.12
1.8.13
1.8.14
1.8.15
1.8.16
1.8.17
1.8.18
1.8.19
1.8.20
1.8.21
1.8.22
1.8.23
1.8.23.2
1.8.24
1.8.25
1.8.26
1.8.27
1.8.28
1.8.29
1.8.30
2.*
2.0.0.preview2
2.0.0.preview2.1
2.0.0.preview2.2
2.0.0.rc.1
2.0.0.rc.2
2.0.0
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.1.0.rc.1
2.1.0.rc.2
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.2.0.rc.1
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.3.0
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.5.0
2.5.1
2.5.2
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10
2.6.11
2.6.12
2.6.13
2.6.14
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4.pre1
2.7.4
2.7.5
Maven / org.jruby:jruby-stdlib
Package
- Name
- org.jruby:jruby-stdlib
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0The exact introduced commit is unknownFixed9.1.16.0
Affected versions
1.*
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.5.1
1.6.6
1.6.7
1.6.7.1
1.6.7.2
1.6.8
1.7.0.RC1
1.7.0.RC2
1.7.0
1.7.0.preview1
1.7.0.preview2
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
1.7.8
1.7.9
1.7.10
1.7.11
1.7.12
1.7.13
1.7.14
1.7.15
1.7.16
1.7.16.1
1.7.16.2
1.7.17
1.7.18
1.7.19
1.7.20
1.7.20.1
1.7.21
1.7.22
1.7.23
1.7.24
1.7.25
1.7.26
1.7.27
9.*
9.0.0.0.rc1
9.0.0.0.rc2
9.0.0.0
9.0.0.0.pre1
9.0.0.0.pre2
9.0.1.0
9.0.2.0
9.0.3.0
9.0.4.0
9.0.5.0
9.1.0.0
9.1.1.0
9.1.2.0
9.1.3.0
9.1.4.0
9.1.5.0
9.1.6.0
9.1.7.0
9.1.8.0
9.1.9.0
9.1.10.0
9.1.11.0
9.1.12.0
9.1.13.0
9.1.14.0
9.1.15.0