CVE-2017-0899

Priority
Description
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted
gem specifications that include terminal escape characters. Printing the
gem specification would execute terminal escape sequences.
Notes
tyhicks: ruby{1.9.1,2.0,2.3} and jruby ship an embedded rubygems.
rodrigo-zaiden: ruby2.3 (xenial) was fixed back in release version
2.3.1-2~16.04.6. The patch that fixed this CVE came along
with other CVE fixes (CVE-2017-0899, CVE-2017-0900,
CVE-2017-0901, CVE-2017-0902) and at that time this CVE
was not included in the changelog.
Package
Source: jruby (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 18.04 LTS: needed
Ubuntu 20.04 LTS: needed
Ubuntu 21.10: needed
Ubuntu 14.04 ESM: needs-triage
Patches:
Package
Upstream: needs-triage
Ubuntu 18.04 LTS: DNE
Ubuntu 20.04 LTS: DNE
Ubuntu 21.10: DNE
Ubuntu 22.04 LTS: DNE
Ubuntu 14.04 ESM: DNE (trusty was needed)
Patches:
Package
Upstream: released (2.3.5)
Ubuntu 18.04 LTS: DNE
Ubuntu 20.04 LTS: DNE
Ubuntu 21.10: DNE
Ubuntu 16.04 ESM: released (2.3.1-2~16.04.6)
Ubuntu 22.04 LTS: DNE
Ubuntu 14.04 ESM: DNE
Patches:
More Information

Updated: 2022-04-25 00:18:30 UTC (commit ecc1009cb19540b950de59270950018900f37f15)