PublicDateAtUSN: 2017-10-11
Candidate: CVE-2017-0903
PublicDate: 2017-10-11 18:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0903
 http://blog.rubygems.org/2017/10/09/2.6.14-released.html
 http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
 https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49
 https://hackerone.com/reports/274990
 https://ubuntu.com/security/notices/USN-3553-1
 https://ubuntu.com/security/notices/USN-3685-1
 https://ubuntu.com/security/notices/USN-3685-2
Description:
 RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible
 remote code execution vulnerability. YAML deserialization of gem
 specifications can bypass class white lists. Specially crafted serialized
 objects can possibly be used to escalate to remote code execution.
Ubuntu-Description:
Notes:
 tyhicks> ruby{1.9.1,2.0,2.3} and jruby ship an embedded rubygems.
 leosilva> following http://www.openwall.com/lists/oss-security/2017/10/10/2, versions < 2.0.0 of ruby
 leosilva> are not affected
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_ruby1.9.1:
upstream_ruby1.9.1: needs-triage
precise/esm_ruby1.9.1: DNE
trusty_ruby1.9.1: not-affected (code not present)
trusty/esm_ruby1.9.1: DNE (trusty was not-affected [code not present])
vivid/ubuntu-core_ruby1.9.1: DNE
xenial_ruby1.9.1: DNE
zesty_ruby1.9.1: DNE
artful_ruby1.9.1: DNE
bionic_ruby1.9.1: DNE
cosmic_ruby1.9.1: DNE
disco_ruby1.9.1: DNE
eoan_ruby1.9.1: DNE
focal_ruby1.9.1: DNE
groovy_ruby1.9.1: DNE
hirsute_ruby1.9.1: DNE
impish_ruby1.9.1: DNE
jammy_ruby1.9.1: DNE
devel_ruby1.9.1: DNE

Patches_ruby2.0:
upstream_ruby2.0: needs-triage
precise/esm_ruby2.0: DNE
trusty_ruby2.0: released (2.0.0.484-1ubuntu2.10)
trusty/esm_ruby2.0: DNE (trusty was released [2.0.0.484-1ubuntu2.10])
vivid/ubuntu-core_ruby2.0: DNE
xenial_ruby2.0: DNE
zesty_ruby2.0: DNE
artful_ruby2.0: DNE
bionic_ruby2.0: DNE
cosmic_ruby2.0: DNE
disco_ruby2.0: DNE
eoan_ruby2.0: DNE
focal_ruby2.0: DNE
groovy_ruby2.0: DNE
hirsute_ruby2.0: DNE
impish_ruby2.0: DNE
jammy_ruby2.0: DNE
devel_ruby2.0: DNE

Patches_ruby2.3:
upstream_ruby2.3: needs-triage
precise/esm_ruby2.3: DNE
trusty_ruby2.3: DNE
trusty/esm_ruby2.3: DNE
vivid/ubuntu-core_ruby2.3: DNE
xenial_ruby2.3: released (2.3.1-2~16.04.6)
esm-infra/xenial_ruby2.3: released (2.3.1-2~16.04.6)
zesty_ruby2.3: ignored (reached end-of-life)
artful_ruby2.3: released (2.3.3-1ubuntu1.3)
bionic_ruby2.3: DNE
cosmic_ruby2.3: DNE
disco_ruby2.3: DNE
eoan_ruby2.3: DNE
focal_ruby2.3: DNE
groovy_ruby2.3: DNE
hirsute_ruby2.3: DNE
impish_ruby2.3: DNE
jammy_ruby2.3: DNE
devel_ruby2.3: DNE

Patches_jruby:
upstream_jruby: released (0.1.17.0-1~18.04)
precise/esm_jruby: DNE
trusty_jruby: ignored (reached end-of-life)
trusty/esm_jruby: needs-triage
vivid/ubuntu-core_jruby: DNE
xenial_jruby: ignored (end of standard support, was needed)
zesty_jruby: ignored (reached end-of-life)
artful_jruby: ignored (reached end-of-life)
bionic_jruby: not-affected (0.1.17.0-1~18.04)
cosmic_jruby: ignored (reached end-of-life)
disco_jruby: not-affected (0.1.17.0-1~18.04)
eoan_jruby: not-affected (0.1.17.0-1~18.04)
focal_jruby: not-affected (0.1.17.0-1~18.04)
groovy_jruby: not-affected (0.1.17.0-1~18.04)
hirsute_jruby: not-affected (0.1.17.0-1~18.04)
impish_jruby: not-affected (0.1.17.0-1~18.04)