PublicDateAtUSN: 2017-12-15
Candidate: CVE-2017-17405
PublicDate: 2017-12-15 09:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17405
 https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/
 https://github.com/ruby/ruby/commit/6d3f72e5be2312be312f2acbf3465b05293c1431
 https://www.ruby-lang.org/en/news/2017/12/14/ruby-2-4-3-released/
 https://ubuntu.com/security/notices/USN-3515-1
Description:
 Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get,
 getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use
 Kernel#open to open a local file. If the localfile argument starts with the
 "|" pipe character, the command following the pipe character is executed.
 The default value of localfile is File.basename(remotefile), so malicious
 FTP servers could cause arbitrary command execution.
Ubuntu-Description:
Notes:
Bugs:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884438
Priority: medium
Discovered-by:
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [8.8 HIGH]

Patches_ruby1.9.1:
upstream_ruby1.9.1: needs-triage
precise/esm_ruby1.9.1: DNE
trusty_ruby1.9.1: released (1.9.3.484-2ubuntu1.6)
trusty/esm_ruby1.9.1: DNE (trusty was released [1.9.3.484-2ubuntu1.6])
xenial_ruby1.9.1: DNE
zesty_ruby1.9.1: DNE
artful_ruby1.9.1: DNE
devel_ruby1.9.1: DNE

Patches_ruby2.0:
upstream_ruby2.0: needs-triage
precise/esm_ruby2.0: DNE
trusty_ruby2.0: released (2.0.0.484-1ubuntu2.5)
trusty/esm_ruby2.0: DNE (trusty was released [2.0.0.484-1ubuntu2.5])
xenial_ruby2.0: DNE
zesty_ruby2.0: DNE
artful_ruby2.0: DNE
devel_ruby2.0: DNE

Patches_ruby2.3:
upstream_ruby2.3: released (2.3.6)
precise/esm_ruby2.3: DNE
trusty_ruby2.3: DNE
trusty/esm_ruby2.3: DNE
xenial_ruby2.3: released (2.3.1-2~16.04.4)
esm-infra/xenial_ruby2.3: released (2.3.1-2~16.04.4)
zesty_ruby2.3: released (2.3.3-1ubuntu0.3)
artful_ruby2.3: released (2.3.3-1ubuntu1.1)
devel_ruby2.3: not-affected (2.3.6-2)