PublicDateAtUSN: 2018-04-03
Candidate: CVE-2018-8780
PublicDate: 2018-04-03 22:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8780
 https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/
 https://github.com/ruby/ruby/commit/bd5661a3cbb38a8c3a3ea10cd76c88bbef7871b8
 https://github.com/ruby/ruby/commit/143eb22f1877815dd802f7928959c5f93d4c7bb3
 https://ubuntu.com/security/notices/USN-3626-1
Description:
 In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before
 2.5.1, and 2.6.0-preview1, the Dir.open, Dir.new, Dir.entries and
 Dir.empty? methods do not check NULL characters. When using the
 corresponding method, unintentional directory traversal may be performed.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N [9.1 CRITICAL]

Patches_ruby1.9.1:
upstream_ruby1.9.1: needs-triage
precise/esm_ruby1.9.1: DNE
trusty_ruby1.9.1: released (1.9.3.484-2ubuntu1.11)
trusty/esm_ruby1.9.1: DNE (trusty was released [1.9.3.484-2ubuntu1.11])
xenial_ruby1.9.1: DNE
artful_ruby1.9.1: DNE
bionic_ruby1.9.1: DNE
devel_ruby1.9.1: DNE

Patches_ruby2.0:
upstream_ruby2.0: needs-triage
precise/esm_ruby2.0: DNE
trusty_ruby2.0: released (2.0.0.484-1ubuntu2.9)
trusty/esm_ruby2.0: DNE (trusty was released [2.0.0.484-1ubuntu2.9])
xenial_ruby2.0: DNE
artful_ruby2.0: DNE
bionic_ruby2.0: DNE
devel_ruby2.0: DNE

Patches_ruby2.3:
upstream_ruby2.3: needs-triage
precise/esm_ruby2.3: DNE
trusty_ruby2.3: DNE
trusty/esm_ruby2.3: DNE
xenial_ruby2.3: released (2.3.1-2~16.04.9)
esm-infra/xenial_ruby2.3: released (2.3.1-2~16.04.9)
artful_ruby2.3: released (2.3.3-1ubuntu1.5)
bionic_ruby2.3: DNE
devel_ruby2.3: DNE

Patches_ruby2.5:
upstream_ruby2.5: needs-triage
precise/esm_ruby2.5: DNE
trusty_ruby2.5: DNE
trusty/esm_ruby2.5: DNE
xenial_ruby2.5: DNE
artful_ruby2.5: DNE
bionic_ruby2.5: released (2.5.1-1)
devel_ruby2.5: released (2.5.1-1)