CVE-2017-17405

Priority
Medium
Description
Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get,
getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use
Kernel#open to open a local file. If the localfile argument starts with the
"|" pipe character, the command following the pipe character is executed.
The default value of localfile is File.basename(remotefile), so malicious
FTP servers could cause arbitrary command execution.
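
A defensive pattern for the issue described above, as an added example (not code from Ruby or from this tracker): never rely on the default localfile, validate the server-supplied name, and write through File.open, which treats "|" as an ordinary character. The helper names safe_local_path and fetch are hypothetical, and ftp is assumed to be a connected Net::FTP object.

```ruby
# Added example: hardened download helper for callers of Net::FTP.
# safe_local_path and fetch are hypothetical names, not part of Net::FTP.

# Map a server-supplied remote name to a path inside dest_dir, or raise.
def safe_local_path(remotefile, dest_dir)
  remote = remotefile.to_s
  # Control characters (NUL, CR, LF, ...) have no place in a file name
  # that will also be sent on the FTP control channel.
  if remote.match?(/[\x00-\x1f\x7f]/)
    raise ArgumentError, "control character in #{remote.inspect}"
  end
  name = File.basename(remote)
  # File.basename keeps a leading "|", which is why the default localfile
  # is dangerous when it reaches Kernel#open on an unpatched Ruby.
  if name.empty? || name.start_with?("|") || [".", "..", "/"].include?(name)
    raise ArgumentError, "refusing unsafe remote file name #{remote.inspect}"
  end
  File.join(File.expand_path(dest_dir), name)
end

# Download remotefile into dest_dir without letting the library choose or
# open the local file. Returns the path written.
def fetch(ftp, remotefile, dest_dir)
  path = safe_local_path(remotefile, dest_dir)
  # File.open opens a file only; it never interprets "|" as a pipe.
  File.open(path, "wb") do |out|
    ftp.retrbinary("RETR #{remotefile}", 4096) { |chunk| out.write(chunk) }
  end
  path
end
```

Installing the fixed package versions listed below remains the actual remedy; the wrapper only reduces exposure for code that must run before the update is applied.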
Assigned-to
leosilva
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): released (2.3.1-2~16.04.4)
Ubuntu 17.04 (Zesty Zapus): released (2.3.3-1ubuntu0.3)
Ubuntu 17.10 (Artful Aardvark): released (2.3.3-1ubuntu1.1)
Ubuntu 18.04 LTS (Bionic Beaver): needs-triage
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): released (1.9.3.484-2ubuntu1.6)
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 17.04 (Zesty Zapus): DNE
Ubuntu 17.10 (Artful Aardvark): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): released (2.0.0.484-1ubuntu2.5)
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 17.04 (Zesty Zapus): DNE
Ubuntu 17.10 (Artful Aardvark): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Updated: 2018-01-04 17:14:15 UTC (commit 13948)