Fluid Attacks Database

Description

RubyGems Infinite Loop vulnerability RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop.. This vulnerability appears to have been fixed in 2.7.6.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.jruby:jruby-stdlib	>=0 <9.1.16.0	9.1.16.0
debian 14	jruby	>=0 <9.1.17.0-1	9.1.17.0-1
debian 13	rubygems	>=0 <3.2.0~rc.1-1	3.2.0~rc.1-1
debian 14	rubygems	>=0 <3.2.0~rc.1-1	3.2.0~rc.1-1
debian 12	jruby	>=0 <9.1.17.0-1	9.1.17.0-1
debian 12	rubygems	>=0 <3.2.0~rc.1-1	3.2.0~rc.1-1
rubygems	rubygems-update	>=0 <2.7.6	2.7.6
debian 13	jruby	>=0 <9.1.17.0-1	9.1.17.0-1
debian 11	rubygems	>=0 <3.2.0~rc.1-1	3.2.0~rc.1-1
rpm rhel7.6	ruby	<0:2.0.0.648-36.el7_6	0:2.0.0.648-36.el7_6

1-10 of 13

Aliases

1. CVE-2018-10000752. NVD-2018-10000753. OSV-2018-10000754. OSV-DEBIAN-2018-10000755. GCVE-2018-10000756. lists.debian.org7. lists.debian.org8. lists.debian.org9. lists.debian.org10. lists.debian.org11. access.redhat.com12. access.redhat.com13. access.redhat.com14. access.redhat.com15. access.redhat.com16. access.redhat.com17. access.redhat.com18. SECURITY-TRACKER-CVE-2018-1000075

References

1. https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f72. https://github.com/rubygems/rubygems/commit/5971b486d4dbb2bad5d3445b3801c456eb0ce1833. https://github.com/rubygems/rubygems/commit/92e98bf8f810bd812f919120d4832df51bc25d834. https://www.debian.org/security/2018/dsa-42595. https://www.debian.org/security/2018/dsa-42196. https://usn.ubuntu.com/3621-17. http://blog.rubygems.org/2018/02/15/2.7.6-released.html8. http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html