FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

rubygems -- deserialization vulnerability

Affected packages
ruby22-gems < 2.6.14
ruby23-gems < 2.6.14
ruby24-gems < 2.6.14

Details

VuXML ID 2c8bd00d-ada2-11e7-82af-8dbff7d75206
Discovery 2017-10-09
Entry 2017-10-10

oss-security mailing list:

There is a possible unsafe object deserialization vulnerability in RubyGems. It is possible for YAML deserialization of gem specifications to bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
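
The class of defect described above, an allowlist-enforcing YAML loader for a spec-like document versus an unrestricted one, shown as an added example with Psych (Ruby's YAML library). This is not RubyGems' own loader and does not reproduce the specific bypass fixed in 2.6.14; the Manifest and UnexpectedClass classes and the two documents are constructed for illustration.

```ruby
require 'yaml'

# Hypothetical spec-like class for this example (not RubyGems' Gem::Specification).
class Manifest
  attr_accessor :name, :version
end

# Hypothetical class that must never be instantiated from untrusted YAML.
class UnexpectedClass
  attr_accessor :command
end

# Constructed document shaped like a legitimate spec: only the allowlisted
# class appears, and the version is a plain string.
BENIGN_YAML = <<~YAML
  --- !ruby/object:Manifest
  name: example
  version: 1.0.0
YAML

# Constructed crafted document: the top-level object is the expected class,
# but a nested tagged node asks the deserializer to instantiate a class that
# is outside the allowlist. A loader that only checks the outer object would
# miss this; the allowlist must apply to every tag in the document.
CRAFTED_YAML = <<~YAML
  --- !ruby/object:Manifest
  name: example
  version: !ruby/object:UnexpectedClass
    command: "id"
YAML

# Classes a spec document is permitted to instantiate.
PERMITTED_CLASSES = [Manifest].freeze

# Allowlist-enforcing loader: Psych resolves every !ruby/object tag through a
# restricted class loader, so a tag naming a class outside PERMITTED_CLASSES
# raises Psych::DisallowedClass instead of allocating the object.
def load_manifest(yaml)
  YAML.safe_load(yaml, permitted_classes: PERMITTED_CLASSES, aliases: false)
end

# Unrestricted loader, kept only as the "before" comparison: it instantiates
# whatever class a tag names. Psych 4 (Ruby 3.1+) moved this behaviour to
# unsafe_load; older Psych did it in plain load.
def load_unrestricted(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# Runs one of the loaders and reports what the nested `version` value became:
# the class of the revived object, or the exception class the safe loader raised.
def classify(loader, yaml)
  obj = send(loader, yaml)
  obj.version.class
rescue Psych::DisallowedClass => e
  e.class
end

if __FILE__ == $PROGRAM_NAME
  puts "safe/benign:         #{classify(:load_manifest, BENIGN_YAML)}"
  puts "safe/crafted:        #{classify(:load_manifest, CRAFTED_YAML)}"
  puts "unrestricted/crafted: #{classify(:load_unrestricted, CRAFTED_YAML)}"
end
```

The point of the comparison is that the allowlist has to be enforced by the deserializer at every tag, not checked once against the top-level class: the crafted document's outer object is entirely legitimate, and only the nested tag carries the unexpected class.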

References

CVE Name CVE-2017-0903
URL http://blog.rubygems.org/2017/10/09/2.6.14-released.html
URL http://www.openwall.com/lists/oss-security/2017/10/10/2