Update security docs for RubyGems CVEs

chrisseaton · chrisseaton · commit 78600e8ffa29 · 2019-03-13T21:28:09.000Z
diff --git a/doc/user/security.md b/doc/user/security.md
@@ -35,29 +35,35 @@ https://www.ruby-lang.org/en/security/.
 
 Number | Description | Their Mitigation | Test | Our Mitigation
 --- | --- | --- | --- | ---
+CVE-2019-8320 | Delete directory using symlink when decompressing `tar` | Check the expanded path | Tested in MRI `test/rubygems/test_gem_package.rb` | Applied the same patch
+CVE-2019-8321 | Escape sequence injection in `verbose` | Sanitise message | Tested in `ruby/spec` `:security` | Applied the same patch
+CVE-2019-8322 | Escape sequence injection in `gem owner` | Sanitise message | Tested in `ruby/spec` `:security` | Applied the same patch
+CVE-2019-8323 | Escape sequence injection vulnerability in API response handling | Sanitise message | Tested in `ruby/spec` `:security` | Applied the same patch
+CVE-2019-8324 | Installing a malicious gem may lead to arbitrary code execution | Verifying gems before pre-install checks | Tested in MRI `test/rubygems/test_gem_installer.rb` | Applied the same patch
+CVE-2019-8325 | Escape sequence injection in errors | Sanitise error messages | Tested in `ruby/spec` `:security` | Applied the same patch
 CVE-2018-16395 | `OpenSSL::X509::Name` equality check does not work correctly | *todo* | *todo* | *todo*
-CVE-2018-16396 | Tainted flags are not propagated in `Array#pack` and `String#unpack` with some directives | Additional taint operations | Tested in ruby/spec `:security` | Additional taint operations
-CVE-2018-6914 | Unintentional file and directory creation with directory traversal in `tempfile` and `tmpdir` | Sanitization of paths | Tested in ruby/spec `:security` | Sanitization of paths
-CVE-2018-8779 | Unintentional socket creation by poisoned NUL byte in `UNIXServer` and `UNIXSocket` | Check for NUL bytes | Tested in ruby/spec `:security` | Check for NUL bytes
-CVE-2018-8780 | Unintentional directory traversal by poisoned NUL byte in `Dir` | Check for NUL bytes | Tested in ruby/spec `:security` | Check for NUL bytes
-CVE-2018-8777 | DoS by large request in WEBrick | Logic for header length | Tested in MRI `test/webrick/test_httpserver.rb` | We share the same code, so also have the mitigation
-CVE-2017-17742 | HTTP response splitting in WEBrick | Logic for invalid headers | Tested in ruby/spec `:security` | We share the same code, so also have the mitigation
-CVE-2018-8778 | Buffer under-read in String#unpack | A range check | Tested in ruby/spec `:security` | A range check
-CVE-2017-17405 | Command injection vulnerability in `Net::FTP` | Treat paths in commands explicitly as paths, not general IO commands | Tested in MRI `test/net/ftp/test_ftp.rb` | We share the same code, so also have the mitigation
-CVE-2017-10784 | Escape sequence injection vulnerability in the Basic authentication of WEBrick | Proper escaping of logs | Tested in MRI `test/webrick/test_httpauth.rb` | We share the same code, so also have the mitigation
+CVE-2018-16396 | Tainted flags are not propagated in `Array#pack` and `String#unpack` with some directives | Additional taint operations | Tested in `ruby/spec` `:security` | Additional taint operations
+CVE-2018-6914 | Unintentional file and directory creation with directory traversal in `tempfile` and `tmpdir` | Sanitization of paths | Tested in `ruby/spec` `:security` | Sanitization of paths
+CVE-2018-8779 | Unintentional socket creation by poisoned NUL byte in `UNIXServer` and `UNIXSocket` | Check for NUL bytes | Tested in `ruby/spec` `:security` | Check for NUL bytes
+CVE-2018-8780 | Unintentional directory traversal by poisoned NUL byte in `Dir` | Check for NUL bytes | Tested in `ruby/spec` `:security` | Check for NUL bytes
+CVE-2018-8777 | DoS by large request in WEBrick | Logic for header length | Tested in MRI `test/webrick/test_httpserver.rb` | Applied the same mitigation
+CVE-2017-17742 | HTTP response splitting in WEBrick | Logic for invalid headers | Tested in `ruby/spec` `:security` |Applied the same mitigation
+CVE-2018-8778 | Buffer under-read in String#unpack | A range check | Tested in `ruby/spec` `:security` | A range check
+CVE-2017-17405 | Command injection vulnerability in `Net::FTP` | Treat paths in commands explicitly as paths, not general IO commands | Tested in MRI `test/net/ftp/test_ftp.rb` | Applied the same mitigation
+CVE-2017-10784 | Escape sequence injection vulnerability in the Basic authentication of WEBrick | Proper escaping of logs | Tested in MRI `test/webrick/test_httpauth.rb` | Applied the same mitigation
 CVE-2017-0898 | Buffer underrun vulnerability in `Kernel.sprintf` | *todo* | *todo* | *todo*
 CVE-2017-14033 | Buffer underrun vulnerability in OpenSSL ASN1 decode | *todo* | *todo* | *todo*
 CVE-2017-14064 | Heap exposure vulnerability in generating JSON | *todo* | *todo* | *todo*
 CVE-2017-0902, CVE-2017-0899, CVE-2017-0900, CVE-2017-0901 | Multiple vulnerabilities in RubyGems | *todo* | *todo* | *todo*
 CVE-2015-7551 | Unsafe tainted string usage in Fiddle and DL (regression of the mitigation of CVE-2009-5147) | Additional taint checks | Tested in MRI `test/mri/tests/fiddle/test_handle.rb` | Not applicable as we do not support `$SAFE`, and the `DL` module was removed in Ruby 2.2.0
 CVE-2015-1855 | Ruby OpenSSL Hostname Verification | *todo* | *todo* | *todo*
 CVE-2014-8090 | Another Denial of Service XML Expansion | *todo* | *todo* | *todo*
-CVE-2014-8080 | Denial of Service XML Expansion | *todo* | Tested in ruby/spec `:security` | *todo*
+CVE-2014-8080 | Denial of Service XML Expansion | *todo* | Tested in `ruby/spec` `:security` | *todo*
 None | Changed default settings of ext/openssl | *todo* | *todo* | *todo*
 CVE-2014-2734 | Dispute of Vulnerability | *todo* | *todo* | *todo*
 CVE-2014-0160 | OpenSSL Severe Vulnerability in TLS Heartbeat Extension | *todo* | *todo* | *todo*
 CVE-2014-2525 | Heap Overflow in YAML URI Escape Parsing | *todo* | *todo* | *todo*
-CVE-2013-4164 | Heap Overflow in Floating Point Parsing  | *todo* | Tested in ruby/spec `:security` | *todo*
+CVE-2013-4164 | Heap Overflow in Floating Point Parsing  | *todo* | Tested in `ruby/spec` `:security` | *todo*
 CVE-2013-4073 | Hostname check bypassing vulnerability in SSL client | *todo* | *todo* | *todo*
 CVE-2013-2065 | Object taint bypassing in DL and Fiddle in Ruby | Additional taint checks | Tested in MRI `test/mri/tests/fiddle/test_func.rb` | Not applicable as we do not support `$SAFE`, and the `DL` module was removed in Ruby 2.2.0
 CVE-2013-1821 | Entity expansion DoS vulnerability in REXML | *todo* | *todo* | *todo*
@@ -68,7 +74,7 @@ CVE-2012-4522 | Unintentional file creation caused by inserting a illegal NUL ch
 CVE-2012-4464, CVE-2012-4466  | $SAFE escaping vulnerability about `Exception#to_s` / `NameError#to_s` | *todo* | *todo* | Not applicable as we do not support `$SAFE`
 None | Security Fix for RubyGems: SSL server verification failure for remote repository | *todo* | *todo* | *todo*
 CVE-2011-3389 | Security Fix for Ruby OpenSSL module: Allow 0/n splitting as a prevention for the TLS BEAST attack | *todo* | *todo* | *todo*
-CVE-2011-4815 | Denial of service attack was found for Ruby's Hash algorithm (cross-reference CVE-2011-4838, CVE-2012-5370, CVE-2012-5372) | Hashes are made non-deterministic by incorporating process start time | Tested in ruby/spec `:security` | Hashes are made non-deterministic by incorporating a seed from `/dev/urandom`
+CVE-2011-4815 | Denial of service attack was found for Ruby's Hash algorithm (cross-reference CVE-2011-4838, CVE-2012-5370, CVE-2012-5372) | Hashes are made non-deterministic by incorporating process start time | Tested in `ruby/spec` `:security` | Hashes are made non-deterministic by incorporating a seed from `/dev/urandom`
 None | Exception methods can bypass `$SAFE` | *todo* | *todo* | Not applicable as we do not support `$SAFE`
 None | FileUtils is vulnerable to symlink race attacks | *todo* | *todo* | *todo*
 CVE-2010-0541 | XSS in WEBrick | *todo* | *todo* | *todo*
@@ -93,8 +99,8 @@ apply to TruffleRuby.
 
 Number | Description | Their Mitigation | Test | Our Mitigation
 --- | --- | --- | --- | ---
-CVE-2012-5370 | JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably (cross-reference CVE-2011-4815, CVE-2011-4838, CVE-2012-5372) | Hashes are made non-deterministic by incorporating process start time | Tested in ruby/spec `:security` | Hashes are made non-deterministic by incorporating a seed from `/dev/urandom`
-CVE-2011-4838 | JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably (cross-reference CVE-2011-4815, CVE-2012-5370, CVE-2012-5372) | Hashes are made non-deterministic by incorporating process start time | Tested in ruby/spec `:security` | Hashes are made non-deterministic by incorporating a seed from `/dev/urandom`
+CVE-2012-5370 | JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably (cross-reference CVE-2011-4815, CVE-2011-4838, CVE-2012-5372) | Hashes are made non-deterministic by incorporating process start time | Tested in `ruby/spec` `:security` | Hashes are made non-deterministic by incorporating a seed from `/dev/urandom`
+CVE-2011-4838 | JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably (cross-reference CVE-2011-4815, CVE-2012-5370, CVE-2012-5372) | Hashes are made non-deterministic by incorporating process start time | Tested in `ruby/spec` `:security` | Hashes are made non-deterministic by incorporating a seed from `/dev/urandom`
 
 ## Rubinius Vulnerabilities
 
@@ -103,7 +109,7 @@ Rubinius may apply to TruffleRuby.
 
 Number | Description | Their Mitigation | Test | Our Mitigation
 --- | --- | --- | --- | ---
-CVE-2012-5372 | Rubinius computes hash values without properly restricting the ability to trigger hash collisions predictably (cross-reference CVE-2011-4815, CVE-2011-4838, CVE-2012-5370) | Hashes are made non-deterministic by incorporating output from `/dev/urandom` | Tested in ruby/spec `:security` | Hashes are made non-deterministic by incorporating a seed from `/dev/urandom`
+CVE-2012-5372 | Rubinius computes hash values without properly restricting the ability to trigger hash collisions predictably (cross-reference CVE-2011-4815, CVE-2011-4838, CVE-2012-5370) | Hashes are made non-deterministic by incorporating output from `/dev/urandom` | Tested in `ruby/spec` `:security` | Hashes are made non-deterministic by incorporating a seed from `/dev/urandom`
 
 ## Java Dependency Vulnerabilities
 
@@ -115,7 +121,7 @@ We are not aware of any known vulnerabilities.
 
 Number | Description | Their Mitigation | Test | Our Mitigation
 --- | --- | --- | --- | ---
-CVE-2010-1330 | The regular expression engine in JRuby before 1.4.1, when `$KCODE` is set to `'u'`, does not properly handle characters immediately after a UTF-8 character | Check byte sequences for the UTF-8 encoding when perform regexp operations | Tested in ruby/spec `:security` | We share the same code, so also have the mitigation
+CVE-2010-1330 | The regular expression engine in JRuby before 1.4.1, when `$KCODE` is set to `'u'`, does not properly handle characters immediately after a UTF-8 character | Check byte sequences for the UTF-8 encoding when perform regexp operations | Tested in `ruby/spec` `:security` | Applied the same mitigation
 
 ## Other Dependency Vulnerabilities
 
