====================================================================

                              CERT-Renater

                 Note d'Information No. 2017/VULN406
_____________________________________________________________________

DATE                : 15/12/2017

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Ruby.

=====================================================================
https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/
_____________________________________________________________________

CVE-2017-17405: Command injection vulnerability in Net::FTP

Posted by nagachika on 14 Dec 2017

There is a command injection vulnerability in Net::FTP bundled with
Ruby. This vulnerability has been assigned the CVE identifier
CVE-2017-17405.

Details

Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and
puttextfile use Kernel#open to open a local file. If the localfile
argument starts with the pipe character "|", the command following the
pipe character is executed. The default value of localfile is
File.basename(remotefile), so malicious FTP servers could cause
arbitrary command execution.

All users running an affected release should upgrade immediately.

Affected Versions

  * Ruby 2.2 series: 2.2.8 and earlier
  * Ruby 2.3 series: 2.3.5 and earlier
  * Ruby 2.4 series: 2.4.2 and earlier
  * Ruby 2.5 series: 2.5.0-preview1
  * prior to trunk revision r61242

Credit

Thanks to Etienne Stalmans from the Heroku product security team for
reporting the issue.

History

  * Originally published at 2017-12-14 16:00:00 (UTC)

==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================