Bug 1526189 (CVE-2017-17405)

Summary: CVE-2017-17405 ruby: Command injection vulnerability in Net::FTP
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bkearney, cbillett, ccoleman, cpelland, dajohnso, dclarizi, dedgar, dmcphers, gblomqui, gmccullo, gtanzill, hhorak, hhudgeon, jfrey, jgoulding, jhardy, jorton, jprause, kseifried, mmorsi, mtasaka, obarenbo, pvalena, roliveri, ruby-maint, ruby-packagers-sig, simaishi, s, strzibny, tomckay, vanmeeuwen+fedora, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ruby 2.2.9, ruby 2.3.6, ruby 2.4.3, ruby 2.5.0 Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the Net::FTP module did not properly process filenames in combination with certain operations. A remote attacker could exploit this flaw to execute arbitrary commands by setting up a malicious FTP server and tricking a user or Ruby application into downloading files with specially crafted names using the Net::FTP module.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-03 08:13:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1526539, 1526540, 1526542, 1526543, 1526544, 1534935, 1534936, 1534937, 1534938, 1534939, 1534940, 1534941, 1534942, 1545725, 1724855    
Bug Blocks: 1526190    

Description Pedro Sampaio 2017-12-14 21:42:14 UTC 
There is a command injection vulnerability in Net::FTP bundled with Ruby. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the pipe character "|", the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.

External references:

https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/
Comment 4 Kurt Seifried 2017-12-15 18:18:51 UTC 
Statement:

This issue affects the versions of ruby as shipped with Red Hat Subscription Asset Manager 1 and CloudForms 5. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 5 Stefan Cornelius 2018-01-11 18:45:08 UTC 
Patch:
https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=61242
Comment 8 Mark Knowles 2018-02-09 04:12:07 UTC 
OpenShift Container Platform is not vulnerable to this, I am determining whether OpenShift Online is affected.
Comment 10 errata-xmlrpc 2018-02-28 20:03:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0378 https://access.redhat.com/errata/RHSA-2018:0378
Comment 11 errata-xmlrpc 2018-03-26 09:46:55 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0583 https://access.redhat.com/errata/RHSA-2018:0583
Comment 12 errata-xmlrpc 2018-03-26 10:00:36 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0584 https://access.redhat.com/errata/RHSA-2018:0584
Comment 13 errata-xmlrpc 2018-03-26 10:24:59 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0585 https://access.redhat.com/errata/RHSA-2018:0585
Comment 15 errata-xmlrpc 2019-09-19 06:17:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Telco Extended Update Support
  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions

Via RHSA-2019:2806 https://access.redhat.com/errata/RHSA-2019:2806