Bug 2270749 (CVE-2024-27281)

Summary: CVE-2024-27281 ruby: RCE vulnerability with .rdoc_options in RDoc
Product: [Other] Security Response
Reporter: Zack Miele <zmiele>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: anthomas, bbuckingham, bcourt, eglynn, ehelms, ggainey, hhorak, jjoyce, jorton, jschluet, jsherril, juwatts, lhh, lsvaty, lzap, mburns, mgarciac, mhulan, nmoumoul, orabin, osousa, pcreech, pgrist, rchan, rhos-maint, ruby-maint, slinaber, smallamp, tvignaud, vondruch, zbitter
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: rdoc 6.3.4.1, rdoc 6.4.1.1, rdoc 6.5.1.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Rubygem RDoc. When parsing .rdoc_options, the file used for RDoc configuration, as a YAML file, there are no restrictions on the classes that can be restored. This issue may lead to object injection, resulting in remote code execution.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2277054, 2277055, 2270786, 2270787, 2270788, 2270789, 2270790, 2270791, 2270792, 2270793, 2270794, 2270795, 2270796, 2270797, 2270798, 2270799, 2270800, 2270801, 2270802, 2270803, 2270804, 2270805, 2270806, 2270807, 2270808, 2270809, 2270810, 2270811, 2270812, 2270813, 2270814, 2270815, 2270816, 2270817, 2270818, 2270819, 2270820, 2270821, 2270822, 2270823, 2270824, 2270825, 2270826, 2270827, 2270828, 2270829, 2270830, 2270831, 2276875, 2277049, 2277050, 2277051, 2277052, 2277053, 2280544
Bug Blocks: 2270748

Description Zack Miele 2024-03-21 17:48:54 UTC
An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0.

When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored.

When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.
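The "no restrictions on the classes that can be restored" problem described above, shown as an added illustration that is not part of this bug report or of RDoc's own code. ExampleOptions, SideEffectOnLoad and both YAML documents are constructed stand-ins, and the allow-list permitted_classes: [ExampleOptions, Symbol] is an assumed one, not RDoc's; the point is that a YAML root tag chooses the class to instantiate unless the loader is told which classes are acceptable.

```ruby
require "yaml"

# Assumed stand-in for the options object a project's .rdoc_options serializes.
class ExampleOptions
  attr_accessor :title, :main_page, :exclude
end

# Constructed stand-in for "any class can be restored": reviving it has a
# side effect. Here the side effect is only a counter.
class SideEffectOnLoad
  @@revived = 0
  def self.revived; @@revived; end
  def init_with(_coder); @@revived += 1; end
end

# Constructed documents: one a project would ship, one an untrusted checkout
# could carry. The root tag names the class the loader will allocate.
BENIGN_OPTIONS = <<~DOC
  --- !ruby/object:ExampleOptions
  title: Example Project
  main_page: README.md
  exclude:
    - spec
DOC
TAGGED_OPTIONS = <<~DOC
  --- !ruby/object:SideEffectOnLoad
  title: injected
DOC

# Unrestricted load: whatever class the document names gets instantiated.
# Psych 4 made YAML.load safe by default; unsafe_load keeps the old behaviour.
def load_unrestricted(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# Restricted load: only listed classes may be revived; any other tag raises
# Psych::DisallowedClass before an object is allocated (assumed allow-list).
def load_restricted(yaml)
  YAML.safe_load(yaml, permitted_classes: [ExampleOptions, Symbol])
end

def restricted_rejects?(yaml)
  load_restricted(yaml)
  false
rescue Psych::DisallowedClass
  true
end

# Read the root tag without reviving anything: lets a defender audit which
# class each .rdoc_options file in a checkout asks for before any tool loads it.
def root_tag(yaml)
  YAML.parse(yaml).root.tag
end
```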

Comment 2 Zack Miele 2024-03-21 18:12:28 UTC
Created puppet tracking bugs for this issue:

Affects: epel-8 [bug 2270792]


Created ruby:3.1/rubygem-pg tracking bugs for this issue:

Affects: fedora-38 [bug 2270798]


Created rubygem-ammeter tracking bugs for this issue:

Affects: fedora-all [bug 2270813]


Created rubygem-bcrypt tracking bugs for this issue:

Affects: epel-7 [bug 2270787]


Created rubygem-bcrypt_pbkdf tracking bugs for this issue:

Affects: fedora-all [bug 2270815]


Created rubygem-domain_name tracking bugs for this issue:

Affects: fedora-38 [bug 2270801]


Created rubygem-haml tracking bugs for this issue:

Affects: fedora-all [bug 2270817]


Created rubygem-highline tracking bugs for this issue:

Affects: epel-8 [bug 2270793]


Created rubygem-http-cookie tracking bugs for this issue:

Affects: fedora-all [bug 2270818]


Created rubygem-jquery-rails tracking bugs for this issue:

Affects: fedora-38 [bug 2270803]


Created rubygem-marc tracking bugs for this issue:

Affects: fedora-all [bug 2270819]


Created rubygem-mechanize tracking bugs for this issue:

Affects: fedora-38 [bug 2270805]


Created rubygem-minitest-around tracking bugs for this issue:

Affects: fedora-all [bug 2270820]


Created rubygem-net-http-persistent tracking bugs for this issue:

Affects: fedora-all [bug 2270821]


Created rubygem-pdfkit tracking bugs for this issue:

Affects: fedora-all [bug 2270822]


Created rubygem-pg tracking bugs for this issue:

Affects: fedora-all [bug 2270823]


Created rubygem-power_assert tracking bugs for this issue:

Affects: fedora-all [bug 2270824]


Created rubygem-rest-client tracking bugs for this issue:

Affects: fedora-all [bug 2270825]


Created rubygem-ruby_engine tracking bugs for this issue:

Affects: epel-7 [bug 2270788]
Affects: fedora-all [bug 2270826]


Created rubygem-ruby_version tracking bugs for this issue:

Affects: epel-7 [bug 2270789]
Affects: fedora-38 [bug 2270808]


Created rubygem-shindo tracking bugs for this issue:

Affects: fedora-all [bug 2270827]


Created rubygem-shoulda-context tracking bugs for this issue:

Affects: fedora-all [bug 2270828]


Created rubygem-sinatra tracking bugs for this issue:

Affects: epel-7 [bug 2270790]


Created rubygem-sqlite3 tracking bugs for this issue:

Affects: epel-8 [bug 2270794]
Affects: fedora-38 [bug 2270810]


Created rubygem-stringex tracking bugs for this issue:

Affects: fedora-all [bug 2270829]


Created rubygem-tins tracking bugs for this issue:

Affects: epel-7 [bug 2270791]
Affects: fedora-all [bug 2270830]


Created rubygem-webmock tracking bugs for this issue:

Affects: fedora-all [bug 2270831]


Created whatweb tracking bugs for this issue:

Affects: epel-8 [bug 2270797]
Affects: fedora-all [bug 2270786]

Comment 3 Mamoru TASAKA 2024-03-22 09:34:43 UTC
I don't think this affects generated documents, only rubygem-rdoc is affected if possible.

Comment 4 Vít Ondruch 2024-03-22 09:49:45 UTC
This is the official announcement:

https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/

This is the patch:

https://github.com/ruby/rdoc/commit/33221979e3a6a18de962553b56c396abb5ba3244

And I'd like to elaborate that having `.rdoc_options` file around does not mean the package is vulnerable. It could be in theory, but using upstream sources, the chances are minimal.

Comment 7 Sandipan Roy 2024-04-25 05:03:18 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-38 [bug 2277049]
Affects: fedora-39 [bug 2277051]
Affects: fedora-40 [bug 2277052]


Created ruby:3.1/ruby tracking bugs for this issue:

Affects: fedora-38 [bug 2277050]


Created rubygem-rdoc tracking bugs for this issue:

Affects: fedora-38 [bug 2277053]
Affects: fedora-39 [bug 2277054]
Affects: fedora-40 [bug 2277055]

Comment 10 errata-xmlrpc 2024-05-30 13:12:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3500 https://access.redhat.com/errata/RHSA-2024:3500

Comment 11 errata-xmlrpc 2024-06-03 07:15:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3546 https://access.redhat.com/errata/RHSA-2024:3546

Comment 12 errata-xmlrpc 2024-06-06 08:57:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3668 https://access.redhat.com/errata/RHSA-2024:3668

Comment 13 errata-xmlrpc 2024-06-06 09:23:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3670 https://access.redhat.com/errata/RHSA-2024:3670

Comment 14 errata-xmlrpc 2024-06-06 09:48:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3671 https://access.redhat.com/errata/RHSA-2024:3671

Comment 15 errata-xmlrpc 2024-06-11 19:42:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3838 https://access.redhat.com/errata/RHSA-2024:3838

Comment 16 errata-xmlrpc 2024-07-11 11:48:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4499 https://access.redhat.com/errata/RHSA-2024:4499