Bug 671207 (CVE-2010-3928)

Summary: CVE-2010-3928 rubygem-rvm: escape sequence injection vulnerability
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: mfojtik, vondruch
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-05-08 20:06:39 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 671209
Bug Blocks:

Description Vincent Danen 2011-01-20 18:37:34 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3928 to
the following vulnerability:

Name: CVE-2010-3928
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3928
Assigned: 20101012
Reference: JVN:JVN#30414126
Reference: URL: http://jvn.jp/en/jp/JVN30414126/index.html
Reference: JVNDB:JVNDB-2011-000005
Reference: URL: http://jvndb.jvn.jp/en/contents/2011/JVNDB-2011-000005.html
Reference: BID:45841
Reference: URL: http://www.securityfocus.com/bid/45841
Reference: XF:ruby-manager-escape-command-execution(64746)
Reference: URL: http://xforce.iss.net/xforce/xfdb/64746

Ruby Version Manager (RVM) before 1.2.1 writes file contents to a
terminal without sanitizing non-printable characters, which might
allow remote attackers to execute arbitrary commands via a crafted
file, related to an "escape sequence injection vulnerability." NOTE:
some of these details are obtained from third party information.
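As an added example, not code from RVM or from this report, a Ruby sanitiser of the kind the description says was missing: it strips terminal escape sequences (CSI, OSC and two-byte ESC sequences) and C0 control characters other than tab and newline before file contents are written to a terminal, and offers a check that flags such contents. Function names and the sample string are constructed for the demonstration.

```ruby
# Added example (not from RVM or this bug report): sanitise text before
# echoing it to a terminal, so that escape sequences embedded in a file
# cannot reach the terminal emulator. Sample input is constructed.

# CSI: ESC [ parameter bytes, intermediate bytes, one final byte (0x40-0x7e).
CSI_SEQ = /\e\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]/
# OSC: ESC ] ... terminated by BEL or by ST (ESC \).
OSC_SEQ = /\e\][^\a\e]*(?:\a|\e\\)/
# Any other two-byte ESC sequence (covers an unterminated "ESC [" too).
ESC_TWO = /\e[\x20-\x7e]/
# C0 control characters and DEL, keeping only tab (0x09) and newline (0x0a).
# Carriage return is stripped because it can overwrite the displayed line.
CONTROL = /[\x00-\x08\x0b-\x1f\x7f]/

# Return a copy of +text+ safe to write to a terminal.
def strip_terminal_escapes(text)
  text.scrub('?')             # drop invalid byte sequences so gsub cannot raise
      .gsub(OSC_SEQ, '')
      .gsub(CSI_SEQ, '')
      .gsub(ESC_TWO, '')
      .gsub(CONTROL, '')      # a lone ESC left over is removed here
end

# Detection-style check: would displaying +text+ unsanitised reach the
# terminal with control or escape bytes?
def unsafe_for_terminal?(text)
  strip_terminal_escapes(text) != text.scrub('?')
end

# Read a file and return its contents sanitised for display.
def safe_file_text(path)
  strip_terminal_escapes(File.read(path))
end

# Constructed sample: colour change, OSC title sequence, CR and NUL.
CRAFTED = "ruby-1.9.2\e[31m evil \e[0m\e]0;title\aend\r\x00\n"

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{unsafe_for_terminal?(CRAFTED)}"
  print strip_terminal_escapes(CRAFTED)   # prints "ruby-1.9.2 evil end"
end
```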

Comment 1 Vincent Danen 2011-01-20 18:38:38 UTC
Created rubygem-rvm tracking bugs for this issue

Affects: fedora-all [bug 671209]

Comment 2 Vít Ondruch 2013-01-08 14:34:41 UTC
This package was entirely dropped from Fedora. Maybe this issue could be closed now.

Comment 3 Tomas Hoger 2013-01-08 14:44:44 UTC
It only seems dropped from F17 and later, and remains in F16. If it's not planned to get fixed before EOL, we can only close with wontfix.

Comment 4 Vít Ondruch 2013-01-08 15:00:07 UTC
Ah, the package is blocked F17+ but in pkgdb, it is retired entirely. Nevertheless, there is definitely no plan to fix it.