Bug 1526189 (CVE-2017-17405) - CVE-2017-17405 ruby: Command injection vulnerability in Net::FTP
Summary: CVE-2017-17405 ruby: Command injection vulnerability in Net::FTP
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-17405
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1526539 1526540 1526542 1526543 1526544 1534935 1534936 1534937 1534938 1534939 1534940 1534941 1534942 1545725 1724855
Blocks: 1526190
TreeView+ depends on / blocked
 
Reported: 2017-12-14 21:42 UTC by Pedro Sampaio
Modified: 2021-02-17 01:05 UTC (History)
32 users (show)

Fixed In Version: ruby 2.2.9, ruby 2.3.6, ruby 2.4.3, ruby 2.5.0
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the Net::FTP module did not properly process filenames in combination with certain operations. A remote attacker could exploit this flaw to execute arbitrary commands by setting up a malicious FTP server and tricking a user or Ruby application into downloading files with specially crafted names using the Net::FTP module.
Clone Of:
Environment:
Last Closed: 2018-04-03 08:13:05 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0378 0 normal SHIPPED_LIVE Important: ruby security update 2018-03-01 01:06:17 UTC
Red Hat Product Errata RHSA-2018:0583 0 None None None 2018-03-26 09:47:09 UTC
Red Hat Product Errata RHSA-2018:0584 0 None None None 2018-03-26 10:00:52 UTC
Red Hat Product Errata RHSA-2018:0585 0 None None None 2018-03-26 10:25:12 UTC
Red Hat Product Errata RHSA-2019:2806 0 None None None 2019-09-19 06:17:03 UTC

Description Pedro Sampaio 2017-12-14 21:42:14 UTC 
There is a command injection vulnerability in Net::FTP bundled with Ruby. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the pipe character "|", the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.

External references:

https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/
Comment 4 Kurt Seifried 2017-12-15 18:18:51 UTC 
Statement:

This issue affects the versions of ruby as shipped with Red Hat Subscription Asset Manager 1 and CloudForms 5. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 5 Stefan Cornelius 2018-01-11 18:45:08 UTC 
Patch:
https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=61242
Comment 8 Mark Knowles 2018-02-09 04:12:07 UTC 
OpenShift Container Platform is not vulnerable to this, I am determining whether OpenShift Online is affected.
Comment 10 errata-xmlrpc 2018-02-28 20:03:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0378 https://access.redhat.com/errata/RHSA-2018:0378
Comment 11 errata-xmlrpc 2018-03-26 09:46:55 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0583 https://access.redhat.com/errata/RHSA-2018:0583
Comment 12 errata-xmlrpc 2018-03-26 10:00:36 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0584 https://access.redhat.com/errata/RHSA-2018:0584
Comment 13 errata-xmlrpc 2018-03-26 10:24:59 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0585 https://access.redhat.com/errata/RHSA-2018:0585
Comment 15 errata-xmlrpc 2019-09-19 06:17:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Telco Extended Update Support
  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions

Via RHSA-2019:2806 https://access.redhat.com/errata/RHSA-2019:2806
Note You need to log in before you can comment on or make changes to this bug.