An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.
Created puppet tracking bugs for this issue: Affects: epel-8 [bug 2270792]
Created ruby:3.1/rubygem-pg tracking bugs for this issue: Affects: fedora-38 [bug 2270798]
Created rubygem-ammeter tracking bugs for this issue: Affects: fedora-all [bug 2270813]
Created rubygem-bcrypt tracking bugs for this issue: Affects: epel-7 [bug 2270787]
Created rubygem-bcrypt_pbkdf tracking bugs for this issue: Affects: fedora-all [bug 2270815]
Created rubygem-domain_name tracking bugs for this issue: Affects: fedora-38 [bug 2270801]
Created rubygem-haml tracking bugs for this issue: Affects: fedora-all [bug 2270817]
Created rubygem-highline tracking bugs for this issue: Affects: epel-8 [bug 2270793]
Created rubygem-http-cookie tracking bugs for this issue: Affects: fedora-all [bug 2270818]
Created rubygem-jquery-rails tracking bugs for this issue: Affects: fedora-38 [bug 2270803]
Created rubygem-marc tracking bugs for this issue: Affects: fedora-all [bug 2270819]
Created rubygem-mechanize tracking bugs for this issue: Affects: fedora-38 [bug 2270805]
Created rubygem-minitest-around tracking bugs for this issue: Affects: fedora-all [bug 2270820]
Created rubygem-net-http-persistent tracking bugs for this issue: Affects: fedora-all [bug 2270821]
Created rubygem-pdfkit tracking bugs for this issue: Affects: fedora-all [bug 2270822]
Created rubygem-pg tracking bugs for this issue: Affects: fedora-all [bug 2270823]
Created rubygem-power_assert tracking bugs for this issue: Affects: fedora-all [bug 2270824]
Created rubygem-rest-client tracking bugs for this issue: Affects: fedora-all [bug 2270825]
Created rubygem-ruby_engine tracking bugs for this issue: Affects: epel-7 [bug 2270788] Affects: fedora-all [bug 2270826]
Created rubygem-ruby_version tracking bugs for this issue: Affects: epel-7 [bug 2270789] Affects: fedora-38 [bug 2270808]
Created rubygem-shindo tracking bugs for this issue: Affects: fedora-all [bug 2270827]
Created rubygem-shoulda-context tracking bugs for this issue: Affects: fedora-all [bug 2270828]
Created rubygem-sinatra tracking bugs for this issue: Affects: epel-7 [bug 2270790]
Created rubygem-sqlite3 tracking bugs for this issue: Affects: epel-8 [bug 2270794] Affects: fedora-38 [bug 2270810]
Created rubygem-stringex tracking bugs for this issue: Affects: fedora-all [bug 2270829]
Created rubygem-tins tracking bugs for this issue: Affects: epel-7 [bug 2270791] Affects: fedora-all [bug 2270830]
Created rubygem-webmock tracking bugs for this issue: Affects: fedora-all [bug 2270831]
Created whatweb tracking bugs for this issue: Affects: epel-8 [bug 2270797] Affects: fedora-all [bug 2270786]
I don't think this affects generated documents, only rubygem-rdoc is affected if possible.
This is the official announcement: https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/
This is the patch: https://github.com/ruby/rdoc/commit/33221979e3a6a18de962553b56c396abb5ba3244
And I'd like to elaborate that having a `.rdoc_options` file around does not mean the package is vulnerable. It could be in theory, but using upstream sources, the chances are minimal.
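A triage check for packages that ship a `.rdoc_options` file, as an added example that is not part of the original comments or RDoc's own code: it lists YAML tags that would restore a Ruby object, working on the parse tree only, and shows a restricted load refusing them. The tag allowlist, the three sample files and the `Hypothetical::Gadget` name are assumptions constructed for illustration.

```ruby
require "psych"

# Assumption for this example: a .rdoc_options file written by RDoc carries
# only the RDoc::Options root tag, plus symbol tags.
ALLOWED_TAGS = ["!ruby/object:RDoc::Options", "!ruby/symbol", "!ruby/sym"].freeze

# Constructed sample: shape of a generated options file.
SAMPLE_GENERATED = <<~YAML
  --- !ruby/object:RDoc::Options
  encoding: UTF-8
  main_page: README.md
YAML

# Constructed sample: same file with an extra tagged object nested inside.
# Hypothetical::Gadget is a placeholder name, not a real class.
SAMPLE_TAMPERED = <<~YAML
  --- !ruby/object:RDoc::Options
  encoding: UTF-8
  main_page: !ruby/object:Hypothetical::Gadget
    arg: value
YAML

# Constructed sample: untagged options, plain data only.
SAMPLE_PLAIN = "---\nencoding: UTF-8\nmain_page: README.md\n"

# List every YAML tag outside the allowlist. Psych.parse_stream only builds
# a syntax tree, so nothing in the file is ever instantiated.
def unexpected_tags(yaml)
  Psych.parse_stream(yaml)
       .select { |node| node.respond_to?(:tag) && node.tag }
       .map(&:tag)
       .reject { |tag| ALLOWED_TAGS.include?(tag) }
       .uniq
end

# True when the file restores under a restricted loader that permits only
# core data types and Symbol; any other class is refused, not constructed.
def plain_data_only?(yaml)
  Psych.safe_load(yaml, permitted_classes: [Symbol])
  true
rescue Psych::DisallowedClass
  false
end

# Audit any paths given on the command line (no-op without arguments).
ARGV.each { |path| puts "#{path}: #{unexpected_tags(File.read(path)).inspect}" }
```

An empty list from `unexpected_tags` means the file asks for nothing beyond the allowlisted tags; any other tag is worth reading by hand before the file reaches an unpatched RDoc.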
Created ruby tracking bugs for this issue: Affects: fedora-38 [bug 2277049] Affects: fedora-39 [bug 2277051] Affects: fedora-40 [bug 2277052]
Created ruby:3.1/ruby tracking bugs for this issue: Affects: fedora-38 [bug 2277050]
Created rubygem-rdoc tracking bugs for this issue: Affects: fedora-38 [bug 2277053] Affects: fedora-39 [bug 2277054] Affects: fedora-40 [bug 2277055]