2280477 – CVE-2024-32020 rubygem-stringex: git: insecure hardlinks [fedora-all]

Bug 2280477 - CVE-2024-32020 rubygem-stringex: git: insecure hardlinks [fedora-all]

Summary: CVE-2024-32020 rubygem-stringex: git: insecure hardlinks [fedora-all]

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	rubygem-stringex
Sub Component:
Version:	40
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Mamoru TASAKA
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	CVE-2024-32020
TreeView+	depends on / blocked

Reported:	2024-05-14 23:53 UTC by Nick Tait
Modified:	2024-05-22 21:03 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2024-05-15 13:29:24 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Nick Tait 2024-05-14 23:53:00 UTC

More information about this security flaw is available in the following bug:

http://bugzilla.redhat.com/show_bug.cgi?id=2280466

Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Comment 1 Nick Tait 2024-05-14 23:53:02 UTC

Use the following template to for the 'fedpkg update' request to submit an
update for this issue as it contains the top-level parent bug(s) as well as
this tracking bug.  This will ensure that all associated bugs get updated
when new packages are pushed to stable.

=====

# bugfix, security, enhancement, newpackage (required)
type=security

# low, medium, high, urgent (required)
severity=low

# testing, stable
request=testing

# Bug numbers: 1234,9876
bugs=2280466,2280477

# Description of your update
notes=Security fix for [PUT CVEs HERE]

# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3

# Automatically close bugs when this marked as stable
close_bugs=True

# Suggest that users restart after update
suggest_reboot=False

======

Additionally, you may opt to use the bodhi web interface to submit updates:

https://bodhi.fedoraproject.org/updates/new

Comment 2 Vít Ondruch 2024-05-15 14:04:17 UTC

@Nick: could you please elaborate what is the relation between git and rubygem-stringex? And since you are at it, the same question applies also to rubygem-rouge and rubygem-dynect_rest

Comment 3 Nick Tait 2024-05-15 23:15:48 UTC

Red Hat's tooling indicates a similar result for all three packages you mentioned: fedora-38	rubygem-stringex-2.8.6-1.fc38	(git.0, gem)	git+https://src.fedoraproject.org/rpms/rubygem-stringex.git
Which I gather is a gem for git, not the git package itself. So your assessment is correct, sorry about the spam. Thanks for taking a look.

Comment 4 Vít Ondruch 2024-05-16 08:26:48 UTC

(In reply to Nick Tait from comment #3)
> Red Hat's tooling indicates a similar result for all three packages you
> mentioned: fedora-38	rubygem-stringex-2.8.6-1.fc38	(git.0, gem)
> git+https://src.fedoraproject.org/rpms/rubygem-stringex.git
> Which I gather is a gem for git, not the git package itself. So your
> assessment is correct, sorry about the spam. Thanks for taking a look.

Huh, I am still not sure I understand. These are all occurences of `git` word in the source code:

~~~
$ grep --exclude-dir .git -R git
.gitignore:github-test.rb
README.md:# Stringex [<img src="https://codeclimate.com/github/rsl/stringex.svg" />](https://codeclimate.com/github/rsl/stringex) [<img src="https://travis-ci.org/rsl/stringex.svg?branch=master" alt="Build Status" />](https://travis-ci.org/rsl/stringex) [<img src="https://badge.fury.io/rb/stringex.svg" alt="Gem Version" />](http://badge.fury.io/rb/stringex)
README.md:With Stringex version 2.0 and higher, you can localize the different conversions in Stringex. Read more [here](https://github.com/rsl/stringex/wiki/Localization-of-Stringex-conversions). If you add a new language, please submit a pull request so we can make it available to other users also.
README.md:When using Stringex with Ruby on Rails, you automatically get built-in translations for miscellaneous characters, HTML entities, and vulgar fractions. You can see Stringex's standard translations [here](https://github.com/rsl/stringex/tree/master/locales).
README.md:You can easily add your own or customize the built-in translations - read [here](https://github.com/rsl/stringex/wiki/Localization-of-Stringex-conversions). If you add a new language, please submit a pull request so we can make it available to other users also.
README.md:This project conforms to [semver](http://semver.org/). As a result of this policy, you can (and should) specify a dependency on this gem using the [Pessimistic Version Constraint](http://guides.rubygems.org/patterns/) with two digits of precision. For example:
README.md:GIANT thanks to the many contributors who have helped make Stringex better and better: http://github.com/rsl/stringex/contributors
Rakefile:    gem.homepage         = "http://github.com/rsl/stringex"
lib/stringex/unidecoder_data/xa1.yml:- git
lib/stringex/unidecoder_data/xa2.yml:- ggit
lib/stringex/unidecoder_data/xae.yml:- git
lib/stringex/unidecoder_data/xb0.yml:- ggit
stringex.gemspec:  s.homepage = "http://github.com/rsl/stringex".freeze
~~~

Which one could have been interpreted as a dependency on `git` gem? I am afraid there is something completely off with the scanner you use and I'd like to address it.

Comment 5 Vít Ondruch 2024-05-16 08:28:10 UTC

BTW this does not reveal anything:

~~~
$ grep --exclude-dir .git -R "1.11.0"
~~~

Comment 6 Nick Tait 2024-05-22 21:03:05 UTC

I've checked with my team but unfortunately I can't offer any other advice other than this was a false positive.

Note You need to log in before you can comment on or make changes to this bug.