Bug 2110551 (CVE-2022-31163) - CVE-2022-31163 rubygem-tzinfo: arbitrary code execution
Summary: CVE-2022-31163 rubygem-tzinfo: arbitrary code execution
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-31163
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2110552 2110977 2110978 2110979 2111896 2111914 2111918 2111919
Blocks: 2110553
TreeView+ depends on / blocked
 
Reported: 2022-07-25 15:33 UTC by Marian Rehak
Modified: 2023-05-03 13:19 UTC (History)
28 users (show)

Fixed In Version: rubygem-tzinfo 1.2.10
Clone Of:
Environment:
Last Closed: 2023-03-28 03:50:18 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:7242 0 None None None 2022-10-27 13:01:13 UTC
Red Hat Product Errata RHSA-2023:1486 0 None None None 2023-03-28 00:15:13 UTC
Red Hat Product Errata RHSA-2023:2097 0 None None None 2023-05-03 13:19:28 UTC

Description Marian Rehak 2022-07-25 15:33:27 UTC 
`TZInfo::Timezone.get` fails to validate time zone identifiers correctly, allowing a new line character within the identifier. `TZInfo::Timezone.get` can be made to load unintended files with `require`, executing them within the Ruby process.

Reference:

https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx
Comment 1 Marian Rehak 2022-07-25 15:33:44 UTC 
Created rubygem-tzinfo tracking bugs for this issue:

Affects: epel-7 [bug 2110552]
Comment 4 errata-xmlrpc 2022-10-27 13:01:10 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.11 for RHEL 7
  Red Hat Satellite 6.11 for RHEL 8

Via RHSA-2022:7242 https://access.redhat.com/errata/RHSA-2022:7242
Comment 6 errata-xmlrpc 2023-03-28 00:15:10 UTC 
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 7

Via RHSA-2023:1486 https://access.redhat.com/errata/RHSA-2023:1486
Comment 7 Product Security DevOps Team 2023-03-28 03:50:15 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-31163
Comment 8 errata-xmlrpc 2023-05-03 13:19:26 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.13 for RHEL 8

Via RHSA-2023:2097 https://access.redhat.com/errata/RHSA-2023:2097
Note You need to log in before you can comment on or make changes to this bug.