CVE-2017-0903

Name: CVE-2017-0903
Description: RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-1421-1, DSA-4031-1
Debian Bugs: 879231

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  | Release                | Version          | Status
ruby2.1 (PTS)   | jessie, jessie (lts)   | 2.1.5-2+deb8u14  | fixed
ruby2.3 (PTS)   | stretch (security)     | 2.3.3-1+deb9u11  | fixed
ruby2.3 (PTS)   | stretch (lts), stretch | 2.3.3-1+deb9u12  | fixed
rubygems (PTS)  | bullseye               | 3.2.5-2          | fixed
rubygems (PTS)  | bookworm               | 3.3.15-2         | fixed
rubygems (PTS)  | sid, trixie            | 3.4.20-1         | fixed

The information below is based on the following data on fixed versions.

Package    | Type   | Release    | Fixed Version   | Urgency | Origin      | Debian Bugs
ruby1.9.1  | source | wheezy     | (not affected)  |         |             |
ruby1.9.1  | source | (unstable) | (unfixed)       |         |             |
ruby2.1    | source | jessie     | 2.1.5-2+deb8u4  |         | DLA-1421-1  |
ruby2.1    | source | (unstable) | (unfixed)       |         |             |
ruby2.3    | source | stretch    | 2.3.3-1+deb9u2  |         | DSA-4031-1  |
ruby2.3    | source | (unstable) | 2.3.5-1         |         |             | 879231
rubygems   | source | wheezy     | (not affected)  |         |             |
rubygems   | source | (unstable) | 3.2.0~rc.1-1    |         |             |

Notes

[wheezy] - ruby1.9.1 <not-affected> (Vulnerable code introduced later)
[wheezy] - rubygems <not-affected> (Vulnerable code introduced later)
https://www.openwall.com/lists/oss-security/2017/10/10/2
https://justi.cz/security/2017/10/07/rubygems-org-rce.html
Fixed by: https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49