CVE-2021-41816

Name	CVE-2021-41816
Description	CGI.escape_html in Ruby before 2.7.5 and 3.x before 3.0.3 has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. This also affects the CGI gem before 0.3.1 for Ruby.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-5067-1
Debian Bugs	1002995

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
ruby2.1 (PTS)	jessie, jessie (lts)	2.1.5-2+deb8u14	fixed
ruby2.3 (PTS)	stretch (security)	2.3.3-1+deb9u11	fixed
	stretch (lts), stretch	2.3.3-1+deb9u12	fixed
ruby2.5 (PTS)	buster, buster (lts)	2.5.5-3+deb10u7	fixed
	buster (security)	2.5.5-3+deb10u6	fixed
ruby2.7 (PTS)	bullseye	2.7.4-1+deb11u1	fixed
	bullseye (security)	2.7.4-1+deb11u2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
ruby2.1	source	jessie	(not affected)
ruby2.1	source	(unstable)	(unfixed)
ruby2.3	source	(unstable)	(not affected)
ruby2.5	source	(unstable)	(not affected)
ruby2.7	source	bullseye	2.7.4-1+deb11u1	DSA-5067-1
ruby2.7	source	(unstable)	2.7.5-1
ruby3.0	source	(unstable)	3.0.3-1		1002995

Notes

- ruby2.5 <not-affected> (Vulnerable code introduced later)
- ruby2.3 <not-affected> (Vulnerable code introduced later)
Fixed in Ruby 3.0.3, 2.7.5
https://www.ruby-lang.org/en/news/2021/11/24/buffer-overrun-in-cgi-escape_html-cve-2021-41816/
Introduced by: https://github.com/ruby/cgi/commit/3a62e20f76ea42ff0b4d45f2952479eab266ae1c (v0.1.0)
Fixed by: https://github.com/ruby/cgi/commit/c728632c1c09d46cfd4ecbff9caaa3651dd1002a (v0.3.1)
[jessie] - ruby2.1 <not-affected> (Vulnerable code introduced later)