Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Rubocop CVE-2017-8418 #317

Merged
merged 1 commit into from
Jan 8, 2018
Merged

Add Rubocop CVE-2017-8418 #317

merged 1 commit into from
Jan 8, 2018

Conversation

boffbowsh
Copy link
Contributor

RuboCop 0.48.1 and earlier does not use /tmp in safe way,
allowing local users to exploit this to tamper with cache
files belonging to other users.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8418
rubocop/rubocop#4336

@boffbowsh
Add Rubocop CVE-2017-8418
83873c9 
RuboCop 0.48.1 and earlier does not use /tmp in safe way,
allowing local users to exploit this to tamper with cache
files belonging to other users.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8418
rubocop/rubocop#4336
@mveytsman mveytsman merged commit bfcbf88 into rubysec:master Jan 8, 2018
@mveytsman
Copy link
Member

Thanks @boffbowsh !

@aselder
Copy link
Contributor

aselder commented Jan 8, 2018

@boffbowsh Something is not right in this PR.

We're using 0.50.0 and got flagged.

ruby-advisory-db: 293 advisories
Name: rubocop
Version: 0.50.0
Advisory: CVE-2017-8418
Criticality: Low
URL: https://github.com/bbatsov/rubocop/issues/4336
Title: RuboCop: insecure use of /tmp
Solution: upgrade to ~> 0.49.0

@mveytsman
Copy link
Member

Crap I should have caught this, it should be >= not ~>

@aselder
Copy link
Contributor

aselder commented Jan 8, 2018

@mveytsman PR coming momentarily.

@aselder
Copy link
Contributor

aselder commented Jan 8, 2018

@mveytsman #318

@boffbowsh
Copy link
Contributor Author

Oh dear, sorry about that. I copied the template from the README, so I'll send a PR for a documentation change when I get 5 minutes. Thanks for fixing, @aselder.

@boffbowsh boffbowsh deleted the cve-2017-8418-rubocop branch January 9, 2018 10:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@boffbowsh @mveytsman @aselder