Fix CVE-2017-17405:
https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17405
https://security-tracker.debian.org/tracker/CVE-2017-17405
Patch copied from snapshot.debian.org:
https://snapshot.debian.org/archive/debian-security/20180423T104456Z/pool/updates/main/r/ruby1.8/ruby1.8_1.8.7.358-7.1%2Bdeb7u6.debian.tar.gz
From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
Date: Sun, 24 Dec 2017 16:16:29 +0100
Subject: CVE-2017-17405: command injection attacks via Net::FTP
---
lib/net/ftp.rb | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/lib/net/ftp.rb b/lib/net/ftp.rb
index 369aba8..bfa6c4b 100644
--- a/lib/net/ftp.rb
+++ b/lib/net/ftp.rb
@@ -494,10 +494,10 @@ module Net
blocksize = DEFAULT_BLOCKSIZE, &block) # :yield: data
if @resume
rest_offset = File.size?(localfile)
- f = open(localfile, "a")
+ f = File.open(localfile, "a")
else
rest_offset = nil
- f = open(localfile, "w")
+ f = File.open(localfile, "w")
end
begin
f.binmode
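Review bot: The switch from `open` to `File.open` in this hunk has no comment saying why, so a later cleanup could change it back to the shorter form without noticing the security reason. Kernel#open treats a name beginning with `|` as a command to run, whereas File.open always treats its argument as a path. I would add above the first call `# File.open, not Kernel#open: localfile must always be treated as a path, never as a "|command"`. The same comment belongs on the File.open calls in gettextfile, putbinaryfile and puttextfile in the later hunks. The enclosing method starts and ends outside this hunk.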
@@ -516,7 +516,7 @@ module Net
# line at a time.
#
def gettextfile(remotefile, localfile = File.basename(remotefile), &block) # :yield: line
- f = open(localfile, "w")
+ f = File.open(localfile, "w")
begin
retrlines("RETR " + remotefile) do |line|
f.puts(line)
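Review bot: In gettextfile the default `localfile = File.basename(remotefile)` still derives the local name from the remote name, and mode `"w"` truncates whatever already exists under that name in the working directory. File.open closes the command-execution path, but when remotefile comes from untrusted input the caller still does not choose which local file is overwritten. I would document that on the method, e.g. `# Pass an explicit +localfile+ when +remotefile+ is not trusted; the default name is taken from the remote name.` getbinaryfile probably needs the same note, though its full signature is not visible in the first hunk. The method body continues past this hunk.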
@@ -556,7 +556,7 @@ module Net
else
rest_offset = nil
end
- f = open(localfile)
+ f = File.open(localfile)
begin
f.binmode
storbinary("STOR " + remotefile, f, blocksize, rest_offset, &block)
@@ -571,7 +571,7 @@ module Net
# passing in the transmitted data one line at a time.
#
def puttextfile(localfile, remotefile = File.basename(localfile), &block) # :yield: line
- f = open(localfile)
+ f = File.open(localfile)
begin
storlines("STOR " + remotefile, f, &block)
ensure
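Review bot: Nothing in this patch guards the four changed call sites against regressing to `open`, since the diffstat shows only lib/net/ftp.rb changed. A regression test that calls getbinaryfile, gettextfile, putbinaryfile and puttextfile with a local name beginning with `|` would pin the fix, asserting that the name is handled as a plain file path and no subprocess is started. The package may carry such tests elsewhere, which is not visible from this page. The ensure clause of puttextfile continues outside this hunk.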