| | Fix CVE-2017-17790:
https://github.com/ruby/ruby/pull/1777
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17790
https://security-tracker.debian.org/tracker/CVE-2017-17790
Patch copied from snapshot.debian.org:
https://snapshot.debian.org/archive/debian-security/20180423T104456Z/pool/updates/main/r/ruby1.8/ruby1.8_1.8.7.358-7.1%2Bdeb7u6.debian.tar.gz
From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
Date: Sun, 24 Dec 2017 16:19:08 +0100
Subject: CVE-2017-17790: Fixed command injection in
Resolv::Hosts#lazy_initialize
---
lib/resolv.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/resolv.rb b/lib/resolv.rb
index 5cc0313..417fe0c 100644
--- a/lib/resolv.rb
+++ b/lib/resolv.rb
@@ -186,7 +186,7 @@ class Resolv
unless @initialized
@name2addr = {}
@addr2name = {}
- open(@filename) {|f|
+ File.open(@filename) {|f|
f.each {|line|
line.sub!(/#.*/, '')
addr, hostname, *aliases = line.split(/\s+/)
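Review bot: Nothing in the patch header explains why the one-word change on the `File.open(@filename) {|f|` line closes the injection. Kernel#open treats a path beginning with `|` as a command to run, while File.open always treats its argument as a file path. A sentence to that effect in the description would keep a later cleanup from reverting to bare `open`. The diffstat shows only lib/resolv.rb changing, with no test added. A regression test that builds a Resolv::Hosts with a filename starting with `|` and asserts that no subprocess is spawned would pin the behaviour. Since only this one call site is touched, it is also worth checking the rest of lib/resolv.rb for other bare `open` calls on configurable paths.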
|