unofficial mirror of guix-devel@gnu.org

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
 Fix CVE-2017-17790:

https://github.com/ruby/ruby/pull/1777
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17790
https://security-tracker.debian.org/tracker/CVE-2017-17790

Patch copied from snapshot.debian.org:

https://snapshot.debian.org/archive/debian-security/20180423T104456Z/pool/updates/main/r/ruby1.8/ruby1.8_1.8.7.358-7.1%2Bdeb7u6.debian.tar.gz

From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
Date: Sun, 24 Dec 2017 16:19:08 +0100
Subject: CVE-2017-17790: Fixed command injection in
 Resolv::Hosts#lazy_initialize

---
 lib/resolv.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/resolv.rb b/lib/resolv.rb
index 5cc0313..417fe0c 100644
--- a/lib/resolv.rb
+++ b/lib/resolv.rb
@@ -186,7 +186,7 @@ class Resolv
         unless @initialized
           @name2addr = {}
           @addr2name = {}
-          open(@filename) {|f|
+          File.open(@filename) {|f|
             f.each {|line|
               line.sub!(/#.*/, '')
               addr, hostname, *aliases = line.split(/\s+/)