bundler-audit 0.5.0 → 0.6.0

data/data/ruby-advisory-db/gems/activerecord/CVE-2015-7577.yml

@@ -5,103 +5,103 @@ cve: 2015-7577
 date: 2016-01-25
 url: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g
 
-title: Nested attributes rejection proc bypass in Active Record 
+title: Nested attributes rejection proc bypass in Active Record
 
 description: |
-  There is a vulnerability in how the nested attributes feature in Active Record 
-  handles updates in combination with destroy flags when destroying records is 
-  disabled. This vulnerability has been assigned the CVE identifier CVE-2015-7577. 
-
-  Versions Affected:  3.1.0 and newer 
-  Not affected:       3.0.x and older 
-  Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 
-
-  Impact 
-  ------ 
-  When using the nested attributes feature in Active Record you can prevent the 
-  destruction of associated records by passing the `allow_destroy: false` option 
-  to the `accepts_nested_attributes_for` method. However due to a change in the 
-  commit [a9b4b5d][1] the `_destroy` flag prevents the `:reject_if` proc from 
-  being called because it assumes that the record will be destroyed anyway. 
-
-  However this isn't true if `:allow_destroy` is false so this leads to changes 
-  that would have been rejected being applied to the record. Attackers could use 
-  this do things like set attributes to invalid values and to clear all of the 
-  attributes amongst other things. The severity will be dependent on how the 
-  application has used this feature. 
-
-  All users running an affected release should either upgrade or use one of 
-  the workarounds immediately. 
-
-  Releases 
-  -------- 
-  The FIXED releases are available at the normal locations. 
-
-  Workarounds 
-  ----------- 
-  If you can't upgrade, please use the following monkey patch in an initializer 
-  that is loaded before your application: 
-
-  ``` 
-  $ cat config/initializers/nested_attributes_bypass_fix.rb 
-  module ActiveRecord 
-    module NestedAttributes 
-      private 
-
-      def reject_new_record?(association_name, attributes) 
-        will_be_destroyed?(association_name, attributes) || call_reject_if(association_name, attributes) 
-      end 
-
-      def call_reject_if(association_name, attributes) 
-        return false if will_be_destroyed?(association_name, attributes) 
-
-        case callback = self.nested_attributes_options[association_name][:reject_if] 
-        when Symbol 
-          method(callback).arity == 0 ? send(callback) : send(callback, attributes) 
-        when Proc 
-          callback.call(attributes) 
-        end 
-      end 
-
-      def will_be_destroyed?(association_name, attributes) 
-        allow_destroy?(association_name) && has_destroy_flag?(attributes) 
-      end 
-
-      def allow_destroy?(association_name) 
-        self.nested_attributes_options[association_name][:allow_destroy] 
-      end 
-    end 
-  end 
-  ``` 
-
-  Patches 
-  ------- 
-  To aid users who aren't able to upgrade immediately we have provided patches for 
-  the two supported release series. They are in git-am format and consist of a 
-  single changeset. 
-
-  * 3-2-nested-attributes-reject-if-bypass.patch - Patch for 3.2 series 
-  * 4-1-nested-attributes-reject-if-bypass.patch - Patch for 4.1 series 
-  * 4-2-nested-attributes-reject-if-bypass.patch - Patch for 4.2 series 
-  * 5-0-nested-attributes-reject-if-bypass.patch - Patch for 5.0 series 
-
-  Please note that only the 4.1.x and 4.2.x series are supported at present. Users 
-  of earlier unsupported releases are advised to upgrade as soon as possible as we 
-  cannot guarantee the continued availability of security fixes for unsupported 
-  releases. 
-
-  Credits 
-  ------- 
-  Thank you to Justin Coyne for reporting the problem and working with us to fix it. 
-
-  [1]: https://github.com/rails/rails/commit/a9b4b5da7c216e4464eeb9dbd0a39ea258d64325 
+  There is a vulnerability in how the nested attributes feature in Active Record
+  handles updates in combination with destroy flags when destroying records is
+  disabled. This vulnerability has been assigned the CVE identifier CVE-2015-7577.
+
+  Versions Affected:  3.1.0 and newer
+  Not affected:       3.0.x and older
+  Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
+
+  Impact
+  ------
+  When using the nested attributes feature in Active Record you can prevent the
+  destruction of associated records by passing the `allow_destroy: false` option
+  to the `accepts_nested_attributes_for` method. However due to a change in the
+  commit [a9b4b5d][1] the `_destroy` flag prevents the `:reject_if` proc from
+  being called because it assumes that the record will be destroyed anyway.
+
+  However this isn't true if `:allow_destroy` is false so this leads to changes
+  that would have been rejected being applied to the record. Attackers could use
+  this do things like set attributes to invalid values and to clear all of the
+  attributes amongst other things. The severity will be dependent on how the
+  application has used this feature.
+
+  All users running an affected release should either upgrade or use one of
+  the workarounds immediately.
+
+  Releases
+  --------
+  The FIXED releases are available at the normal locations.
+
+  Workarounds
+  -----------
+  If you can't upgrade, please use the following monkey patch in an initializer
+  that is loaded before your application:
+
+  ```
+  $ cat config/initializers/nested_attributes_bypass_fix.rb
+  module ActiveRecord
+    module NestedAttributes
+      private
+
+      def reject_new_record?(association_name, attributes)
+        will_be_destroyed?(association_name, attributes) || call_reject_if(association_name, attributes)
+      end
+
+      def call_reject_if(association_name, attributes)
+        return false if will_be_destroyed?(association_name, attributes)
+
+        case callback = self.nested_attributes_options[association_name][:reject_if]
+        when Symbol
+          method(callback).arity == 0 ? send(callback) : send(callback, attributes)
+        when Proc
+          callback.call(attributes)
+        end
+      end
+
+      def will_be_destroyed?(association_name, attributes)
+        allow_destroy?(association_name) && has_destroy_flag?(attributes)
+      end
+
+      def allow_destroy?(association_name)
+        self.nested_attributes_options[association_name][:allow_destroy]
+      end
+    end
+  end
+  ```
+
+  Patches
+  -------
+  To aid users who aren't able to upgrade immediately we have provided patches for
+  the two supported release series. They are in git-am format and consist of a
+  single changeset.
+
+  * 3-2-nested-attributes-reject-if-bypass.patch - Patch for 3.2 series
+  * 4-1-nested-attributes-reject-if-bypass.patch - Patch for 4.1 series
+  * 4-2-nested-attributes-reject-if-bypass.patch - Patch for 4.2 series
+  * 5-0-nested-attributes-reject-if-bypass.patch - Patch for 5.0 series
+
+  Please note that only the 4.1.x and 4.2.x series are supported at present. Users
+  of earlier unsupported releases are advised to upgrade as soon as possible as we
+  cannot guarantee the continued availability of security fixes for unsupported
+  releases.
+
+  Credits
+  -------
+  Thank you to Justin Coyne for reporting the problem and working with us to fix it.
+
+  [1]: https://github.com/rails/rails/commit/a9b4b5da7c216e4464eeb9dbd0a39ea258d64325
 
 unaffected_versions:
   - "~> 3.0.0"
   - "< 3.0.0"
 
 patched_versions:
-  - "~> 5.0.0.beta1.1"
-  - "~> 4.2.5.1" 
-  - "~> 4.1.14.1"
+  - ">= 5.0.0.beta1.1"
+  - "~> 4.2.5, >= 4.2.5.1"
+  - "~> 4.1.14, >= 4.1.14.1"
   - "~> 3.2.22.1"

data/data/ruby-advisory-db/gems/activerecord/CVE-2016-6317.yml

@@ -0,0 +1,73 @@
+---
+gem: activerecord
+framework: rails
+cve: 2016-6317
+date: 2016-08-11
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s
+
+title: Unsafe Query Generation Risk in Active Record
+
+description: |
+  There is a vulnerability when Active Record is used in conjunction with JSON
+  parameter parsing. This vulnerability is similar to CVE-2012-2660,
+  CVE-2012-2694 and CVE-2013-0155.
+
+  Impact
+  ------
+
+  Due to the way Active Record interprets parameters in combination with the way
+  that JSON parameters are parsed, it is possible for an attacker to issue
+  unexpected database queries with "IS NULL" or empty where clauses.  This issue
+  does *not* let an attacker insert arbitrary values into an SQL query, however
+  they can cause the query to check for NULL or eliminate a WHERE clause when
+  most users wouldn't expect it.
+
+  For example, a system has password reset with token functionality:
+
+  ```ruby
+      unless params[:token].nil?
+        user = User.find_by_token(params[:token])
+        user.reset_password!
+      end
+  ```
+
+  An attacker can craft a request such that `params[:token]` will return
+  `[nil]`.  The `[nil]` value will bypass the test for nil, but will still add
+  an "IN ('xyz', NULL)" clause to the SQL query.
+
+  Similarly, an attacker can craft a request such that `params[:token]` will
+  return an empty hash.  An empty hash will eliminate the WHERE clause of the
+  query, but can bypass the `nil?` check.
+
+  Note that this impacts not only dynamic finders (`find_by_*`) but also
+  relations (`User.where(:name => params[:name])`).
+
+  All users running an affected release should either upgrade or use one of the
+  work arounds immediately. All users running an affected release should upgrade
+  immediately. Please note, this vulnerability is a variant of CVE-2012-2660,
+  CVE-2012-2694, and CVE-2013-0155.  Even if you upgraded to address those
+  issues, you must take action again.
+
+  If this chance in behavior impacts your application, you can manually decode
+  the original values from the request like so:
+
+      `ActiveSupport::JSON.decode(request.body)`
+
+  Workarounds
+  -----------
+  This problem can be mitigated by casting the parameter to a string before
+  passing it to Active Record.  For example:
+
+    ```ruby
+      unless params[:token].nil? || params[:token].to_s.empty?
+        user = User.find_by_token(params[:token].to_s)
+        user.reset_password!
+      end
+    ```
+
+unaffected_versions:
+  - "< 4.2.0"
+  - ">= 5.0.0"
+
+patched_versions:
+  - ">= 4.2.7.1"

data/data/ruby-advisory-db/gems/administrate/CVE-2016-3098.yml

@@ -0,0 +1,14 @@
+---
+gem: administrate
+cve: 2016-3098
+title: Cross-site request forgery (CSRF) vulnerability in administrate gem
+date: 2016-04-01
+url: http://seclists.org/oss-sec/2016/q2/0
+
+description: >-
+  `Administrate::ApplicationController` actions didn't have CSRF
+  protection. Remote attackers can hijack user's sessions and use any
+  functionality that administrate exposes on their behalf.
+
+patched_versions:
+  - ">= 0.1.5"

data/data/ruby-advisory-db/gems/aescrypt/CVE-2013-7463.yml

@@ -0,0 +1,10 @@
+---
+gem: aescrypt
+cve: 2013-7463
+date: 2013-10-01
+url: https://github.com/Gurpartap/aescrypt/issues/4
+title: Vulnerability in aescrypt because IV is not randomized
+description: |
+  The aescrypt gem 1.0.0 for Ruby does not randomize the CBC IV for use with the
+  AESCrypt.encrypt and AESCrypt.decrypt functions, which allows attackers to
+  defeat cryptographic protection mechanisms via a chosen plaintext attack.

data/data/ruby-advisory-db/gems/archive-tar-minitar/CVE-2016-10173.yml

@@ -0,0 +1,16 @@
+---
+gem: archive-tar-minitar
+cve: 2016-10173
+url: https://github.com/atoulme/minitar/issues/5
+title: Archive-Tar-Minitar Directory Traversal Vulnerability
+date: 2016-08-22
+description: |
+  Minitar allows attackers to overwrite arbitrary files during archive
+  extraction via a .. (dot dot) in an extracted filename. Analogous
+  vulnerabilities for unzip and tar:
+  https://www.cvedetails.com/cve/CVE-2001-1268/ and
+  http://www.cvedetails.com/cve/CVE-2001-1267/
+
+  Credit: ecneladis
+patched_versions:
+  - ">= 0.6.1"

data/data/ruby-advisory-db/gems/colorscore/CVE-2015-7541.yml

@@ -17,4 +17,5 @@ description: |
   To resolve this issue, the aforementioned variables (especially `image_path`)
   must be sanitized for shell metacharacters.
 
-  Currently, no fix for this issue exists.
+patched_versions: 
+  - '>= 0.0.5'

data/data/ruby-advisory-db/gems/doorkeeper/CVE-2016-6582.yml

@@ -0,0 +1,43 @@
+---
+gem: doorkeeper
+cve: 2016-6582
+date: 2016-08-18
+url: "http://www.openwall.com/lists/oss-security/2016/08/19/2"
+
+title: Doorkeeper gem does not revoke tokens & uses wrong auth/auth method
+
+description: |
+  Doorkeeper failed to implement OAuth 2.0 Token Revocation (RFC 7009) in the
+  following ways:
+
+  1. Public clients making valid, unauthenticated calls to revoke a token
+     would not have their token revoked
+  2. Requests were not properly authenticating the *client credentials* but
+     were, instead, looking at the access token in a second location
+  3. Because of 2, the requests were also not authorizing confidential
+     clients' ability to revoke a given token. It should only revoke tokens
+     that belong to it.
+
+  The security implication is: OAuth 2.0 clients who "log out" a user expect
+  to have the corresponding access & refresh tokens revoked, preventing an
+  attacker who may have already hijacked the session from continuing to
+  impersonate the victim. Because of the bug described above, this is not the
+  case. As far as OWASP is concerned, this counts as broken authentication
+  design.
+
+  MITRE has assigned CVE-2016-6582 due to the security issues raised. An
+  attacker, thanks to 1, can replay a hijacked session after a victim logs
+  out/revokes their token. Additionally, thanks to 2 & 3, an attacker via a
+  compromised confidential client could "grief" other clients by revoking
+  their tokens (albeit this is an exceptionally narrow attack with little
+  value).
+
+unaffected_versions:
+  - "< 1.2.0"
+
+patched_versions:
+  - ">= 4.2.0"
+
+related:
+  url:
+    - https://github.com/doorkeeper-gem/doorkeeper/commit/fb938051777a3c9cb071e96fc66458f8f615bd53

data/data/ruby-advisory-db/gems/espeak-ruby/CVE-2016-10193.yml

@@ -0,0 +1,15 @@
+cve: 2016-10193
+gem: espeak-ruby
+url: https://github.com/dejan/espeak-ruby/issues/7
+title: espeak-ruby Gem for Ruby Arbitrary Command Execution
+date: 2016-04-13
+
+description: |
+  espeak-ruby passes user modifiable strings directly to a shell
+  command. An attacker can execute malicious commands by modifying
+  the strings that are passed as arguments to the speak, save, bytes
+  and bytes_wav methods in the lib/espeak/speech.rb library.
+
+patched_versions:
+  - '>= 1.0.3'
+

data/data/ruby-advisory-db/gems/festivaltts4r/CVE-2016-10194.yml

@@ -0,0 +1,12 @@
+cve: 2016-10194
+gem: festivaltts4r
+url: https://github.com/spejman/festivaltts4r/issues/1
+title: festivaltts4r Gem for Ruby Arbitrary Command Execution
+date: 2016-04-23
+
+description: |
+  festivaltts4r passes user modifiable strings directly to a shell
+  command. An attacker can execute malicious commands by modifying
+  the strings that are passed as arguments to the to_speech and
+  and to_mp3 methods in lib/festivaltts4r/festival4r.rb library.
+

data/data/ruby-advisory-db/gems/git-fastclone/CVE-2015-8968.yml

@@ -0,0 +1,21 @@
+---
+gem: git-fastclone
+cve: 2015-8968
+url: https://hackerone.com/reports/104465
+title: git-fastclone permits arbitrary shell command execution from .gitmodules
+date: 2015-12-11
+description: |
+  Git allows executing arbitrary shell commands using git-remote-ext via a
+  remote URLs. Normally git never requests URLs that the user doesn't
+  specifically request, so this is not a serious security concern. However,
+  submodules did allow the remote repository to specify what URL to clone
+  from.
+
+  If an attacker can instruct a user to run a recursive clone from a
+  repository they control, they can get a client to run an arbitrary shell
+  command. Alternately, if an attacker can MITM an unencrypted git clone,
+  they could exploit this. The ext command will be run if the repository is
+  recursively cloned or if submodules are updated. This attack works when
+  cloning both local and remote repositories.
+patched_versions:
+  - ">= 1.0.1"

data/data/ruby-advisory-db/gems/git-fastclone/CVE-2015-8969.yml

@@ -0,0 +1,13 @@
+---
+gem: git-fastclone
+cve: 2015-8969
+url: https://hackerone.com/reports/105190
+title: git-fastclone Shell Metacharacter Injection Arbitrary Command Execution
+date: 2015-12-15
+description: |
+  git-fastclone before 1.0.5 passes user modifiable strings directly to a shell
+  command. An attacker can execute malicious commands by modifying the strings
+  that are passed as arguments to "cd " and "git clone " commands in the
+  library.
+patched_versions:
+  - ">= 1.0.5"

data/data/ruby-advisory-db/gems/mail/OSVDB-131677.yml

@@ -1,19 +1,26 @@
 ---
 gem: mail
+cve: 2015-9097
 osvdb: 131677
-url: http://www.mbsd.jp/Whitepaper/smtpi.pdf
-title: Mail Gem for Ruby vulnerable to SMTP Injection via recipient email addresses
+url: https://hackerone.com/reports/137631
+title: SMTP command injection
 date: 2015-12-09
 description: |
-  Because the Mail Gem for Ruby does not validate or impose a length limit on
-  email address fields, an attacker can modify messages sent with the gem via a
-  specially-crafted recipient email address.
+  Because Mail does not disallow CRLF in email addresses, an attacker can
+  inject SMTP commands in specially crafted email addresses passed to
+  RCPT TO and MAIL FROM.
 
-  Applications that validate email address format are not affected by this
-  vulnerability.
+  Not affected by this vulnerability:
+    * Ruby 2.4.0+ with a fix for CVE-2015-9096.
+    * Applications that do not use SMTP delivery.
+    * Applications that validate email addresses to not include CRLF.
 
-  The recipient attack is described in Terada, Takeshi. "SMTP Injection via
-  Recipient Email Addresses." 2015. The attacks described in the paper (Terada,
-  p. 4) can be applied to the library without any modification.
+  The injection attack is described in Terada, Takeshi. "SMTP Injection via
+  Recipient Email Addresses." 2015. The attacks described in the paper
+  (Terada, p. 4) can be applied to the library without any modification.
 patched_versions:
-- ">= 2.6.0"
+- ">= 2.5.5"
+related:
+  url:
+    - http://www.mbsd.jp/Whitepaper/smtpi.pdf
+    - https://github.com/mikel/mail/pull/1097