[Draft] Ruby vulnerability roundup 001

[primeos]

Vulnerable packages (more details)

• [ ] mikutter
• [ ] ppl-address-book
• [ ] ledger-web
• [ ] redmine
• [ ] redmine_4
• [ ] ptask
• [ ] pt
• [ ] taskjuggler
• [ ] frab
• [ ] riemann-dash
• [ ] sensu
• [ ] ejson
• [ ] chefdk
• [ ] rhc
• [ ] sass
• [ ] sassc
• [ ] compass
• [ ] redis-dump
• [ ] lolcat
• [ ] mpdcron
• [ ] fpm
• [ ] bcat
• [ ] metasploit
• [ ] r10k
• [ ] applications/version-management/gitlab/rubyEnv-ee
• [ ] applications/version-management/gitlab/rubyEnv-ce
• [ ] applications/misc/taskjuggler/3.x

Log output

https://gist.githubusercontent.com/primeos/9eb81de24a1d09230566f74fd476b787/raw/bf84f134e9c1bde9e7ad6b10f01d20af9c6e5f8e/log.txt

Can be searched by the path to the Gemfile.lock in nixpkgs, e.g.:

Gemfile: ./pkgs/applications/networking/instant-messengers/mikutter/Gemfile.lock

TODO

This is only a draft by running something as simple as the following script inside a nixpkgs checkout:

#!/usr/bin/env nix-shell
#!nix-shell -i bash -p bundler-audit

set -o errexit
set -o nounset

bundler-audit update

GEMFILES="$(find -name Gemfile.lock)"

#rm -f /tmp/gemfile-paths.txt

for GEMFILE in $GEMFILES; do
  pushd "$(dirname $GEMFILE)" > /dev/null
  echo "Gemfile: $GEMFILE"
  bundler-audit check || echo "$PWD" >> /tmp/gemfile-paths.txt
  popd > /dev/null
done

It might be a good idea to automate this and cc the maintainers (after some testing and maybe with a better output) but I do not have much time for this at the moment. Maybe someone else is interested and has time?

Feedback is welcome.

[aanderse]

The redmine packages were patched against this. A big :+1: for automatically alerting package maintainers if anyone is able to find the time to finish what @primeos has started.

@manveru Didn't I notice a bunch of ruby related PRs from you recently? Off the top of your head do you know if any of these vulnerabilities have been patched?

[manveru]

I haven't checked for vulnerabilities, only reran bundle lock to fetch the latest valid dependencies. So it might've fixed some of those, but I'll have to check manually. I can probably give it some time tonight.

[manveru]

Will track my progress here:

• [ ] applications/misc/taskjuggler/3.x
• [ ] applications/version-management/gitlab/rubyEnv-ce
• [ ] applications/version-management/gitlab/rubyEnv-ee
• [x] bcat: https://github.com/NixOS/nixpkgs/pull/60855
• [ ] chefdk
• [x] compass: https://github.com/NixOS/nixpkgs/pull/60505
• [x] ejson: https://github.com/NixOS/nixpkgs/pull/60811
• [x] fpm: https://github.com/NixOS/nixpkgs/pull/60809
• [ ] frab: https://github.com/NixOS/nixpkgs/pull/59142
• [x] ledger-web: https://github.com/NixOS/nixpkgs/pull/60509
• [x] lolcat: https://github.com/NixOS/nixpkgs/pull/60854
• [ ] metasploit: https://github.com/NixOS/nixpkgs/pull/54405
• [x] mikutter: https://github.com/NixOS/nixpkgs/pull/60808
• [x] mpdcron: https://github.com/NixOS/nixpkgs/pull/60865
• [x] ppl-address-book: https://github.com/NixOS/nixpkgs/pull/60795
• [x] pt: https://github.com/NixOS/nixpkgs/pull/60503
• [x] r10k: https://github.com/NixOS/nixpkgs/pull/60873
• [x] redis-dump: https://github.com/NixOS/nixpkgs/pull/60876
• [x] redmine
• [x] redmine_4
• [x] riemann-dash: https://github.com/NixOS/nixpkgs/pull/60866
• [x] sass: https://github.com/NixOS/nixpkgs/pull/60856
• [x] sensu: https://github.com/NixOS/nixpkgs/pull/60514
• [x] taskjuggler: https://github.com/NixOS/nixpkgs/pull/60867

These packages have some issues I can't resolve:

• [ ] ptask: this is not a Ruby app or in the security logs
• [ ] rhc: not in nixpkgs
• [ ] sassc: not ruby

[FliegendeWurst]

• [x] chefdk: #222412

That was the only remaining package on the list.

I have rerun the script and opened #351833