heapsource / active_model_otp

Adds methods to set and authenticate against one time passwords (Two-Factor Authentication). Inspired in AM::SecurePassword
MIT License
773 stars 81 forks

Allow rotp update to 6.3.0 to fix CVE-2024-28862 #126

Closed jean-francois-labbe closed 7 months ago

jean-francois-labbe commented 7 months ago

There is a CVE reported on rotp 6.2.1 and 6.2.2. The fix is to update rotp to >= 6.3.0.

The current gemspec prevents the update:

  spec.add_dependency "rotp", "~> 6.2.0"

ruby-advisory-db:
  advisories:   882 advisories
  last updated: 2024-03-18 19:03:51 -0700
  commit:   35ca69bb256418b4cec81327e659ed6c0257d25b
Name: rotp
Version: 6.2.2
CVE: CVE-2024-28862
GHSA: GHSA-x2h8-qmj4-g62f
Criticality: Medium
URL: https://github.com/mdp/rotp/security/advisories/GHSA-x2h8-qmj4-g62f
Title: ROTP 6.2.2 and 6.2.1 has 0666 permissions for the .rb files.
Solution: upgrade to '>= 6.3.0'

jean-francois-labbe commented 7 months ago

There is already a PR here https://github.com/heapsource/active_model_otp/pull/118

spickermann commented 7 months ago

@jean-francois-labbe Thank you for fixing this security issue.

I noticed that the latest release (2.3.2 from April 26, 2023) still depends on rotp ~> 6.2.0 (see: Rubygems and the diff between main and the 2.3.2 tag).

Would you be able to create a new release with the rotp update?

jean-francois-labbe commented 7 months ago

@spickermann thanks for the message but I'm not a maintainer on this project. I can't do anything for you.

Right now I updated my gemfile to reference the commit that fixes the rotp dependency.

  # fix CVE-2024-28862, waiting for a new release
  gem "active_model_otp", github: "heapsource/active_model_otp", ref: "3a4db76f59aaecd133654be4ae43184d2d67bb2b"

spickermann commented 7 months ago

@jean-francois-labbe I am sorry that I mistook you for one of the maintainers.

@guilleiguaran, @bithavoc, @robertomiranda Would one of you be able to release a new version fixing this security vulnerability on Rubygems?

jeffbax commented 7 months ago

> @spickermann thanks for the message but I'm not a maintainer on this project. I can't do anything for you.
>
> Right now I updated my gemfile to reference the commit that fixes the rotp dependency.
>
>   # fix CVE-2024-28862, waiting for a new release
>   gem "active_model_otp", github: "heapsource/active_model_otp", ref: "3a4db76f59aaecd133654be4ae43184d2d67bb2b"

Ultimately did the same thing for us as well at the moment. A little curious that they are not letting this dependency be a little less rigid by fixing this gem to a patch version in this framework.
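
The point raised in this thread, as an added example that is not part of the active_model_otp project: RubyGems' own `Gem::Requirement` shows why `~> 6.2.0` (which means `>= 6.2.0, < 6.3.0`) can never resolve to the patched rotp 6.3.0, while `~> 6.2` can. The release list is constructed for the example; a real check would use the versions published on the gem server.

```ruby
# Added example (not project code): can a gemspec dependency constraint still
# reach a release that fixes an advisory? Uses only RubyGems' Gem::Requirement
# and Gem::Version, which ship with Ruby.
require "rubygems"

# Advisory data as reported in this thread (see the bundler-audit output above).
ROTP_ADVISORY = {
  name: "rotp",
  cve: "CVE-2024-28862",
  vulnerable: ["6.2.1", "6.2.2"],
  fixed: ">= 6.3.0",
}.freeze

# Constructed list of rotp releases around the advisory.
CANDIDATES = %w[6.2.0 6.2.1 6.2.2 6.3.0].freeze

# True if `constraint` (a gemspec requirement string) admits `version`.
def admits?(constraint, version)
  Gem::Requirement.new(constraint).satisfied_by?(Gem::Version.new(version))
end

# Evaluate a gemspec constraint against an advisory. Returns a hash with
#   :admits_vulnerable -> vulnerable versions the constraint still allows
#   :admits_fixed      -> whether any candidate satisfying the fixed range is reachable
def assess(constraint, advisory, candidates)
  fixed_req = Gem::Requirement.new(advisory[:fixed])
  reachable = candidates.select { |v| admits?(constraint, v) }
  {
    admits_vulnerable: reachable & advisory[:vulnerable],
    admits_fixed: reachable.any? { |v| fixed_req.satisfied_by?(Gem::Version.new(v)) },
  }
end

if __FILE__ == $PROGRAM_NAME
  # "~> 6.2.0" is >= 6.2.0, < 6.3.0: the patched release is unreachable.
  p assess("~> 6.2.0", ROTP_ADVISORY, CANDIDATES)
  # "~> 6.2" is >= 6.2, < 7.0: Bundler can resolve to 6.3.0.
  p assess("~> 6.2", ROTP_ADVISORY, CANDIDATES)
end
```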