Closed: milda-a closed this 2 months ago
Thanks for raising this; however, I think this is a non-issue for this project from what I can see.

The packaging task in this repo deletes the rdoc gem contents; the only remainder is the gemspec. Looking at the affected code references on the GH advisory, they relate to a lib/rdoc/store.rb which isn't present in the linux arm64 or macos arm64 source I've looked at.

As discussed on Slack, I'll close this down for now as we need to remove the gemspec part that's flagging the vuln, but in the future it might be handy to clean up the gemspec along with removing any unneeded libs on Traveling Ruby 👍
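The following is an added check written for this thread, not code from the project or either participant. It separates the situation described above (an rdoc gemspec left behind after the gem contents were deleted) from a real rdoc install by looking for lib/rdoc/store.rb, the file the advisory references, and prunes gemspecs whose gem directory is gone. It assumes the standard RubyGems layout of gems/ and specifications/ under the install root; the fixture paths and gem names are constructed.

```shell
#!/bin/sh
# Classify how an installed rdoc gem looks to a scanner, given a GEM_HOME-style
# root (assumption: standard RubyGems layout with gems/ and specifications/).
#   clean        - no rdoc gemspec at all
#   gemspec-only - gemspec present but gem contents (lib/rdoc/store.rb) gone;
#                  the orphaned-metadata case the thread describes
#   installed    - gemspec and lib/rdoc/store.rb both present
rdoc_exposure_status() {
  root="$1"
  status="clean"
  for spec in "$root"/specifications/rdoc-*.gemspec; do
    [ -e "$spec" ] || continue              # unmatched glob stays literal
    name=$(basename "$spec" .gemspec)       # e.g. rdoc-6.5.0
    if [ -f "$root/gems/$name/lib/rdoc/store.rb" ]; then
      status="installed"
      break
    fi
    status="gemspec-only"
  done
  printf '%s\n' "$status"
}

# Remove gemspecs whose gem directory no longer exists, so version matching
# on metadata for code that is not shipped stops firing. Prints each removal.
prune_orphaned_gemspecs() {
  root="$1"
  for spec in "$root"/specifications/*.gemspec; do
    [ -e "$spec" ] || continue
    name=$(basename "$spec" .gemspec)
    if [ ! -d "$root/gems/$name" ]; then
      rm -f "$spec"
      printf 'removed %s\n' "$spec"
    fi
  done
}

# Constructed fixture mirroring the thread: the rdoc gem directory has been
# deleted but rdoc-6.5.0.gemspec is still there; json is a normal full install.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/specifications" "$dir/gems/json-2.7.1/lib"
  : > "$dir/specifications/rdoc-6.5.0.gemspec"   # orphaned metadata
  : > "$dir/specifications/json-2.7.1.gemspec"   # contents still present
  printf '%s\n' "$dir"
}

if [ "${1:-}" = "--demo" ]; then
  root=$(make_fixture)
  echo "before: $(rdoc_exposure_status "$root")"   # gemspec-only
  prune_orphaned_gemspecs "$root"
  echo "after:  $(rdoc_exposure_status "$root")"   # clean
fi
```

Run with `--demo` to see the fixture walk through both states; point `rdoc_exposure_status` at the real install root to classify an actual scanner finding.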
Expected behaviour
No critical vulnerabilities raised when installing pact standalone. This blocks us from publishing new images internally with pact standalone installations.
Actual behaviour
A critical vulnerability raised for rdoc v6.5.0.
Fixes in versions 6.3.4.1, 6.4.1.1, 6.5.1.1, 6.6.3.1.
See fixes in official ruby docs: https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/
Steps to reproduce
Installing pact standalone and running it through a security check.