Add Ruby CVE 2018-16396 (#360) (#361)

https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/

Author: transoceanic2000

rubies/ruby/CVE-2018-16396.yml

@@ -0,0 +1,25 @@
+---
+engine: ruby
+cve: 2018-16396
+url: https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/
+title: Tainted flags not always propogated in Array#pack and String#unpack
+date: 2018-10-17
+description: |
+  In `Array#pack` and `String#unpack` with some formats, the tainted flags of
+  the original data are not propagated to the returned string/array.
+
+  `Array#pack` method converts the receiver’s contents into a string with
+  specified format. If the receiver contains some tainted objects, the
+  returned string also should be tainted. `String#unpack` method which
+  converts the receiver into an array also should propagate its tainted flag
+  to the objects contained in the returned array. But, with `B`, `b`, `H` and
+  `h` directives, the tainted flags are not propagated. So, if a script
+  processes unreliable inputs by `Array#pack` and/or `String#unpack` with these
+  directives and checks the reliability with tainted flags, the check might be
+  wrong.
+
+  All users running an affected release should upgrade immediately.
+patched_versions:
+  - "~> 2.3.8"
+  - "~> 2.4.5"
+  - "~> 2.5.2"