Sync with GitHub Security Advisories

reedloden · reedloden · commit a0dc335f67ad · 2022-09-21T23:31:23.000-07:00
* Add CVE-2022-39224 for arr-pm * Add GHSA-4qw4-jpp4-8gvp for commonmarker * Update CVSSv3 for CVE-2022-27777 in actionview
diff --git a/gems/actionview/CVE-2022-27777.yml b/gems/actionview/CVE-2022-27777.yml
@@ -39,6 +39,7 @@ description: |
   ## Workarounds
 
   Escape the untrusted data before using it as a key for tag helper methods.
+cvss_v3: 6.1
 patched_versions:
 - "~> 5.2.7, >= 5.2.7.1"
 - "~> 6.0.4, >= 6.0.4.8"
diff --git a/gems/arr-pm/CVE-2022-39224.yml b/gems/arr-pm/CVE-2022-39224.yml
@@ -0,0 +1,47 @@
+---
+gem: arr-pm
+cve: 2022-39224
+ghsa: 88cv-mj24-8w3q
+url: https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q
+title: arr-pm vulnerable to arbitrary shell execution when extracting or listing files contained in a malicious rpm
+date: 2022-09-21
+description: |+
+  ### Impact
+
+  Arbitrary shell execution is possible when using RPM::File#files and
+  RPM::File#extract if the RPM contains a malicious "payload compressor" field.
+
+  This vulnerability impacts the `extract` and `files` methods of the
+  `RPM::File` class in the affected versions of this library.
+
+  ### Patches
+
+  Version 0.0.12 is available with a fix for these issues.
+
+  ### Workarounds
+
+  When using an affected version of this library (arr-pm), ensure any RPMs
+  being processed contain valid/known payload compressor values. Such values
+  include: gzip, bzip2, xz, zstd, and lzma.
+
+  You can check the payload compressor field in an rpm by using the rpm command
+  line tool. For example:
+
+  ```
+  % rpm -qp example-1.0-1.x86_64.rpm --qf "%{PAYLOADCOMPRESSOR}\n"
+  gzip
+  ```
+
+  ### Impact on known dependent projects
+
+  This library is used by [fpm](https://github.com/jordansissel/fpm). The
+  vulnerability may impact fpm only when using the flag `-s rpm` or
+  `--input-type rpm` to convert a malicious rpm to another format. It does
+  not impact creating rpms.
+cvss_v3: 7.0
+patched_versions:
+- ">= 0.0.12"
+related:
+  url:
+  - https://github.com/jordansissel/ruby-arr-pm/pull/14
+  - https://github.com/jordansissel/ruby-arr-pm/pull/15
diff --git a/gems/commonmarker/GHSA-4qw4-jpp4-8gvp.yml b/gems/commonmarker/GHSA-4qw4-jpp4-8gvp.yml
@@ -0,0 +1,34 @@
+---
+gem: commonmarker
+ghsa: 4qw4-jpp4-8gvp
+url: https://github.com/gjtorikian/commonmarker/security/advisories/GHSA-4qw4-jpp4-8gvp
+title: Unbounded resource exhaustion in cmark-gfm autolink extension may lead to denial of service
+date: 2022-09-21
+description: |
+  ### Impact
+
+  CommonMarker uses `cmark-gfm` for rendering [Github Flavored
+  Markdown](https://github.github.com/gfm/). A polynomial time complexity issue
+  in cmark-gfm's autolink extension may lead to unbounded resource exhaustion
+  and subsequent denial of service.
+
+  ### Patches
+
+  This vulnerability has been patched in the following CommonMarker release:
+
+  - v0.23.6
+
+  ### Workarounds
+
+  Disable use of the autolink extension.
+
+  ### References
+  https://en.wikipedia.org/wiki/Time_complexity
+patched_versions:
+- ">= 0.23.6"
+related:
+  url:
+  - https://github.com/gjtorikian/commonmarker/pull/190
+  - https://github.com/gjtorikian/commonmarker/releases/tag/v0.23.6
+  ghsa:
+  - cgh3-p57x-9q7q
