Bug #21667: CVE-2024-12224

Added by mcandre (Andrew Pennebaker) 3 days ago. Updated 1 day ago.

Status:
Closed
Assignee:
-
Target version:
-
[ruby-core:123675]

Description

ruby-build triggers a Wiz finding for CVE-2024-12224 on the leftover build files when compiling Ruby from source.

Updated by alanwu (Alan Wu) 2 days ago #1 [ruby-core:123699]

  • Status changed from Open to Feedback

What version of ruby were you building? Does Wiz point to some file that this is about?

Updated by mcandre (Andrew Pennebaker) 1 day ago #2 [ruby-core:123704]

Wiz reports a servo/rust-url package. Curious if Ruby is using this package strictly at the point in time when the Ruby language is being compiled, possibly even an integration test suite. Or perhaps servo ends up as a portion of the Ruby standard library.

Updated by alanwu (Alan Wu) 1 day ago #3 [ruby-core:123709]

  • Status changed from Feedback to Closed

https://rustsec.org/advisories/RUSTSEC-2024-0421.html

This seems to be from MMTk depending on the idna crate. MMTk is experimental and requires a separate build step, so ruby-build probably doesn't even build it.

In any case, we have already upgraded past the vulnerable version in d8774ec98fb.
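
The triage step described in this comment (working out which component pulls the flagged idna crate into a Rust build) can be done from the lockfile. The script below is an added example, not code from the Ruby, MMTk or ruby-build projects: it parses a Cargo.lock and returns every dependency chain ending at a given crate, so a scanner hit can be mapped to the build step that introduces it. The lockfile excerpt, its versions and its dependency edges are constructed for illustration.

```python
# Constructed Cargo.lock excerpt: crate names follow the thread (idna ships in
# servo/rust-url); versions and dependency edges are made up for illustration.
CARGO_LOCK = """\
[[package]]
name = "idna"
version = "0.1.0-sample"
[[package]]
name = "url"
version = "0.2.0-sample"
dependencies = [
 "idna",
]
[[package]]
name = "mmtk"
version = "0.3.0-sample"
dependencies = [
 "url",
]
"""

def parse_cargo_lock(text):
    """Crate name -> {"version", "deps"}; handles only the TOML subset Cargo writes."""
    packages, cur, in_deps = {}, {"deps": []}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("name = "):          # first key of each [[package]] block
            cur = packages[line[8:-1]] = {"deps": []}
        elif line.startswith("version = "):     # a header 'version = N' lands in the dummy dict
            cur["version"] = line[11:-1]
        elif line.startswith("dependencies = ["):
            in_deps = True
        elif in_deps and line.startswith('"'):
            cur["deps"].append(line.strip('",').split()[0])  # '"name 1.0 (src)",' -> name
        elif line == "]":
            in_deps = False
    return packages

def dependency_chains(packages, target):
    """Every chain from a crate nothing depends on down to `target`, as (name, version) pairs."""
    rev = {n: [m for m, p in packages.items() if n in p["deps"]] for n in packages}
    chains = []
    def walk(path):                             # path runs upward from target
        parents = [p for p in rev[path[-1]] if p not in path]  # skip cycles
        if not parents:
            chains.append([(n, packages[n]["version"]) for n in reversed(path)])
        for p in parents:
            walk(path + [p])
    if target in packages:
        walk([target])
    return chains
```

Run against a real Cargo.lock, a chain that starts at the MMTk crate rather than at the interpreter itself tells you the finding only applies when that optional build step is performed.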

Updated by mcandre (Andrew Pennebaker) 1 day ago #4 [ruby-core:123711]

Excellent news, glad to see the patch progressing.

How quickly can we release new versions of Ruby to include this patch?
