Source: ruby3.3
Version: 3.3.8-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for ruby3.3.

CVE-2026-41316[0]:
| ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was
| published on rubygems.org) introduced an `@_init` instance variable guard
| in `ERB#result` and `ERB#run` to prevent code execution when an ERB object
| is reconstructed via `Marshal.load` (deserialization). However, three other
| public methods that also evaluate `@src` via `eval()` were not given the
| same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An
| attacker who can trigger `Marshal.load` on untrusted data in a Ruby
| application that has `erb` loaded can use `ERB#def_module` (zero-arg,
| default parameters) as a code execution sink, bypassing the `@_init`
| protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the
| issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-41316
    https://www.cve.org/CVERecord?id=CVE-2026-41316
[1] https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
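The guard pattern the advisory describes, as an added example that is neither ERB's code nor part of this report: a constructed toy template class in which every `eval` sink runs the same `@_init` check, plus a helper that verifies an object rebuilt without `initialize` is refused by all of them. Class and method names are invented for the illustration.

```ruby
# Constructed toy, not ERB's own code. Like ERB it compiles template text into
# Ruby source held in @src and evaluates it later. The guard copies the ERB idea:
# initialize stores the class's singleton class in @_init, a value Marshal can
# neither dump nor supply, so an object rebuilt from untrusted bytes lacks it.
class GuardedTemplate
  class NotInitialized < ArgumentError; end
  def initialize(text)
    @src = compile(text)
    @_init = self.class.singleton_class
  end
  # Every method that evaluates @src calls check_init! first. CVE-2026-41316 is the
  # case where result/run had the check but def_method/def_module/def_class did not.
  def result(b = TOPLEVEL_BINDING.dup)
    check_init!
    eval(@src, b)
  end
  def def_method(mod, name)
    check_init!
    mod.module_eval("def #{name}\n#{@src}\nend")
  end
  def def_module(name = :render)
    check_init!
    Module.new.tap { |m| def_method(m, name) }
  end
  private
  def check_init!
    raise NotInitialized, 'not initialized' unless @_init.equal?(self.class.singleton_class)
  end
  def compile(text) # toy compiler: literal text and <%= expr %> tags only
    body = text.split(/(<%=.*?%>)/m).map do |chunk|
      chunk.start_with?('<%=') ? "_out << (#{chunk[3..-3]}).to_s" : "_out << #{chunk.dump}"
    end
    "_out = +''\n#{body.join("\n")}\n_out"
  end
end

# Rebuild an object the way Marshal.load does (allocate plus instance variables,
# initialize never runs), then check that every evaluation sink refuses it.
def reconstructed_template(src)
  GuardedTemplate.allocate.tap { |t| t.instance_variable_set(:@src, src) }
end

def all_sinks_guarded?(tmpl)
  [-> { tmpl.result }, -> { tmpl.def_method(Module.new, :m) }, -> { tmpl.def_module }].all? do |sink|
    sink.call
    false
  rescue GuardedTemplate::NotInitialized
    true
  end
end
```

A properly constructed template renders normally and cannot even be passed to `Marshal.dump` (the singleton class in `@_init` raises `TypeError`), while the reconstructed one is rejected by every sink rather than only by `result`.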
