
Upgrade tzinfo gem to 1.2.10 to fix arbitrary file loading vulnerability (CVE-2024-xxxx)

Open yuzhongqi opened this issue 4 months ago • 0 comments

📝 Description

Summary

The tzinfo gem versions prior to 1.2.10 are vulnerable to an arbitrary file loading issue when used with the Ruby data source (tzinfo-data). The vulnerability allows malicious time zone identifiers containing newline characters to bypass validation and load unintended Ruby files through the require mechanism.

Impact

An attacker could exploit this issue to load and execute arbitrary Ruby files within the application process. For example, a Ruby on Rails application that:

- uses tzinfo version 1.2.9,
- accepts arbitrary time zone identifiers (e.g., via user input), and
- allows file uploads

could be compromised if a crafted identifier triggers file execution.

Versions 2.0.0 and later are not affected.

Affected Versions

- tzinfo 0.3.60 and earlier
- tzinfo 1.0.0 – 1.2.9 (when used with the tzinfo-data gem)

Fix / Recommendation

Upgrade tzinfo to version 1.2.10 or later. This version correctly validates time zone identifiers and prevents path traversal attacks.

Example upgrade (Gemfile):

```ruby
gem "tzinfo", ">= 1.2.10"
```

Then run:

```shell
bundle update tzinfo
```

Workaround

If upgrading is not immediately possible, validate time zone identifiers before passing them to TZInfo::Timezone.get using the following regex:

```
\A[A-Za-z0-9+-]+(?:/[A-Za-z0-9+-]+)*\z
```

Ensure that no untrusted files are placed in directories within the Ruby load path ($LOAD_PATH).
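As an added example (not code from the issue author or from the tzinfo project), the following Ruby wrapper applies the issue's regex to an identifier before it is handed to TZInfo::Timezone.get, and shows why the whole-string anchors \A and \z matter: Ruby's ^ and $ match at line boundaries, so an identifier with an embedded newline passes a line-anchored check but fails this one. Function and constant names are assumptions; the sample identifiers are constructed.

```ruby
# Added example, not part of the original issue or of tzinfo itself.
# Validates a time zone identifier with the issue's regex before it
# reaches TZInfo::Timezone.get on tzinfo < 1.2.10. Names are assumed.

# The issue's recommended pattern: \A and \z anchor to the start and end
# of the whole string, so a newline anywhere in the input fails the match.
VALID_TZ_IDENTIFIER = /\A[A-Za-z0-9+-]+(?:\/[A-Za-z0-9+-]+)*\z/.freeze

# Line-anchored variant kept only for comparison: ^ and $ stop at "\n",
# so "Europe/London\nanything" still matches. Do not use this form.
LINE_ANCHORED_TZ_IDENTIFIER = /^[A-Za-z0-9+-]+(?:\/[A-Za-z0-9+-]+)*$/.freeze

class InvalidTimezoneIdentifier < ArgumentError; end

# True only when the entire string is a plausible identifier.
def valid_tz_identifier?(identifier)
  identifier.is_a?(String) && VALID_TZ_IDENTIFIER.match?(identifier)
end

# Returns the identifier unchanged when it is safe to pass on; otherwise
# raises. Call as TZInfo::Timezone.get(validated_tz_identifier(input)).
def validated_tz_identifier(identifier)
  unless valid_tz_identifier?(identifier)
    raise InvalidTimezoneIdentifier, "rejected time zone identifier"
  end
  identifier
end

# Constructed inputs: well-formed identifiers plus malformed ones,
# including one that embeds a newline and one with path separators.
SAMPLE_IDENTIFIERS = [
  "UTC",
  "Europe/London",
  "Etc/GMT+10",
  "Europe/London\nanything",
  "../outside",
  "",
].freeze

# Runs both regexes over the samples so the bypass is visible:
# returns { identifier => [whole_string_match, line_anchored_match] }.
def compare_anchoring(identifiers = SAMPLE_IDENTIFIERS)
  identifiers.each_with_object({}) do |id, out|
    out[id] = [VALID_TZ_IDENTIFIER.match?(id), LINE_ANCHORED_TZ_IDENTIFIER.match?(id)]
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_anchoring.each { |id, (whole, line)| puts "#{id.inspect}: whole=#{whole} line=#{line}" }
end
```

Note that the issue's character class omits the underscore, so canonical identifiers such as America/Port_of_Spain are rejected by this pattern as written; widen the class deliberately if your application needs them.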

References

- Commit (1.2.x fix): 9905ca93abf7bf3e387bd592406e403cd18334c7
- Commit (0.3.x fix): 9eddbb5c0e682736f61d0dd803b6031a5db9eadf
- Advisory: To be published on Ruby security site (expected CVE-2024 reference)

yuzhongqi, Nov 10 '25 05:11