
Patched version range very confusing for CVE-2016-2097

Open ken-duck opened this issue 5 years ago • 2 comments

I was looking at ruby-advisory-db/gems/actionview/CVE-2016-2097.yml

The unaffected_versions and patched_version ranges are as follows:

unaffected_versions:
  - ">= 4.2.0"

# "~> 3.2.22.2"  is found in gems/actionpack/CVE-2016-2097.yml
patched_versions:
  - "~> 4.1.14, >= 4.1.14.2"

It would seem that these two version ranges overlap each other. They also don't seem to match the description particularly well.

Versions Affected: 3.2.x, 4.0.x, 4.1.x
Not affected: 4.2+
Fixed Versions: 3.2.22.2, 4.1.14.2

It is quite possible that I am reading it wrong, or misunderstand the syntax. Are the patched_versions incorrect or am I in error?

Thanks for the help!

ken-duck avatar Nov 26 '19 17:11 ken-duck

Looks like in old Rails versions actionpack was affected, while in newer versions actionview was. So you need to review both gems/actionpack/CVE-2016-2097.yml and gems/actionview/CVE-2016-2097.yml to get the full picture.

patched_versions and unaffected_versions can indeed overlap, and it's fine. Just means that a newer version isn't affected by this vulnerability, so the patch (fix) is only needed for versions outside the unaffected_versions range.

reedloden avatar Dec 01 '19 19:12 reedloden

Ohhhhhh. I see. That certainly explains most of it for me. I am still mildly confused about the two overlapping patched_versions:

patched_versions:
  - "~> 4.1.14, >= 4.1.14.2"

ken-duck avatar Dec 02 '19 05:12 ken-duck

@ken-duck that version range could probably be rewritten as < 4.2.0, >= 4.1.14.2.

postmodern avatar May 23 '23 20:05 postmodern
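The following is an added worked example, not code from ruby-advisory-db or bundler-audit, showing the two points made in this thread: how a version is matched against unaffected_versions and patched_versions (either list matching means "not vulnerable", so overlap is harmless), and that "~> 4.1.14, >= 4.1.14.2" accepts exactly the same versions as the proposed rewrite "< 4.2.0, >= 4.1.14.2". The advisory hash is a constructed fragment of the actionview file as quoted above (the real file has more fields); the actionpack file is not modelled because only its patched range is quoted here. Function names are my own.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with RubyGems

# Constructed fragment of gems/actionview/CVE-2016-2097.yml, using only the
# two ranges quoted in the issue; the real file carries title, url, etc.
ACTIONVIEW_CVE_2016_2097 = {
  "unaffected_versions" => [">= 4.2.0"],
  "patched_versions"    => ["~> 4.1.14, >= 4.1.14.2"],
}.freeze

# One advisory-db constraint string may hold several comma-separated
# requirements that must all hold. Gem::Requirement takes one operator per
# argument, so split on the comma before handing the parts over.
def requirement(constraint)
  Gem::Requirement.new(*constraint.split(",").map(&:strip))
end

# True when the version satisfies at least one constraint in the list.
def matches_any?(constraints, version)
  constraints.any? { |c| requirement(c).satisfied_by?(version) }
end

# Matching rule as described in the thread: a version is not vulnerable if
# it falls inside unaffected_versions OR inside patched_versions; anything
# else is vulnerable. Because either match is enough, the two lists may
# overlap without changing the result.
def vulnerable?(advisory, version_string)
  version = Gem::Version.new(version_string)
  return false if matches_any?(advisory.fetch("unaffected_versions", []), version)
  return false if matches_any?(advisory.fetch("patched_versions", []), version)
  true
end

# Expand the pessimistic operator into explicit bounds: "~> 4.1.14" means
# ">= 4.1.14" and "< 4.2" (drop the last segment, bump the one before it).
def pessimistic_bounds(version_string)
  v = Gem::Version.new(version_string)
  [">= #{v}", "< #{v.bump}"]
end

# True when two constraint strings agree on every sample version; used to
# confirm that a proposed rewrite of a range is a pure restatement.
def agree_on?(a, b, samples)
  ra = requirement(a)
  rb = requirement(b)
  samples.all? do |s|
    v = Gem::Version.new(s)
    ra.satisfied_by?(v) == rb.satisfied_by?(v)
  end
end

# Constructed sample of actionview release numbers around the fix.
SAMPLES = %w[4.1.13 4.1.14 4.1.14.1 4.1.14.2 4.1.15 4.1.16 4.2.0 4.2.11 5.0.0].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |s|
    state = vulnerable?(ACTIONVIEW_CVE_2016_2097, s) ? "VULNERABLE" : "ok"
    puts "actionview #{s.ljust(9)} #{state}"
  end
  puts "~> 4.1.14 expands to #{pessimistic_bounds('4.1.14').join(', ')}"
  same = agree_on?("~> 4.1.14, >= 4.1.14.2", ">= 4.1.14.2, < 4.2.0", SAMPLES)
  puts "rewrite is equivalent on the samples: #{same}"
end
```

Running it shows 4.1.13 through 4.1.14.1 flagged as vulnerable, 4.1.14.2 and later 4.1.x accepted via patched_versions, and 4.2.0 and later accepted via unaffected_versions. Dropping the "~> 4.1.14" half of the patched constraint would make 4.2.0 match patched_versions too, which is harmless for the verdict but is exactly the kind of overlap the thread is asking about.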