Crack: Arbitrary code execution — GLSA 201404-04

A vulnerability in Crack might allow remote attackers to execute arbitrary code.

Affected packages

dev-ruby/crack on all architectures
Affected versions < 0.3.2
Unaffected versions >= 0.3.2

Background

Crack is a really simple JSON and XML parsing Ruby gem, ripped from Merb and Rails.

Description

An XML parameter parsing vulnerability has been discovered in Crack.

Impact

A remote attacker could execute arbitrary code with the privileges of the process, cause a Denial of Service condition, or bypass security restrictions.

Workaround

There is no known workaround at this time.

Resolution

All Crack users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-ruby/crack-0.3.2"
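
For applications that vendor the gem through Bundler rather than the Gentoo package, the following Ruby check (an added example, not part of this GLSA or of the Crack project) classifies a Gemfile.lock against the version boundary stated above; it assumes the standard Bundler lockfile layout and runs against a constructed sample lockfile when given no path.

```ruby
require 'rubygems' # Gem::Version / Gem::Requirement come from the RubyGems stdlib

# Version boundary taken from the advisory: affected < 0.3.2, unaffected >= 0.3.2.
AFFECTED_CRACK = Gem::Requirement.new('< 0.3.2')

# Return the version a Gemfile.lock pins for gem_name, or nil if it is not locked.
# Only the 4-space "specs:" entries ("    crack (0.3.1)") are pins; the 6-space
# lines beneath them ("      crack (>= 0.3.1)") are dependency constraints and are skipped.
def locked_version(lockfile_text, gem_name)
  pin = /\A {4}#{Regexp.escape(gem_name)} \((\d[^)\s]*)\)\s*\z/
  lockfile_text.each_line do |line|
    m = pin.match(line)
    return m[1] if m
  end
  nil
end

# Classify a lockfile against GLSA 201404-04: :affected, :unaffected or :absent.
def crack_status(lockfile_text)
  version = locked_version(lockfile_text, 'crack')
  return :absent if version.nil?
  AFFECTED_CRACK.satisfied_by?(Gem::Version.new(version)) ? :affected : :unaffected
end

# Constructed sample lockfile fragment (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crack (0.3.1)
        safe_yaml (~> 0.9.0)
      httparty (0.13.0)
        crack (>= 0.3.1)
        json (~> 1.8)

  PLATFORMS
    ruby
LOCK

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0]
  text = path ? File.read(path) : SAMPLE_LOCK
  puts "crack #{locked_version(text, 'crack').inspect}: #{crack_status(text)}"
end
```

Run it as `ruby check_crack.rb path/to/Gemfile.lock`; the sample lockfile pins crack 0.3.1 and is reported as affected.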

References

Release date
April 07, 2014

Latest revision
April 07, 2014: 1

Severity
high

Exploitable
remote

Bugzilla entries