{"id":"CVE-2018-1000075","details":"RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an infinite loop vulnerability in the ruby gem package tar header: a negative size value could cause an infinite loop. This vulnerability appears to have been fixed in 2.7.6.","aliases":["GHSA-74pv-v9gh-h25p"],"modified":"2026-03-20T11:25:03.700349Z","published":"2018-03-13T15:29:00.550Z","related":["MGASA-2019-0062","MGASA-2020-0243","SUSE-SU-2019:1804-1","SUSE-SU-2020:1570-1","openSUSE-SU-2019:1771-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"},{"type":"WEB","url":"https://usn.ubuntu.com/3621-1/"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4219"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3729"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:2028"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0663"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/04/msg00001.html"},{"type":"ADVISORY","url":"http://blog.rubygems.org/2018/02/15/2.7.6-released.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3730"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4259"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0542"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3731"},{"type":"A
DVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0591"},{"type":"FIX","url":"https://github.com/rubygems/rubygems/commit/92e98bf8f810bd812f919120d4832df51bc25d83"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ruby/rubygems","events":[{"introduced":"0"},{"fixed":"92e98bf8f810bd812f919120d4832df51bc25d83"}]},{"type":"GIT","repo":"https://github.com/rubygems/rubygems","events":[{"introduced":"0"},{"last_affected":"30e740c073e954474b08aa05aaa951e9bb74791c"},{"introduced":"0"},{"last_affected":"056f64c33a4f3783290b7c9c09d387213caf3c3d"},{"introduced":"0"},{"last_affected":"744e413f556ead46aabc659408a99a4c318b6549"},{"introduced":"0"},{"last_affected":"b6f3b5fac7ec01e5dcc57d6768a7e9b456feaea8"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.2.9"},{"introduced":"0"},{"last_affected":"2.3.6"},{"introduced":"0"},{"last_affected":"2.4.3"},{"introduced":"0"},{"last_affected":"2.5.0"}]}}],"versions":["bundler-v2.2.0","bundler-v2.2.0.rc.1","bundler-v2.2.0.rc.2","bundler-v2.2.1","bundler-v2.2.2","bundler-v2.2.3","bundler-v2.2.4","bundler-v2.2.5","bundler-v2.2.6","bundler-v2.2.7","bundler-v2.2.8","bundler-v2.2.9","bundler-v2.3.0","bundler-v2.3.1","bundler-v2.3.2","bundler-v2.3.3","bundler-v2.3.4","bundler-v2.3.5","bundler-v2.3.6","v1.5.0","v1.5.1","v1.5.2","v1.6.0","v1.6.1","v1.6.2","v1.7.0","v1.7.1","v1.8.0","v1.8.1","v1.8.2","v2.0.0","v2.0.0.preview2","v2.0.0.preview2.1","v2.0.0.preview2.2","v2.0.0.rc.1","v2.0.0.rc.2","v2.0.1","v2.0.2","v2.0.3","v2.1.0","v2.1.0.rc.1","v2.1.0.rc.2","v2.1.1","v2.1.2","v2.1.3","v2.2.0.preview.1","v2.2.0.rc.1","v2.2.1","v2.3.0","v2.4.0","v2.4.1","v2.4.2","v2.4.3","v2.4.4","v2.4.5","v2.4.6","v2.5.0","v2.5.1","v2.5.2","v2.6.0","v2.6.1","v2.6.10","v2.6.11","v2.6.12","v2.6.13","v2.6.14","v2.6.2","v2.6.3","v2.6.4","v2.6.5","v2.6.6","v2.6.7","v2.6.8","v2.6.9","v2.7.0","v2.7.1","v2.7.10","v2.7.2","v2.7.3","v2.7.4","v2.7.5","v2.7.6","v2.7.7","v2.7.8","v2.7.9","v3.0.0","v3.0.0.beta1","v3.0.0.beta3","v3.
0.1","v3.0.2","v3.0.3","v3.0.4","v3.1.0.pre1","v3.2.0","v3.2.0.rc.1","v3.2.1","v3.2.2","v3.2.3","v3.2.4","v3.2.5","v3.2.6","v3.2.7","v3.2.8","v3.2.9","v3.3.0","v3.3.1","v3.3.2","v3.3.3","v3.3.4","v3.3.5","v3.3.6"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"7.0"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-1000075.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}