Bugzilla – Bug 1193080
VUL-0: CVE-2021-41816: ruby, ruby2.1, ruby2.5, ruby2.7, ruby3.0: Buffer Overrun in CGI.escape_html
Last modified: 2022-09-05 22:50:59 UTC
A buffer overrun vulnerability was discovered in CGI.escape_html. This vulnerability has been assigned the CVE identifier CVE-2021-41816. We strongly recommend upgrading Ruby.
A security vulnerability that causes buffer overflow when you pass a very large string (> 700 MB) to CGI.escape_html on a platform where long type takes 4 bytes, typically, Windows.
Please update the cgi gem to version 0.3.1, 0.2,1, and 0.1,1 or later. You can use gem update cgi to update it. If you are using bundler, please add gem "cgi", ">= 0.3.1" to your Gemfile. Alternatively, please update Ruby to 2.7.5 or 3.0.3.
This issue has been introduced since Ruby 2.7, so the cgi version bundled with Ruby 2.6 is not vulnerable.
cgi gem 0.1.0 or prior (which are bundled versions with Ruby 2.7 series prior to Ruby 2.7.5)
cgi gem 0.2.0 or prior (which are bundled versions with Ruby 3.0 series prior to Ruby 3.0.3)
cgi gem 0.3.0 or prior
This is an autogenerated message for OBS integration:
This bug (1193080) was mentioned in
https://build.opensuse.org/request/show/933749 Factory / ruby3.0
https://build.opensuse.org/request/show/933750 Factory / ruby2.7
The vulnerable commit  was introduced in ruby 2.7, therefore, versions before 2.7 are not impacted. I double checked that the vulnerable commit has not been backported.
This should be done