Questions about GHSA-qrgf-jqqm-x7xv #520

Closed
G-Rath opened this issue Jul 7, 2022 · 2 comments
Comments

@G-Rath
G-Rath commented Jul 7, 2022

I came across GHSA-qrgf-jqqm-x7xv which I think has incorrect information but would like to get that confirmed before I submit a change.

The details say "lib/dragonfly/imagemagickutils.rb in the fog-dragonfly gem 0.8.2 for Ruby allows remote attackers to execute arbitrary commands via unspecified vectors."

Firstly, there is a fog-dragonfly gem that has versions 0.8.1 & 0.8.2 published; it looks the same as the dragonfly gem and links to this repository, so I'm guessing it was mistakenly published under that name? If that is the case, would it be worth yanking the fog-dragonfly gem completely to avoid confusion?

Secondly, I can't find any reference to that specific CVE but the history mentions a few security changes in versions 0.8.4 and 0.8.5, followed by a refactor of the ImageMagick processors in v0.9.0. Am I right in thinking this should now be resolved at least in versions beyond v1?

@markevans
Owner

Hi there - correct, I didn't publish fog-dragonfly so don't have control over that (and am not sure why that's there, to be honest; it does look like a republish of a 10-year-old version of dragonfly).
These security problems are resolved, yes: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=dragonfly+gem - and you should use the latest version (1.4) - cheers

@G-Rath
Author

G-Rath commented Jul 7, 2022

@markevans awesome, thanks for confirming - I've created github/advisory-database#486 amending the advisory :)
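The practical takeaway of this thread for anyone auditing a Ruby project is twofold: `fog-dragonfly` is an unofficial republish of an old dragonfly release that the maintainer does not control, and the dragonfly fixes live in the later 1.x line. The script below is an added example, not code from this issue or from the dragonfly project: it parses the `specs:` block of a `Gemfile.lock` and flags either condition. The `Gemfile.lock` text is constructed for the demo, and the `1.0` cut-off is an assumption drawn from the discussion (the maintainer points at the 1.x releases, and the pre-1.0 history is where the security changes and the ImageMagick refactor happened), not a boundary stated in the advisory.

```ruby
require 'rubygems' # for Gem::Version comparisons

# Assumed threshold (see lead-in): anything older than the 1.x line is flagged.
MIN_DRAGONFLY = Gem::Version.new('1.0')

# Parse the top-level entries of a Gemfile.lock "specs:" block into
# { gem_name => Gem::Version }. Dependency lines (6-space indent) are skipped.
def parse_lockfile_specs(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    if line.start_with?('  specs:')
      in_specs = true
      next
    end
    # A blank or non-indented line ends the specs block.
    if in_specs && !line.start_with?(' ')
      in_specs = false
      next
    end
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)/)
    next unless m
    specs[m[1]] = Gem::Version.new(m[2])
  end
  specs
end

# Return human-readable findings for the two cases raised in the issue.
def audit_specs(specs, min_dragonfly: MIN_DRAGONFLY)
  findings = []
  if specs.key?('fog-dragonfly')
    findings << "fog-dragonfly #{specs['fog-dragonfly']}: unofficial republish " \
                'of an old dragonfly release; switch to the dragonfly gem'
  end
  if (v = specs['dragonfly']) && v < min_dragonfly
    findings << "dragonfly #{v}: predates the 1.x line the maintainer " \
                "recommends (minimum assumed here: #{min_dragonfly})"
  end
  findings
end

# Constructed sample lockfiles for the demo.
OLD_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      dragonfly (0.8.2)
        rack
      fog-dragonfly (0.8.2)
        rack
      rack (2.2.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    fog-dragonfly
LOCK

FIXED_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      dragonfly (1.4.0)
        rack
      rack (2.2.3)

  PLATFORMS
    ruby
LOCK

def audit_lockfile(text)
  audit_specs(parse_lockfile_specs(text))
end

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0]
  text = path ? File.read(path) : OLD_LOCK
  findings = audit_lockfile(text)
  puts(findings.empty? ? 'no findings' : findings)
end
```

Run it with a path to a real `Gemfile.lock`, or with no arguments to see the constructed 0.8.2 sample produce two findings. Matching on the 4-space indent is what keeps transitive dependency lines out of the result, so a project that only pulls dragonfly in indirectly is still reported under its resolved version.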
