VYPR
Critical severity · CVSS 9.8 (NVD) · Advisory · Published Aug 31, 2017 · Updated May 13, 2026

CVE-2017-0899

Description

RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Fields such as the author, homepage and summary are taken from the gem specification verbatim, so printing such a specification (for example in a detailed `gem query` listing) writes the raw escape sequences to the terminal, which then executes them.
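As an added example (not RubyGems' own code), the Ruby script below builds a constructed gem-specification-like record whose author, homepage and summary fields carry terminal control sequences, renders it the way a detailed listing prints it, and then applies a `clean_text` that mirrors the character class from the fix commits on this page. The `MALICIOUS_SPEC` hash, the `render_spec` layout and the `escape_count` helper are assumptions made for illustration; only the regex is taken from commit 1bcbc7fe637b.

```ruby
# Added example (not RubyGems' own code): show how gem specification
# fields containing terminal control bytes reach the terminal when a
# spec is printed, and neutralize them with the same character class
# the fix commit on this page uses (C0 controls except TAB/LF/CR, plus DEL).

# Constructed malicious spec fields. "\e[2J\e[H" clears the screen and
# homes the cursor; "\e]0;...\a" sets the terminal title via an OSC
# sequence; "\x7f" is DEL.
MALICIOUS_SPEC = {
  name:     "totally-legit",
  version:  "1.0.0",
  authors:  ["Mallory \e[2J\e[H\e[1;32mgem installed OK\e[0m"],
  homepage: "https://example.com/\e]0;pwned\a",
  summary:  "Harmless\x7f summary",
}.freeze

# Regex from commit 1bcbc7fe637b: octal escapes so it also parses on
# Ruby 1.8.7. \b inside a character class is backspace (0x08).
CONTROL_CHARS = /[\000-\b\v-\f\016-\037\177]/

# Mirror of the fix: every matched byte becomes ".", so the control
# byte is visibly present but can no longer be interpreted.
def clean_text(text)
  text.gsub(CONTROL_CHARS, ".")
end

# Render the spec roughly the way a detailed remote listing does
# (layout constructed for this example), optionally cleaning each
# field first.
def render_spec(spec, clean: false)
  field = ->(s) { clean ? clean_text(s) : s }
  lines = []
  lines << "#{spec[:name]} (#{spec[:version]})"
  lines << "    Authors: #{spec[:authors].map(&field).join(', ')}"
  lines << "    Homepage: #{field.call(spec[:homepage])}"
  lines << ""
  lines << "    #{field.call(spec[:summary])}"
  lines.join("\n")
end

# Number of ESC bytes that survive in rendered output: anything above
# zero means the terminal receives sequences it may act on.
def escape_count(rendered)
  rendered.count("\e")
end

if __FILE__ == $PROGRAM_NAME
  raw  = render_spec(MALICIOUS_SPEC)
  safe = render_spec(MALICIOUS_SPEC, clean: true)
  puts "unclean output contains #{escape_count(raw)} ESC bytes"
  puts "cleaned output contains #{escape_count(safe)} ESC bytes"
  puts safe
end
```

Running the script prints the cleaned listing, in which the author reads `Mallory .[2J.[H.[1;32mgem installed OK.[0m`: only the ESC and BEL bytes are replaced, the rest of each sequence is shown as ordinary text, which is exactly the behaviour the patched tests expect. TAB, LF and CR are left untouched by the class, so multi-line summaries still wrap normally.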

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Affected versions   Patched versions
rubygems-update (RubyGems)   < 2.6.13            2.6.13

Patches

2 commits
1bcbc7fe637b

Use a pattern that works on 1.8.7

https://github.com/rubygems/rubygems · Samuel Giddins · Aug 25, 2017 · via GHSA
3 files changed · +4 −4
  • lib/rubygems/text.rb+1 1 modified
    @@ -10,7 +10,7 @@ module Gem::Text
       # Remove any non-printable characters and make the text suitable for
       # printing.
       def clean_text(text)
    -    text.gsub(/[\u0000-\u0008\u000b-\u000c\u000e-\u001F\u007f]/, ".".freeze)
    +    text.gsub(/[\000-\b\v-\f\016-\037\177]/, ".".freeze)
       end
     
       ##
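Review bot: the octal class in `clean_text` covers only C0 controls (minus TAB, LF and CR) and DEL, so 8-bit C1 controls such as U+0085 (NEL) and U+009B (CSI), which some terminals treat as the single-byte form of `ESC [`, pass through unchanged; either extend the class to the C1 range in a Ruby 1.8.7-compatible spelling or state in the comment above `clean_text` that C1 is out of scope. The rewrite itself is equivalent to the previous `\u` ranges: `\000-\b` is 0x00-0x08, `\v-\f` is 0x0B-0x0C, `\016-\037` is 0x0E-0x1F and `\177` is DEL.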
    
  • test/rubygems/test_gem_commands_query_command.rb+2 2 modified
    @@ -132,8 +132,8 @@ def test_execute_details_cleans_text
         spec_fetcher do |fetcher|
           fetcher.spec 'a', 2 do |s|
             s.summary = 'This is a lot of text. ' * 4
    -        s.authors = ["Abraham Lincoln \u0001", "\u0002 Hirohito"]
    -        s.homepage = "http://a.example.com/\u0003"
    +        s.authors = ["Abraham Lincoln \x01", "\x02 Hirohito"]
    +        s.homepage = "http://a.example.com/\x03"
           end
     
           fetcher.legacy_platform
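Review bot: the constructed fields only exercise `\x01`, `\x02` and `\x03`, none of which a terminal acts on by itself; the attack the advisory describes needs ESC (`\x1b`), so add an author such as `"Mallory \x1b[2J"` and assert that the listing shows `Mallory .[2J`, which also documents that only the ESC byte is neutralized while the remainder of the sequence is printed as plain text.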
    
  • test/rubygems/test_gem_text.rb+1 1 modified
    @@ -37,7 +37,7 @@ def test_format_text_trailing # for two spaces after .
       end
     
       def test_format_removes_nonprintable_characters
    -    assert_equal "text with weird .. stuff", format_text("text with weird \u001b\u0002 stuff", 40)
    +    assert_equal "text with weird .. stuff .", format_text("text with weird \x1b\x02 stuff \x7f", 40)
       end
     
       def test_min3
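Review bot: the new input is well under the wrap width of 40, so the `while work.length > wrap` branch of `format_text` never runs on cleaned text; add a second assertion with a control-laden string longer than the wrap so the `.` replacement is also checked after the text has been re-split across lines.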
    
ef0aa611effb

Clean any text present in gems before displaying it

https://github.com/rubygems/rubygems · Evan Phoenix · May 22, 2017 · via GHSA
4 files changed · +53 −2
  • lib/rubygems/commands/query_command.rb+1 1 modified
    @@ -226,7 +226,7 @@ def output_versions output, versions
             end
           end
     
    -      output << make_entry(matching_tuples, platforms)
    +      output << clean_text(make_entry(matching_tuples, platforms))
         end
       end
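Review bot: sanitizing at this one call site means every other caller of `make_entry`, and every other command that prints fields from a fetched specification, has to remember to wrap its result too; applying `clean_text` inside `make_entry` (or to each field as it is read from the spec) would make the guarantee hold for all callers instead of only `output_versions`.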
     
    
  • lib/rubygems/text.rb+8 1 modified
    @@ -6,13 +6,20 @@
     
     module Gem::Text
     
    +  ##
    +  # Remove any non-printable characters and make the text suitable for
    +  # printing.
    +  def clean_text(text)
    +    text.gsub(/[\u0000-\u0008\u000b-\u000c\u000e-\u001F\u007f]/, ".".freeze)
    +  end
    +
       ##
       # Wraps +text+ to +wrap+ characters and optionally indents by +indent+
       # characters
     
       def format_text(text, wrap, indent=0)
         result = []
    -    work = text.dup
    +    work = clean_text(text)
     
         while work.length > wrap do
           if work =~ /^(.{0,#{wrap}})[ \n]/ then
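Review bot: `\u0000`-style escapes inside a regex literal are not accepted by Ruby 1.8.7, which RubyGems still supported at this point, so `lib/rubygems/text.rb` will fail to parse there (the follow-up commit 1bcbc7fe637b on this page rewrites the class with octal escapes). TAB, LF and CR are deliberately left out of the class; CR in particular lets a field overwrite the start of its own line, so either add `\r` to the class or say in the comment above `clean_text` why it is kept.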
    
  • test/rubygems/test_gem_commands_query_command.rb+40 0 modified
    @@ -116,6 +116,46 @@ def test_execute_details
         This is a lot of text. This is a lot of text. This is a lot of text.
         This is a lot of text.
     
    +pl (1)
    +    Platform: i386-linux
    +    Author: A User
    +    Homepage: http://example.com
    +
    +    this is a summary
    +    EOF
    +
    +    assert_equal expected, @ui.output
    +    assert_equal '', @ui.error
    +  end
    +
    +  def test_execute_details_cleans_text
    +    spec_fetcher do |fetcher|
    +      fetcher.spec 'a', 2 do |s|
    +        s.summary = 'This is a lot of text. ' * 4
    +        s.authors = ["Abraham Lincoln \u0001", "\u0002 Hirohito"]
    +        s.homepage = "http://a.example.com/\u0003"
    +      end
    +
    +      fetcher.legacy_platform
    +    end
    +
    +    @cmd.handle_options %w[-r -d]
    +
    +    use_ui @ui do
    +      @cmd.execute
    +    end
    +
    +    expected = <<-EOF
    +
    +*** REMOTE GEMS ***
    +
    +a (2)
    +    Authors: Abraham Lincoln ., . Hirohito
    +    Homepage: http://a.example.com/.
    +
    +    This is a lot of text. This is a lot of text. This is a lot of text.
    +    This is a lot of text.
    +
     pl (1)
         Platform: i386-linux
         Author: A User
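Review bot: the expectation checks that each control byte becomes a visible `.` in the rendered lines, but nothing asserts that the whole of `@ui.output` is free of raw control bytes; add a `refute_match(/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/, @ui.output)` so that a second print path added later without cleaning fails this test rather than passing unnoticed. The `"\u0001"` string literals here have the same Ruby 1.8.7 parse problem as the regex in `lib/rubygems/text.rb`.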
    
  • test/rubygems/test_gem_text.rb+4 0 modified
    @@ -36,6 +36,10 @@ def test_format_text_trailing # for two spaces after .
         assert_equal expected, format_text(text, 78)
       end
     
    +  def test_format_removes_nonprintable_characters
    +    assert_equal "text with weird .. stuff", format_text("text with weird \u001b\u0002 stuff", 40)
    +  end
    +
       def test_min3
         assert_equal 1, min3(1, 1, 1)
         assert_equal 1, min3(1, 1, 2)
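Review bot: DEL (`\u007f`) is part of the class in `clean_text` but is not exercised here; include it in the input and the expected string so a regression that drops `\u007f` from the class is caught.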
    
