Commit 1d2309d

Fix CVE-2026-41316: upgrade Ruby erb gem to >=6.0.4
The erb default gem is bundled into Ruby (which enters via mummer4 → yaggo → ruby) and has a HIGH-severity Marshal deserialization bypass: ERB#def_module evaluates @src via eval() without the @_init guard added in Ruby 2.7.0. Same fix pattern as CVE-2026-33210 (json gem, fe939b2): delete the bundled default gem files and gemspec, then gem install the patched version. GHSA-q339-8rmv-2mhv
1 parent 6d229c8 commit 1d2309d

3 files changed

Lines changed: 18 additions & 3 deletions

docker/Dockerfile.assemble

Lines changed: 6 additions & 1 deletion
@@ -32,12 +32,17 @@ COPY docker/install-conda-deps.sh /tmp/
3232
# - mafft's dash_client: Go 1.22.1 binary with Go stdlib CVEs; we never use --dash mode
3333
# - Ruby json gem: mummer4/sequip pull in Ruby (via yaggo), whose bundled json gem
3434
# has CVE-2026-33210; remove the old default gem and install patched version (>=2.19.2)
35+
# - Ruby erb gem: same chain (mummer4 → yaggo → ruby), CVE-2026-41316 (Marshal
36+
# deserialization bypass via ERB#def_module); remove default gem and install >=6.0.4
3537
RUN /tmp/install-conda-deps.sh /tmp/requirements/baseimage.txt /tmp/requirements/core.txt /tmp/requirements/assemble.txt \
3638
--x86-only:/tmp/requirements/assemble-x86.txt && \
3739
rm -f /opt/conda/libexec/mafft/dash_client && \
3840
find /opt/conda/lib/ruby -maxdepth 3 -name 'json*' -not -path '*/psych/*' -exec rm -rf {} + && \
3941
rm -f /opt/conda/lib/ruby/gems/*/specifications/default/json-*.gemspec && \
40-
gem install json --version '>=2.19.2' --no-document
42+
gem install json --version '>=2.19.2' --no-document && \
43+
find /opt/conda/lib/ruby -maxdepth 3 -name 'erb*' -exec rm -rf {} + && \
44+
rm -f /opt/conda/lib/ruby/gems/*/specifications/default/erb-*.gemspec && \
45+
gem install erb --version '>=6.0.4' --no-document
4146

4247
# Copy source code (includes assembly module)
4348
COPY src/ /opt/viral-ngs/source/src/
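Review bot: the new `find ... -name 'erb*' -exec rm -rf {} +` / `gem install erb --version '>=6.0.4'` pair at the end of the RUN chain removes the bundled gem and installs a replacement but never checks that the replacement is what `require "erb"` now resolves to, so a silent fall-through (for example a leftover copy outside the `-maxdepth 3` search, or a `gem install` that satisfied the constraint from a stale cache) would pass the build. Suggest appending a build-time assertion to the same chain, e.g. `&& ruby -e 'require "erb"; exit Gem::Version.new(ERB::VERSION) >= Gem::Version.new("6.0.4")'`, so the layer fails if the loaded erb is still the vulnerable default gem; the same check would have been useful on the earlier json line.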

docker/Dockerfile.mega

Lines changed: 6 additions & 1 deletion
@@ -29,14 +29,19 @@ COPY docker/install-conda-deps.sh /tmp/
2929
# - mafft's dash_client: Go 1.22.1 binary with Go stdlib CVEs; we never use --dash mode
3030
# - Ruby json gem: mummer4 → yaggo → Ruby, whose bundled json gem has CVE-2026-33210;
3131
# remove the old default gem and install patched version (>=2.19.2)
32+
# - Ruby erb gem: same chain (mummer4 → yaggo → ruby), CVE-2026-41316 (Marshal
33+
# deserialization bypass via ERB#def_module); remove default gem and install >=6.0.4
3234
RUN /tmp/install-conda-deps.sh /tmp/requirements/baseimage.txt /tmp/requirements/core.txt /tmp/requirements/assemble.txt /tmp/requirements/classify.txt /tmp/requirements/phylo.txt \
3335
--x86-only:/tmp/requirements/assemble-x86.txt \
3436
--x86-only:/tmp/requirements/classify-x86.txt \
3537
--x86-only:/tmp/requirements/phylo-x86.txt && \
3638
rm -f /opt/conda/libexec/mafft/dash_client && \
3739
find /opt/conda/lib/ruby -maxdepth 3 -name 'json*' -not -path '*/psych/*' -exec rm -rf {} + && \
3840
rm -f /opt/conda/lib/ruby/gems/*/specifications/default/json-*.gemspec && \
39-
gem install json --version '>=2.19.2' --no-document
41+
gem install json --version '>=2.19.2' --no-document && \
42+
find /opt/conda/lib/ruby -maxdepth 3 -name 'erb*' -exec rm -rf {} + && \
43+
rm -f /opt/conda/lib/ruby/gems/*/specifications/default/erb-*.gemspec && \
44+
gem install erb --version '>=6.0.4' --no-document
4045

4146
# Copy source code (includes all modules)
4247
COPY src/ /opt/viral-ngs/source/src/
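Review bot: `gem install erb --version '>=6.0.4' --no-document` is an open-ended constraint, so the erb version baked into the image floats with whatever rubygems.org serves on the day the layer is rebuilt, which makes the image non-reproducible and means a future erb release could change behaviour without a diff here. Since the intent is "at least the patched version", consider pinning an exact version (`--version '6.0.4'`, bumped deliberately) and recording it alongside the CVE in the comment block above; the json line introduced in the earlier fix has the same floating `'>=2.19.2'` constraint and could be tightened in the same pass.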

docker/Dockerfile.phylo

Lines changed: 6 additions & 1 deletion
@@ -29,12 +29,17 @@ COPY docker/install-conda-deps.sh /tmp/
2929
# - mafft's dash_client: Go 1.22.1 binary with Go stdlib CVEs; we never use --dash mode
3030
# - Ruby json gem: mummer4 pulls in yaggo → Ruby, whose bundled json gem has
3131
# CVE-2026-33210; remove the old default gem and install patched version (>=2.19.2)
32+
# - Ruby erb gem: same chain (mummer4 → yaggo → ruby), CVE-2026-41316 (Marshal
33+
# deserialization bypass via ERB#def_module); remove default gem and install >=6.0.4
3234
RUN /tmp/install-conda-deps.sh /tmp/requirements/baseimage.txt /tmp/requirements/core.txt /tmp/requirements/phylo.txt \
3335
--x86-only:/tmp/requirements/phylo-x86.txt && \
3436
rm -f /opt/conda/libexec/mafft/dash_client && \
3537
find /opt/conda/lib/ruby -maxdepth 3 -name 'json*' -not -path '*/psych/*' -exec rm -rf {} + && \
3638
rm -f /opt/conda/lib/ruby/gems/*/specifications/default/json-*.gemspec && \
37-
gem install json --version '>=2.19.2' --no-document
39+
gem install json --version '>=2.19.2' --no-document && \
40+
find /opt/conda/lib/ruby -maxdepth 3 -name 'erb*' -exec rm -rf {} + && \
41+
rm -f /opt/conda/lib/ruby/gems/*/specifications/default/erb-*.gemspec && \
42+
gem install erb --version '>=6.0.4' --no-document
3843

3944
# Copy source code (includes phylo module)
4045
COPY src/ /opt/viral-ngs/source/src/
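Review bot: this is the third copy of the identical three-line remediation (`find ... -name 'erb*' ...`, `rm -f .../default/erb-*.gemspec`, `gem install erb ...`), and the json fix before it is likewise duplicated across Dockerfile.assemble, Dockerfile.mega and Dockerfile.phylo, so each new Ruby default-gem CVE now needs three coordinated edits and the comment blocks have already drifted in wording between files. Suggest moving the Ruby gem replacement into a shared script invoked after `install-conda-deps.sh` (following the pattern the Dockerfiles already use for that script) so the gem list, version constraints and a post-install check live in one place.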
