
Commit 465dca9

committed
Fix CVE-2026-42246: upgrade Ruby net-imap gem to >=0.6.4
Applies the established gem-fixup pattern to net-imap in the assemble, phylo, and mega images. The gem enters via mummer4 -> yaggo -> ruby (same chain that introduced the json and erb CVEs). Practical exploitability is near-zero (no IMAP connections are made), but the Rego policy correctly surfaces it due to AV:N + VC:H + VI:H. Closes #1065
1 parent 1a3a8a7 commit 465dca9

3 files changed

Lines changed: 18 additions & 3 deletions


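--- a/docker/Dockerfile.assemble
+++ b/docker/Dockerfile.assemble
@@ -34,6 +34,8 @@ COPY docker/install-conda-deps.sh /tmp/
 # has CVE-2026-33210; remove the old default gem and install patched version (>=2.19.2)
 # - Ruby erb gem: same chain (mummer4 → yaggo → ruby), CVE-2026-41316 (Marshal
 # deserialization bypass via ERB#def_module); remove default gem and install >=6.0.4
+# - Ruby net-imap gem: same chain (mummer4 → yaggo → ruby), CVE-2026-42246 (STARTTLS
+# stripping via invalid response timing); remove default gem and install >=0.6.4
 RUN /tmp/install-conda-deps.sh /tmp/requirements/baseimage.txt /tmp/requirements/core.txt /tmp/requirements/assemble.txt \
 --x86-only:/tmp/requirements/assemble-x86.txt && \
 rm -f /opt/conda/libexec/mafft/dash_client && \
@@ -42,7 +44,10 @@ RUN /tmp/install-conda-deps.sh /tmp/requirements/baseimage.txt /tmp/requirements
 gem install json --version '>=2.19.2' --no-document && \
 find /opt/conda/lib/ruby -maxdepth 3 -name 'erb*' -exec rm -rf {} + && \
 rm -f /opt/conda/lib/ruby/gems/*/specifications/default/erb-*.gemspec && \
-gem install erb --version '>=6.0.4' --no-document
+gem install erb --version '>=6.0.4' --no-document && \
+find /opt/conda/lib/ruby -maxdepth 3 -name 'net-imap*' -exec rm -rf {} + && \
+rm -f /opt/conda/lib/ruby/gems/*/specifications/default/net-imap-*.gemspec && \
+gem install net-imap --version '>=0.6.4' --no-document
 
 # Copy source code (includes assembly module)
 COPY src/ /opt/viral-ngs/source/src/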
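Review bot: The added `find … -name 'net-imap*' -exec rm -rf {} +` and `rm -f …/specifications/default/net-imap-*.gemspec` lines in the second hunk both exit 0 when nothing matches, so the RUN chain never confirms that the vulnerable copy was actually removed rather than left installed beside the new one; the identical hunks in docker/Dockerfile.mega and docker/Dockerfile.phylo have the same gap. This is more likely to bite for net-imap than for json/erb because net-imap became a bundled (not default) gem in Ruby 3.1, and if the conda Ruby is that recent its gemspec lives under `specifications/` rather than `specifications/default/`, so the `rm -f` is a silent no-op and only the `find` (whose `-maxdepth 3` I cannot verify against the conda layout) stands between the scanner and a repeat finding. Consider ending the chain with an assertion that exactly one net-imap version remains, e.g. `&& gem list -e net-imap | grep '^net-imap' | tr ',' '\n' | wc -l | grep -qx 1` (constructed; `gem list` prints multiple installed versions comma-separated on one line). Separately, `--version '>=0.6.4'` resolves to whatever is newest on rubygems.org at build time, so pinning the exact version would keep the image reproducible. The RUN instruction this extends begins in the first hunk.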

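--- a/docker/Dockerfile.mega
+++ b/docker/Dockerfile.mega
@@ -31,6 +31,8 @@ COPY docker/install-conda-deps.sh /tmp/
 # remove the old default gem and install patched version (>=2.19.2)
 # - Ruby erb gem: same chain (mummer4 → yaggo → ruby), CVE-2026-41316 (Marshal
 # deserialization bypass via ERB#def_module); remove default gem and install >=6.0.4
+# - Ruby net-imap gem: same chain (mummer4 → yaggo → ruby), CVE-2026-42246 (STARTTLS
+# stripping via invalid response timing); remove default gem and install >=0.6.4
 RUN /tmp/install-conda-deps.sh /tmp/requirements/baseimage.txt /tmp/requirements/core.txt /tmp/requirements/assemble.txt /tmp/requirements/classify.txt /tmp/requirements/phylo.txt \
 --x86-only:/tmp/requirements/assemble-x86.txt \
 --x86-only:/tmp/requirements/classify-x86.txt \
@@ -41,7 +43,10 @@ RUN /tmp/install-conda-deps.sh /tmp/requirements/baseimage.txt /tmp/requirements
 gem install json --version '>=2.19.2' --no-document && \
 find /opt/conda/lib/ruby -maxdepth 3 -name 'erb*' -exec rm -rf {} + && \
 rm -f /opt/conda/lib/ruby/gems/*/specifications/default/erb-*.gemspec && \
-gem install erb --version '>=6.0.4' --no-document
+gem install erb --version '>=6.0.4' --no-document && \
+find /opt/conda/lib/ruby -maxdepth 3 -name 'net-imap*' -exec rm -rf {} + && \
+rm -f /opt/conda/lib/ruby/gems/*/specifications/default/net-imap-*.gemspec && \
+gem install net-imap --version '>=0.6.4' --no-document
 
 # Copy source code (includes all modules)
 COPY src/ /opt/viral-ngs/source/src/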

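--- a/docker/Dockerfile.phylo
+++ b/docker/Dockerfile.phylo
@@ -31,6 +31,8 @@ COPY docker/install-conda-deps.sh /tmp/
 # CVE-2026-33210; remove the old default gem and install patched version (>=2.19.2)
 # - Ruby erb gem: same chain (mummer4 → yaggo → ruby), CVE-2026-41316 (Marshal
 # deserialization bypass via ERB#def_module); remove default gem and install >=6.0.4
+# - Ruby net-imap gem: same chain (mummer4 → yaggo → ruby), CVE-2026-42246 (STARTTLS
+# stripping via invalid response timing); remove default gem and install >=0.6.4
 RUN /tmp/install-conda-deps.sh /tmp/requirements/baseimage.txt /tmp/requirements/core.txt /tmp/requirements/phylo.txt \
 --x86-only:/tmp/requirements/phylo-x86.txt && \
 rm -f /opt/conda/libexec/mafft/dash_client && \
@@ -39,7 +41,10 @@ RUN /tmp/install-conda-deps.sh /tmp/requirements/baseimage.txt /tmp/requirements
 gem install json --version '>=2.19.2' --no-document && \
 find /opt/conda/lib/ruby -maxdepth 3 -name 'erb*' -exec rm -rf {} + && \
 rm -f /opt/conda/lib/ruby/gems/*/specifications/default/erb-*.gemspec && \
-gem install erb --version '>=6.0.4' --no-document
+gem install erb --version '>=6.0.4' --no-document && \
+find /opt/conda/lib/ruby -maxdepth 3 -name 'net-imap*' -exec rm -rf {} + && \
+rm -f /opt/conda/lib/ruby/gems/*/specifications/default/net-imap-*.gemspec && \
+gem install net-imap --version '>=0.6.4' --no-document
 
 # Copy source code (includes phylo module)
 COPY src/ /opt/viral-ngs/source/src/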
