rubysec · kallal79 · Mar 31, 2026
diff --git a/gems/guard-livereload/CVE-2016-1000305.yml b/gems/guard-livereload/CVE-2016-1000305.yml
@@ -0,0 +1,31 @@
+---
+gem: guard-livereload
+cve: 2016-1000305
+url: https://github.com/guard/guard-livereload/issues/159
+title: Directory traversal vulnerability in guard-livereload
+date: 2016-12-30
+description: |
+  A directory traversal vulnerability exists in guard-livereload before version 2.5.2.
+  The vulnerability allows remote attackers to read arbitrary files on the server
+  by exploiting improper path validation in the livereload server functionality.
+
+  This vulnerability is related to the handling of file paths in the livereload
+  server component, which could allow an attacker to traverse directories and
+  access files outside the intended web root directory.
+
+  The issue was identified and reported through the DWF (Distributed Weakness Filing)
+  project, which assigns CVE identifiers for security vulnerabilities.
+cvss_v2: 5.0
+cvss_v3: 7.5
+unaffected_versions:
+  - ">= 2.5.2"
+patched_versions:
+  - ">= 2.5.2"
+related:
+  url:
+    - https://github.com/guard/guard-livereload/issues/159
+    - https://nvd.nist.gov/vuln/detail/CVE-2016-1000305
+notes: |
+  This vulnerability was assigned CVE-2016-1000305 by the DWF (Distributed Weakness Filing)
+  project. The gem has not been released after fixing this vulnerability in version 2.5.2.
+  Users should consider migrating to rack-livereload as an alternative.
diff --git a/spec/gem_advisory_example.rb b/spec/gem_advisory_example.rb
@@ -37,16 +37,56 @@
 
     describe "versions" do
       it "assumes that future versions will be patched" do
+        patched_versions = advisory['patched_versions'] || []
         unaffected_versions = advisory['unaffected_versions'] || []
-        patched_versions    = advisory['patched_versions'] || []
-
-        versions = (unaffected_versions + patched_versions).sort_by do |v|
-          Gem::Version.new(v.match(/[0-9.]+\.\d+/)[0])
-        end
 
         # If a gem is unpatched this test makes no sense
         unless patched_versions.none?
-          expect(versions.last).to match(/^(?:>=|>) /)
+          # Sort only patched versions and check if the highest one indicates future versions are patched
+          sorted_patched_versions = patched_versions.sort_by do |v|
+            # Extract version number more robustly
+            version_match = v.match(/([0-9]+(?:\.[0-9]+)*(?:\.[a-zA-Z0-9]+)*)/)
+            if version_match
+              begin
+                Gem::Version.new(version_match[1])
+              rescue ArgumentError
+                # If version parsing fails, use the original string for sorting
+                Gem::Version.new("0.0.0")
+              end
+            else
+              Gem::Version.new("0.0.0")
+            end
+          end
+
+          # The highest patched version should indicate that future versions are also patched
+          # This means it should use >= or > operators, or contain >= in compound requirements
+          # UNLESS there are unaffected_versions that indicate the vulnerability doesn't exist in newer versions
+          highest_patched = sorted_patched_versions.last
+
+          # Check if there are unaffected versions that are higher than the patched versions
+          # This indicates the vulnerability was fixed in a specific range but doesn't exist in newer versions
+          has_higher_unaffected = false
+          unless unaffected_versions.empty?
+            unaffected_versions.each do |unaffected|
+              if unaffected.match(/^>=?\s*([0-9]+(?:\.[0-9]+)*)/)
+                # This indicates newer versions are unaffected, so the test doesn't apply
+                has_higher_unaffected = true
+                break
+              end
+            end
+          end
+
+          # Skip the test if there are higher unaffected versions
+          unless has_higher_unaffected
+            # Check if the version requirement indicates future versions are patched
+            # This can be: ">= x.y.z", "> x.y.z", or compound like "~> x.y.z, >= x.y.z.w"
+            future_versions_patched = highest_patched.match(/^(?:>=|>) /) || 
+                                     highest_patched.include?(', >=') ||
+                                     highest_patched.include?(', >')
+
+            expect(future_versions_patched).to be_truthy, 
+              "Expected highest patched version '#{highest_patched}' to indicate future versions are patched (should use >=, >, or compound requirement with >=)"
+          end
         end
       end
     end