[DRE-maint] Bug#1138259: ruby-view-component: CVE-2026-44836 CVE-2026-44837
Salvatore Bonaccorso
carnil at debian.org
Sat May 30 09:14:19 BST 2026
Source: ruby-view-component
Version: 4.8.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerabilities were published for ruby-view-component.
CVE-2026-44836[0]:
| view_component is a framework for building reusable, testable, and
| encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0,
| the preview route derives an example name from the URL and calls it
| with public_send. The code does not verify that the requested method
| is one of the preview examples explicitly defined by the preview
| class. As a result, inherited public methods on
| ViewComponent::Preview are route-reachable. The most important one
| is render_with_template, which accepts template: and locals:. Those
| values can come from request params and are later passed to Rails as
| render template:. If previews are exposed, an attacker can render
| internal Rails templates that are not otherwise routable. This
| vulnerability is fixed in 4.9.0.
CVE-2026-44837[1]:
| view_component is a framework for building reusable, testable, and
| encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0,
| the system test entrypoint canonicalizes a user-controlled file path
| with File.realpath, then checks whether the resolved path starts
| with the temp directory path. This is not a safe containment check
| because sibling directories can share the same string prefix. This
| vulnerability is fixed in 4.9.0.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-44836
https://www.cve.org/CVERecord?id=CVE-2026-44836
[1] https://security-tracker.debian.org/tracker/CVE-2026-44837
https://www.cve.org/CVERecord?id=CVE-2026-44837
Regards,
Salvatore
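Added illustration (not part of the bug report, and not view_component's own code): a small Ruby script showing the two defensive checks the CVE texts above imply. For CVE-2026-44836 it builds an explicit allow-list of example methods defined on the preview class itself before calling public_send, so an inherited helper such as render_with_template is rejected. For CVE-2026-44837 it places the string-prefix containment check beside a component-wise check, using a constructed temp directory with a "previews" root and a "previews-evil" sibling to show why the prefix check is not a containment check. Class names, method names and the directory layout are assumed for the demonstration.

```ruby
require "pathname"
require "tmpdir"
require "fileutils"

# Constructed sample classes mirroring the shape described in the CVE text
# (assumed names; not view_component's own code).
class PreviewBase
  # Inherited helper: must not be reachable from the preview route.
  def render_with_template(template: nil, locals: {})
    "rendered template=#{template.inspect}"
  end
end

class ButtonPreview < PreviewBase
  def default
    "button/default"
  end

  def disabled
    "button/disabled"
  end
end

# Explicit allow-list: only public methods defined on the preview class
# itself, never anything inherited from the base class.
def preview_examples(klass)
  klass.public_instance_methods(false).map(&:to_s).sort
end

# Dispatch a URL-derived example name only if it is on the allow-list.
def dispatch_example(klass, name)
  return [:rejected, name] unless preview_examples(klass).include?(name)
  [:ok, klass.new.public_send(name)]
end

# Weak containment check as described in the CVE: realpath, then a string
# prefix test. A sibling "previews-evil" shares the prefix "previews".
def prefix_contained?(root, path)
  File.realpath(path).start_with?(File.realpath(root))
rescue Errno::ENOENT
  false
end

# Safer containment: compare whole path components, so only true
# descendants of root (or root itself) pass.
def descendant_of?(root, path)
  root_p = Pathname.new(File.realpath(root))
  Pathname.new(File.realpath(path)).ascend.any? { |p| p == root_p }
rescue Errno::ENOENT
  false
end

# Build a constructed layout under a fresh temp dir and run both checks,
# returning the results so they can be inspected or asserted.
def containment_demo
  Dir.mktmpdir("vc-demo") do |base|
    root    = File.join(base, "previews")
    sibling = File.join(base, "previews-evil")
    FileUtils.mkdir_p([root, sibling])
    inside  = File.join(root, "ok.html.erb")
    outside = File.join(sibling, "secret.html.erb")
    FileUtils.touch([inside, outside])
    {
      weak_inside:  prefix_contained?(root, inside),
      weak_outside: prefix_contained?(root, outside),  # true: the flaw
      safe_inside:  descendant_of?(root, inside),
      safe_outside: descendant_of?(root, outside)      # false: rejected
    }
  end
end

if __FILE__ == $0
  p preview_examples(ButtonPreview)
  p dispatch_example(ButtonPreview, "default")
  p dispatch_example(ButtonPreview, "render_with_template")
  p containment_demo
end
```

The allow-list is derived with public_instance_methods(false), which deliberately excludes inherited methods; the containment check walks the resolved path's ancestors with Pathname#ascend rather than comparing characters, so a sibling directory whose name merely extends the root's name cannot pass.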