Bug 1651826 (CVE-2019-3881)
| Summary: | CVE-2019-3881 rubygem-bundler: Insecure permissions on directory in /tmp/ allows for execution of malicious code | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | amackenz, amasferr, besser82, bkearney, cbillett, cbuissar, chazlett, dmoppert, drieden, hhorak, jorton, lzap, mkudlej, mmorsi, mo, ruby-maint, security-response-team, shreyankg, sisharma, ssaha, s, strzibny, tjochec, tomckay, vondruch |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | bundler 2.1.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in this directory that would be later loaded and executed. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-06-03 11:32:04 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1734213, 1734214, 1734215, 1734216, 1931264, 1953046, 1954969 | | |
| Bug Blocks: | 1651827, 1997390 | | |
Description

Sam Fowler 2018-11-21 00:38:38 UTC

Acknowledgments:

Name: Lukáš Zapletal (Red Hat)

Introduced by: https://github.com/bundler/bundler/commit/2dfb263b0f

It seems the first upstream release including this vuln was 1.14.

Doran, isn't https://github.com/bundler/bundler/commit/02e7f67727b45 (predating 2dfb263b0f) also vulnerable? Even if the home is created without 0777, the attacker should still be able to create the path beforehand so that they own it.

Statement: The version of rubygem-bundler provided in 'Red Hat Gluster Storage 3' does not contain the vulnerable functionality and is not affected by this vulnerability.

In reply to comment #6:
> Doran, isn't https://github.com/bundler/bundler/commit/02e7f67727b45
> (predating 2dfb263b0f) also vulnerable? Even if the home is created without
> 0777, the attacker should still be able to create the path beforehand so
> that they own it

You are correct - mkdir_p() will succeed if the directory already exists.

Upstream issue: https://github.com/bundler/bundler/issues/6501

Patches used by Debian:
https://sources.debian.org/src/bundler/1.17.3-3/debian/patches/0005-Don-t-use-insecure-temporary-directory-as-home-direc.patch/
https://sources.debian.org/src/bundler/1.17.3-3/debian/patches/0006-Remove-temporary-home-directories.patch/

Created rubygem-bundler tracking bugs for this issue:

Affects: epel-6 [bug 1734214]
Affects: fedora-all [bug 1734213]

Upstream has fixed the issue: https://github.com/rubygems/bundler/pull/7416/files

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2230 https://access.redhat.com/errata/RHSA-2021:2230

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-3881

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:2588 https://access.redhat.com/errata/RHSA-2021:2588
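Added example (not from the bug report or from Bundler's own code): a Ruby check for the condition comment 6 describes, that mkdir_p succeeds on a directory someone else created beforehand, together with an unpredictable mode-0700 fallback in place of a fixed /tmp path. The function names, the directory prefix and the home-writability test are assumptions of this example.

```ruby
require "fileutils"
require "tmpdir"

# Validate that +path+ is a private directory belonging to the current user.
# FileUtils.mkdir_p reports success when the directory already exists, so a
# directory that another user created beforehand (the case raised in
# comment 6) has to be caught afterwards by inspecting the directory itself:
#   * lstat, not stat, so a symlink planted at the path is not followed;
#   * the owner must be the current effective uid;
#   * no group/other permission bits may be set.
# Returns +path+ on success and raises RuntimeError otherwise.
def secure_private_dir(path)
  FileUtils.mkdir_p(path, mode: 0o700)
  st = File.lstat(path)
  raise "#{path} is not a plain directory (symlink?)" unless st.directory?
  raise "#{path} is owned by uid #{st.uid}, not #{Process.euid}" unless st.uid == Process.euid
  perm = st.mode & 0o777
  raise format("%s is reachable by group/others (mode %04o)", path, perm) unless (perm & 0o077).zero?
  path
end

# Instead of a fixed, guessable path under /tmp, allocate a fresh directory
# with a random name (Dir.mktmpdir creates it mode 0700) and verify it the
# same way. The prefix is an assumption of this example.
def safe_fallback_home(prefix = "private-home-")
  secure_private_dir(Dir.mktmpdir(prefix))
end

# The fallback decision the Doc Text describes, hardened: use the home
# directory when it is writable, otherwise a verified private directory
# rather than a predictable /tmp location. +home+ defaults to the HOME of
# the current process (assumed here; the real selection logic is Bundler's).
def choose_home_dir(home = Dir.home)
  return home if File.directory?(home) && File.writable?(home)
  safe_fallback_home
end
```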