Bug 1692512 (CVE-2019-8320)
Summary: | CVE-2019-8320 rubygems: Delete directory using symlink when decompressing tar | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | dajohnso, dmetzger, gblomqui, gmccullo, gtanzill, hhorak, jfrey, jhardy, jorton, jprause, kdixon, lutter, mastahnke, mtasaka, obarenbo, roliveri, ruby-maint, simaishi, s, tkonishi, vanmeeuwen+fedora, vondruch |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2019-06-10 10:51:48 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1692530, 1695151, 1695152, 1695153, 1695154, 1695155, 1695156, 1696151, 1700309, 1700315, 1713057 | | |
Bug Blocks: | 1692529 | | |
Description
Pedro Sampaio
2019-03-25 18:42:10 UTC
Created rubygems tracking bugs for this issue:

Affects: fedora-all [bug 1692530]

The patch for this appears to be in the function: `def install_location(filename, destination_dir)`

Comment for function: `If +filename+ is not inside +destination_dir+ an exception is raised.`

i.e., the fix:

```ruby
begin
  real_destination = File.expand_path(File.realpath(destination))
rescue
  # it's fine if the destination doesn't exist, because rm -rf'ing it can't cause any damage
  nil
else
  raise Gem::Package::PathError.new(real_destination, destination_dir) unless real_destination.start_with? destination_dir + '/'
end
```

Thus, according to my weak ruby-fu, it looks like symlinks weren't checked against beforehand. Thus, a symlink could be in destination_dir and "pass" when it should fail, as the system would then resolve the symlink to a location potentially outside of destination dir.

RHEL7 and a few other versions are impacted. While it appears the flaw was discovered in 2.7.6, upstream seems to indicate that this goes back to at least 2.3, which looks correct.

I don't think this is a vulnerability which could be exploited. I opened an upstream ticket to revert the "fix": https://github.com/rubygems/rubygems/pull/2722

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Via RHSA-2019:1148 https://access.redhat.com/errata/RHSA-2019:1148

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Via RHSA-2019:1150 https://access.redhat.com/errata/RHSA-2019:1150

This issue has been addressed in the following products:
CloudForms Management Engine 5.10
Via RHSA-2019:1429 https://access.redhat.com/errata/RHSA-2019:1429
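The symlink problem discussed in the comments above, as an added, self-contained illustration that is not rubygems' own code: a textual containment check beside a realpath-based one, run against a constructed extraction directory that already contains a symlink pointing outside it. The function names, the `PathError` class and the walk up to the nearest existing ancestor (which also catches a symlinked parent directory, going beyond the quoted fix) are this example's own assumptions.

```ruby
require "tmpdir"
# Raised when an entry would be placed outside the extraction directory.
class PathError < StandardError; end

# Textual containment check only: a symlink already present inside
# destination_dir is never resolved, so the path "passes" on paper.
def naive_install_location(filename, destination_dir)
  destination_dir = File.expand_path(destination_dir)
  destination = File.expand_path(File.join(destination_dir, filename))
  unless destination.start_with?(destination_dir + "/")
    raise PathError, "#{filename} is outside #{destination_dir}"
  end
  destination
end

# Same check, but the existing part of the target is resolved with
# File.realpath first, so a symlink planted in destination_dir is caught.
def safe_install_location(filename, destination_dir)
  destination_dir = File.realpath(destination_dir)
  destination = naive_install_location(filename, destination_dir)
  existing, rest = destination, []
  # File.realpath raises for missing paths: walk up to the nearest
  # existing ancestor and re-append the not-yet-created tail.
  until File.exist?(existing)
    rest.unshift(File.basename(existing))
    existing = File.dirname(existing)
  end
  real_destination = File.join(File.realpath(existing), *rest)
  unless real_destination.start_with?(destination_dir + "/")
    raise PathError, "#{filename} resolves to #{real_destination}"
  end
  destination
end

# Constructed scenario: a symlink "pkg" inside the extraction directory
# points at a directory outside it. Returns [naive, safe]: true means the
# check accepted the entry "pkg/evil.rb".
def demo_symlink_escape
  Dir.mktmpdir do |root|
    outside, dest = File.join(root, "outside"), File.join(root, "dest")
    Dir.mkdir(outside); Dir.mkdir(dest)
    File.symlink(outside, File.join(dest, "pkg"))
    %i[naive_install_location safe_install_location].map do |check|
      begin
        send(check, "pkg/evil.rb", dest) && true
      rescue PathError
        false
      end
    end
  end
end
```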