Bug 1692512 (CVE-2019-8320)

Summary: CVE-2019-8320 rubygems: Delete directory using symlink when decompressing tar
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: dajohnso, dmetzger, gblomqui, gmccullo, gtanzill, hhorak, jfrey, jhardy, jorton, jprause, kdixon, lutter, mastahnke, mtasaka, obarenbo, roliveri, ruby-maint, simaishi, s, tkonishi, vanmeeuwen+fedora, vondruch
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:51:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1692530, 1695151, 1695152, 1695153, 1695154, 1695155, 1695156, 1696151, 1700309, 1700315, 1713057
Bug Blocks: 1692529

Description Pedro Sampaio 2019-03-25 18:42:10 UTC
A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user’s machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could likely lead to data loss or an unusable system.

Upstream patch:

https://bugs.ruby-lang.org/attachments/7669

References:

https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html

Comment 1 Pedro Sampaio 2019-03-25 19:15:29 UTC
Created rubygems tracking bugs for this issue:

Affects: fedora-all [bug 1692530]

Comment 2 Scott Gayou 2019-04-02 14:52:09 UTC
The patch for this appears to be in the function: `def install_location(filename, destination_dir)`

Comment for function: `If +filename+ is not inside +destination_dir+ an exception is raised.`

i.e., the fix:

```ruby
    begin
      real_destination = File.expand_path(File.realpath(destination))
    rescue
      # it's fine if the destination doesn't exist, because rm -rf'ing it can't cause any damage
      nil
    else
      raise Gem::Package::PathError.new(real_destination, destination_dir) unless
        real_destination.start_with? destination_dir + '/'
    end
```

Thus, according to my weak ruby-fu, it looks like symlinks weren't checked against beforehand. Thus, a symlink could be in destination_dir and "pass" when it should fail, as the system would then resolve the symlink to a location potentially outside of destination dir.
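
The following is a runnable illustration of the delete-through-symlink described in the bug summary and of the lexical-versus-realpath check discussed in the comment above. It is an example added here, not code from RubyGems or from this comment: it keeps the shape of `install_location` but uses stand-in names (`install_location_lexical`, `install_location_realpath`, a local `PathError` class) and a constructed layout, namely a temporary install directory that already contains a symlink `lib` pointing to a directory outside it, plus a tar entry named `lib/victim.txt`. The extraction order it replays (check the path, then `FileUtils.rm_rf` the destination) is the one the description attributes to the vulnerable versions; the tar reading itself is omitted.

```ruby
require 'fileutils'
require 'tmpdir'

# Stand-in for Gem::Package::PathError (constructed for this example).
class PathError < StandardError
  def initialize(path, destination_dir)
    super("installing into parent path #{path} of #{destination_dir} is not allowed")
  end
end

# Lexical check only, as before the fix. File.expand_path collapses ".."
# components but never consults the filesystem, so a symlink anywhere in the
# path is invisible to it.
def install_location_lexical(filename, destination_dir)
  raise PathError.new(filename, destination_dir) if filename.start_with?('/')

  destination_dir = File.expand_path(destination_dir)
  destination = File.expand_path(File.join(destination_dir, filename))

  raise PathError.new(destination, destination_dir) unless
    destination.start_with?(destination_dir + '/')

  destination
end

# The extra check from the fix: if something already exists at the
# destination, resolve symlinks with File.realpath and require the real
# location to be inside destination_dir as well. (The upstream snippet uses a
# bare rescue; SystemCallError is used here to catch only ENOENT and friends.)
def install_location_realpath(filename, destination_dir)
  destination = install_location_lexical(filename, destination_dir)
  destination_dir = File.expand_path(destination_dir)

  begin
    real_destination = File.expand_path(File.realpath(destination))
  rescue SystemCallError
    # Nothing exists at the destination yet, so rm -rf'ing it cannot do damage.
    nil
  else
    raise PathError.new(real_destination, destination_dir) unless
      real_destination.start_with?(destination_dir + '/')
  end

  destination
end

# Replays the vulnerable extraction order (path check, then rm -rf of the
# destination) for the constructed entry "lib/victim.txt", with a pre-existing
# symlink install_dir/lib -> <directory outside install_dir>. Returns whether
# the checker raised and whether the file outside the install dir survived.
def simulate_rm_rf_through_symlink(checker)
  Dir.mktmpdir do |tmp|
    root = File.realpath(tmp) # canonicalise so a symlinked tmpdir does not skew the demo
    install_dir = File.join(root, 'gems', 'evil-1.0')
    outside_dir = File.join(root, 'outside')
    FileUtils.mkdir_p(install_dir)
    FileUtils.mkdir_p(outside_dir)

    victim = File.join(outside_dir, 'victim.txt')
    File.write(victim, 'precious data')
    File.symlink(outside_dir, File.join(install_dir, 'lib')) # the pre-existing symlink

    begin
      destination = send(checker, 'lib/victim.txt', install_dir)
      FileUtils.rm_rf(destination) # the pre-write delete this CVE is about
      { raised: false, victim_survived: File.exist?(victim) }
    rescue PathError
      { raised: true, victim_survived: File.exist?(victim) }
    end
  end
end

if $PROGRAM_NAME == __FILE__
  p simulate_rm_rf_through_symlink(:install_location_lexical)  # victim deleted through the symlink
  p simulate_rm_rf_through_symlink(:install_location_realpath) # PathError raised, victim survives
end
```

With the lexical check the entry passes and `rm_rf` follows `install_dir/lib` out to the other directory; with the realpath check the resolved path fails the prefix test and nothing is deleted. One caveat visible in the check itself: it compares the resolved destination against an expanded but unresolved `destination_dir`, so an install directory that is itself a symlink would trip the check for every existing file, which is why the example canonicalises its temporary root with `File.realpath` before use.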

Comment 5 Scott Gayou 2019-04-02 15:21:43 UTC
RHEL7 and a few other versions impacted. While it appears the flaw was discovered in 2.7.6, upstream seems to indicate that this goes back to at least 2.3, which looks correct.

Comment 8 Vít Ondruch 2019-04-09 10:52:40 UTC
I don't think this is a vulnerability which could be exploited. I opened an upstream ticket to revert the "fix":

https://github.com/rubygems/rubygems/pull/2722

Comment 13 errata-xmlrpc 2019-05-13 09:02:45 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1148 https://access.redhat.com/errata/RHSA-2019:1148

Comment 14 errata-xmlrpc 2019-05-13 09:18:52 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1150 https://access.redhat.com/errata/RHSA-2019:1150

Comment 17 errata-xmlrpc 2019-06-11 05:32:34 UTC
This issue has been addressed in the following products:

  CloudForms Management Engine 5.10

Via RHSA-2019:1429 https://access.redhat.com/errata/RHSA-2019:1429