Bug 1692520 (CVE-2019-8324)
| Summary: | CVE-2019-8324 rubygems: Installing a malicious gem may lead to arbitrary code execution | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | dajohnso, dmetzger, gblomqui, gmccullo, gtanzill, hhorak, jaruga, jfrey, jhardy, jorton, jprause, jschluet, kdixon, lutter, mastahnke, mtasaka, obarenbo, roliveri, ruby-maint, security-response-team, simaishi, s, tkonishi, vanmeeuwen+fedora, vondruch |
| Target Milestone: | --- | Keywords: | Reopened, Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in RubyGems. A crafted gem with a multi-line name is not handled correctly allowing an attacker to inject arbitrary code to the stub line of gemspec. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-07-12 13:06:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1692530, 1695768, 1695769, 1695771, 1695772, 1695773, 1695774, 1695775, 1695776, 1695777, 1695778, 1695779, 1695781, 1712500, 1837065 | ||
| Bug Blocks: | 1692529 | ||
|
Description
Pedro Sampaio
2019-03-25 19:05:30 UTC
Created rubygems tracking bugs for this issue: Affects: fedora-all [bug 1692530] The changeset in lib/rubygems/installer.rb has the fix for this. See the addition of verify_spec:
```
# The name and require_paths must be verified first, since it could contain
# ruby code that would be eval'ed in #ensure_loadable_spec
verify_spec
```
Red Hat Enterprise Linux 6 does not look impacted based on a look at the source code. I was able to reproduce this on 7 and various software collections. This one seems pretty nasty. A malicious gem can execute shell commands if an install is run on one. I don't believe the gem install process is supposed to execute any of the package code at any point, but I may be mistaken on that. If so, I'd probably downgrade this. Otherwise, leaving at Important as this could lead to root code execution if a user did the lazy sudo gem install. These are the upstream patches: https://github.com/rubygems/rubygems/commit/00ff3037a577889bd1e555966d9e0d17bea8d28d https://github.com/rubygems/rubygems/commit/be3ad330cd1d7403389a3cc53a68b95a0a2b6491 rhvm-appliance presently includes affected versions of ruby, but installation of custom gems is not part of normal operation of the rhvm-appliance. Customers will be able to consume updates from Red Hat Enterprise Linux channels when they are made available. This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2019:1148 https://access.redhat.com/errata/RHSA-2019:1148 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2019:1150 https://access.redhat.com/errata/RHSA-2019:1150 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2019:1151 https://access.redhat.com/errata/RHSA-2019:1151 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:1235 https://access.redhat.com/errata/RHSA-2019:1235 This issue has been addressed in the following products: CloudForms Management Engine 5.10 Via RHSA-2019:1429 https://access.redhat.com/errata/RHSA-2019:1429 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-8324 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1972 https://access.redhat.com/errata/RHSA-2019:1972 External References: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/ https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Advanced Update Support Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions Red Hat Enterprise Linux 7.4 Telco Extended Update Support Via RHSA-2020:2769 https://access.redhat.com/errata/RHSA-2020:2769 |