Bug 1816270 (CVE-2020-8130)

Summary: CVE-2020-8130 rake: OS Command Injection via egrep in Rake::FileList
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aos-bugs, bbuckingham, bcourt, bkearney, bmidwood, bmontgom, btotty, dmetzger, eparis, gblomqui, gmccullo, gtanzill, hhudgeon, hvyas, jburrell, jcantril, jhardy, jokerman, kdixon, lavenel, lutter, lzap, mmccune, mtasaka, nstielau, rchan, rjerrido, roliveri, rtillery, ruby-packagers-sig, simaishi, smallamp, sokeeffe, sponnaga, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rake 12.3.3 Doc Type: If docs needed, set a value
Doc Text:
There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|`.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-08 13:48:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1816272, 1819123, 1819124, 1820053, 1823713    
Bug Blocks: 1816273    

Description Pedro Sampaio 2020-03-23 17:15:35 UTC 
There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|`.

Upstream patch:

https://github.com/ruby/rake/commit/5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee

References:

https://hackerone.com/reports/651518
Comment 1 Pedro Sampaio 2020-03-23 17:16:04 UTC 
Created rubygem-rake tracking bugs for this issue:

Affects: fedora-all [bug 1816272]
Comment 3 Yadnyawalk Tale 2020-03-31 09:11:34 UTC 
External References:

https://github.com/advisories/GHSA-jppv-gw3r-w3q8
Comment 9 Hardik Vyas 2020-04-14 10:32:50 UTC 
Statement:

Red Hat CloudForms 5.10 and Red Hat Satellite 6 contains affected rake version, however, it is not vulnerable since it does not use `egrep` after `FileList` loads file with pipe-character, this makes OS injection practically impossible with it's existing Rakefile. Red Hat may update rake in future releases.

The version of rubygem-rake shipped with Red Hat Gluster Storage includes the vulnerable code, but the module FileList is currently not used by the product and hence this issue has been rated as having a security impact of Low for RHGS.
Comment 10 Hardik Vyas 2020-04-14 10:32:56 UTC 
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Comment 19 errata-xmlrpc 2021-11-16 14:07:43 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702