The 1.7.0 release of Bundler fixes an issue where a gem may be installed from a source other than expected if the Gemfile has multiple top-level source lines. This could potentially lead to a malicious gem file being installed.

From the upstream advisory:

"Any Gemfile with multiple top-level source lines cannot reliably control the gem server that a particular gem is fetched from. As a result, Bundler might install the wrong gem if more than one source provides a gem with the same name. This is especially possible in the case of Github's legacy gem server, hosted at gems.github.com. An attacker might create a malicious gem on Rubygems.org with the same name as a commonly-used Github gem. From that point forward, running bundle install might result in the malicious gem being used instead of the expected gem. To mitigate this, the Bundler and Rubygems.org teams worked together to copy almost every gem hosted on gems.github.com to rubygems.org, reducing the number of gems that can be used for such an attack."

Note that upstream indicates that backporting is not practical.

External References:
http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html
Created rubygem-bundler tracking bugs for this issue:

Affects: fedora-all [bug 1146336]
rubygem-bundler-1.7.3-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-bundler-1.7.3-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-bundler-1.7.3-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2015:2180 https://rhn.redhat.com/errata/RHSA-2015-2180.html