Bundler through version 1.17.1 creates a directory with insecure permissions in /tmp/ that, in certain circumstances, is used by Bundler to load rubygems, allowing attackers to write malicious libraries to this location and have them executed later. Bundler contains some helper code which creates a temporary directory in case a user's home directory is not present or writable; however, it creates it via a non-randomized path, `/tmp/bundler/home/username`. Permissions for this directory are 0777, which allows an attacker to create a subdirectory with an arbitrary username. Bundler processes started under an effective user without a home directory will load rubygems from this attacker-writable location, allowing for code execution.
Acknowledgments: Name: Lukáš Zapletal (Red Hat)
Introduced by: https://github.com/bundler/bundler/commit/2dfb263b0f

It seems the first upstream release including this vuln was 1.14.
Doran, isn't https://github.com/bundler/bundler/commit/02e7f67727b45 (predating 2dfb263b0f) also vulnerable? Even if the home is created without 0777, the attacker should still be able to create the path beforehand so that they own it.
Statement: The version of rubygem-bundler provided in 'Red Hat Gluster Storage 3' does not contain the vulnerable functionality and is not affected by this vulnerability.
In reply to comment #6:
> Doran, isn't https://github.com/bundler/bundler/commit/02e7f67727b45
> (predating 2dfb263b0f) also vulnerable? Even if the home is created without
> 0777, the attacker should still be able to create the path beforehand so
> that they own it

You are correct - mkdir_p() will succeed if the directory already exists.
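Added example (not Bundler's, Debian's or Red Hat's code) contrasting the fallback-home pattern from the description and comment #6 with a hardened variant, plus a check that flags the conditions that make the predictable directory unsafe to load gems from. Function names and the `base` directory are hypothetical; the real path in the report is `/tmp/bundler/home/username`.

```ruby
require "fileutils"
require "tmpdir"

# Vulnerable shape, modelled on the report: a fixed, non-randomized path whose
# shared parent is chmod 0777. mkdir_p succeeds on a pre-existing directory,
# so whoever created the path first owns it (the point made in comment #6).
def predictable_fallback_home(base, user)
  parent = File.join(base, "bundler", "home")
  FileUtils.mkdir_p(parent)
  FileUtils.chmod(0o777, parent)
  home = File.join(parent, user)
  FileUtils.mkdir_p(home)
  home
end

# Hardened shape: a randomized directory created with mode 0700 by
# Dir.mktmpdir; ownership and mode are re-checked before it is trusted.
def randomized_fallback_home(base)
  home = Dir.mktmpdir("bundler-home-", base)
  st = File.stat(home)
  unless st.uid == Process.euid && (st.mode & 0o077).zero?
    raise "untrusted fallback home #{home}"
  end
  home
end

# Audit check: returns the reasons a candidate home must not be used for
# loading gems; an empty array means it passed every check.
def fallback_home_findings(home)
  return ["missing"] unless File.directory?(home)
  findings = []
  st = File.lstat(home)
  findings << "symlink" if st.symlink?
  findings << "not owned by euid #{Process.euid}" unless st.uid == Process.euid
  unless (st.mode & 0o022).zero?
    findings << "group/world writable (mode #{format('%04o', st.mode & 0o7777)})"
  end
  parent = File.dirname(home)
  pst = File.stat(parent)
  if pst.world_writable? && !pst.sticky?
    findings << "parent #{parent} world-writable without sticky bit"
  end
  findings
end
```

A sticky, world-writable parent such as /tmp itself passes the parent check; the 0777 `bundler/home` directory does not.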
Upstream issue: https://github.com/bundler/bundler/issues/6501

Patches used by Debian:
https://sources.debian.org/src/bundler/1.17.3-3/debian/patches/0005-Don-t-use-insecure-temporary-directory-as-home-direc.patch/
https://sources.debian.org/src/bundler/1.17.3-3/debian/patches/0006-Remove-temporary-home-directories.patch/
Created rubygem-bundler tracking bugs for this issue:

Affects: epel-6 [bug 1734214]
Affects: fedora-all [bug 1734213]
Upstream has fixed the issue: https://github.com/rubygems/bundler/pull/7416/files
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2230 https://access.redhat.com/errata/RHSA-2021:2230
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-3881
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:2588 https://access.redhat.com/errata/RHSA-2021:2588