Bug 1692512 (CVE-2019-8320) - CVE-2019-8320 rubygems: Delete directory using symlink when decompressing tar
Summary: CVE-2019-8320 rubygems: Delete directory using symlink when decompressing tar
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-8320
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190305,repor...
Depends On: 1695151 1695153 1695156 1692530 1695152 1695154 1695155 1696151 1700309 1700315 1713057
Blocks: 1692529
TreeView+ depends on / blocked
 
Reported: 2019-03-25 18:42 UTC by Pedro Sampaio
Modified: 2019-06-11 05:32 UTC (History)
22 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:51:48 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1148 None None None 2019-05-13 09:02:47 UTC
Red Hat Product Errata RHSA-2019:1150 None None None 2019-05-13 09:18:53 UTC
Red Hat Product Errata RHSA-2019:1429 None None None 2019-06-11 05:32:36 UTC
JBoss Issue Tracker THREESCALE-2164 Major New Rebuild of AMP system, zync, backend for rubygems CVEs 2019-08-23 06:49:45 UTC

Description Pedro Sampaio 2019-03-25 18:42:10 UTC
A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user’s machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could likely lead to data loss or an unusable system.

Upstream patch:

https://bugs.ruby-lang.org/attachments/7669

References:

https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html

Comment 1 Pedro Sampaio 2019-03-25 19:15:29 UTC
Created rubygems tracking bugs for this issue:

Affects: fedora-all [bug 1692530]

Comment 2 Scott Gayou 2019-04-02 14:52:09 UTC
The patch for this appears to be in the function: `def install_location(filename, destination_dir)`

Comment for function: `If +filename+ is not inside +destination_dir+ an exception is raised.`

i.e., the fix:

```ruby
    begin
      real_destination = File.expand_path(File.realpath(destination))
    rescue
      # it's fine if the destination doesn't exist, because rm -rf'ing it can't cause any damage
      nil
    else
      raise Gem::Package::PathError.new(real_destination, destination_dir) unless
        real_destination.start_with? destination_dir + '/'
    end
```

Thus, according to my weak ruby-fu, it looks like symlinks weren't checked against beforehand. Thus, a symlink could be in destination_dir and "pass" when it should fail, as the system would then resolve the symlink to a location potentially outside of destination dir.

Comment 5 Scott Gayou 2019-04-02 15:21:43 UTC
RHEL7 and a few other versions impacted. While it appears the flaw was discovered in 2.7.6, upstream seems to indicate that this goes back to at least 2.3, which looks correct.

Comment 8 Vít Ondruch 2019-04-09 10:52:40 UTC
I don't think this is vulnerability, which could be exploited. I opened upstream ticket to revert the "fix":

https://github.com/rubygems/rubygems/pull/2722

Comment 13 errata-xmlrpc 2019-05-13 09:02:45 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1148 https://access.redhat.com/errata/RHSA-2019:1148

Comment 14 errata-xmlrpc 2019-05-13 09:18:52 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1150 https://access.redhat.com/errata/RHSA-2019:1150

Comment 17 errata-xmlrpc 2019-06-11 05:32:34 UTC
This issue has been addressed in the following products:

  CloudForms Management Engine 5.10

Via RHSA-2019:1429 https://access.redhat.com/errata/RHSA-2019:1429


Note You need to log in before you can comment on or make changes to this bug.