Bug 1692520 (CVE-2019-8324) - CVE-2019-8324 rubygems: Installing a malicious gem may lead to arbitrary code execution
Summary: CVE-2019-8324 rubygems: Installing a malicious gem may lead to arbitrary code...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-8324
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1695772 1692530 1695768 1695769 1695771 1695773 1695774 1695775 1695776 1695777 1695778 1695779 1695781 1712500
Blocks: 1692529
TreeView+ depends on / blocked
 
Reported: 2019-03-25 19:05 UTC by Pedro Sampaio
Modified: 2019-09-29 15:09 UTC (History)
25 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-12 13:06:50 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:1402 None None None 2019-06-07 03:19:11 UTC
Red Hat Product Errata RHBA-2019:1463 None None None 2019-06-12 04:30:17 UTC
Red Hat Product Errata RHSA-2019:1148 None None None 2019-05-13 09:02:54 UTC
Red Hat Product Errata RHSA-2019:1150 None None None 2019-05-13 09:18:57 UTC
Red Hat Product Errata RHSA-2019:1151 None None None 2019-05-13 09:23:00 UTC
Red Hat Product Errata RHSA-2019:1235 None None None 2019-05-15 17:53:14 UTC
Red Hat Product Errata RHSA-2019:1429 None None None 2019-06-11 05:32:43 UTC
Red Hat Product Errata RHSA-2019:1972 None None None 2019-07-30 15:59:58 UTC
JBoss Issue Tracker THREESCALE-2164 Major New Rebuild of AMP backend for rubygems CVEs (Due June 12, 2019) 2019-08-28 05:18:29 UTC

Description Pedro Sampaio 2019-03-25 19:05:30 UTC
An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.

Upstream patch:

https://bugs.ruby-lang.org/attachments/7669

References:

https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html

Comment 1 Pedro Sampaio 2019-03-25 19:14:42 UTC
Created rubygems tracking bugs for this issue:

Affects: fedora-all [bug 1692530]

Comment 2 Scott Gayou 2019-04-02 17:02:13 UTC
The changeset in lib/rubygems/installer.rb has the fix for this. See the addition of verify_spec:

```
    # The name and require_paths must be verified first, since it could contain
    # ruby code that would be eval'ed in #ensure_loadable_spec
    verify_spec
```

Comment 4 Scott Gayou 2019-04-03 18:02:20 UTC
Red Hat Enterprise Linux 6 does not look impacted based on a look at the source code. I was able to reproduce this on 7 and various software collections.

This one seems pretty nasty. A malicious gem can execute shell commands if an install is run on one. I don't believe the gem install process is supposed to execute any of the package code at any point, but I may be mistaken on that. If so, I'd probably downgrade this.

Otherwise, leaving at Important as this could lead to root code execution if a user did the lazy sudo gem install.

Comment 9 Doran Moppert 2019-04-29 05:57:43 UTC
rhvm-appliance presently includes affected versions of ruby, but installation of custom gems is not part of normal operation of the rhvm-appliance. Customers will be able to consume updates from Red Hat Enterprise Linux channels when they are made available.

Comment 10 errata-xmlrpc 2019-05-13 09:02:53 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1148 https://access.redhat.com/errata/RHSA-2019:1148

Comment 11 errata-xmlrpc 2019-05-13 09:18:56 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1150 https://access.redhat.com/errata/RHSA-2019:1150

Comment 12 errata-xmlrpc 2019-05-13 09:22:59 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1151 https://access.redhat.com/errata/RHSA-2019:1151

Comment 13 errata-xmlrpc 2019-05-15 17:53:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1235 https://access.redhat.com/errata/RHSA-2019:1235

Comment 20 errata-xmlrpc 2019-06-11 05:32:42 UTC
This issue has been addressed in the following products:

  CloudForms Management Engine 5.10

Via RHSA-2019:1429 https://access.redhat.com/errata/RHSA-2019:1429

Comment 21 Product Security DevOps Team 2019-07-12 13:06:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-8324

Comment 22 errata-xmlrpc 2019-07-30 15:59:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1972 https://access.redhat.com/errata/RHSA-2019:1972


Note You need to log in before you can comment on or make changes to this bug.