Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.

References:
https://github.com/rubygems/rubygems/issues/3982
https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html
https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/
https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/
Created rubygem-bundler tracking bugs for this issue: Affects: fedora-all [bug 1959000]
Created ruby tracking bugs for this issue: Affects: fedora-all [bug 1960172] Created ruby:2.7/ruby tracking bugs for this issue: Affects: fedora-all [bug 1960174] Created ruby:master/ruby tracking bugs for this issue: Affects: fedora-all [bug 1960175]
Note that this is not fixed in bundler 2.2.16. This was reported fixed in 2.2.10, but fixes were reverted in the 2.2.11 released only two days later. The current bundler version 2.2.17 remains unfixed.
An upstream PR for a new proper fix for this issue: https://github.com/rubygems/rubygems/pull/4609
This issue was fixed in Bundler 2.2.18: https://github.com/rubygems/rubygems/blob/bundler-v2.2.18/bundler/CHANGELOG.md
https://github.com/rubygems/rubygems/pull/4609#issuecomment-851423668 Just FTR, I have queried Bundler upstream what they think about possible backport. However, they might leave it up to Ruby maintainers.
Note that this is what bundler documentation states regarding the handling of gems with explicitly defined source, and their dependencies: https://bundler.io/man/gemfile.5.html#SOURCE

"""
You can select an alternate Rubygems repository for a gem using the ':source' option.

gem "some_internal_gem", :source => "https://gems.example.com"

This forces the gem to be loaded from this source and ignores any global sources declared at the top level of the file. If the gem does not exist in this source, it will not be installed.

Bundler will search for child dependencies of this gem by first looking in the source selected for the parent, but if they are not found there, it will fall back on global sources using the ordering described in SOURCE PRIORITY.
"""

That documentation indicates that dependencies should only be installed from a different source if not found in the same source as the gem with an explicitly defined source. Note that fallback to the use of global sources in case when the private source does not provide the dependency is needed so that source-restricted gems can depend on gems from public repos such as RubyGems.org.
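As an added example (not code from Bundler or from this bug report), a small Ruby audit over a constructed Gemfile.lock: it lists every dependency of a gem pinned to a non-public remote that ended up resolved from a different remote, which is exactly the fallback path the quoted documentation describes and the one this flaw abuses. The lockfile contents, gem names and remotes are made up, and the list of public remotes is an assumption.

```ruby
# Constructed Gemfile.lock excerpt (not from a real project): "some_internal_gem" is
# pinned to the private remote, yet its dependency "internal_helper" resolved publicly.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      internal_helper (9.9.9)
      rake (13.0.6)
  GEM
    remote: https://gems.example.com/
    specs:
      some_internal_gem (1.0.0)
        internal_helper (~> 1.0)
        rake (>= 12)
LOCK

# Parse the GEM sections into { gem => remote } and { gem => [dependency names] }.
def parse_lock(text)
  source_of = {}
  deps_of = Hash.new { |h, k| h[k] = [] }
  remote = current = nil
  text.each_line do |line|
    case line
    when /\A  remote: (\S+)/ then remote = $1
    when /\A    (\S+) \(/      # 4-space indent: a resolved spec
      current = $1
      source_of[current] = remote
    when /\A      (\S+)/       # 6-space indent: a dependency of that spec
      deps_of[current] << $1 if current
    when /\A\S/                # next top-level section (GEM, PLATFORMS, DEPENDENCIES)
      remote = current = nil
    end
  end
  [source_of, deps_of]
end

# Dependencies of gems from a non-public remote that resolved from another remote.
# Legitimate public deps (rake) appear too; private-looking names deserve scrutiny.
def cross_source_deps(text, public_remotes = ["https://rubygems.org/"])
  source_of, deps_of = parse_lock(text)
  source_of.each_with_object([]) do |(name, remote), findings|
    next if public_remotes.include?(remote)
    deps_of[name].each do |dep|
      dep_remote = source_of[dep]
      findings << [name, dep, dep_remote] if dep_remote && dep_remote != remote
    end
  end
end

puts cross_source_deps(LOCKFILE).map { |p, d, r| "#{p} -> #{d} resolved from #{r}" }
```

The lockfile alone cannot tell a legitimate public dependency from a confused one, so the output is a review list, not a verdict.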
(In reply to Vít Ondruch from comment #12) And this is the response: ~~~ This would be pretty hard to backport indeed. It's a big patch and the result of work & refactoring across many versions, for example, it's built on top of #4381 which is also another related security improvement. I guess the only chance would be to completely upgrade bundler on older but still supported rubies like 2.7. ~~~
> Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses

> Note that this is not fixed in bundler 2.2.16. This was reported fixed in 2.2.10, but fixes were reverted in the 2.2.11 released only two days later. The current bundler version 2.2.17 remains unfixed.

> This issue was fixed in Bundler 2.2.18:

Pedro or Tomas. Can you help us to clarify the CVE affected versions of the Bundler? Are the following affected versions correct?

Affected versions:
* version < 1.16.0: not affected
* 1.16.0 <= version <= 2.2.9: affected
* 2.2.10: fixed temporarily
* 2.2.11 <= version <= 2.2.17: affected
* 2.2.18 <= version: fixed. (the latest version is 2.2.19 right now).
(In reply to Jun Aruga from comment #25)
> Pedro or Tomas. Can you help us to clarify the CVE affected versions of the
> Bundler? Are the following affected versions correct?
>
> Affected versions:
> * version < 1.16.0: not affected
> * 1.16.0 <= version <= 2.2.9: affected
> * 2.2.10: fixed temporarily
> * 2.2.11 <= version <= 2.2.17: affected
> * 2.2.18 <= version: fixed. (the latest version is 2.2.19 right now).

This flaw affects bundler versions 1.16.0 onwards through 2.2.17, except 2.2.10, which had a fix that got reverted in 2.2.11. You got that correct, Jun (comment #25).
In reply to comment #25:
> Affected versions:
> * version < 1.16.0: not affected

The information in the official CVE description about 1.16.0 being the first affected version seems to come from the zofrex's blog post: https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/ which actually provides contradicting information - some parts stating only 1.16.0 and later are affected, and other stating all versions starting with 1.7.0 (which introduced ability to restrict gems to specific sources) are affected. There's bundler 1.7.8 shipped in Red Hat Enterprise Linux 7 and I confirmed the problem with that version. Hence I do not see a reason to assume versions between 1.7.0 and 1.16.0 to be unaffected.
OK, thanks for clarifying the affected versions.

> which actually provides contradicting information - some parts stating only 1.16.0 and later are affected, and other stating all versions starting with 1.7.0 (which introduced ability to restrict gems to specific sources) are affected. There's bundler 1.7.8 shipped in Red Hat Enterprise Linux 7 and I confirmed the problem with that version. Hence I do not see a reason to assume versions between 1.7.0 and 1.16.0 to be unaffected.

OK. I will keep the info in mind.
Just FYI: yesterday a PR to upgrade the bundled bundler from 2.2.15 to 2.2.20 (= latest version) was opened by a maintainer on Ruby. https://github.com/ruby/ruby/pull/4569
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3020 https://access.redhat.com/errata/RHSA-2021:3020
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-36327
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3559 https://access.redhat.com/errata/RHSA-2021:3559
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3982 https://access.redhat.com/errata/RHSA-2021:3982
This issue has been addressed in the following products: OpenShift Logging 5.3 Via RHSA-2022:0044 https://access.redhat.com/errata/RHSA-2022:0044
This issue has been addressed in "Red Hat Enterprise Linux 8" via RHSA-2021:3020. In RHSA-2021:3020, ruby 2.7 is updated. The default ruby 2.5 is not updated yet. Could you share the plan of this security update to ruby 2.5?
(In reply to Mark Wang from comment #48)
> This issue has been addressed in "Red Hat Enterprise Linux 8" via
> RHSA-2021:3020.
> In RHSA-2021:3020, ruby 2.7 is updated. The default ruby 2.5 is not updated
> yet.
> Could you share the plan of this security update to ruby 2.5?

Dear Mark,

The fixes for Ruby 2.5 are undergoing testing right now, so the release is imminent (unless some blocker is identified).

Also, please note that the fix for Ruby 2.{5,6} will differ from Ruby 2.7 and will be based on this PR:

https://src.fedoraproject.org/rpms/ruby/pull-request/102
(In reply to Vít Ondruch from comment #49)
> Dear Mark,
>
> The fixes for Ruby 2.5 are undergoing testing right now, so the release is
> imminent (unless some blocker is identified).
>
> Also, please note that the fix for Ruby 2.{5,6} will differ from Ruby 2.7
> and will be based on this PR:
>
> https://src.fedoraproject.org/rpms/ruby/pull-request/102

Thanks!
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:0548 https://access.redhat.com/errata/RHSA-2022:0548
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:0547 https://access.redhat.com/errata/RHSA-2022:0547
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0543 https://access.redhat.com/errata/RHSA-2022:0543
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:0544 https://access.redhat.com/errata/RHSA-2022:0544
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0545 https://access.redhat.com/errata/RHSA-2022:0545
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:0546 https://access.redhat.com/errata/RHSA-2022:0546
Dear Mark, the fixes for RHEL 8 Ruby 2.5 were released today. You can check the documents below. https://access.redhat.com/security/cve/CVE-2020-36327 https://access.redhat.com/articles/6206172
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:0708 https://access.redhat.com/errata/RHSA-2022:0708