Bug 1980132 (CVE-2021-31799) - CVE-2021-31799 rubygem-rdoc: Command injection vulnerability in RDoc
Summary: CVE-2021-31799 rubygem-rdoc: Command injection vulnerability in RDoc
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-31799
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1980567 1980569 1980571 1980838 1980839 1980840 1980842 1980843 1981787 1981788 1995172 1980330 1980568 1980570 1980837 1980841 1986748 1986768 1996669
Blocks: 1980133
 
Reported: 2021-07-07 21:05 UTC by Pedro Sampaio
Modified: 2021-09-20 07:58 UTC

Fixed In Version: rubygem-rdoc 6.3.1, ruby 3.0.2, ruby 2.7.4, ruby 2.6.8
Doc Type: If docs needed, set a value
Doc Text:
An operating system command injection flaw was found in RDoc. Using the rdoc command to generate documentation for a malicious Ruby source code could lead to execution of arbitrary commands with the privileges of the user running rdoc.
Clone Of:
Environment:
Last Closed: 2021-08-05 19:07:10 UTC


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:3130 0 None None None 2021-08-11 04:55:59 UTC
Red Hat Product Errata RHSA-2021:3020 0 None None None 2021-08-05 14:53:50 UTC
Red Hat Product Errata RHSA-2021:3559 0 None None None 2021-09-20 07:58:50 UTC

Description Pedro Sampaio 2021-07-07 21:05:49 UTC
RDoc used to call Kernel#open to open a local file. If a Ruby project has a file whose name starts with | and ends with tags, the command following the pipe character is executed. A malicious Ruby project could exploit it to run an arbitrary command execution against a user who attempts to run rdoc command.

References:

https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/

Comment 1 Yadnyawalk Tale 2021-07-08 05:26:38 UTC
Upstream commit: 
https://github.com/ruby/rdoc/commit/a7f5d6ab88632b3b482fe10611382ff73d14eed7

Comment 3 Tomas Hoger 2021-07-08 09:13:58 UTC
This issue was fixed in RDoc versions distributed with Ruby in Ruby versions 3.0.2, 2.7.4, and 2.6.8:

https://www.ruby-lang.org/en/news/2021/07/07/ruby-3-0-2-released/
https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released/
https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-6-8-released/

Comment 4 Tomas Hoger 2021-07-08 09:16:22 UTC
This issue was introduced in RDoc version 3.11 via the following commit, which added functionality to skip processing of the "tags" files:

https://github.com/ruby/rdoc/commit/4a8b7bed7cd5647db92c620bc6f33e4c309d2212

Comment 6 Tomas Hoger 2021-07-08 21:38:34 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1980570]


Created ruby:2.5/ruby tracking bugs for this issue:

Affects: fedora-34 [bug 1980571]


Created ruby:2.6/ruby tracking bugs for this issue:

Affects: fedora-all [bug 1980567]


Created ruby:2.7/ruby tracking bugs for this issue:

Affects: fedora-all [bug 1980568]


Created ruby:master/ruby tracking bugs for this issue:

Affects: fedora-all [bug 1980569]

Comment 9 Tomas Hoger 2021-07-12 12:15:12 UTC
One potential concern related to this issue can be the fact that by default the gem command uses rdoc to generate documentation for all gems it installs.  However, any gems installed have to be trusted, as code included in those gems gets executed - as part of an application requiring particular gems or even during gem installation.  Therefore, this flaw does not seem to open any new exposure in this use case.

Users who prefer to not have rdoc invoked during gem installation can disable its use using the --no-document command line option for 'gem install' or 'gem update' commands.  Additionally, the --no-document option can be made the default via gemrc configuration file - either user-specific ~/.gemrc or system /etc/gemrc.  Adding the following line to a gemrc file makes --no-document default for all gem sub-commands (including 'install' and 'update'):

gem: --no-document

Note that the --no-document option was added in gem / rubygems version 2.0.0.  For earlier versions options --no-rdoc and --no-ri need to be used instead.  Those options can be made default via a gemrc file in a similar way as noted above.

These concerns do not apply to gem installation using Bundler, as it does not invoke rdoc during package installation.

Comment 11 Yadnyawalk Tale 2021-07-16 08:37:41 UTC
The only active version of Red Hat CloudForms is 5.11 atm, which is also in maintenance support phase already and does not ship ruby or rubygem-rdoc directly.

Comment 13 errata-xmlrpc 2021-08-05 14:53:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3020 https://access.redhat.com/errata/RHSA-2021:3020

Comment 14 Product Security DevOps Team 2021-08-05 19:07:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-31799

Comment 15 Tomas Hoger 2021-08-25 19:44:04 UTC
This issue is currently scored by NVD with the following CVSS score:

9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

There are a few differences in how Red Hat scores this issue, notably:

AV:L - RDoc processes source code that is available locally, this vulnerability is not bound to the network stack.  Per the CVSS scoring guide, this issue is to be considered as Local.  A remote attacker can only exploit this issue by first using some other ways to make their malicious source code available locally to where RDoc will be run.

AC:H - An attacker needs to determine target-specific ways to get their malicious source code on the target system and have it processed by RDoc.  This may involve additional interaction with a victim who will manually run RDoc, implying UI:R.

One generic way to get malicious source code on a target system is via installation of a gem package with the code from a gem package repository (such as rubygems.org) using the gem command, which invokes RDoc on all installed packages by default.  This use case is already discussed in comment 9 above, noting that any package installed this way should be considered trusted.  Code included in those packages is typically executed as part of some Ruby application.  Gem packages can also execute arbitrary code during installation via mechanisms to build native extensions.  Therefore, there does not seem to be any trust boundary crossed in this use case.

This issue seems to have the greatest risk for Ruby code hosting services.  For those, an attacker may need to be authenticated to upload their malicious source code.  Note that these would only be affected if RDoc is invoked from the directory containing the source code; uses where RDoc is invoked from a different directory with the source code directory specified as RDoc command line argument (e.g. 'rdoc /path/to/malicious/code', possibly along with the use of -o option to specify output directory) are not affected.
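
Added example (not part of the bug report and not RDoc's own code): a pre-flight audit a hosting service could run before invoking rdoc on untrusted source. It flags files whose name begins with "|", reports whether the path string would still begin with "|" when seen from the source root (the case the description and comment 15 discuss) or when passed as an absolute argument, and reads file contents with File.open, which never treats a name as a command. The helper names and the sample tree are constructed for illustration, and modelling exposure as "the path string starts with |" is an assumption drawn from the comments above.

```ruby
require 'find'
require 'fileutils'
require 'tmpdir'

# True when a string handed to Kernel#open would be taken as a command
# instead of a file name, i.e. it begins with the pipe character.
def pipe_argument?(path_string)
  path_string.start_with?('|')
end

# Report every regular file under root whose base name begins with "|".
def audit_tree(root)
  findings = []
  Find.find(root) do |path|
    next unless File.file?(path)
    base = File.basename(path)
    next unless pipe_argument?(base)
    rel = path.delete_prefix(root + File::SEPARATOR)
    findings << {
      relative: rel,
      matches_advisory: base.end_with?('tags'),   # the "|...tags" shape
      exposed_from_root: pipe_argument?(rel),     # tool started inside root
      exposed_as_argument: pipe_argument?(path)   # tool given root as argument
    }
  end
  findings.sort_by { |f| f[:relative] }
end

# File.open always treats its argument as a file name and spawns nothing.
def safe_head(path, bytes = 100)
  File.open(path, 'rb') { |io| io.read(bytes) }
end

# Constructed sample tree; the names are inert and nothing here runs them.
def build_sample_tree(root)
  FileUtils.mkdir_p(File.join(root, 'lib'))
  File.open(File.join(root, '|echo tags'), 'wb') { |f| f.write("!_TAG_ sample\n") }
  File.open(File.join(root, 'lib', '|echo tags'), 'wb') { |f| f.write("x\n") }
  File.open(File.join(root, 'lib', 'tags'), 'wb') { |f| f.write("y\n") }
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    build_sample_tree(dir)
    audit_tree(dir).each { |finding| puts finding.inspect }
  end
end
```

Any finding with exposed_from_root set is a reason to reject the upload or to run a fixed RDoc (6.3.1 or later) instead.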

Comment 16 errata-xmlrpc 2021-09-20 07:58:49 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3559 https://access.redhat.com/errata/RHSA-2021:3559

