A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could likely lead to data loss or an unusable system.

Upstream patch: https://bugs.ruby-lang.org/attachments/7669

References:
https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
Created rubygems tracking bugs for this issue: Affects: fedora-all [bug 1692530]
The patch for this appears to be in the function: `def install_location(filename, destination_dir)`

Comment for function: `If +filename+ is not inside +destination_dir+ an exception is raised.`

i.e., the fix:

```ruby
begin
  real_destination = File.expand_path(File.realpath(destination))
rescue
  # it's fine if the destination doesn't exist, because rm -rf'ing it can't cause any damage
  nil
else
  raise Gem::Package::PathError.new(real_destination, destination_dir) unless
    real_destination.start_with? destination_dir + '/'
end
```

Thus, according to my weak ruby-fu, it looks like symlinks weren't checked against beforehand. Thus, a symlink could be in destination_dir and "pass" when it should fail, as the system would then resolve the symlink to a location potentially outside of destination dir.
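Added example (not code from this bug or from RubyGems itself) contrasting a purely lexical containment check with a realpath-based check modelled on the quoted fix. `PathError`, `lexical_install_location`, `safe_install_location`, `accepted?` and the temporary directory layout in `demo` are this example's own assumptions.

```ruby
require 'tmpdir'
require 'fileutils'
# Stand-in for Gem::Package::PathError (hypothetical name used by this example).
class PathError < StandardError; end
# Pre-patch style check: purely lexical, so a symlink component inside
# destination_dir is never resolved and passes unnoticed.
def lexical_install_location(filename, destination_dir)
  raise PathError, filename if filename.start_with?('/')
  destination_dir = File.expand_path(destination_dir)
  destination = File.expand_path(File.join(destination_dir, filename))
  raise PathError, destination unless destination.start_with?(destination_dir + '/')
  destination
end
# Hardened check modelled on the upstream fix: also resolve an existing target
# with File.realpath and require the real path to stay inside destination_dir.
def safe_install_location(filename, destination_dir)
  destination_dir = File.realpath(destination_dir)
  destination = lexical_install_location(filename, destination_dir)
  begin
    real_destination = File.expand_path(File.realpath(destination))
  rescue SystemCallError
    # target does not exist yet, so a later rm_rf of it cannot delete anything
    return destination
  end
  raise PathError, real_destination unless real_destination.start_with?(destination_dir + '/')
  destination
end
def accepted?
  yield
  true
rescue PathError
  false
end
# Constructed scenario: a gem directory holding a symlink that escapes it.
def demo
  Dir.mktmpdir do |root|
    gem_dir = File.join(root, 'gem')
    victim  = File.join(root, 'victim') # lives outside gem_dir
    FileUtils.mkdir_p([gem_dir, victim, File.join(gem_dir, 'real')])
    File.symlink(victim, File.join(gem_dir, 'lib'))                        # escapes gem_dir
    File.symlink(File.join(gem_dir, 'real'), File.join(gem_dir, 'inside')) # stays inside
    {
      lexical_escaping_symlink:  accepted? { lexical_install_location('lib', gem_dir) },
      hardened_escaping_symlink: accepted? { safe_install_location('lib', gem_dir) },
      hardened_inside_symlink:   accepted? { safe_install_location('inside', gem_dir) },
      hardened_new_file:         accepted? { safe_install_location('bin/run', gem_dir) },
      hardened_dotdot:           accepted? { safe_install_location('../victim', gem_dir) }
    }
  end
end
```

Running `demo` shows the lexical check accepting `lib` even though it resolves outside the gem directory, while the hardened check rejects it, still accepts a symlink that resolves inside, and still accepts a not-yet-existing file (the case the upstream `rescue` branch covers).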
RHEL7 and a few other versions are impacted. While it appears the flaw was discovered in 2.7.6, upstream seems to indicate that this goes back to at least 2.3, which looks correct.
I don't think this is a vulnerability which could be exploited. I opened an upstream ticket to revert the "fix": https://github.com/rubygems/rubygems/pull/2722
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1148 https://access.redhat.com/errata/RHSA-2019:1148
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1150 https://access.redhat.com/errata/RHSA-2019:1150
This issue has been addressed in the following products:

CloudForms Management Engine 5.10

Via RHSA-2019:1429 https://access.redhat.com/errata/RHSA-2019:1429