An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check. Upstream patch: https://bugs.ruby-lang.org/attachments/7669 References: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/ https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
Created rubygems tracking bugs for this issue: Affects: fedora-all [bug 1692530]
The changeset in lib/rubygems/installer.rb has the fix for this. See the addition of verify_spec: ``` # The name and require_paths must be verified first, since it could contain # ruby code that would be eval'ed in #ensure_loadable_spec verify_spec ```
Red Hat Enterprise Linux 6 does not look impacted based on a look at the source code. I was able to reproduce this on 7 and various software collections. This one seems pretty nasty. A malicious gem can execute shell commands if an install is run on one. I don't believe the gem install process is supposed to execute any of the package code at any point, but I may be mistaken on that. If so, I'd probably downgrade this. Otherwise, leaving at Important as this could lead to root code execution if a user did the lazy sudo gem install.
These are the upstream patches: https://github.com/rubygems/rubygems/commit/00ff3037a577889bd1e555966d9e0d17bea8d28d https://github.com/rubygems/rubygems/commit/be3ad330cd1d7403389a3cc53a68b95a0a2b6491
rhvm-appliance presently includes affected versions of ruby, but installation of custom gems is not part of normal operation of the rhvm-appliance. Customers will be able to consume updates from Red Hat Enterprise Linux channels when they are made available.
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2019:1148 https://access.redhat.com/errata/RHSA-2019:1148
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2019:1150 https://access.redhat.com/errata/RHSA-2019:1150
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2019:1151 https://access.redhat.com/errata/RHSA-2019:1151
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:1235 https://access.redhat.com/errata/RHSA-2019:1235
This issue has been addressed in the following products: CloudForms Management Engine 5.10 Via RHSA-2019:1429 https://access.redhat.com/errata/RHSA-2019:1429
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-8324
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1972 https://access.redhat.com/errata/RHSA-2019:1972
External References: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/ https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Advanced Update Support Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions Red Hat Enterprise Linux 7.4 Telco Extended Update Support Via RHSA-2020:2769 https://access.redhat.com/errata/RHSA-2020:2769