Bug 1958999 (CVE-2020-36327) - CVE-2020-36327 rubygem-bundler: Dependencies of gems with explicit source may be installed from a different source
Summary: CVE-2020-36327 rubygem-bundler: Dependencies of gems with explicit source may...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-36327
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1959000 1960044 1960172 1960173 1960174 1960175 1968488 1968489 1968490 1968491 1968492 1968493 1968494 1968495 1968496 1968497 1968498 1968499 1968500 1968501 1968502 1968503 1968504 1968505 1968506 1968507 2003060 2003062
Blocks: 1959001 1997390
Reported: 2021-05-10 14:42 UTC by Pedro Sampaio
Modified: 2022-04-17 21:22 UTC (History)

Fixed In Version: rubygem-bundler 2.2.18
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way Bundler determined the source repository when installing dependencies of source-restricted gem packages. In configurations that use multiple gem repositories and explicitly define from which source repository certain gems are to be installed, a dependency of a source-restricted gem could be installed from a different source if that repository provided a higher version of the package. This could lead to installation of a malicious gem version and arbitrary code execution.
Clone Of:
Environment:
Last Closed: 2021-08-05 19:06:56 UTC




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:3130 0 None None None 2021-08-11 04:55:53 UTC
Red Hat Product Errata RHBA-2021:4018 0 None None None 2021-10-28 01:19:09 UTC
Red Hat Product Errata RHBA-2022:0593 0 None None None 2022-02-22 12:51:53 UTC
Red Hat Product Errata RHBA-2022:0594 0 None None None 2022-02-22 13:48:09 UTC
Red Hat Product Errata RHSA-2021:3020 0 None None None 2021-08-05 14:53:41 UTC
Red Hat Product Errata RHSA-2021:3559 0 None None None 2021-09-20 07:58:45 UTC
Red Hat Product Errata RHSA-2021:3982 0 None None None 2021-10-25 20:51:05 UTC
Red Hat Product Errata RHSA-2022:0044 0 None None None 2022-01-10 07:29:24 UTC
Red Hat Product Errata RHSA-2022:0543 0 None None None 2022-02-16 11:34:38 UTC
Red Hat Product Errata RHSA-2022:0544 0 None None None 2022-02-16 11:35:43 UTC
Red Hat Product Errata RHSA-2022:0545 0 None None None 2022-02-16 11:39:15 UTC
Red Hat Product Errata RHSA-2022:0546 0 None None None 2022-02-16 11:42:28 UTC
Red Hat Product Errata RHSA-2022:0547 0 None None None 2022-02-16 11:28:35 UTC
Red Hat Product Errata RHSA-2022:0548 0 None None None 2022-02-16 11:27:44 UTC
Red Hat Product Errata RHSA-2022:0581 0 None None None 2022-02-21 10:11:29 UTC
Red Hat Product Errata RHSA-2022:0582 0 None None None 2022-02-21 10:12:26 UTC
Red Hat Product Errata RHSA-2022:0708 0 None None None 2022-02-28 18:56:42 UTC

Description Pedro Sampaio 2021-05-10 14:42:52 UTC
Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.

References:

https://github.com/rubygems/rubygems/issues/3982
https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html
https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/
https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/

Comment 1 Pedro Sampaio 2021-05-10 14:43:42 UTC
Created rubygem-bundler tracking bugs for this issue:

Affects: fedora-all [bug 1959000]

Comment 3 Tomas Hoger 2021-05-13 08:42:56 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1960172]


Created ruby:2.7/ruby tracking bugs for this issue:

Affects: fedora-all [bug 1960174]


Created ruby:master/ruby tracking bugs for this issue:

Affects: fedora-all [bug 1960175]

Comment 4 Tomas Hoger 2021-05-13 13:09:59 UTC
Note that this is not fixed in bundler 2.2.16.  This was reported fixed in 2.2.10, but fixes were reverted in the 2.2.11 released only two days later.  The current bundler version 2.2.17 remains unfixed.

Comment 7 Tomas Hoger 2021-05-24 19:38:02 UTC
An upstream PR for a new proper fix for this issue:

https://github.com/rubygems/rubygems/pull/4609

Comment 9 Tomas Hoger 2021-05-26 07:52:17 UTC
This issue was fixed in Bundler 2.2.18:

https://github.com/rubygems/rubygems/blob/bundler-v2.2.18/bundler/CHANGELOG.md

Comment 12 Vít Ondruch 2021-05-31 11:36:47 UTC
https://github.com/rubygems/rubygems/pull/4609#issuecomment-851423668

Just FTR, I have queried Bundler upstream what they think about a possible backport. However, they might leave it up to Ruby maintainers.

Comment 13 Tomas Hoger 2021-05-31 12:56:56 UTC
Note that this is what bundler documentation states regarding the handling of gems with explicitly defined source, and their dependencies:

https://bundler.io/man/gemfile.5.html#SOURCE

"""
You can select an alternate Rubygems repository for a gem using the ':source' option.

  gem "some_internal_gem", :source => "https://gems.example.com"

This forces the gem to be loaded from this source and ignores any global sources declared at the top level of the file. If the gem does not exist in this source, it will not be installed.

Bundler will search for child dependencies of this gem by first looking in the source selected for the parent, but if they are not found there, it will fall back on global sources using the ordering described in SOURCE PRIORITY.
"""

That documentation indicates that dependencies should only be installed from a different source if not found in the same source as the gem with an explicitly defined source.  Note that the fallback to the use of global sources in the case when the private source does not provide the dependency is needed so that source-restricted gems can depend on gems from public repos such as RubyGems.org.
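The two resolution strategies contrasted in this bug and in the quoted documentation, as an added illustration that is not Bundler's own code: a toy resolver over a constructed two-source index, where resolve_vulnerable mirrors the highest-version-wins behaviour from the description and resolve_fixed mirrors the documented parent-source-first lookup with fallback to global sources. The index contents, gem names and source URLs are constructed for the example.

```ruby
# Added illustration, not Bundler's code: a toy resolver contrasting the
# affected behaviour described in this bug with the documented intent.
require "rubygems" # Gem::Version gives proper version comparison

# Constructed sample index: source URL => { gem name => [versions] }.
# The public source carries a higher-versioned "internal_dep" than the
# private source, the dependency-confusion setup from the report.
SAMPLE_INDEX = {
  "https://rubygems.org"     => { "rake" => ["13.0.6"], "internal_dep" => ["99.0.0"] },
  "https://gems.example.com" => { "some_internal_gem" => ["1.0.0"], "internal_dep" => ["1.2.0"] },
}.freeze

# Gems pinned with `:source` in the Gemfile, and the global sources.
PINNED_SOURCE = { "some_internal_gem" => "https://gems.example.com" }.freeze
GLOBAL_SOURCES = ["https://rubygems.org"].freeze

def highest(versions)
  versions.max_by { |v| Gem::Version.new(v) }
end

# Affected strategy (the versions listed in this bug): the parent's pinned
# source is ignored, every source is considered, and the highest version
# wins, so a rogue public gem with a large version number is selected.
def resolve_vulnerable(dep, _parent, index = SAMPLE_INDEX)
  index.select { |_, gems| gems.key?(dep) }
       .map { |src, gems| [src, highest(gems[dep])] }
       .max_by { |_, v| Gem::Version.new(v) }
end

# Fixed strategy, matching the gemfile(5) SOURCE text quoted above: look in
# the parent's pinned source first and fall back to the global sources only
# when the dependency does not exist there at all.
def resolve_fixed(dep, parent, index = SAMPLE_INDEX,
                  pinned = PINNED_SOURCE, globals = GLOBAL_SOURCES)
  [pinned[parent], *globals].compact.each do |src|
    versions = index.fetch(src, {})[dep]
    return [src, highest(versions)] if versions
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{resolve_vulnerable('internal_dep', 'some_internal_gem').inspect}"
  puts "fixed:      #{resolve_fixed('internal_dep', 'some_internal_gem').inspect}"
  puts "fallback:   #{resolve_fixed('rake', 'some_internal_gem').inspect}"
end
```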

Comment 15 Vít Ondruch 2021-05-31 14:02:14 UTC
(In reply to Vít Ondruch from comment #12)
And this is the response:

~~~
This would be pretty hard to backport indeed. It's a big patch and the result of work & refactoring across many versions, for example, it's built on top of #4381 which is also another related security improvement. I guess the only chance would be to completely upgrade bundler on older but still supported rubies like 2.7.
~~~

Comment 25 Jun Aruga 2021-06-08 12:40:49 UTC
> Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses

> Note that this is not fixed in bundler 2.2.16.  This was reported fixed in 2.2.10, but fixes were reverted in the 2.2.11 released only two days later.  The current bundler version 2.2.17 remains unfixed.

> This issue was fixed in Bundler 2.2.18:

Pedro or Tomas. Can you help us to clarify the CVE affected versions of the Bundler? Are the following affected versions correct?

Affected versions:
* version < 1.16.0: not affected
* 1.16.0 <= version <= 2.2.9: affected
* 2.2.10: fixed temporarily
* 2.2.11 <= version <= 2.2.17: affected 
* 2.2.18 <= version: fixed. (the latest version is 2.2.19 right now).

Comment 26 Yadnyawalk Tale 2021-06-08 13:00:25 UTC
(In reply to Jun Aruga from comment #25) 
> Pedro or Tomas. Can you help us to clarify the CVE affected versions of the
> Bundler? Are the following affected versions correct?
> 
> Affected versions:
> * version < 1.16.0: not affected
> * 1.16.0 <= version <= 2.2.9: affected
> * 2.2.10: fixed temporarily
> * 2.2.11 <= version <= 2.2.17: affected 
> * 2.2.18 <= version: fixed. (the latest version is 2.2.19 right now).

This flaw affects bundler versions from 1.16.0 onwards up to 2.2.17, except 2.2.10, which had a fix that got reverted in 2.2.11. You got that correct, Jun (comment #25).

Comment 27 Tomas Hoger 2021-06-09 08:50:42 UTC
In reply to comment #25:
> Affected versions:
> * version < 1.16.0: not affected

The information in the official CVE description about 1.16.0 being the first affected version seems to come from the zofrex's blog post:

https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/

which actually provides contradicting information - some parts stating only 1.16.0 and later are affected, and other stating all versions starting with 1.7.0 (which introduced ability to restrict gems to specific sources) are affected.  There's bundler 1.7.8 shipped in Red Hat Enterprise Linux 7 and I confirmed the problem with that version.  Hence I do not see a reason to assume versions between 1.7.0 and 1.16.0 to be unaffected.

Comment 28 Jun Aruga 2021-06-10 15:11:41 UTC
OK, thanks for clarifying the affected versions.

> which actually provides contradicting information - some parts stating only 1.16.0 and later are affected, and other stating all versions starting with 1.7.0 (which introduced ability to restrict gems to specific sources) are affected.  There's bundler 1.7.8 shipped in Red Hat Enterprise Linux 7 and I confirmed the problem with that version.  Hence I do not see a reason to assume versions between 1.7.0 and 1.16.0 to be unaffected.

OK. I will keep the info in mind.

Comment 29 Jun Aruga 2021-06-15 13:46:49 UTC
Just FYI: yesterday a PR to upgrade the bundled bundler from 2.2.15 to 2.2.20 (= latest version) was opened by a maintainer on Ruby.
https://github.com/ruby/ruby/pull/4569

Comment 34 errata-xmlrpc 2021-08-05 14:53:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3020 https://access.redhat.com/errata/RHSA-2021:3020

Comment 35 Product Security DevOps Team 2021-08-05 19:06:56 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-36327

Comment 36 errata-xmlrpc 2021-09-20 07:58:42 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3559 https://access.redhat.com/errata/RHSA-2021:3559

Comment 37 errata-xmlrpc 2021-10-25 20:51:02 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3982 https://access.redhat.com/errata/RHSA-2021:3982

Comment 46 errata-xmlrpc 2022-01-10 07:29:21 UTC
This issue has been addressed in the following products:

  OpenShift Logging 5.3

Via RHSA-2022:0044 https://access.redhat.com/errata/RHSA-2022:0044

Comment 48 Mark Wang 2022-02-09 01:36:10 UTC
This issue has been addressed in "Red Hat Enterprise Linux 8" via RHSA-2021:3020.
In RHSA-2021:3020, ruby 2.7 is updated. The default ruby 2.5 is not updated yet.
Could you share the plan of this security update to ruby 2.5?

Comment 49 Vít Ondruch 2022-02-09 08:54:52 UTC
(In reply to Mark Wang from comment #48)
> This issue has been addressed in "Red Hat Enterprise Linux 8" via
> RHSA-2021:3020.
> In RHSA-2021:3020, ruby 2.7 is updated. The default ruby 2.5 is not updated
> yet.
> Could you share the plan of this security update to ruby 2.5?

Dear Mark,

The fixes for Ruby 2.5 are undergoing testing right now, so the release is imminent (unless some blocker is identified).

Also, please note that the fix for Ruby 2.{5,6} will differ from Ruby 2.7 and will be based on this PR:

https://src.fedoraproject.org/rpms/ruby/pull-request/102

Comment 50 Mark Wang 2022-02-10 00:58:39 UTC
(In reply to Vít Ondruch from comment #49)
> Dear Mark,
> 
> The fixes for Ruby 2.5 are undergoing testing right now, so the release is
> imminent (unless some blocker is identified).
> 
> Also, please note that the fix for Ruby 2.{5,6} will differ from Ruby 2.7
> and will be based on this PR:
> 
> https://src.fedoraproject.org/rpms/ruby/pull-request/102

Thanks!

Comment 53 errata-xmlrpc 2022-02-16 11:27:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0548 https://access.redhat.com/errata/RHSA-2022:0548

Comment 54 errata-xmlrpc 2022-02-16 11:28:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0547 https://access.redhat.com/errata/RHSA-2022:0547

Comment 55 errata-xmlrpc 2022-02-16 11:34:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0543 https://access.redhat.com/errata/RHSA-2022:0543

Comment 56 errata-xmlrpc 2022-02-16 11:35:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0544 https://access.redhat.com/errata/RHSA-2022:0544

Comment 57 errata-xmlrpc 2022-02-16 11:39:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0545 https://access.redhat.com/errata/RHSA-2022:0545

Comment 58 errata-xmlrpc 2022-02-16 11:42:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0546 https://access.redhat.com/errata/RHSA-2022:0546

Comment 59 Jun Aruga 2022-02-16 17:21:56 UTC
Dear Mark,
The fixes for RHEL 8 Ruby 2.5 were released today. You can check the documents below.

https://access.redhat.com/security/cve/CVE-2020-36327
https://access.redhat.com/articles/6206172

Comment 61 errata-xmlrpc 2022-02-21 10:11:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581

Comment 62 errata-xmlrpc 2022-02-21 10:12:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582

Comment 64 errata-xmlrpc 2022-02-28 18:56:39 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:0708 https://access.redhat.com/errata/RHSA-2022:0708

