Description: Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in this directory that would be later loaded and executed. Need to stabilize 2.1.4, and move over anything depending on bundler:0.
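The flaw described above is a fixed, guessable directory under /tmp created with loose permissions and later trusted as a gem location. The Ruby snippet below is an added illustration, not Bundler's own code: it shows the defensive pattern of validating a candidate directory (real directory, owned by the current user, not group- or world-writable) and falling back to an unpredictably named 0700 directory from Dir.mktmpdir instead of a predictable path. The `.bundle_home_example` directory name is a constructed placeholder.

```ruby
require 'tmpdir'
require 'fileutils'

# A directory is safe to use as a private gem home only if it exists, is a
# real directory (lstat, so a symlink planted at that path is rejected), is
# owned by the current effective user, and is not group- or world-writable.
def safe_private_dir?(path)
  st = File.lstat(path)
  return false unless st.directory?
  return false unless st.uid == Process.euid
  (st.mode & 0o022).zero?
rescue Errno::ENOENT
  false
end

# Pick a gem home: prefer a 0700 directory under HOME; if that cannot be
# created or is unsafe, fall back to Dir.mktmpdir, which creates an
# unpredictably named 0700 directory, rather than a fixed name under /tmp.
def choose_gem_home(home = Dir.home)
  preferred = File.join(home, '.bundle_home_example') # constructed name
  begin
    FileUtils.mkdir_p(preferred, mode: 0o700)
    return preferred if safe_private_dir?(preferred) && File.writable?(preferred)
  rescue SystemCallError
    # HOME missing, read-only, or not a directory: use the safe fallback
  end
  Dir.mktmpdir('bundler-home-')
end
```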
arm stable
ppc stable
ppc64 stable
arm64 done
sparc stable
amd64 stabled by zlogene
(In reply to Sam James from comment #6)
> amd64 stabled by zlogene

This morning's 'emerge -auDN system world':

 * Error: The above package list contains packages which cannot be
 * installed at the same time on the same system.

  (dev-ruby/bundler-2.1.4:2/2::gentoo, ebuild scheduled for merge) pulled in by
    >=dev-ruby/bundler-1.17.2[ruby_targets_ruby26] required by (dev-lang/ruby-2.6.6-r2:2.6/2.6::gentoo, installed)
  ...

# equery list -p dev-ruby/bundler
[IP-] [  ] dev-ruby/bundler-1.17.3:0
[-P-] [  ] dev-ruby/bundler-1.17.3-r1:0
[-P-] [  ] dev-ruby/bundler-2.1.4:2 <---

# equery depends dev-ruby/bundler
dev-lang/ruby-2.6.6-r2 (>=dev-ruby/bundler-1.17.2[ruby_targets_ruby26])
dev-ruby/rdoc-6.1.2 (test ? dev-ruby/bundler[ruby_targets_ruby25(-)])
                    (test ? dev-ruby/bundler[ruby_targets_ruby26(-)])

# eselect ruby list
  [1]   ruby25 (with Rubygems)
  [2]   ruby26 (with Rubygems) *
(In reply to Manfred Knick from comment #7)

Having hard-masked :2 / updated world / removing hard-mask,
again updating MPT right now, slotted install has succeeded.
(In reply to Manfred Knick from comment #8)
> (In reply to Manfred Knick from comment #7)
>
> Having hard-masked :2 / updated world / removing hard-mask,
> again updating MPT right now, slotted install has succeeded.

For anyone hitting this issue:

> [blocks B] <dev-ruby/bundler-1.17.3-r1:0 ("<dev-ruby/bundler-1.17.3-r1:0" is hard blocking dev-ruby/bundler-2.1.4)

is the key line. If we go on packages.gentoo.org [0], we can see that a
version satisfying that constraint exists -- we want
>=dev-ruby/bundler-1.17.3-r1:0.

The solution is to upgrade slot :0:
# emerge -v1u dev-ruby/bundler:0

I asked Zac about this and it turns out there's a bug for Portage being able
to solve this by itself: bug 250286.

[0] https://packages.gentoo.org/packages/dev-ruby/bundler
x86 stable
(In reply to Sam James from comment #9)
> (In reply to Manfred Knick from comment #8)
> > (In reply to Manfred Knick from comment #7)
> >
> > Having hard-masked :2 / updated world / removing hard-mask,
> > again updating MPT right now, slotted install has succeeded.
>
> For anyone hitting this issue:
>
> > [blocks B] <dev-ruby/bundler-1.17.3-r1:0 ("<dev-ruby/bundler-1.17.3-r1:0" is hard blocking dev-ruby/bundler-2.1.4)
>
> is the key line. If we go on packages.gentoo.org [0], we can see that a
> version satisfying that constraint exists -- we want
> >=dev-ruby/bundler-1.17.3-r1:0.
>
> The solution is to upgrade slot :0:
> # emerge -v1u dev-ruby/bundler:0
>
> I asked Zac about this and it turns out there's a bug for Portage being able
> to solve this by itself: bug 250286.
>
> [0] https://packages.gentoo.org/packages/dev-ruby/bundler

Upgrading package slot seems to have done the job. Thanks.
hppa stable
# Hans de Graaff <graaff@gentoo.org> (2020-12-12)
# Security issue with insecure use of /tmp, bug 743214
# This slot masked for removal in 30 days, use slot 2 instead.
dev-ruby/bundler:0
Unable to check for sanity:

> package masked: dev-ruby/bundler-1.17.3-r1
s390 done

all arches done
Please cleanup, thanks!
Looks like cleanup was done some time ago:

commit cf01c15294dc34304d7366f49772dbfb3ec5c7b3
Author: Hans de Graaff <graaff@gentoo.org>
Date:   Thu Jan 28 06:45:23 2021 +0100

    dev-ruby/bundler: cleanup

    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 delete mode 100644 dev-ruby/bundler/bundler-2.2.0.ebuild
 delete mode 100644 dev-ruby/bundler/bundler-2.2.3.ebuild
 delete mode 100644 dev-ruby/bundler/bundler-2.2.4.ebuild
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=cf9015f3dee372a335e1d143abb09a32c988e7fa

commit cf9015f3dee372a335e1d143abb09a32c988e7fa
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-08-10 08:23:41 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-10 08:23:53 +0000

    [ GLSA 202408-22 ] Bundler: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/743214
    Bug: https://bugs.gentoo.org/798135
    Bug: https://bugs.gentoo.org/828884
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202408-22.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)