Bug 798135 (CVE-2020-36327) - <dev-ruby/bundler-2.2.18: dependency confusion (CVE-2020-36327)
Summary: <dev-ruby/bundler-2.2.18: dependency confusion (CVE-2020-36327)
Status: CONFIRMED
Alias: CVE-2020-36327
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bundler.io/blog/2021/02/15/a-...
Whiteboard: B3 [glsa?]
Depends on: ruby30-stable
Reported: 2021-06-24 01:51 UTC by John Helmert III
Modified: 2023-10-02 15:37 UTC

Description John Helmert III (gentoo-dev, Security) 2021-06-24 01:51:34 UTC
CVE-2020-36327:

Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.
URL indicates this is properly fixed in 2.2.18, so please stabilize.
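As an added example (not part of this bug report and not Bundler's own code), a small audit script for the configuration side of this issue: it reads a Gemfile and reports which gems carrying a private naming prefix are declared outside a scoped `source "url" do ... end` block and therefore stay resolvable from the global public source. The Gemfile text and the `acme-` prefix are constructed, and the parser handles only the plain `gem "name"`, `source "url" [do]` and `group ... do` forms.

```ruby
# Constructed sample Gemfile: one private gem is pinned to a scoped source
# block, the other is left at top level next to the public source.
SAMPLE_GEMFILE = <<~EOS
  source "https://rubygems.org"

  gem "rails"
  gem "acme-billing"          # private gem, but declared globally

  group :development do
    gem "rspec"
  end

  source "https://gems.acme.example" do
    gem "acme-auth"           # private gem pinned to the private source
  end
EOS

GemDecl = Struct.new(:name, :source, :scoped)

# Returns [global_source_urls, [GemDecl, ...]]. Tracks every `do ... end`
# block so that `group` blocks nested around a `source` block do not break
# the scoping; only a `source "..." do` entry contributes a pinned source.
def parse_gemfile(text)
  global_sources = []
  stack = []                  # one entry per open block: source URL or nil
  decls = []
  text.each_line do |raw|
    line = raw.sub(/#.*\z/, "").strip
    next if line.empty?
    if line =~ /\bdo(\s*\|[^|]*\|)?\s*\z/
      m = line.match(/\Asource\s+["']([^"']+)["']/)
      stack.push(m ? m[1] : nil)
    elsif (m = line.match(/\Asource\s+["']([^"']+)["']\s*\z/))
      global_sources << m[1]
    elsif line == "end"
      stack.pop
    elsif (m = line.match(/\Agem\s+["']([^"']+)["']/))
      scoped_src = stack.compact.last
      decls << GemDecl.new(m[1], scoped_src || global_sources.join(","), !scoped_src.nil?)
    end
  end
  [global_sources, decls]
end

# Private-prefixed gems that are not pinned to a scoped source: a gem of the
# same name published with a higher version on the public source could be
# chosen for these. Transitive dependencies of private gems are not visible
# in the Gemfile at all, which is the case this CVE covers; only the fixed
# Bundler version addresses that.
def unscoped_private_gems(text, private_prefix)
  _, decls = parse_gemfile(text)
  decls.reject(&:scoped).map(&:name).select { |n| n.start_with?(private_prefix) }
end
```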
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:21:22 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:29:30 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:37:28 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:45:33 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:53:38 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:01:31 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 18:09:53 UTC
Package list is empty or all packages have requested keywords.
Comment 8 John Helmert III (gentoo-dev, Security) 2021-08-07 17:28:07 UTC
Ping.