| Summary: | <dev-ruby/bundler-1.7.3: 'bundle install' may install a gem from a source other than expected (CVE-2013-0334) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | ruby |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1146335 | | |
| Whiteboard: | B2 [glsa cve] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 503570 | | |
| Bug Blocks: | | | |
Description
Agostino Sarubbo
bundler 1.7.3 is now in the tree. We are making a big jump here since we had trouble adding intermediate versions, so I think we should test this new version first before stabling it.

This version can now be stabled:

=dev-ruby/bundler-1.7.3

Note that x86 first requires bug 503570

CVE-2013-0334 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0334): Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

Arches, please test and mark stable:
==dev-ruby/bundler-1.7.3
Target Keywords : "amd64 x86"
Thank you!

(In reply to Hans de Graaff from comment #2)
> This version can now be stabled:
>
> =dev-ruby/bundler-1.7.3
>
> Note that x86 first requires bug 503570

dependency.bad 18

```
dev-ruby/bundler/bundler-1.7.3.ebuild: DEPEND: x86(default/linux/x86/13.0) ['virtual/rubygems[ruby_targets_ruby21]', 'app-text/ronn[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'dev-ruby/rspec:2[ruby_targets_ruby21]', '>=dev-ruby/rspec-core-2.14.8-r2[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]']
dev-ruby/bundler/bundler-1.7.3.ebuild: RDEPEND: x86(default/linux/x86/13.0) ['virtual/rubygems[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'virtual/rubygems[ruby_targets_ruby21]']
dev-ruby/bundler/bundler-1.7.3.ebuild: DEPEND: x86(default/linux/x86/13.0/desktop) ['virtual/rubygems[ruby_targets_ruby21]', 'app-text/ronn[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'dev-ruby/rspec:2[ruby_targets_ruby21]', '>=dev-ruby/rspec-core-2.14.8-r2[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]']
dev-ruby/bundler/bundler-1.7.3.ebuild: RDEPEND: x86(default/linux/x86/13.0/desktop) ['virtual/rubygems[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'virtual/rubygems[ruby_targets_ruby21]']
dev-ruby/bundler/bundler-1.7.3.ebuild: DEPEND: x86(default/linux/x86/13.0/desktop/gnome) ['virtual/rubygems[ruby_targets_ruby21]', 'app-text/ronn[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'dev-ruby/rspec:2[ruby_targets_ruby21]', '>=dev-ruby/rspec-core-2.14.8-r2[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]']
dev-ruby/bundler/bundler-1.7.3.ebuild: RDEPEND: x86(default/linux/x86/13.0/desktop/gnome) ['virtual/rubygems[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'virtual/rubygems[ruby_targets_ruby21]']
dev-ruby/bundler/bundler-1.7.3.ebuild: DEPEND: x86(default/linux/x86/13.0/desktop/gnome/systemd) ['virtual/rubygems[ruby_targets_ruby21]', 'app-text/ronn[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'dev-ruby/rspec:2[ruby_targets_ruby21]', '>=dev-ruby/rspec-core-2.14.8-r2[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]']
dev-ruby/bundler/bundler-1.7.3.ebuild: RDEPEND: x86(default/linux/x86/13.0/desktop/gnome/systemd) ['virtual/rubygems[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'virtual/rubygems[ruby_targets_ruby21]']
dev-ruby/bundler/bundler-1.7.3.ebuild: DEPEND: x86(default/linux/x86/13.0/desktop/kde) ['virtual/rubygems[ruby_targets_ruby21]', 'app-text/ronn[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'dev-ruby/rspec:2[ruby_targets_ruby21]', '>=dev-ruby/rspec-core-2.14.8-r2[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]']
dev-ruby/bundler/bundler-1.7.3.ebuild: RDEPEND: x86(default/linux/x86/13.0/desktop/kde) ['virtual/rubygems[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'virtual/rubygems[ruby_targets_ruby21]']
dev-ruby/bundler/bundler-1.7.3.ebuild: DEPEND: x86(default/linux/x86/13.0/desktop/kde/systemd) ['virtual/rubygems[ruby_targets_ruby21]', 'app-text/ronn[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'dev-ruby/rspec:2[ruby_targets_ruby21]', '>=dev-ruby/rspec-core-2.14.8-r2[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]']
dev-ruby/bundler/bundler-1.7.3.ebuild: RDEPEND: x86(default/linux/x86/13.0/desktop/kde/systemd) ['virtual/rubygems[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'virtual/rubygems[ruby_targets_ruby21]']
dev-ruby/bundler/bundler-1.7.3.ebuild: DEPEND: x86(default/linux/x86/13.0/developer) ['virtual/rubygems[ruby_targets_ruby21]', 'app-text/ronn[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'dev-ruby/rspec:2[ruby_targets_ruby21]', '>=dev-ruby/rspec-core-2.14.8-r2[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]']
dev-ruby/bundler/bundler-1.7.3.ebuild: RDEPEND: x86(default/linux/x86/13.0/developer) ['virtual/rubygems[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'virtual/rubygems[ruby_targets_ruby21]']
dev-ruby/bundler/bundler-1.7.3.ebuild: DEPEND: x86(hardened/linux/x86) ['virtual/rubygems[ruby_targets_ruby21]', 'app-text/ronn[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'dev-ruby/rspec:2[ruby_targets_ruby21]', '>=dev-ruby/rspec-core-2.14.8-r2[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]']
dev-ruby/bundler/bundler-1.7.3.ebuild: RDEPEND: x86(hardened/linux/x86) ['virtual/rubygems[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'virtual/rubygems[ruby_targets_ruby21]']
dev-ruby/bundler/bundler-1.7.3.ebuild: DEPEND: x86(hardened/linux/x86/selinux) ['virtual/rubygems[ruby_targets_ruby21]', 'app-text/ronn[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'dev-ruby/rspec:2[ruby_targets_ruby21]', '>=dev-ruby/rspec-core-2.14.8-r2[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]']
dev-ruby/bundler/bundler-1.7.3.ebuild: RDEPEND: x86(hardened/linux/x86/selinux) ['virtual/rubygems[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'virtual/rubygems[ruby_targets_ruby21]']
```

Seems like we never properly prepared that version to go stable. I had intended to do that once bug 503570 was done, but Yuri beat me to adding arches.

This version is now ready to go stable on amd64 and x86:

=dev-ruby/bundler-1.7.3

amd64 stable

x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

Cleanup done.

Arches and Maintainer(s), Thank you for your work. New GLSA Request filed.

This issue was resolved and addressed in GLSA 201609-02 at https://security.gentoo.org/glsa/201609-02 by GLSA coordinator Yury German (BlueKnight).
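The CVE text above describes the weak setup: more than one top-level `source` line, so a gem name can be satisfied by whichever source Bundler consults first. As an added example (not code from this bug or from Bundler), the following Ruby auditor evaluates a Gemfile with a minimal DSL stub and reports which gems are left ambiguous versus pinned to a source, using the `source "..." do ... end` block form that Bundler 1.7 introduced; the sample Gemfile and the `gems.example.test` host are constructed placeholders.

```ruby
# Added example, not code from this bug or from Bundler: audits a Gemfile for
# the setup CVE-2013-0334 depends on (more than one top-level `source`), where
# a gem name may resolve from whichever source is consulted first. Gems inside
# a `source "..." do ... end` block (Bundler 1.7 form) or with a `source:`
# option are pinned to one source and reported separately.
class GemfileAudit
  Entry = Struct.new(:name, :source)
  attr_reader :top_level_sources, :entries
  def initialize
    @top_level_sources, @entries, @block_source = [], [], nil
  end

  # Bare `source` is top-level; `source` with a block pins the gems inside it.
  def source(url, &block)
    return @top_level_sources << url unless block
    previous, @block_source = @block_source, url
    instance_eval(&block)
    @block_source = previous
  end

  def gem(name, *_versions, **opts)
    @entries << Entry.new(name, opts[:source] || @block_source)
  end

  # Groups pass their gems through; any other DSL call is ignored.
  def group(*_names, &block)
    instance_eval(&block) if block
  end
  def method_missing(*_args, **_opts); end

  # Evaluates Gemfile text and returns the findings as a hash.
  def self.audit(gemfile_text)
    audit = new
    audit.instance_eval(gemfile_text, "Gemfile")
    unpinned = audit.entries.select { |e| e.source.nil? }.map(&:name)
    { top_level_sources: audit.top_level_sources,
      # only a problem when more than one top-level source is declared
      ambiguous_gems: audit.top_level_sources.size > 1 ? unpinned : [],
      pinned_gems: audit.entries.reject { |e| e.source.nil? }.map(&:name) }
  end
end

# Constructed sample Gemfile; gems.example.test is a placeholder private source.
SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  source "https://gems.example.test"
  gem "rails", "~> 4.1"
  gem "internal-auth", source: "https://gems.example.test"
  source("https://gems.example.test") { gem "internal-billing" }
  group(:test) { gem "rspec" }
GEMFILE
```

Running `GemfileAudit.audit(SAMPLE_GEMFILE)` reports `rails` and `rspec` as ambiguous while `internal-auth` and `internal-billing` are pinned; with a single top-level source the ambiguous list is empty.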