Bug 523798 (CVE-2013-0334) - <dev-ruby/bundler-1.7.3: 'bundle install' may install a gem from a source other than expected (CVE-2013-0334)
Summary: <dev-ruby/bundler-1.7.3: 'bundle install' may install a gem from a source oth...
Status: RESOLVED FIXED
Alias: CVE-2013-0334
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa cve]
Keywords:
Depends on: 503570
Blocks:
Reported: 2014-09-26 13:44 UTC by Agostino Sarubbo
Modified: 2016-09-26 04:28 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-09-26 13:44:00 UTC
From ${URL} :

The 1.7.0 release of Bundler fixes an issue where a gem may be installed from a source other than expected, if the gem file had multiple, top-level source lines. This could potentially lead to a malicious gem file being installed.

From the upstream advisory:

""
Any Gemfile with multiple top-level source lines cannot reliably control the gem server that a particular gem is fetched from. As a result, Bundler might install the wrong gem if more than one source provides a gem with the same name.

This is especially possible in the case of Github's legacy gem server, hosted at gems.github.com. An attacker might create a malicious gem on Rubygems.org with the same name as a commonly-used Github gem. From that point forward, running bundle install might result in the malicious gem being used instead of the expected gem.

To mitigate this, the Bundler and Rubygems.org teams worked together to copy almost every gem hosted on gems.github.com to rubygems.org, reducing the number of gems that can be used for such an attack.
""

Note that upstream indicate that backporting is not practical.

External References:

http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
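The condition the advisory describes is purely a property of the Gemfile: two or more bare, top-level `source` lines leave every unpinned gem open to being served by whichever source answers first. The following audit helper is an added example, not code from the bug report or from Bundler; it evaluates Gemfile text against a stub DSL and reports the gems whose server is ambiguous. It assumes Bundler's `source url do ... end` block syntax (introduced in the 1.7 release) and the per-gem `source:` option as the two ways of pinning a gem, and the sample Gemfiles and the gem name `example-github-gem` are constructed for illustration.

```ruby
# Added audit helper (not from the bug or from Bundler): flags the CVE-2013-0334
# pattern, a Gemfile with more than one top-level `source` line, by evaluating
# the Gemfile DSL against a stub that only records sources and gems.
class GemfileAudit
  attr_reader :top_sources, :gems
  def initialize
    @top_sources = []  # URLs from bare top-level `source` lines
    @scope = nil       # URL of the enclosing `source ... do` block, if any
    @gems = []         # [name, pinned-source-or-nil]
  end
  # Bare `source url` is global; `source url do ... end` (Bundler >= 1.7
  # syntax) scopes the gems declared inside it to that one server.
  def source(url, &block)
    return @top_sources << url unless block
    prev, @scope = @scope, url
    instance_eval(&block)
    @scope = prev
  end
  # `gem name, ..., source: url` pins one gem; otherwise it inherits the scope.
  def gem(name, *args)
    opts = args.last.is_a?(Hash) ? args.last : {}
    @gems << [name, opts[:source] || @scope]
  end
  # Other DSL calls (group, platforms, ruby, gemspec, ...) are irrelevant here;
  # descend into their blocks so nested gem lines are still recorded.
  def method_missing(_name, *_args, &block)
    instance_eval(&block) if block
  end
  # Names of gems whose server is ambiguous: unpinned gems in a Gemfile that
  # declares two or more top-level sources.
  def self.ambiguous_gems(text)
    audit = new
    audit.instance_eval(text, "Gemfile")
    return [] if audit.top_sources.size < 2
    audit.gems.reject { |_, src| src }.map(&:first)
  end
end

# Constructed samples mirroring the advisory's legacy gems.github.com case.
VULNERABLE = <<~GEMFILE
  source "https://rubygems.org"
  source "http://gems.github.com"
  gem "rake"
  gem "example-github-gem"
GEMFILE
FIXED = <<~GEMFILE
  source "https://rubygems.org"
  source "http://gems.github.com" do
    gem "example-github-gem"
  end
  gem "rake"
GEMFILE
```

`GemfileAudit.ambiguous_gems(VULNERABLE)` lists both gems, because neither is pinned while two top-level sources compete; the scoped rewrite in `FIXED` yields an empty list.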
Comment 1 Hans de Graaff gentoo-dev Security 2014-09-27 08:34:02 UTC
bundler 1.7.3 is now in the tree. We are making a big jump here since we had trouble adding intermediate versions, so I think we should test this new version first before stabling it.
Comment 2 Hans de Graaff gentoo-dev Security 2014-10-05 10:00:21 UTC
This version can now be stabled:

=dev-ruby/bundler-1.7.3

Note that x86 first requires bug 503570
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-01-03 13:58:53 UTC
CVE-2013-0334 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0334):
  Bundler before 1.7, when multiple top-level source lines are used, allows
  remote attackers to install arbitrary gems by creating a gem with the same
  name as another gem in a different source.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-01-18 05:17:11 UTC
Arches, please test and mark stable:

=dev-ruby/bundler-1.7.3

Target Keywords : "amd64 x86"

Thank you!
Comment 5 Agostino Sarubbo gentoo-dev 2015-01-21 10:17:41 UTC
(In reply to Hans de Graaff from comment #2)
> This version can now be stabled:
> 
> =dev-ruby/bundler-1.7.3
> 
> Note that x86 first requires bug 503570

  dependency.bad                18
   dev-ruby/bundler/bundler-1.7.3.ebuild: DEPEND: x86(default/linux/x86/13.0) ['virtual/rubygems[ruby_targets_ruby21]', 'app-text/ronn[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'dev-ruby/rspec:2[ruby_targets_ruby21]', '>=dev-ruby/rspec-core-2.14.8-r2[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]']
   dev-ruby/bundler/bundler-1.7.3.ebuild: RDEPEND: x86(default/linux/x86/13.0) ['virtual/rubygems[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'virtual/rubygems[ruby_targets_ruby21]']
   dev-ruby/bundler/bundler-1.7.3.ebuild: DEPEND: x86(default/linux/x86/13.0/desktop) ['virtual/rubygems[ruby_targets_ruby21]', 'app-text/ronn[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'dev-ruby/rspec:2[ruby_targets_ruby21]', '>=dev-ruby/rspec-core-2.14.8-r2[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]']
   dev-ruby/bundler/bundler-1.7.3.ebuild: RDEPEND: x86(default/linux/x86/13.0/desktop) ['virtual/rubygems[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'virtual/rubygems[ruby_targets_ruby21]']
   dev-ruby/bundler/bundler-1.7.3.ebuild: DEPEND: x86(default/linux/x86/13.0/desktop/gnome) ['virtual/rubygems[ruby_targets_ruby21]', 'app-text/ronn[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'dev-ruby/rspec:2[ruby_targets_ruby21]', '>=dev-ruby/rspec-core-2.14.8-r2[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]']
   dev-ruby/bundler/bundler-1.7.3.ebuild: RDEPEND: x86(default/linux/x86/13.0/desktop/gnome) ['virtual/rubygems[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'virtual/rubygems[ruby_targets_ruby21]']
   dev-ruby/bundler/bundler-1.7.3.ebuild: DEPEND: x86(default/linux/x86/13.0/desktop/gnome/systemd) ['virtual/rubygems[ruby_targets_ruby21]', 'app-text/ronn[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'dev-ruby/rspec:2[ruby_targets_ruby21]', '>=dev-ruby/rspec-core-2.14.8-r2[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]']
   dev-ruby/bundler/bundler-1.7.3.ebuild: RDEPEND: x86(default/linux/x86/13.0/desktop/gnome/systemd) ['virtual/rubygems[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'virtual/rubygems[ruby_targets_ruby21]']
   dev-ruby/bundler/bundler-1.7.3.ebuild: DEPEND: x86(default/linux/x86/13.0/desktop/kde) ['virtual/rubygems[ruby_targets_ruby21]', 'app-text/ronn[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'dev-ruby/rspec:2[ruby_targets_ruby21]', '>=dev-ruby/rspec-core-2.14.8-r2[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]']
   dev-ruby/bundler/bundler-1.7.3.ebuild: RDEPEND: x86(default/linux/x86/13.0/desktop/kde) ['virtual/rubygems[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'virtual/rubygems[ruby_targets_ruby21]']
   dev-ruby/bundler/bundler-1.7.3.ebuild: DEPEND: x86(default/linux/x86/13.0/desktop/kde/systemd) ['virtual/rubygems[ruby_targets_ruby21]', 'app-text/ronn[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'dev-ruby/rspec:2[ruby_targets_ruby21]', '>=dev-ruby/rspec-core-2.14.8-r2[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]']
   dev-ruby/bundler/bundler-1.7.3.ebuild: RDEPEND: x86(default/linux/x86/13.0/desktop/kde/systemd) ['virtual/rubygems[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'virtual/rubygems[ruby_targets_ruby21]']
   dev-ruby/bundler/bundler-1.7.3.ebuild: DEPEND: x86(default/linux/x86/13.0/developer) ['virtual/rubygems[ruby_targets_ruby21]', 'app-text/ronn[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'dev-ruby/rspec:2[ruby_targets_ruby21]', '>=dev-ruby/rspec-core-2.14.8-r2[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]']
   dev-ruby/bundler/bundler-1.7.3.ebuild: RDEPEND: x86(default/linux/x86/13.0/developer) ['virtual/rubygems[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'virtual/rubygems[ruby_targets_ruby21]']
   dev-ruby/bundler/bundler-1.7.3.ebuild: DEPEND: x86(hardened/linux/x86) ['virtual/rubygems[ruby_targets_ruby21]', 'app-text/ronn[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'dev-ruby/rspec:2[ruby_targets_ruby21]', '>=dev-ruby/rspec-core-2.14.8-r2[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]']
   dev-ruby/bundler/bundler-1.7.3.ebuild: RDEPEND: x86(hardened/linux/x86) ['virtual/rubygems[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'virtual/rubygems[ruby_targets_ruby21]']
   dev-ruby/bundler/bundler-1.7.3.ebuild: DEPEND: x86(hardened/linux/x86/selinux) ['virtual/rubygems[ruby_targets_ruby21]', 'app-text/ronn[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'dev-ruby/rspec:2[ruby_targets_ruby21]', '>=dev-ruby/rspec-core-2.14.8-r2[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]']
   dev-ruby/bundler/bundler-1.7.3.ebuild: RDEPEND: x86(hardened/linux/x86/selinux) ['virtual/rubygems[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'virtual/rubygems[ruby_targets_ruby21]']
Comment 6 Hans de Graaff gentoo-dev Security 2015-01-24 09:54:49 UTC
Seems like we never properly prepared that version to go stable. I had intended to do that once bug 503570 was done, but Yury beat me to adding arches.

This version is now ready to go stable on amd64 and x86:

=dev-ruby/bundler-1.7.3
Comment 7 Agostino Sarubbo gentoo-dev 2015-01-24 10:11:38 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-01-24 10:11:52 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 9 Hans de Graaff gentoo-dev Security 2015-01-24 10:33:34 UTC
Cleanup done.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2015-01-31 22:14:11 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2016-09-26 04:28:39 UTC
This issue was resolved and addressed in
 GLSA 201609-02 at https://security.gentoo.org/glsa/201609-02
by GLSA coordinator Yury German (BlueKnight).