Bug 743214 (CVE-2019-3881) - <dev-ruby/bundler-2.1.2: Insecure use of /tmp (CVE-2019-3881)
Summary: <dev-ruby/bundler-2.1.2: Insecure use of /tmp (CVE-2019-3881)
Status: IN_PROGRESS
Alias: CVE-2019-3881
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [glsa?]
Keywords:
Depends on:
Blocks: ruby26-stable
Reported: 2020-09-18 04:23 UTC by John Helmert III
Modified: 2021-05-30 15:54 UTC

See Also:
Package list:
dev-ruby/bundler-2.1.4
Runtime testing required: ---
nattka: sanity-check+


Attachments

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-18 04:23:57 UTC
Description:

Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in this directory that would be later loaded and executed.


Need to stabilize 2.1.4, and move over anything depending on bundler:0.
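The weakness class the description refers to, as an added Ruby illustration that is not Bundler's own code: a constructed predictable-path fallback with permissive mode beside a private-directory alternative, plus the ownership and permission checks a defender would apply to any directory whose contents will later be loaded. Function names are hypothetical.

```ruby
require "tmpdir"
require "fileutils"

# Constructed illustration (not Bundler's code) of the pattern behind
# CVE-2019-3881: when the home directory is unavailable, falling back to
# a fixed, guessable path under /tmp with a permissive mode means any
# local user can pre-create or populate it before we use it.
def predictable_fallback_dir(base = Dir.tmpdir)
  path = File.join(base, "bundler-fallback")   # same name for every user
  FileUtils.mkdir_p(path)                      # silently reuses an existing dir
  File.chmod(0o777, path)                      # world-writable: insecure
  path
end

# Hardened alternative: an unguessable, per-process directory created
# with mode 0700, verified before anything is stored in it.
def private_fallback_dir(base = Dir.tmpdir)
  path = Dir.mktmpdir("bundler-", base)        # random suffix, mode 0700
  raise "unsafe temp dir: #{path}" unless safe_private_dir?(path)
  path
end

# Checks for a directory that will hold code to be loaded: must be a real
# directory (not a symlink), owned by the current user, and not writable
# by group or others.
def safe_private_dir?(path)
  st = File.lstat(path)
  st.directory? && !st.symlink? &&
    st.uid == Process.euid &&
    (st.mode & 0o022).zero?
end

if $PROGRAM_NAME == __FILE__
  base = Dir.mktmpdir("demo-")
  [method(:predictable_fallback_dir), method(:private_fallback_dir)].each do |m|
    dir = m.call(base)
    printf("%-24s mode=%o safe=%s\n", m.name,
           File.stat(dir).mode & 0o777, safe_private_dir?(dir))
  end
  FileUtils.rm_rf(base)
end
```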
Comment 1 Agostino Sarubbo gentoo-dev 2020-09-18 10:08:06 UTC
arm stable
Comment 2 Agostino Sarubbo gentoo-dev 2020-09-18 15:07:42 UTC
ppc stable
Comment 3 Agostino Sarubbo gentoo-dev 2020-09-18 15:09:40 UTC
ppc64 stable
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-18 23:30:45 UTC
arm64 done
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2020-09-19 07:22:18 UTC
sparc stable
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-19 22:12:13 UTC
amd64 stabled by zlogene
Comment 7 Manfred Knick 2020-09-20 08:28:31 UTC
(In reply to Sam James from comment #6)
> amd64 stabled by zlogene

This morning's 'emerge -auDN system world':

 * Error: The above package list contains packages which cannot be
 * installed at the same time on the same system.

  (dev-ruby/bundler-2.1.4:2/2::gentoo, ebuild scheduled for merge)
    pulled in by >=dev-ruby/bundler-1.17.2[ruby_targets_ruby26]
    required by (dev-lang/ruby-2.6.6-r2:2.6/2.6::gentoo, installed)
    ...


# equery list -p  dev-ruby/bundler

[IP-] [  ] dev-ruby/bundler-1.17.3:0
[-P-] [  ] dev-ruby/bundler-1.17.3-r1:0
[-P-] [  ] dev-ruby/bundler-2.1.4:2              <---


# equery depends dev-ruby/bundler

dev-lang/ruby-2.6.6-r2 (>=dev-ruby/bundler-1.17.2[ruby_targets_ruby26])
dev-ruby/rdoc-6.1.2 (test ? dev-ruby/bundler[ruby_targets_ruby25(-)])
                    (test ? dev-ruby/bundler[ruby_targets_ruby26(-)])


# eselect ruby list

  [1]   ruby25 (with Rubygems)
  [2]   ruby26 (with Rubygems) *
Comment 8 Manfred Knick 2020-09-20 13:37:33 UTC
(In reply to Manfred Knick from comment #7)

Having hard-masked :2 / updated world / removing hard-mask,
again updating MPT right now, slotted install has succeeded.
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-20 15:33:34 UTC
(In reply to Manfred Knick from comment #8)
> (In reply to Manfred Knick from comment #7)
> 
> Having hard-masked :2 / updated world / removing hard-mask,
> again updating MPT right now, slotted install has succeeded.

For anyone hitting this issue:

> [blocks B] <dev-ruby/bundler-1.17.3-r1:0 ("<dev-ruby/bundler-1.17.3-r1:0" is hard blocking dev-ruby/bundler-2.1.4) 

is the key line. If we go on packages.gentoo.org [0], we can see that a version satisfying that constraint exists -- we want >=dev-ruby/bundler-1.17.3-r1:0.

The solution is to upgrade slot :0:
# emerge -v1u dev-ruby/bundler:0

I asked Zac about this and it turns out there's a bug for Portage being able to solve this by itself: bug 250286.

[0] https://packages.gentoo.org/packages/dev-ruby/bundler
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2020-09-20 16:28:50 UTC
x86 stable
Comment 11 Pietro 2020-09-21 11:25:39 UTC
(In reply to Sam James from comment #9)
> (In reply to Manfred Knick from comment #8)
> > (In reply to Manfred Knick from comment #7)
> > 
> > Having hard-masked :2 / updated world / removing hard-mask,
> > again updating MPT right now, slotted install has succeeded.
> 
> For anyone hitting this issue:
> 
> > [blocks B] <dev-ruby/bundler-1.17.3-r1:0 ("<dev-ruby/bundler-1.17.3-r1:0" is hard blocking dev-ruby/bundler-2.1.4) 
> 
> is the key line. If we go on packages.gentoo.org [0], we can see that a
> version satisfying that constraint exists -- we want
> >=dev-ruby/bundler-1.17.3-r1:0.
> 
> The solution is to upgrade slot :0:
> # emerge -v1u dev-ruby/bundler:0
> 
> I asked Zac about this and it turns out there's a bug for Portage being able
> to solve this by itself: bug 250286.
> 
> [0] https://packages.gentoo.org/packages/dev-ruby/bundler

Upgrading package slot seems to have done the job. Thanks.
Comment 12 Rolf Eike Beer archtester 2020-09-21 18:42:19 UTC
hppa stable
Comment 13 Hans de Graaff gentoo-dev Security 2020-12-12 06:34:16 UTC
# Hans de Graaff <graaff@gentoo.org> (2020-12-12)
# Security issue with insecure use of /tmp, bug 743214
# This slot masked for removal in 30 days, use slot 2 instead.
dev-ruby/bundler:0
Comment 14 NATTkA bot gentoo-dev 2020-12-12 06:36:57 UTC Comment hidden (obsolete)
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 01:42:29 UTC
s390 done

all arches done
Comment 16 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 01:44:23 UTC
Please cleanup, thanks!
Comment 17 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-30 15:54:22 UTC
Looks like cleanup was done some time ago:

commit cf01c15294dc34304d7366f49772dbfb3ec5c7b3
Author: Hans de Graaff <graaff@gentoo.org>
Date:   Thu Jan 28 06:45:23 2021 +0100

    dev-ruby/bundler: cleanup

    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 delete mode 100644 dev-ruby/bundler/bundler-2.2.0.ebuild
 delete mode 100644 dev-ruby/bundler/bundler-2.2.3.ebuild
 delete mode 100644 dev-ruby/bundler/bundler-2.2.4.ebuild