https://nvd.nist.gov/vuln/detail/CVE-2016-7954 "Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334."
Upstream bug: https://github.com/bundler/bundler/issues/5051

Looking at this bug it becomes clear that this is not something that can be fixed in bundler without breaking backward compatibility. A structural fix is planned for bundler 2.x (not released yet) but even then I assume we'll need to keep bundler 1.x around. Upstream also claims that this is not a very likely attack vector in the first place, since some of the requirements to make use of it open up much easier attacks first. In addition, it requires a non-standard source specification in the Gemfile, something that most packages don't do. I propose that we close this bug without further action.
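An added check, not from the bug report or from Bundler itself, that classifies a Gemfile's `source` directives: the precondition discussed above is more than one global (top-level) source, whereas sources scoped to a `source "..." do ... end` block or a per-gem `source:` option are not ambiguous. The Gemfile contents and URLs are constructed samples.

```ruby
# Added example: report whether a Gemfile has several global `source` lines,
# the layout under which Bundler 1.x resolves each gem name against every
# source. Block-scoped and per-gem sources are counted separately.
# Only do/end blocks are tracked; brace blocks are ignored here.

SOURCE_RE     = /\Asource\s*\(?\s*(["'])(.+?)\1\s*\)?\s*(do\b)?/
GEM_SOURCE_RE = /\Agem\b.*(?:source:|:source\s*=>)\s*(["'])(.+?)\1/

# Returns { global: [urls], scoped: [urls] } for the given Gemfile text.
def classify_sources(gemfile_text)
  result = { global: [], scoped: [] }
  blocks = []                          # stack of open do/end blocks
  gemfile_text.each_line do |raw|
    line = raw.sub(/#.*\z/, "").strip  # drop comments and surrounding space
    next if line.empty?
    if line == "end"
      blocks.pop
    elsif (m = line.match(SOURCE_RE))
      if m[3]                          # `source "url" do` opens a scoped block
        result[:scoped] << m[2]
        blocks << :source
      else
        result[:global] << m[2]        # bare `source "url"`: global source
      end
    elsif (m = line.match(GEM_SOURCE_RE))
      result[:scoped] << m[2]          # `gem "x", source: "url"` is per-gem
    elsif line =~ /\bdo(\s*\|[^|]*\|)?\z/
      blocks << :other                 # group/platforms/etc. block
    end
  end
  result
end

# True when the Gemfile declares more than one distinct global source.
def multiple_global_sources?(gemfile_text)
  classify_sources(gemfile_text)[:global].uniq.size > 1
end

RISKY_GEMFILE = <<~GEMFILE   # constructed sample: two global sources
  source "https://rubygems.org"
  source "https://gems.example.internal"
  gem "rails"
  group :test do
    gem "rspec"
  end
GEMFILE

SAFE_GEMFILE = <<~GEMFILE    # constructed sample: secondary source is scoped
  source "https://rubygems.org"
  source "https://gems.example.internal" do
    gem "internal-tool"
  end
  gem "other", source: "https://gems.example.internal"
GEMFILE
```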