Bug 679490 (CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325) - <dev-ruby/rubygems-2.7.9: multiple vulnerabilities (CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325)
Summary: <dev-ruby/rubygems-2.7.9: multiple vulnerabilities (CVE-2019-8320, CVE-2019-8...
Status: RESOLVED FIXED
Alias: CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://blog.rubygems.org/2019/03/05/...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-03-05 05:05 UTC by Hans de Graaff
Modified: 2019-04-21 15:05 UTC

See Also:
Package list:
dev-ruby/rubygems-2.7.9
Runtime testing required: ---
stable-bot: sanity-check+

Description Hans de Graaff gentoo-dev Security 2019-03-05 05:05:41 UTC
Today we’re disclosing several vulnerabilities to RubyGems. They have all been reported via hackerone.

We strongly recommend upgrading to the latest stable version of RubyGems, 3.0.3 or 2.7.8. If you can’t upgrade to RubyGems 2.7 or 3.0, please use this patch for RubyGems 2.6.

The following vulnerabilities have been reported.

    CVE-2019-8320: Delete directory using symlink when decompressing tar
    CVE-2019-8321: Escape sequence injection vulnerability in verbose
    CVE-2019-8322: Escape sequence injection vulnerability in gem owner
    CVE-2019-8323: Escape sequence injection vulnerability in API response handling
    CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
    CVE-2019-8325: Escape sequence injection vulnerability in errors
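As an added example that is not part of this bug report or of the RubyGems code base, the following Ruby shows the two kinds of defensive check that the list above calls for: stripping terminal control sequences from untrusted strings (gem names, owner e-mails, API error bodies) before they are echoed to a terminal, and refusing to extract an archive entry onto a symlink or outside the extraction root, so that a pre-extraction rm_rf can never follow a link out of the install directory. The function names and the temporary-directory fixture are assumptions made for the example.

```ruby
require "tmpdir"

# Remove terminal control sequences from untrusted text (gem names, owner
# e-mails, API error bodies) before it is echoed to a terminal.
# Assumption: tab and newline are the only control characters worth keeping.
def sanitize_terminal_text(text)
  text = text.gsub(/\e\[[0-?]*[ -\/]*[@-~]/, "")  # CSI sequences such as "\e[31m"
  text = text.gsub(/\e\][^\a\e]*(?:\a|\e\\)/, "")  # OSC sequences such as "\e]0;title\a"
  text.gsub(/[[:cntrl:]&&[^\t\n]]/, "")            # any remaining control characters
end

# Resolve an archive entry name to a destination under +root+. Returns nil when
# the entry would land outside +root+, or when the destination (or an existing
# parent of it) is a symlink: deleting such a path with rm_rf before writing
# would remove whatever the link points at instead of a path inside +root+.
def safe_extraction_path(root, entry_name)
  root = File.realpath(root)
  candidate = File.expand_path(entry_name, root)
  inside = ->(path) { path == root || path.start_with?(root + File::SEPARATOR) }
  return nil unless inside.call(candidate)
  return nil if File.symlink?(candidate)
  # Walk up to the nearest existing ancestor and check where it really lives.
  existing = candidate
  existing = File.dirname(existing) until File.exist?(existing)
  return nil unless inside.call(File.realpath(existing))
  candidate
end

if __FILE__ == $PROGRAM_NAME
  # Constructed fixture: a gem extraction root containing a symlink that
  # points at a directory outside the root.
  Dir.mktmpdir do |base|
    root = File.join(base, "gem")
    victim = File.join(base, "victim")
    Dir.mkdir(root)
    Dir.mkdir(victim)
    File.symlink(victim, File.join(root, "link"))
    %w[lib/foo.rb link link/evil.rb ../escape].each do |entry|
      puts "#{entry.ljust(12)} -> #{safe_extraction_path(root, entry).inspect}"
    end
  end
  puts sanitize_terminal_text("\e[31mnot really red\e[0m \e]0;title\a").inspect
end
```

Only the entry under lib/ resolves to a destination; the symlink itself, anything beneath it, and the parent-traversal entry are all rejected.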
Comment 1 Hans de Graaff gentoo-dev Security 2019-03-05 05:33:05 UTC
Fixed versions rubygems-2.7.9 and rubygems-3.0.3 have been added.
Comment 2 Agostino Sarubbo gentoo-dev 2019-03-06 18:35:00 UTC
amd64 stable
Comment 3 Rolf Eike Beer archtester 2019-03-06 21:18:58 UTC
sparc stable
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-07 21:51:25 UTC
x86 stable
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-03-10 14:28:34 UTC
arm stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2019-03-14 19:38:32 UTC
ia64 stable
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-03-15 23:16:03 UTC
s390 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2019-03-17 09:50:07 UTC
ppc stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2019-03-17 09:55:21 UTC
ppc64 stable
Comment 10 Rolf Eike Beer archtester 2019-03-25 21:40:16 UTC
hppa stable
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-02 12:21:20 UTC
alpha stable
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2019-04-02 19:19:46 UTC
@maintainer, please drop vulnerable.
Comment 13 Hans de Graaff gentoo-dev Security 2019-04-21 07:27:16 UTC
cleanup done.