CVE-2018-1000079

NameCVE-2018-1000079
DescriptionRubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1421-1, DSA-4219-1, DSA-4259-1
NVD severitymedium (attack range: remote)
Debian Bugs895778

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jruby (PTS)jessie1.5.6-9fixed
stretch (security), stretch1.7.26-1+deb9u1fixed
buster, sid9.1.13.0-1vulnerable
ruby2.1 (PTS)jessie2.1.5-2+deb8u3vulnerable
jessie (security)2.1.5-2+deb8u6fixed
ruby2.3 (PTS)stretch2.3.3-1+deb9u2vulnerable
stretch (security)2.3.3-1+deb9u4fixed
ruby2.5 (PTS)buster2.5.1-5fixed
sid2.5.1-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jrubysource(unstable)(unfixed)medium895778
jrubysourcejessie(not affected)
jrubysourcestretch1.7.26-1+deb9u1mediumDSA-4219-1
jrubysourcewheezy(not affected)
ruby1.9.1source(unstable)(unfixed)medium
ruby2.1source(unstable)(unfixed)medium
ruby2.1sourcejessie2.1.5-2+deb8u4mediumDLA-1421-1
ruby2.3source(unstable)(unfixed)medium
ruby2.3sourcestretch2.3.3-1+deb9u3mediumDSA-4259-1
ruby2.5source(unstable)2.5.0-5medium
rubygemssource(unstable)(unfixed)medium
rubygemssourcewheezy(not affected)

Notes

[wheezy] - ruby1.9.1 <no-dsa> (Minor issue, too intrusive to backport)
[wheezy] - rubygems <not-affected> (Vulnerable code not present)
[jessie] - jruby <not-affected> (Vulnerable code not present)
[wheezy] - jruby <not-affected> (Vulnerable code not present)
https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759
https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099
https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/

Search for package or bug name: Reporting problems