CVE-2018-1000079

Name: CVE-2018-1000079
Description: RubyGems as shipped with Ruby 2.2.9 and earlier (2.2 series), 2.3.6 and earlier (2.3 series), 2.4.3 and earlier (2.4 series) and 2.5.0 and earlier (2.5 series), i.e. before trunk revision 62422, contains a directory traversal vulnerability in gem installation: a gem's archive can name files that resolve outside the gem's install directory, so the gem can write to arbitrary filesystem locations (with the privileges of the user running the install) while it is being installed. Exploitation requires the victim to install a malicious gem. Fixed in RubyGems 2.7.6.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1421-1, DSA-4219-1, DSA-4259-1
NVD severity: medium
Debian Bugs: 895778
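The description only says that a gem can write outside its install directory. The Ruby block below is an added illustration of that bug class and is not RubyGems' code nor the code in the upstream commits referenced in the notes: it shows the kind of containment check a gem installer relies on when it extracts archive members, once in a naive form and once hardened, and runs constructed member names through both inside a throwaway temporary directory. The method names (naive_install_location, safe_install_location, audit), the constant MALICIOUS_ENTRIES and the entry names are hypothetical.

```ruby
# Added illustration of the bug class behind CVE-2018-1000079. This is not
# RubyGems' code: the method names (naive_install_location,
# safe_install_location, audit) and the entry names are hypothetical, and the
# "archive" is just a list of member names like those a gem's data.tar.gz
# would carry. Everything is written inside a throwaway temp dir.
require 'tmpdir'
require 'fileutils'

class PathError < StandardError; end

# Constructed member names as a malicious gem might carry them.
MALICIOUS_ENTRIES = [
  'lib/evil.rb',                  # benign: stays inside the gem dir
  '../../../../../../tmp/owned',  # classic dot-dot traversal
  '../evil-0.0.1/lib/x.rb',       # sibling dir that shares the prefix
  '/etc/cron.d/evil',             # absolute path
].freeze

# Naive containment check: resolve the member relative to the install dir and
# require the result to start with the install dir. It stops the dot-dot and
# absolute cases, but 'gems/evil-0.0.1/...' starts with 'gems/evil', so a
# sibling directory slips through and the file lands next to the gem dir.
def naive_install_location(entry, install_dir)
  root = File.expand_path(install_dir)
  dest = File.expand_path(entry, root)
  raise PathError, entry unless dest.start_with?(root)
  dest
end

# Hardened check: reject absolute names up front, pin the root with realpath
# so a symlinked install dir cannot move it, normalise the joined path, and
# require the separator after the root so only true descendants match.
def safe_install_location(entry, install_dir)
  raise PathError, entry if entry.start_with?('/')
  root = File.realpath(install_dir)
  dest = File.expand_path(File.join(root, entry))
  raise PathError, entry unless dest.start_with?(root + File::SEPARATOR)
  dest
end

# Runs one check over MALICIOUS_ENTRIES the way an installer would: every
# accepted member is written to disk, then its real location is compared
# with the install dir. Returns the accepted names and those that escaped.
def audit(checker)
  Dir.mktmpdir('gemroot') do |tmp|
    install_dir = File.join(tmp, 'gems', 'evil')
    FileUtils.mkdir_p(install_dir)
    root = File.realpath(install_dir)
    result = { accepted: [], escaped: [] }
    MALICIOUS_ENTRIES.each do |entry|
      begin
        dest = checker.call(entry, install_dir)
      rescue PathError
        next
      end
      result[:accepted] << entry
      FileUtils.mkdir_p(File.dirname(dest))
      File.write(dest, "# constructed payload\n")
      outside = !File.realpath(dest).start_with?(root + File::SEPARATOR)
      result[:escaped] << entry if outside
    end
    result
  end
end

if $PROGRAM_NAME == __FILE__
  checkers = { naive: method(:naive_install_location),
               safe: method(:safe_install_location) }
  checkers.each do |name, checker|
    r = audit(checker)
    puts "#{name}: accepted #{r[:accepted].inspect}, escaped #{r[:escaped].inspect}"
  end
end
```

Run as a script to print each checker's verdict: the naive check accepts the sibling-directory entry and the written file ends up beside the gem directory, while the hardened check accepts only `lib/evil.rb` and leaves `escaped` empty. The prefix check is only one part of safe extraction; symlink members and duplicate file names inside the archive are separate concerns not covered by this example.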

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                      Version           Status
jruby (PTS)      jessie                       1.5.6-9           fixed
                 jessie (security)            1.5.6-9+deb8u2    fixed
                 stretch (security), stretch  1.7.26-1+deb9u1   fixed
                 bullseye, sid, buster        9.1.17.0-3        fixed
ruby2.1 (PTS)    jessie                       2.1.5-2+deb8u3    vulnerable
                 jessie (security)            2.1.5-2+deb8u8    fixed
ruby2.3 (PTS)    stretch                      2.3.3-1+deb9u6    fixed
                 stretch (security)           2.3.3-1+deb9u7    fixed
ruby2.5 (PTS)    buster                       2.5.5-3           fixed
                 buster (security)            2.5.5-3+deb10u1   fixed
                 bullseye, sid                2.5.7-1           fixed

The information below is based on the following data on fixed versions.

Package    Type    Release     Fixed Version     Urgency  Origin      Debian Bugs
jruby      source  (unstable)  9.1.17.0-1                             895778
jruby      source  jessie      (not affected)
jruby      source  stretch     1.7.26-1+deb9u1            DSA-4219-1
jruby      source  wheezy      (not affected)
ruby1.9.1  source  (unstable)  (unfixed)
ruby2.1    source  (unstable)  (unfixed)
ruby2.1    source  jessie      2.1.5-2+deb8u4             DLA-1421-1
ruby2.3    source  (unstable)  (unfixed)
ruby2.3    source  stretch     2.3.3-1+deb9u3             DSA-4259-1
ruby2.5    source  (unstable)  2.5.0-5
rubygems   source  (unstable)  (unfixed)
rubygems   source  wheezy      (not affected)

Notes

[wheezy] - ruby1.9.1 <no-dsa> (Minor issue, too intrusive to backport)
[wheezy] - rubygems <not-affected> (Vulnerable code not present)
[jessie] - jruby <not-affected> (Vulnerable code not present)
[wheezy] - jruby <not-affected> (Vulnerable code not present)
https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759
https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099
https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
