CVE-2019-3881

NameCVE-2019-3881
Descriptiontmp_home_path insecure
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs796383, 881749

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
bundler (PTS)jessie1.7.4-1fixed
stretch1.13.6-2vulnerable
bullseye, sid, buster1.17.3-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
bundlersource(unstable)1.16.1-2796383, 881749
bundlersourcejessie(not affected)

Notes

[jessie] - bundler <not-affected> (This version just uses mktmpdir which creates temporary directories with 0700 permissions by default.)
Upstream issue: https://github.com/bundler/bundler/issues/6501
https://salsa.debian.org/ruby-team/bundler/blob/debian/1.16.1-2/debian/patches/0006-Don-t-use-insecure-temporary-directory-as-home-direc.patch
https://salsa.debian.org/ruby-team/bundler/blob/debian/1.16.1-2/debian/patches/0007-Remove-temporary-home-directories.patch

Search for package or bug name: Reporting problems