CVE-2019-8320

NameCVE-2019-8320
DescriptionA Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could likely lead to data loss or an unusable system.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1735-1, DLA-2330-1, DSA-4433-1
NVD severityhigh
Debian Bugs925987

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jruby (PTS)stretch1.7.26-1+deb9u1vulnerable
stretch (security)1.7.26-1+deb9u2fixed
bullseye, sid, buster9.1.17.0-3fixed
ruby2.3 (PTS)stretch2.3.3-1+deb9u8fixed
stretch (security)2.3.3-1+deb9u7fixed
ruby2.5 (PTS)buster, buster (security)2.5.5-3+deb10u2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jrubysourcejessie(not affected)
jrubysourcestretch1.7.26-1+deb9u2DLA-2330-1
jrubysource(unstable)9.1.17.0-3925987
ruby2.1sourcejessie2.1.5-2+deb8u7DLA-1735-1
ruby2.1source(unstable)(unfixed)
ruby2.3sourcestretch2.3.3-1+deb9u6DSA-4433-1
ruby2.3source(unstable)(unfixed)
ruby2.5source(unstable)2.5.5-1
rubygemssource(unstable)(unfixed)

Notes

[jessie] - jruby <not-affected> (Vulnerable code introduced later)
https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
https://github.com/rubygems/rubygems/commit/56c0bbb69e4506bda7ef7f447dfec5db820df20b

Search for package or bug name: Reporting problems