CVE-2019-8320

NameCVE-2019-8320
DescriptionA Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could likely lead to data loss or an unusable system.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1735-1, DSA-4433-1
NVD severityhigh (attack range: remote)
Debian Bugs925987

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jruby (PTS)jessie1.5.6-9fixed
jessie (security)1.5.6-9+deb8u1fixed
stretch (security), stretch1.7.26-1+deb9u1vulnerable
buster, sid9.1.17.0-3fixed
ruby2.1 (PTS)jessie2.1.5-2+deb8u3vulnerable
jessie (security)2.1.5-2+deb8u7fixed
ruby2.3 (PTS)stretch (security), stretch2.3.3-1+deb9u6fixed
ruby2.5 (PTS)buster, sid2.5.5-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jrubysource(unstable)9.1.17.0-3high925987
jrubysourcejessie(not affected)
ruby2.1source(unstable)(unfixed)high
ruby2.1sourcejessie2.1.5-2+deb8u7highDLA-1735-1
ruby2.3source(unstable)(unfixed)high
ruby2.3sourcestretch2.3.3-1+deb9u6highDSA-4433-1
ruby2.5source(unstable)2.5.5-1high
rubygemssource(unstable)(unfixed)high

Notes

[jessie] - jruby <not-affected> (Vulnerable code introduced later)
https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
https://github.com/rubygems/rubygems/commit/56c0bbb69e4506bda7ef7f447dfec5db820df20b

Search for package or bug name: Reporting problems