| Name | CVE-2018-1000079 |
| Description | RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-1421-1, DSA-4219-1, DSA-4259-1 |
| Debian Bugs | 895778 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| jruby (PTS) | jessie, jessie (lts) | 1.5.6-9+deb8u2 | fixed |
| stretch (security), stretch (lts), stretch | 1.7.26-1+deb9u3 | fixed | |
| buster (security), buster, buster (lts) | 9.1.17.0-3+deb10u1 | fixed | |
| bookworm | 9.3.9.0+ds-8 | fixed | |
| sid, trixie | 9.4.8.0+ds-1 | fixed | |
| ruby2.1 (PTS) | jessie, jessie (lts) | 2.1.5-2+deb8u14 | fixed |
| ruby2.3 (PTS) | stretch (security) | 2.3.3-1+deb9u11 | fixed |
| stretch (lts), stretch | 2.3.3-1+deb9u12 | fixed | |
| ruby2.5 (PTS) | buster, buster (lts) | 2.5.5-3+deb10u7 | fixed |
| buster (security) | 2.5.5-3+deb10u6 | fixed | |
| rubygems (PTS) | bullseye | 3.2.5-2 | fixed |
| bookworm | 3.3.15-2 | fixed | |
| sid, trixie | 3.4.20-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| jruby | source | wheezy | (not affected) | |||
| jruby | source | jessie | (not affected) | |||
| jruby | source | stretch | 1.7.26-1+deb9u1 | DSA-4219-1 | ||
| jruby | source | (unstable) | 9.1.17.0-1 | 895778 | ||
| ruby1.9.1 | source | (unstable) | (unfixed) | |||
| ruby2.1 | source | jessie | 2.1.5-2+deb8u4 | DLA-1421-1 | ||
| ruby2.1 | source | (unstable) | (unfixed) | |||
| ruby2.3 | source | stretch | 2.3.3-1+deb9u3 | DSA-4259-1 | ||
| ruby2.3 | source | (unstable) | (unfixed) | |||
| ruby2.5 | source | (unstable) | 2.5.0-5 | |||
| rubygems | source | wheezy | (not affected) | |||
| rubygems | source | (unstable) | 3.2.0~rc.1-1 |
[wheezy] - ruby1.9.1 <no-dsa> (Minor issue, too intrusive to backport)
[wheezy] - rubygems <not-affected> (Vulnerable code not present)
[jessie] - jruby <not-affected> (Vulnerable code not present)
[wheezy] - jruby <not-affected> (Vulnerable code not present)
https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759
https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099
https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/