CVE-2018-1000079

NameCVE-2018-1000079
DescriptionRubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1421-1, DSA-4219-1, DSA-4259-1
Debian Bugs895778

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jruby (PTS)jessie, jessie (lts)1.5.6-9+deb8u2fixed
stretch (security), stretch (lts), stretch1.7.26-1+deb9u3fixed
buster (security), buster, buster (lts)9.1.17.0-3+deb10u1fixed
bookworm9.3.9.0+ds-8fixed
sid, trixie9.4.8.0+ds-1fixed
ruby2.1 (PTS)jessie, jessie (lts)2.1.5-2+deb8u14fixed
ruby2.3 (PTS)stretch (security)2.3.3-1+deb9u11fixed
stretch (lts), stretch2.3.3-1+deb9u12fixed
ruby2.5 (PTS)buster, buster (lts)2.5.5-3+deb10u7fixed
buster (security)2.5.5-3+deb10u6fixed
rubygems (PTS)bullseye3.2.5-2fixed
bookworm3.3.15-2fixed
sid, trixie3.4.20-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jrubysourcewheezy(not affected)
jrubysourcejessie(not affected)
jrubysourcestretch1.7.26-1+deb9u1DSA-4219-1
jrubysource(unstable)9.1.17.0-1895778
ruby1.9.1source(unstable)(unfixed)
ruby2.1sourcejessie2.1.5-2+deb8u4DLA-1421-1
ruby2.1source(unstable)(unfixed)
ruby2.3sourcestretch2.3.3-1+deb9u3DSA-4259-1
ruby2.3source(unstable)(unfixed)
ruby2.5source(unstable)2.5.0-5
rubygemssourcewheezy(not affected)
rubygemssource(unstable)3.2.0~rc.1-1

Notes

[wheezy] - ruby1.9.1 <no-dsa> (Minor issue, too intrusive to backport)
[wheezy] - rubygems <not-affected> (Vulnerable code not present)
[jessie] - jruby <not-affected> (Vulnerable code not present)
[wheezy] - jruby <not-affected> (Vulnerable code not present)
https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759
https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099
https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/

Search for package or bug name: Reporting problems