| Name | CVE-2019-3881 |
| Description | Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in this directory that would be later loaded and executed. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 796383, 881749 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| bundler (PTS) | jessie | 1.7.4-1 | fixed |
| stretch | 1.13.6-2 | vulnerable | |
| buster | 1.17.3-3+deb10u1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| bundler | source | wheezy | (unfixed) | end-of-life | ||
| bundler | source | jessie | (not affected) | |||
| bundler | source | (unstable) | 1.16.1-2 | 796383, 881749 |
[stretch] - bundler <no-dsa> (Minor issue)
[jessie] - bundler <not-affected> (This version just uses mktmpdir which creates temporary directories with 0700 permissions by default.)
Upstream issue: https://github.com/bundler/bundler/issues/6501
https://salsa.debian.org/ruby-team/bundler/blob/debian/1.16.1-2/debian/patches/0006-Don-t-use-insecure-temporary-directory-as-home-direc.patch
https://salsa.debian.org/ruby-team/bundler/blob/debian/1.16.1-2/debian/patches/0007-Remove-temporary-home-directories.patch