CVE-2019-8320

NameCVE-2019-8320
DescriptionA Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could likely lead to data loss or an unusable system.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1735-1, DLA-2330-1, DSA-4433-1, ELA-114-1
Debian Bugs925987

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jruby (PTS)jessie, jessie (lts)1.5.6-9+deb8u2fixed
stretch (security), stretch (lts), stretch1.7.26-1+deb9u3fixed
buster (security), buster, buster (lts)9.1.17.0-3+deb10u1fixed
bookworm9.3.9.0+ds-8fixed
sid, trixie9.4.8.0+ds-1fixed
ruby2.1 (PTS)jessie, jessie (lts)2.1.5-2+deb8u14fixed
ruby2.3 (PTS)stretch (security)2.3.3-1+deb9u11fixed
stretch (lts), stretch2.3.3-1+deb9u12fixed
ruby2.5 (PTS)buster, buster (lts)2.5.5-3+deb10u7fixed
buster (security)2.5.5-3+deb10u6fixed
rubygems (PTS)bullseye3.2.5-2fixed
bookworm3.3.15-2fixed
sid, trixie3.4.20-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jrubysourcejessie(not affected)
jrubysourcestretch1.7.26-1+deb9u2DLA-2330-1
jrubysource(unstable)9.1.17.0-3925987
ruby1.9.1sourcewheezy1.9.3.194-8.1+deb7u9ELA-114-1
ruby1.9.1source(unstable)(unfixed)
ruby2.1sourcejessie2.1.5-2+deb8u7DLA-1735-1
ruby2.1source(unstable)(unfixed)
ruby2.3sourcestretch2.3.3-1+deb9u6DSA-4433-1
ruby2.3source(unstable)(unfixed)
ruby2.5source(unstable)2.5.5-1
rubygemssource(unstable)3.2.0~rc.1-1

Notes

[jessie] - jruby <not-affected> (Vulnerable code introduced later)
https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
https://github.com/rubygems/rubygems/commit/56c0bbb69e4506bda7ef7f447dfec5db820df20b

Search for package or bug name: Reporting problems