Posted by hsbt on 5 Mar 2019
There are multiple vulnerabilities in RubyGems bundled with Ruby. It is reported at the official blog of RubyGems.
Details
The following vulnerabilities have been reported.
- CVE-2019-8320: Delete directory using symlink when decompressing tar
- CVE-2019-8321: Escape sequence injection vulnerability in
verbose - CVE-2019-8322: Escape sequence injection vulnerability in
gem owner - CVE-2019-8323: Escape sequence injection vulnerability in API response handling
- CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
- CVE-2019-8325: Escape sequence injection vulnerability in errors
It is strongly recommended for Ruby users to upgrade your Ruby installation or take one of the following workarounds as soon as possible.
Affected Versions
- Ruby 2.3 series: all
- Ruby 2.4 series: 2.4.5 and earlier
- Ruby 2.5 series: 2.5.3 and earlier
- Ruby 2.6 series: 2.6.1 and earlier
- prior to trunk revision 67168
Workarounds
In principle, you should upgrade your Ruby installation to the latest version. RubyGems 3.0.3 or later includes the fix for the vulnerabilities, so upgrade RubyGems to the latest version if you can’t upgrade Ruby itself.
gem update --system
If you can’t upgrade RubyGems, you can apply the following patches as a workaround.
Regarding Ruby trunk, update to the latest revision.
Credits
This report is based on the official blog of RubyGems.
History
- Originally published at 2019-03-05 00:00:00 UTC
- Link to updated patches at 2019-03-06 05:26:27 UTC
- Mention about upgrading Ruby itself at 2019-04-01 06:00:00 UTC