openSUSE-SU-2019:1771

https://hackerone.com/reports/317353

An issue was discovered in RubyGems. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.(CVE-2019-8322)

An issue was discovered in RubyGems.
Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.(CVE-2019-8323)

An issue was discovered in RubyGems. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible.(CVE-2019-8321)

A Directory Traversal issue was discovered in RubyGems. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could likely lead to data loss or an unusable system.(CVE-2019-8320)

An issue was discovered in RubyGems. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.(CVE-2019-8324)

An issue was discovered in RubyGems. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)(CVE-2019-8325)

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has ruby packages installed that are affected by multiple vulnerabilities:

  - An issue was discovered in RubyGems 2.6 and later     through 3.0.2. The gem owner command outputs the     contents of the API response directly to stdout.
    Therefore, if the response is crafted, escape sequence     injection may occur. (CVE-2019-8322)

  - An issue was discovered in RubyGems 2.6 and later     through 3.0.2. Gem::GemcutterUtilities#with_response may     output the API response to stdout as it is. Therefore,     if the API side modifies the response, escape sequence     injection may occur. (CVE-2019-8323)

  - An issue was discovered in RubyGems 2.6 and later     through 3.0.2. A crafted gem with a multi-line name is     not handled correctly. Therefore, an attacker could     inject arbitrary code to the stub line of gemspec, which     is eval-ed by code in ensure_loadable_spec during the     preinstall check. (CVE-2019-8324)

  - An issue was discovered in RubyGems 2.6 and later     through 3.0.2. Since Gem::CommandManager#run calls     alert_error without escaping, escape sequence injection     is possible. (There are many ways to cause an error.)     (CVE-2019-8325)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has ruby packages installed that are affected by multiple vulnerabilities:

  - An issue was discovered in RubyGems 2.6 and later     through 3.0.2. The gem owner command outputs the     contents of the API response directly to stdout.
    Therefore, if the response is crafted, escape sequence     injection may occur. (CVE-2019-8322)

  - An issue was discovered in RubyGems 2.6 and later     through 3.0.2. Gem::GemcutterUtilities#with_response may     output the API response to stdout as it is. Therefore,     if the API side modifies the response, escape sequence     injection may occur. (CVE-2019-8323)

  - An issue was discovered in RubyGems 2.6 and later     through 3.0.2. A crafted gem with a multi-line name is     not handled correctly. Therefore, an attacker could     inject arbitrary code to the stub line of gemspec, which     is eval-ed by code in ensure_loadable_spec during the     preinstall check. (CVE-2019-8324)

  - An issue was discovered in RubyGems 2.6 and later     through 3.0.2. Since Gem::CommandManager#run calls     alert_error without escaping, escape sequence injection     is possible. (There are many ways to cause an error.)     (CVE-2019-8325)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur. (CVE-2019-8322)

An issue was discovered in RubyGems 2.6 and later through 3.0.2.
Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur. (CVE-2019-8323)

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.) (CVE-2019-8325)

An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly.
Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check. (CVE-2019-8324)

This update for ruby2.5 and ruby-bundled-gems-rpmhelper fixes the following issues :

Changes in ruby2.5 :

Update to 2.5.5 and 2.5.4 :

https://www.ruby-lang.org/en/news/2019/03/15/ruby-2-5-5-released/ https://www.ruby-lang.org/en/news/2019/03/13/ruby-2-5-4-released/

Security issues fixed :

  - CVE-2019-8320: Delete directory using symlink when     decompressing tar (bsc#1130627)

  - CVE-2019-8321: Escape sequence injection vulnerability     in verbose (bsc#1130623)

  - CVE-2019-8322: Escape sequence injection vulnerability     in gem owner (bsc#1130622)

  - CVE-2019-8323: Escape sequence injection vulnerability     in API response handling (bsc#1130620)

  - CVE-2019-8324: Installing a malicious gem may lead to     arbitrary code execution (bsc#1130617)

  - CVE-2019-8325: Escape sequence injection vulnerability     in errors (bsc#1130611)

Ruby 2.5 was updated to 2.5.3 :

This release includes some bug fixes and some security fixes.

Security issues fixed :

  - CVE-2018-16396: Tainted flags are not propagated in     Array#pack and String#unpack with some directives     (bsc#1112532)

  - CVE-2018-16395: OpenSSL::X509::Name equality check does     not work correctly (bsc#1112530)

Ruby 2.5 was updated to 2.5.1 :

This release includes some bug fixes and some security fixes.

Security issues fixed :

  - CVE-2017-17742: HTTP response splitting in WEBrick     (bsc#1087434)

  - CVE-2018-6914: Unintentional file and directory creation     with directory traversal in tempfile and tmpdir     (bsc#1087441)

  - CVE-2018-8777: DoS by large request in WEBrick     (bsc#1087436)

  - CVE-2018-8778: Buffer under-read in String#unpack     (bsc#1087433)

  - CVE-2018-8779: Unintentional socket creation by poisoned     NUL byte in UNIXServer and UNIXSocket (bsc#1087440)

  - CVE-2018-8780: Unintentional directory traversal by     poisoned NUL byte in Dir (bsc#1087437)

  - Multiple vulnerabilities in RubyGems were fixed :

  - CVE-2018-1000079: Fixed path traversal issue during gem     installation allows to write to arbitrary filesystem     locations (bsc#1082058)

  - CVE-2018-1000075: Fixed infinite loop vulnerability due     to negative size in tar header causes Denial of Service     (bsc#1082014)

  - CVE-2018-1000078: Fixed XSS vulnerability in homepage     attribute when displayed via gem server (bsc#1082011)

  - CVE-2018-1000077: Fixed that missing URL validation on     spec home attribute allows malicious gem to set an     invalid homepage URL (bsc#1082010)

  - CVE-2018-1000076: Fixed improper verification of     signatures in tarball allows to install mis-signed gem     (bsc#1082009)

  - CVE-2018-1000074: Fixed unsafe Object Deserialization     Vulnerability in gem owner allowing arbitrary code     execution on specially crafted YAML (bsc#1082008)

  - CVE-2018-1000073: Fixed path traversal when writing to a     symlinked basedir outside of the root (bsc#1082007)

Other changes :

  - Fixed Net::POPMail methods modify frozen literal when     using default arg

  - ruby: change over of the Japanese Era to the new emperor     May 1st 2019 (bsc#1133790)

  - build with PIE support (bsc#1130028)

Changes in ruby-bundled-gems-rpmhelper :

  - Add a new helper for bundled ruby gems.

This update was imported from the SUSE:SLE-15:Update update project.

According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - rubygems: Installing a malicious gem may lead to     arbitrary code execution (CVE-2019-8324)

  - rubygems: Escape sequence injection vulnerability in     gem owner (CVE-2019-8322)

  - rubygems: Escape sequence injection vulnerability in     API response handling (CVE-2019-8323)

  - rubygems: Escape sequence injection vulnerability in     errors (CVE-2019-8325)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ruby2.5 and ruby-bundled-gems-rpmhelper fixes the following issues :

Changes in ruby2.5 :

Update to 2.5.5 and 2.5.4 :

https://www.ruby-lang.org/en/news/2019/03/15/ruby-2-5-5-released/ https://www.ruby-lang.org/en/news/2019/03/13/ruby-2-5-4-released/

Security issues fixed :

CVE-2019-8320: Delete directory using symlink when decompressing tar (bsc#1130627)

CVE-2019-8321: Escape sequence injection vulnerability in verbose (bsc#1130623)

CVE-2019-8322: Escape sequence injection vulnerability in gem owner (bsc#1130622)

CVE-2019-8323: Escape sequence injection vulnerability in API response handling (bsc#1130620)

CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution (bsc#1130617)

CVE-2019-8325: Escape sequence injection vulnerability in errors (bsc#1130611)

Ruby 2.5 was updated to 2.5.3 :

This release includes some bug fixes and some security fixes.

Security issues fixed: CVE-2018-16396: Tainted flags are not propagated in Array#pack and String#unpack with some directives (bsc#1112532)

CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly (bsc#1112530)

Ruby 2.5 was updated to 2.5.1 :

This release includes some bug fixes and some security fixes.

Security issues fixed: CVE-2017-17742: HTTP response splitting in WEBrick (bsc#1087434)

CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir (bsc#1087441)

CVE-2018-8777: DoS by large request in WEBrick (bsc#1087436)

CVE-2018-8778: Buffer under-read in String#unpack (bsc#1087433)

CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (bsc#1087440)

CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir (bsc#1087437)

Multiple vulnerabilities in RubyGems were fixed :

  - CVE-2018-1000079: Fixed path traversal issue during gem     installation allows to write to arbitrary filesystem     locations (bsc#1082058)

  - CVE-2018-1000075: Fixed infinite loop vulnerability due     to negative size in tar header causes Denial of Service     (bsc#1082014)

  - CVE-2018-1000078: Fixed XSS vulnerability in homepage     attribute when displayed via gem server (bsc#1082011)

  - CVE-2018-1000077: Fixed that missing URL validation on     spec home attribute allows malicious gem to set an     invalid homepage URL (bsc#1082010)

  - CVE-2018-1000076: Fixed improper verification of     signatures in tarball allows to install mis-signed gem     (bsc#1082009)

  - CVE-2018-1000074: Fixed unsafe Object Deserialization     Vulnerability in gem owner allowing arbitrary code     execution on specially crafted YAML (bsc#1082008)

  - CVE-2018-1000073: Fixed path traversal when writing to a     symlinked basedir outside of the root (bsc#1082007)

Other changes: Fixed Net::POPMail methods modify frozen literal when using default arg

ruby: change over of the Japanese Era to the new emperor May 1st 2019 (bsc#1133790)

build with PIE support (bsc#1130028)

Changes in ruby-bundled-gems-rpmhelper: Add a new helper for bundled ruby gems.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ruby packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - An issue was discovered in the OpenSSL library in Ruby     before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2,     and 2.6.x before 2.6.0-preview3. When two     OpenSSL::X509::Name objects are compared using ==,     depending on the ordering, non-equal objects may return     true. When the first argument is one character longer     than the second, or the second argument contains a     character that is one less than a character in the same     position of the first argument, the result of == will     be true. This could be leveraged to create an     illegitimate certificate that may be accepted as     legitimate and then used in signing or encryption     operations.(CVE-2018-16395)

  - An issue was discovered in Ruby before 2.3.8, 2.4.x     before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before     2.6.0-preview3. It does not taint strings that result     from unpacking tainted strings with some     formats.(CVE-2018-16396)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2019-8322)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2019-8323)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2019-8324)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2019-8325)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for ruby is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.

Security Fix(es) :

* rubygems: Installing a malicious gem may lead to arbitrary code execution (CVE-2019-8324)

* rubygems: Escape sequence injection vulnerability in gem owner (CVE-2019-8322)

* rubygems: Escape sequence injection vulnerability in API response handling (CVE-2019-8323)

* rubygems: Escape sequence injection vulnerability in errors (CVE-2019-8325)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Multiple vulnerabilities have been discovered in jruby, Java implementation of the Ruby programming language.

CVE-2018-1000074

Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the `gem owner` command on a gem with a specially crafted YAML file

CVE-2018-1000075

an infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop

CVE-2018-1000076

Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.

CVE-2018-1000077

Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem could set an invalid homepage URL

CVE-2018-1000078

Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server

CVE-2019-8321

Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible

CVE-2019-8322

The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur

CVE-2019-8323

Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.

CVE-2019-8324

A crafted gem with a multi-line name is not handled correctly.
Therefore, an attacker could inject arbitrary code to the stub line of gemspec

CVE-2019-8325

Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)

For Debian 8 'Jessie', these problems have been fixed in version 1.5.6-9+deb8u1.

We recommend that you upgrade your jruby packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security Fix(es) :

  - rubygems: Installing a malicious gem may lead to     arbitrary code execution (CVE-2019-8324)

  - rubygems: Escape sequence injection vulnerability in gem     owner (CVE-2019-8322)

  - rubygems: Escape sequence injection vulnerability in API     response handling (CVE-2019-8323)

  - rubygems: Escape sequence injection vulnerability in     errors (CVE-2019-8325)

From Red Hat Security Advisory 2019:1235 :

An update for ruby is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.

Security Fix(es) :

* rubygems: Installing a malicious gem may lead to arbitrary code execution (CVE-2019-8324)

* rubygems: Escape sequence injection vulnerability in gem owner (CVE-2019-8322)

* rubygems: Escape sequence injection vulnerability in API response handling (CVE-2019-8323)

* rubygems: Escape sequence injection vulnerability in errors (CVE-2019-8325)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Rebase to latest minor version fixes CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Rubygems included in the interpreter for the Ruby language, which may result in denial of service or the execution of arbitrary code.

Several vulnerabilities have been discovered in rubygems embedded in ruby2.1, the interpreted scripting language.

CVE-2019-8320

A Directory Traversal issue was discovered in RubyGems. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination.

CVE-2019-8322

The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.

CVE-2019-8323

Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.

CVE-2019-8324

A crafted gem with a multi-line name is not handled correctly.
Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.

CVE-2019-8325

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)

For Debian 8 'Jessie', these problems have been fixed in version 2.1.5-2+deb8u7.

We recommend that you upgrade your ruby2.1 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

RubyGems Security Advisories :

CVE-2019-8320: Delete directory using symlink when decompressing tar

CVE-2019-8321: Escape sequence injection vulnerability in 'verbose'

CVE-2019-8322: Escape sequence injection vulnerability in 'gem owner'

CVE-2019-8323: Escape sequence injection vulnerability in API response handling

CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution

CVE-2019-8325: Escape sequence injection vulnerability in errors

ID	Name	Product	Family	Severity
127811	Amazon Linux AMI : ruby20 / ruby21,ruby24 (ALAS-2019-1255)	Nessus	Amazon Linux Local Security Checks	high
127299	NewStart CGSL CORE 5.05 / MAIN 5.05 : ruby Multiple Vulnerabilities (NS-SA-2019-0084)	Nessus	NewStart CGSL Local Security Checks	medium
127292	NewStart CGSL CORE 5.04 / MAIN 5.04 : ruby Multiple Vulnerabilities (NS-SA-2019-0080)	Nessus	NewStart CGSL Local Security Checks	medium
126961	Amazon Linux 2 : ruby (ALAS-2019-1249)	Nessus	Amazon Linux Local Security Checks	medium
126904	openSUSE Security Update : ruby-bundled-gems-rpmhelper / ruby2.5 (openSUSE-2019-1771)	Nessus	SuSE Local Security Checks	high
126846	EulerOS 2.0 SP2 : ruby (EulerOS-SA-2019-1718)	Nessus	Huawei Local Security Checks	high
126617	SUSE SLED15 / SLES15 Security Update : ruby-bundled-gems-rpmhelper, ruby2.5 (SUSE-SU-2019:1804-1)	Nessus	SuSE Local Security Checks	high
125569	EulerOS Virtualization for ARM 64 3.0.2.0 : ruby (EulerOS-SA-2019-1617)	Nessus	Huawei Local Security Checks	high
125524	EulerOS 2.0 SP5 : ruby (EulerOS-SA-2019-1597)	Nessus	Huawei Local Security Checks	medium
125316	CentOS 7 : ruby (CESA-2019:1235)	Nessus	CentOS Local Security Checks	medium
125297	Debian DLA-1796-1 : jruby security update	Nessus	Debian Local Security Checks	high
125208	Scientific Linux Security Update : ruby on SL7.x x86_64 (20190515)	Nessus	Scientific Linux Local Security Checks	medium
125201	RHEL 7 : ruby (RHSA-2019:1235)	Nessus	Red Hat Local Security Checks	medium
125191	Oracle Linux 7 : ruby (ELSA-2019-1235)	Nessus	Oracle Linux Local Security Checks	medium
124728	Fedora 28 : ruby (2019-feac6674b7)	Nessus	Fedora Local Security Checks	high
124574	Fedora 29 : ruby (2019-a155364f3c)	Nessus	Fedora Local Security Checks	high
124096	Debian DSA-4433-1 : ruby2.3 - security update	Nessus	Debian Local Security Checks	high
123522	Debian DLA-1735-1 : ruby2.1 security update	Nessus	Debian Local Security Checks	high
122883	FreeBSD : RubyGems -- multiple vulnerabilities (27b12d04-4722-11e9-8b7c-b5e01141761f)	Nessus	FreeBSD Local Security Checks	high

CVE-2019-8325

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins