[v2.6] ruby-bundler: installation from rogue source vulnerability (CVE-2013-0334)
Bundler 1.7 is a security-only release to address CVE-2013-0334, a vulnerability where a gem might be installed from an unintended source server, particularly while using both rubygems.org and gems.github.com.
Versions Affected: All versions < 1.7.0
Not Affected: Any Gemfile with one or zero sources
Fixed Versions: 1.7.0
Releases: 1.7.0 (2014-09-14)
Impact:
Any Gemfile with multiple top-level `source` lines cannot reliably control the gem server that a particular gem is fetched from. As a result, Bundler might install the wrong gem if more than one source provides a gem with the same name.
This is especially possible in the case of Github’s legacy gem server, hosted at gems.github.com. An attacker might create a malicious gem on Rubygems.org with the same name as a commonly-used Github gem. From that point forward, running `bundle install` might result in the malicious gem being used instead of the expected gem.
To mitigate this, the Bundler and Rubygems.org teams worked together to copy almost every gem hosted on gems.github.com to rubygems.org, reducing the number of gems that can be used for such an attack.
Resolution:
To resolve this issue, upgrade to Bundler 1.7 by running `gem install bundler`. The next time you run `bundle install` for any Gemfile that contains multiple sources, each gem available from multiple sources will print a warning.
For every warning printed, edit the Gemfile to either specify a `:source` option for that gem, or move the `gem` line into a block that is passed to a `source` method call.
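As an added illustration (not part of the advisory or of Bundler's own code), a small Ruby stand-in for the Gemfile DSL that flags the ambiguous multi-source case and accepts both fixes described above, the `:source` option and the `source` block; the sample Gemfiles and gem names are constructed.

```ruby
# Minimal stand-in for Bundler's Gemfile DSL (example code, not Bundler's):
# records top-level `source` lines, `source ... do ... end` blocks and `gem`
# calls, then reports gems with an ambiguous source. Static: no server queried.
class GemfileAudit
  Dep = Struct.new(:name, :source)
  attr_reader :sources, :deps
  def initialize
    @sources, @deps, @block_source = [], [], nil
  end
  # `source "url"` at top level, or `source "url" do ... end`
  def source(url, &block)
    if block
      saved, @block_source = @block_source, url
      instance_eval(&block)
      @block_source = saved
    else
      @sources << url unless @sources.include?(url)
    end
  end
  # `gem "name", "version", source: "url"`; :git and :path also pin a gem
  def gem(name, *args)
    opts = args.last.is_a?(Hash) ? args.last : {}
    pinned = opts[:source] || @block_source
    pinned ||= :git  if opts[:git]
    pinned ||= :path if opts[:path]
    @deps << Dep.new(name, pinned)
  end
  # Gems more than one top-level source could serve and that nothing pins
  # (option or `source` block): the CVE-2013-0334 condition Bundler 1.7 warns on.
  def ambiguous
    return [] if @sources.size <= 1
    @deps.reject(&:source).map(&:name)
  end
  def self.audit(gemfile_text)
    new.tap { |a| a.instance_eval(gemfile_text) }
  end
end
# Constructed sample Gemfiles, not taken from any real project.
VULNERABLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  source "http://gems.github.com"
  gem "rails", "3.2.21"
  gem "some-github-gem"
GEMFILE
FIXED_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  gem "rails", "3.2.21"
  source "http://gems.github.com" do
    gem "some-github-gem"
  end
GEMFILE
```

`GemfileAudit.audit(VULNERABLE_GEMFILE).ambiguous` names both gems, while the fixed Gemfile reports none because only one top-level source remains and the Github gem is pinned by its block.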
Workarounds:
If you are unable to upgrade to Bundler 1.7, it is possible to work around the issue by removing all but one `source` line from your Gemfile. Gems from other sources must be installed via the `:git` option, which is not susceptible to this issue, or unpacked into the application repository and used via the `:path` option.
Unfortunately, backporting a fix for this issue proved impractical, as previous versions of Bundler lacked the ability to distinguish between gem servers.
Credits:
Thanks to Andreas Loupasakis and Fotos Georgiadis for reporting this issue, James Tucker, Tony Arcieri, Eric Hodel, Michael Koziarski, and Kurt Seifried for assistance with the eventual solution, and David Radcliffe for importing legacy Github gems into Rubygems.org.
André Arko (indirect), Tim Moore (tmoore), and the Bundler team (@bundlerio), team@bundler.io
References:
http://seclists.org/oss-sec/2014/q3/648
http://bundler.io/v1.7/whats_new.html
http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html
(from redmine: issue id 3474, created on 2014-10-27, closed on 2015-05-22)
- Relations:
- parent #3472 (closed)
- Changesets:
- Revision 58bc3dae by Kaarle Ritvanen on 2014-12-10T01:06:53Z:
main/ruby-rails: upgrade to 3.2.21
fixes #2579
fixes #2805
fixes #2808
fixes #2942
fixes #3151
fixes #3474
fixes #3580
fixes #3584
CVE-2013-0334
CVE-2013-4389
CVE-2013-4492
CVE-2013-6414
CVE-2013-6415
CVE-2013-6417
CVE-2014-0081
CVE-2014-0082
CVE-2014-0130
CVE-2014-3482
CVE-2014-3483
CVE-2014-7818
CVE-2014-7819