Multiple vulnerabilities in RubyGems

There are multiple vulnerabilities in RubyGems bundled with Ruby. It is reported at the official blog of RubyGems.

Details

The following vulnerabilities have been reported.

  • CVE-2019-8320: Delete directory using symlink when decompressing tar
  • CVE-2019-8321: Escape sequence injection vulnerability in verbose
  • CVE-2019-8322: Escape sequence injection vulnerability in gem owner
  • CVE-2019-8323: Escape sequence injection vulnerability in API response handling
  • CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
  • CVE-2019-8325: Escape sequence injection vulnerability in errors

It is strongly recommended for Ruby users to take one of the following workarounds as soon as possible.

Affected Versions

  • Ruby 2.4 series: 2.4.5 and earlier
  • Ruby 2.5 series: 2.5.3 and earlier
  • Ruby 2.6 series: 2.6.1 and earlier
  • prior to trunk revision 67168

Workarounds

RubyGems 2.7.6.2/2.7.9/3.0.3 or later includes the fix for the vulnerabilities, so upgrade RubyGems to the latest version.

gem update --system

If you can’t upgrade RubyGems, you can apply the following patches as a workaround.

About the trunk, update to the latest revision.

Credits

This report is based on the official blog of RubyGems.

History

  • Originally published at 2019-03-05 00:00:00 UTC
  • Link to updated patches at 2019-03-06 05:26:27 UTC