Posted by hsbt on 5 Mar 2019
There are multiple vulnerabilities in the RubyGems bundled with Ruby. They are reported on the official RubyGems blog.
The following vulnerabilities have been reported:
- CVE-2019-8320: Delete directory using symlink when decompressing tar
- CVE-2019-8321: Escape sequence injection vulnerability in
- CVE-2019-8322: Escape sequence injection vulnerability in
- CVE-2019-8323: Escape sequence injection vulnerability in API response handling
- CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
- CVE-2019-8325: Escape sequence injection vulnerability in errors
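Several of the entries above are escape sequence injections: text that an untrusted gem controls (for example its metadata) reaches a terminal unfiltered, so embedded ANSI control sequences are interpreted by the terminal rather than shown. The defensive counterpart is to strip escape sequences and other control characters from untrusted text before printing it. The following Ruby code is an added example written for this page; it is not the RubyGems fix and not code from the advisory. The sample gem summary it operates on is constructed, and the helper names `sanitize_terminal_text`, `suspicious_terminal_text?` and `normalize_text` are this example's own.

```ruby
# Added example (not RubyGems code): scrub untrusted text before it is
# written to a terminal, and flag text that contains escape sequences.

# ANSI escape sequences, in order of preference:
#   1. CSI: ESC [ parameter bytes, intermediate bytes, one final byte
#   2. OSC: ESC ] ... terminated by BEL or by ESC followed by a backslash
#   3. any other two-byte ESC sequence (covers malformed or truncated ones)
ESCAPE_SEQUENCE = /
  \e \[ [\x30-\x3f]* [\x20-\x2f]* [\x40-\x7e]   # CSI sequence
  | \e \] .*? (?:\a | \e \\)                     # OSC sequence
  | \e [\x40-\x7e]                               # other ESC sequences
/mx

# C0 controls other than tab and newline, DEL, and the C1 control range.
CONTROL_CHARS = /[\x00-\x08\x0b-\x1f\x7f\u0080-\u009f]/

# Force a UTF-8 view of the input and replace invalid bytes, so the regexes
# above can be applied to arbitrary (possibly binary) metadata strings.
def normalize_text(text)
  text.to_s.dup.force_encoding(Encoding::UTF_8).scrub("?")
end

# Remove escape sequences first, then any stray control characters.
# Tabs and newlines are kept so ordinary multi-line summaries stay readable.
def sanitize_terminal_text(text)
  normalize_text(text).gsub(ESCAPE_SEQUENCE, "").gsub(CONTROL_CHARS, "")
end

# Detection helper: true when the text would be altered by sanitizing it,
# which is a signal worth logging when it comes from an untrusted gem.
def suspicious_terminal_text?(text)
  normalized = normalize_text(text)
  !!(ESCAPE_SEQUENCE =~ normalized || CONTROL_CHARS =~ normalized)
end

# Constructed sample: a gem summary that clears the screen, moves the cursor
# home, rewrites the terminal title and hides part of the line with CR.
MALICIOUS_SUMMARY = "Handy utility\e[2J\e[H\e]0;owned\aFor production use\r\n".freeze

if __FILE__ == $PROGRAM_NAME
  puts "suspicious: #{suspicious_terminal_text?(MALICIOUS_SUMMARY)}"
  print "sanitized:  #{sanitize_terminal_text(MALICIOUS_SUMMARY)}"
end
```

The sanitizer is deliberately conservative: it drops anything it cannot classify as printable text rather than trying to preserve "harmless" colour codes, because the terminal, not the gem, should decide how output is rendered. Eight-bit C1 controls such as the single-byte CSI (U+009B) are removed by the second pass, though any parameter bytes that followed them are left as plain text.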
Ruby users are strongly recommended to take one of the workarounds below as soon as possible. The affected versions are:
- Ruby 2.4 series: 2.4.5 and earlier
- Ruby 2.5 series: 2.5.3 and earlier
- Ruby 2.6 series: 2.6.1 and earlier
- trunk: prior to revision 67168
RubyGems 188.8.131.52/2.7.9/3.0.3 or later includes the fix for the vulnerabilities, so upgrade RubyGems to the latest version:

```sh
gem update --system
```
If you can't upgrade RubyGems, you can apply the following patches as a workaround.
For trunk, update to the latest revision.
This report is based on the official blog of RubyGems.
- Originally published at 2019-03-05 00:00:00 UTC
- Link to updated patches at 2019-03-06 05:26:27 UTC