Bugzilla – Bug 898205
VUL-0: CVE-2013-0334: rubygem-bundler: Bundler may install gems from a different source than expected
Last modified: 2016-03-23 07:15:22 UTC
via oss-sec http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html

Bundler may install gems from a different source than expected (CVE-2013-0334)
by André Arko on Aug 14 2014

Versions Affected: All versions < 1.7.0
Not Affected: Any Gemfile with one or zero sources
Fixed Versions: 1.7.0
Releases: 1.7.0

Bundler 1.7 is a security-only release to address CVE-2013-0334, a vulnerability where a gem might be installed from an unintended source server, particularly while using both rubygems.org and gems.github.com.

Impact

Any Gemfile with multiple top-level source lines cannot reliably control the gem server that a particular gem is fetched from. As a result, Bundler might install the wrong gem if more than one source provides a gem with the same name. This is especially possible in the case of Github's legacy gem server, hosted at gems.github.com. An attacker might create a malicious gem on Rubygems.org with the same name as a commonly-used Github gem. From that point forward, running bundle install might result in the malicious gem being used instead of the expected gem. To mitigate this, the Bundler and Rubygems.org teams worked together to copy almost every gem hosted on gems.github.com to rubygems.org, reducing the number of gems that can be used for such an attack.

Resolution

To resolve this issue, upgrade to Bundler 1.7 by running gem install bundler. The next time you run bundle install for any Gemfile that contains multiple sources, each gem available from multiple sources will print a warning. For every warning printed, edit the Gemfile to either specify a :source option for that gem, or move the gem line into a block that is passed to a source method call. For detailed information about the changes to how sources are handled in Bundler version 1.7, see the release announcement.

Workarounds

If you are unable to upgrade to Bundler 1.7, it is possible to work around the issue by removing all but one source line from your Gemfile. Gems from other sources must be installed via the :git option, which is not susceptible to this issue, or unpacked into the application repository and used via the :path option. Unfortunately, backporting a fix for this issue proved impractical, as previous versions of Bundler lacked the ability to distinguish between gem servers.

Credits

Thanks to Andreas Loupasakis and Fotos Georgiadis for reporting this issue, James Tucker, Tony Arcieri, Eric Hodel, Michael Koziarski, and Kurt Seifried for assistance with the eventual solution, and David Radcliffe for importing legacy Github gems into Rubygems.org.
Created attachment 607666: list of packages that have to be checked

Affected packages:
SLE-11-SP3: rubygem-bundler
SLE-11-SP3-PRODUCTS: rubygem-bundler
SLE-11-SP3-UPTU: rubygem-bundler
SLE-12: rubygem-bundler
bugbot adjusting priority
All SLE-11-SP3* have bundler 1.0.21. The fix cannot be backported (see the statement in comment#1: "backporting a fix for this issue proved impractical"). The question is: should we update bundler to 1.7.0 for this issue, or live with it?
SLE12 has bundler version 1.7.3 which is not affected.
https://fate.suse.com/318165
ECO is approved, we can proceed.
2 SRs will appear shortly regarding openSUSE 13.1 and 13.2.
This is an autogenerated message for OBS integration: This bug (898205) was mentioned in
https://build.opensuse.org/request/show/290135 13.1 / rubygem-bundler
https://build.opensuse.org/request/show/290136 13.2 / rubygem-bundler
This is an autogenerated message for OBS integration: This bug (898205) was mentioned in
https://build.opensuse.org/request/show/290171 13.1 / rubygem-bundler
https://build.opensuse.org/request/show/290172 13.2 / rubygem-bundler
This is an autogenerated message for OBS integration: This bug (898205) was mentioned in https://build.opensuse.org/request/show/290622 13.2 / rubygem-bundler
The 13.1 submit is still missing?
Sorry for that. I realized that there is a bug in the 13.1 package in the update process. It affects 13.2 as well; I just confirmed that yesterday. I am working on it. The bug is:
1- install rubygem-bundler
2- check that there is a symlink /bin/bundle
3- update rubygem-bundler
You'll see that the /bin/bundle symlink is broken :( It only happens if you update. If you install it, the link works. I tried SLE11SP3 and the error can't be reproduced there, so SLE11SP3 is fine.
This is an autogenerated message for OBS integration: This bug (898205) was mentioned in https://build.opensuse.org/request/show/291164 13.1 / rubygem-bundler
This is an autogenerated message for OBS integration: This bug (898205) was mentioned in https://build.opensuse.org/request/show/291166 13.2 / rubygem-bundler
Assigning it to the security team. Sorry for the mess. I just created another bug for SLE12 regarding the CA pem files:
Bug 922719 - rubygem-bundler contains certificate authorities pem files
https://bugzilla.suse.com/show_bug.cgi?id=922719
How to reproduce the CVE bug:
1- install rubygem-bundler
2- create a Gemfile.lock with this content:
    source "http://rubygems.org"
    source "https://www.rubygems.org"
    gem 'rake'
3- run "bundle install"
If you run it with an insecure version, it will install rake without any complaint. If you run it with the patched version, it should give you a warning and it will tell you where you installed it from.
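The following is an added example, not code from this bug report or from Bundler: a small auditor that evaluates a Gemfile's DSL and flags the condition described in the advisory and reproduced in the comment above (two or more top-level `source` lines with a gem pinned to none of them), and that treats the advisory's two fixes (a `:source` option or a `source ... do` block) as resolving it. The gem server `gems.example.test` and the gem name `internal-tool` are constructed placeholders.

```ruby
# Added example, not code from the bug report or from Bundler: evaluates a
# Gemfile's DSL and reports gems whose source is ambiguous in the sense of
# CVE-2013-0334, i.e. two or more top-level `source` lines and a gem that has
# neither a :source option nor an enclosing `source ... do` block.
class GemfileSourceAudit
  Finding = Struct.new(:name, :candidate_sources)
  def initialize
    @top_level = [] # URLs from bare top-level `source` calls
    @gems = {}      # gem name => pinned source (URL or :vcs), or nil
    @scope = nil    # URL of the enclosing `source ... do` block, if any
  end

  # Gemfile DSL: `source "url"` at top level, or `source "url" do ... end`.
  def source(url, &block)
    if block
      previous, @scope = @scope, url
      instance_eval(&block)
      @scope = previous
    else
      @top_level << url unless @top_level.include?(url)
    end
  end

  # Gemfile DSL: `gem "name", "~> 1.0", source: "url"`; versions are ignored.
  def gem(name, *args)
    opts = args.last.is_a?(Hash) ? args.last : {}
    pinned = opts[:source] || @scope
    pinned ||= :vcs if opts[:git] || opts[:path] # never fetched from a gem server
    @gems[name] = pinned
  end

  def self.audit(gemfile_text)
    new.tap { |a| a.instance_eval(gemfile_text, "Gemfile") }.findings
  end

  # One Finding per gem that any of the top-level sources could have served.
  def findings
    return [] if @top_level.size < 2
    @gems.select { |_, src| src.nil? }.map { |name, _| Finding.new(name, @top_level.dup) }
  end
end

# Constructed samples: the first mirrors this bug's reproduction step, the
# second applies the advisory's two fixes (:source option, scoped block).
VULNERABLE_GEMFILE = "source 'http://rubygems.org'\nsource 'https://www.rubygems.org'\ngem 'rake'\n"
FIXED_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  source "https://www.rubygems.org"
  gem 'rake', source: "https://rubygems.org"
  source "https://gems.example.test" do # constructed private gem server
    gem 'internal-tool'
  end
GEMFILE
```

`GemfileSourceAudit.audit(VULNERABLE_GEMFILE)` returns one finding for `rake` listing both top-level servers, while the fixed Gemfile yields none.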
openSUSE-SU-2015:0628-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 898205
CVE References: CVE-2013-0334
Sources used:
openSUSE 13.2 (src): rubygem-bundler-1.8.4-2.4.1
openSUSE 13.1 (src): rubygem-bundler-1.8.4-3.4.1
SUSE-SU-2015:0795-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 898205
CVE References: CVE-2013-0334
Sources used:
WebYaST 1.3 (src): rubygem-bundler-1.7.0-0.7.1
SUSE Studio Onsite 1.3 (src): rubygem-bundler-1.7.0-0.7.1, rubygem-bundler19-1.7.0-0.12.1
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): rubygem-bundler-1.7.0-0.7.1
SUSE Linux Enterprise High Availability Extension 11 SP3 (src): rubygem-bundler-1.7.0-0.7.1
SUSE Lifecycle Management Server 1.3 (src): rubygem-bundler-1.7.0-0.7.1
SUSE Cloud 4 (src): rubygem-bundler-1.7.0-0.7.1
released