Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 573
Alerts This Week
Warning Icon 1 573

Debian 8 Jessie DLA-1735-1 Critical Ruby2.1 Escape Injection Threat

debian lts
Calendar Grey March 29, 2019
Dist Debian Esm H88
Package : ruby2.1 Version : 2.1.5-2+deb8u7 CVE ID : CVE-2019-8320 CVE-2019-8322 CVE-2019-8323 CVE-20
Several vulnerabilities have been discovered in rubygems embedded in ruby2.1, the interpreted scripting language

Summary

CVE-2019-8320

A Directory Traversal issue was discovered in RubyGems. Before
making new directories or touching files (which now include
path-checking code for symlinks), it would delete the target
destination.

CVE-2019-8322

The gem owner command outputs the contents of the API response
directly to stdout. Therefore, if the response is crafted, escape
sequence injection may occur.

CVE-2019-8323

Gem::GemcutterUtilities#with_response may output the API response to
stdout as it is. Therefore, if the API side modifies the response,
escape sequence injection may occur.

CVE-2019-8324

A crafted gem with a multi-line name is not handled correctly.
Therefore, an attacker could inject arbitrary code to the stub line
of gemspec, which is eval-ed by code in ensure_loadable_spec during
the preinstall check.

CVE-2019-8325

An issue was discovered in RubyGems 2.6 and later through 3.0.2.
Since Gem::CommandManager#run calls alert_error without escaping,

Read the Full Advisory


Severity
critical
Lowest
Low
Medium
High
Critical

Package: ruby2.1
Version: 2.1.5-2+deb8u7
CVE ID: CVE-2019-8320 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.