[v3.0] ruby-bundler: installation from rogue source vulnerability (CVE-2013-0334)
Bundler 1.7 is a security-only release to address CVE-2013-0334, a vulnerability where a gem might be installed from an unintended source server, particularly while using both rubygems.org and gems.github.com.
Versions Affected: All versions < 1.7.0
Not Affected: Any Gemfile with one or zero sources
Fixed Versions: 1.7.0
Releases: 1.7.0 (2014-09-14)
Impact:
Any Gemfile with multiple top-level `source` lines cannot reliably control the gem server that a particular gem is fetched from. As a result, Bundler might install the wrong gem if more than one source provides a gem with the same name.
This is especially possible in the case of Github’s legacy gem server, hosted at gems.github.com. An attacker might create a malicious gem on Rubygems.org with the same name as a commonly-used Github gem. From that point forward, running `bundle install` might result in the malicious gem being used instead of the expected gem.
To mitigate this, the Bundler and Rubygems.org teams worked together to copy almost every gem hosted on gems.github.com to rubygems.org, reducing the number of gems that can be used for such an attack.
Resolution:
To resolve this issue, upgrade to Bundler 1.7 by running `gem install bundler`. The next time you run `bundle install` for any Gemfile that contains multiple sources, each gem available from multiple sources will print a warning.
For every warning printed, edit the Gemfile to either specify a `:source` option for that gem, or move the `gem` line into a block that is passed to a `source` method call.
Workarounds:
If you are unable to upgrade to Bundler 1.7, it is possible to work around the issue by removing all but one `source` line from your Gemfile. Gems from other sources must be installed via the `:git` option, which is not susceptible to this issue, or unpacked into the application repository and used via the `:path` option.
Unfortunately, backporting a fix for this issue proved impractical, as previous versions of Bundler lacked the ability to distinguish between gem servers.
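The Resolution and Workarounds sections above describe three Gemfile shapes: the ambiguous one (several top-level `source` lines), the fixed one (the gem pinned with a `:source` option or a `source ... do` block), and the workaround (one `source` plus `:git`/`:path`). The following is an added illustration, not Bundler's own code: a toy stand-in for the Gemfile DSL that records which servers each gem may come from, plus a check that reports the gems Bundler 1.7 would warn about. The gem index, the gem names and the `defunkt/foo` repository URL are constructed sample data.

```ruby
# Constructed sample index: which server offers which gem names. It stands in
# for rubygems.org and the legacy gems.github.com index; "defunkt-foo" is
# deliberately served by both, which is the situation the advisory describes.
INDEX = {
  "https://rubygems.org"   => %w[rails rake defunkt-foo],
  "http://gems.github.com" => %w[defunkt-foo mojombo-bar],
}.freeze

# Hypothetical minimal stand-in for Bundler's Gemfile DSL. It only records,
# per gem, the servers that gem is allowed to be fetched from.
class ToyGemfile
  attr_reader :global_sources, :gems

  def initialize
    @global_sources = []   # top-level `source` lines, in order
    @gems = {}             # gem name => pinned source(s), or nil when unpinned
    @block_sources = []    # stack of `source(url) do ... end` blocks being evaluated
  end

  # `source "url"` adds a global source; `source "url" do ... end` pins every
  # gem declared inside the block to that one server.
  def source(url, &blk)
    if blk
      @block_sources.push(url)
      instance_eval(&blk)
      @block_sources.pop
    else
      @global_sources << url
    end
  end

  # A gem is pinned when it has :git or :path, an explicit :source option,
  # or is declared inside a `source` block. Otherwise any global source may win.
  def gem(name, source: nil, git: nil, path: nil)
    @gems[name] =
      if git then [:git]
      elsif path then [:path]
      elsif source then [source]
      elsif @block_sources.any? then [@block_sources.last]
      end
  end

  # Gemfiles are plain Ruby; evaluate the text against a fresh recorder.
  def self.parse(text)
    g = new
    g.instance_eval(text)
    g
  end
end

# Names of gems whose fetch server is ambiguous: not pinned, and offered by
# more than one of the top-level sources. These are the gems Bundler 1.7
# warns about and that the advisory asks you to pin.
def ambiguous_gems(gemfile, index = INDEX)
  gemfile.gems.select do |name, pinned|
    next false if pinned
    providers = gemfile.global_sources.select { |url| index.fetch(url, []).include?(name) }
    providers.size > 1
  end.keys
end

# Ambiguous: two top-level sources, "defunkt-foo" available from both.
VULNERABLE = <<~GEMFILE
  source "https://rubygems.org"
  source "http://gems.github.com"
  gem "rails"
  gem "defunkt-foo"
GEMFILE

# Fixed as the advisory recommends: the github gem moved into a source block.
FIXED = <<~GEMFILE
  source "https://rubygems.org"
  gem "rails"
  source "http://gems.github.com" do
    gem "defunkt-foo"
  end
GEMFILE

# Workaround for Bundler < 1.7: a single source, other gems via :git.
WORKAROUND = <<~GEMFILE
  source "https://rubygems.org"
  gem "rails"
  gem "defunkt-foo", git: "https://github.com/defunkt/foo.git"  # placeholder URL
GEMFILE

if __FILE__ == $0
  { "vulnerable" => VULNERABLE, "fixed" => FIXED, "workaround" => WORKAROUND }.each do |label, text|
    warn_for = ambiguous_gems(ToyGemfile.parse(text))
    puts "#{label}: #{warn_for.empty? ? 'no ambiguous gems' : "warn for #{warn_for.join(', ')}"}"
  end
end
```

Running it reports `defunkt-foo` as ambiguous for the first Gemfile and nothing for the other two. The point the toy makes is the one the advisory makes: with several top-level sources the Gemfile carries no information about which server a given name should come from, so the fix is to put that information back, per gem, rather than to rely on source ordering.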
Credits:
Thanks to Andreas Loupasakis and Fotos Georgiadis for reporting this issue, James Tucker, Tony Arcieri, Eric Hodel, Michael Koziarski, and Kurt Seifried for assistance with the eventual solution, and David Radcliffe for importing legacy Github gems into Rubygems.org.
André Arko (@indirect), Tim Moore (@tmoore), and the Bundler team (@bundlerio), team@bundler.io
References:
http://seclists.org/oss-sec/2014/q3/648
http://bundler.io/v1.7/whats_new.html
http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html
(from redmine: issue id 3476, created on 2014-10-27, closed on 2015-05-22)
- Relations:
- parent #3472 (closed)
- Changesets:
- Revision 0d683347 by Kaarle Ritvanen on 2014-12-09T14:31:50Z:
ruby-rails: upgrade to 4.0.12 (CVE-2013-0334, CVE-2014-7818, CVE-2014-7819)
fixes #3476
fixes #3582
fixes #3586