Allele Security Alert
ASA-2019-00361
Identifier(s)
ASA-2019-00361, CVE-2019-8324
Title
Installing a malicious gem may lead to arbitrary code execution
Vendor(s)
RubyGems.org
Product(s)
RubyGems
Affected version(s)
RubyGems 2.6 and later through 3.0.2
Fixed version(s)
RubyGems 3.0.3
RubyGems 2.7.8
Proof of concept
Unknown
Description
An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly: the gem name is copied verbatim into the "# stub:" comment line of the generated gemspec, so a newline inside the name terminates the comment and whatever follows it becomes Ruby code. That generated text is eval-ed by ensure_loadable_spec during the pre-install check, so an attacker who gets a victim to run gem install on the crafted gem obtains arbitrary code execution on the installing host before the installation itself succeeds or fails. The fix validates the spec name (and, in a follow-up commit, the require_paths, which are written to the same stub line) before the stub is evaluated.
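The following is an added illustration, not RubyGems' own code: a simplified model of the "# stub:" header that Gem::Specification#to_ruby emits and of the eval performed by Gem::Installer#ensure_loadable_spec, alongside the kind of name and require_paths validation the fixed versions perform before evaluating the stub. The build_stub, ensure_loadable_unchecked and ensure_loadable_checked helpers, the VALID_NAME_PATTERN allow-list, the $injected marker and the EVIL_NAME payload are all constructed for this example; the exact pattern RubyGems uses to validate names is an assumption here.

```ruby
# Added example modelling CVE-2019-8324 (not RubyGems' own code): the gem name
# is interpolated into a Ruby comment line that is later eval-ed, so a newline
# in the name breaks out of the comment.
require "rubygems"

# Constructed marker: the "payload" in this example only flips this flag.
$injected = false

# Models the Ruby text RubyGems writes for a cached gemspec. The second line is
# a comment embedding the name, version, platform and require paths verbatim.
def build_stub(name, version, platform, require_paths)
  [
    "# -*- encoding: utf-8 -*-",
    "# stub: #{name} #{version} #{platform} #{require_paths.join("\0")}",
    "",
    "Gem::Specification.new do |s|",
    "  s.name = #{name.dump}",
    "  s.version = #{version.dump}",
    "end",
  ].join("\n")
end

# Mirrors the vulnerable pre-install check: eval the stub to see whether the
# specification loads, without first validating what went into it.
def ensure_loadable_unchecked(stub)
  eval(stub)
  true
rescue StandardError, SyntaxError
  false
end

# Assumed allow-list for gem names; the fixed releases validate the name
# before the eval, but the concrete pattern below is this example's choice.
VALID_NAME_PATTERN = /\A[a-zA-Z0-9.\-_]+\z/

# Require paths land on the same stub line, so they must not be able to end the
# comment either (the second fix commit adds this check on the real code path).
def valid_require_path?(path)
  path.is_a?(String) && !path.include?("\n") && !path.include?("\0")
end

# Hardened variant: reject a malformed name or require path before any eval.
def ensure_loadable_checked(name, version, platform, require_paths)
  unless name.is_a?(String) && name.match?(VALID_NAME_PATTERN)
    raise ArgumentError, "invalid gem name: #{name.inspect}"
  end
  require_paths.each do |p|
    raise ArgumentError, "invalid require path: #{p.inspect}" unless valid_require_path?(p)
  end
  ensure_loadable_unchecked(build_stub(name, version, platform, require_paths))
end

# Constructed malicious name: the newline closes the "# stub:" comment and the
# trailing "#" comments out the remainder of that line so the payload parses.
EVIL_NAME = "evil\n$injected = true #"

if __FILE__ == $PROGRAM_NAME
  stub = build_stub(EVIL_NAME, "1.0", "ruby", ["lib"])
  puts stub
  ensure_loadable_unchecked(stub)
  puts "unchecked eval ran attacker code: #{$injected}"
  $injected = false
  begin
    ensure_loadable_checked(EVIL_NAME, "1.0", "ruby", ["lib"])
  rescue ArgumentError => e
    puts "checked path rejected the gem: #{e.message}"
  end
  puts "attacker code ran after check: #{$injected}"
end
```

Running the script prints the generated stub, in which the payload appears as its own line directly under the truncated "# stub: evil" comment, shows the marker set to true by the unchecked eval, and shows the checked variant rejecting the same name before any eval takes place. The lesson carries beyond this one field: any value that is spliced into generated source and later eval-ed must be validated against an allow-list (or properly quoted) before generation, not after.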
Technical details
Unknown
Credits
nyangawa (Chaitin Tech)
Reference(s)
March 2019 Security Advisories
https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
Also verify spec require_paths when pre install task
https://github.com/rubygems/rubygems/commit/00ff3037a577889bd1e555966d9e0d17bea8d28d
[Installer] Validate spec name before checking the ruby spec is loadable
https://github.com/rubygems/rubygems/commit/52b88f1229c2796d3e3a8eab6a830f2afdec2e31
ruby-2.4.5-rubygems-v2.patch
https://bugs.ruby-lang.org/attachments/7669
CVE-2019-8324
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8324
CVE-2019-8324
https://nvd.nist.gov/vuln/detail/CVE-2019-8324
If there is any error in this alert, or you would like a comprehensive analysis, let us know.
Last modified: June 19, 2019