CVE-2019-8320

Priority
Description
A Directory Traversal issue was discovered in RubyGems 2.7.6 and later
through 3.0.2. Before making new directories or touching files (which now
include path-checking code for symlinks), it would delete the target
destination. If that destination was hidden behind a symlink, a malicious
gem could delete arbitrary files on the user's machine, presuming the
attacker could guess at paths. Given how frequently gem is run as sudo, and
how predictable paths are on modern systems (/tmp, /usr, etc.), this could
likely lead to data loss or an unusable system.
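One defensive form of the path check the description refers to, as an added example (not RubyGems' own fix): directories are created component by component under the install root, nothing is deleted first, and any existing component that is a symlink is refused before a child path is touched. `safe_mkdir_p`, `UnsafePathError` and `demo` are names chosen here.

```ruby
require 'tmpdir'

class UnsafePathError < StandardError; end

# Create `relative` under `root` one component at a time. The advisory's
# dangerous pattern is "rm_rf(target) then mkdir_p(target)": if a parent
# component of target is a symlink out of root, the rm_rf lands on the link's
# destination. Here an existing symlink component is refused instead.
def safe_mkdir_p(root, relative)
  root = File.realpath(root)
  full = File.expand_path(relative, root)
  unless full == root || full.start_with?(root + File::SEPARATOR)
    raise UnsafePathError, "#{relative} escapes #{root}"
  end
  current = root
  full.delete_prefix(root).split(File::SEPARATOR).reject(&:empty?).each do |part|
    current = File.join(current, part)
    # File.symlink? uses lstat, so the link itself is inspected, not its target
    raise UnsafePathError, "#{current} is a symlink" if File.symlink?(current)
    Dir.mkdir(current) unless File.directory?(current) # EEXIST for a plain file
  end
  current
end

# Constructed scenario (not a real gem): the install root contains a symlink
# `lib` pointing at an unrelated directory that holds victim.txt.
def demo
  Dir.mktmpdir do |root|
    Dir.mktmpdir do |outside|
      victim = File.join(outside, 'victim.txt')
      File.write(victim, 'keep me')
      File.symlink(outside, File.join(root, 'lib'))
      created = File.directory?(safe_mkdir_p(root, 'ext/build'))
      rejected = begin
        safe_mkdir_p(root, 'lib/victim.txt')
        false
      rescue UnsafePathError
        true
      end
      escaped = begin
        safe_mkdir_p(root, '../escape')
        false
      rescue UnsafePathError
        true
      end
      { created: created, rejected: rejected, escaped: escaped, intact: File.exist?(victim) }
    end
  end
end
```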
Assigned-to
leosilva
Notes
tyhicks: ruby{1.9.1,2.0,2.3} and jruby ship an embedded rubygems.
Package
Source: jruby
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was not-affected [code not present])
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (code not present)
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.10 (Eoan Ermine):not-affected (9.1.17.0-3)
Ubuntu 20.04 (Focal Fossa):not-affected (9.1.17.0-3)
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was released [1.9.3.484-2ubuntu1.14])
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was released [2.0.0.484-1ubuntu2.13])
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):released (2.3.1-2~16.04.12)
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):released (2.5.1-1ubuntu1.2)
Ubuntu 19.10 (Eoan Ermine):released (2.5.5-1)
Ubuntu 20.04 (Focal Fossa):released (2.5.5-1)
More Information

Updated: 2020-03-18 21:42:43 UTC (commit 2ea7df7bd1e69e1e489978d2724a936eb3faa1b8)