Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive

---
gem: rubygems-update
date: 2019-03-05
url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
cve: 2019-8320
title: Delete directory using symlink when decompressing tar
description: |
  A Directory Traversal issue was discovered in RubyGems 2.7.6 and later
  through 3.0.2. Before making new directories or touching files (which now
  include path-checking code for symlinks), it would delete the target
  destination. If that destination was hidden behind a symlink, a malicious gem
  could delete arbitrary files on the user’s machine, presuming the attacker
  could guess at paths. Given how frequently gem is run as sudo, and how
  predictable paths are on modern systems (/tmp, /usr, etc.), this could
  likely lead to data loss or an unusable system.
unaffected_versions:
- "< 2.7.6"
patched_versions:
- ">= 3.0.3"
- "~> 2.7.9"
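A defensive illustration added to this archive entry, not RubyGems' own patch: a destination check of the kind the fixed versions perform before an extracted path is removed or created, so a symlinked component inside the install tree can no longer redirect the deletion. The helper names (`safe_destination?`, `extract_entry`, `demo`) and the scratch-directory layout are assumptions of this example.

```ruby
require "fileutils"
require "tmpdir"
# True only if +relative+ may be removed or created under +install_dir+: the
# expanded path must stay inside install_dir, and no existing component of it
# may be a symlink (otherwise rm_rf/mkdir would act on the link's target).
def safe_destination?(install_dir, relative)
  root = File.realpath(install_dir)
  dest = File.expand_path(relative, root)
  return false unless dest == root || dest.start_with?(root + File::SEPARATOR)
  current = dest
  while current != root
    return false if File.symlink?(current)
    current = File.dirname(current)
  end
  true
end
# Write one extracted file. The check runs before anything is deleted or
# created; the advisory's bug was deleting the destination first.
def extract_entry(install_dir, relative, content)
  unless safe_destination?(install_dir, relative)
    raise ArgumentError, "refusing unsafe destination #{relative}"
  end
  dest = File.expand_path(relative, File.realpath(install_dir))
  FileUtils.rm_rf(dest) if File.exist?(dest) # only reached for vetted paths
  FileUtils.mkdir_p(File.dirname(dest))
  File.write(dest, content)
  dest
end
# Demonstration in a scratch directory (all paths constructed here): a symlink
# inside the install tree points at an unrelated directory; extracting through
# it must be refused and the file behind the link must survive untouched.
def demo
  Dir.mktmpdir do |tmp|
    install = File.join(tmp, "install")
    outside = File.join(tmp, "outside")
    FileUtils.mkdir_p([install, outside])
    File.write(File.join(outside, "keep.txt"), "important")
    File.symlink(outside, File.join(install, "link"))
    refused = begin
      extract_entry(install, "link/keep.txt", "overwritten")
      false
    rescue ArgumentError
      true
    end
    extract_entry(install, "lib/ok.txt", "fine")
    { refused: refused,
      traversal_refused: !safe_destination?(install, "../outside/keep.txt"),
      victim_intact: File.read(File.join(outside, "keep.txt")) == "important",
      normal_written: File.read(File.join(install, "lib/ok.txt")) == "fine" }
  end
end
```

Running `demo` returns a hash in which every value is `true`; the unsafe entry is rejected before any deletion, while the ordinary `lib/ok.txt` entry is written normally.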