Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2018-1000076

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.. This vulnerability appears to have been fixed in 2.7.6.

Related bugs and status

CVE-2018-1000076 (Candidate) is related to these bugs:

Bug #1849195: CVE-2018-1000076: rubygems: Improper verification of signatures in tarball allows to install mis-signed gem

Summary				In	Importance	Status
	1849195	CVE-2018-1000076: rubygems: Improper verification of signatures in tarball allows to install mis-signed gem		StarlingX	High	Fix Released

See the

CVE page on Mitre.org for more details.

References

MISC: http://blog.rubygems.o...
MISC: https://github.com/rub...
MLIST: [debian-lts-announce] ...
MLIST: [debian-lts-announce] ...
UBUNTU: USN-3621-1
MLIST: [debian-lts-announce] ...
DEBIAN: DSA-4219
MLIST: [debian-lts-announce] ...
DEBIAN: DSA-4259
REDHAT: RHSA-2018:3729
REDHAT: RHSA-2018:3730
REDHAT: RHSA-2018:3731
MLIST: [debian-lts-announce] ...
SUSE: openSUSE-SU-2019:1771
REDHAT: RHSA-2019:2028
REDHAT: RHSA-2020:0542
REDHAT: RHSA-2020:0591
REDHAT: RHSA-2020:0663