Contents

---
library: rubygems
cve: 2019-8320
url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
title: Delete directory using symlink when decompressing tar
date: 2019-03-05
description: |
  A Directory Traversal issue was discovered in RubyGems 2.7.6 and later
  through 3.0.2. Before making new directories or touching files (which now
  include path-checking code for symlinks), it would delete the target
  destination. If that destination was hidden behind a symlink, a malicious gem
  could delete arbitrary files on the user’s machine, presuming the attacker
  could guess at paths. Given how frequently gem is run as sudo, and how
  predictable paths are on modern systems (/tmp, /usr, etc.), this could
  likely lead to data loss or an unusable system.
unaffected_versions:
  - "< 2.7.6"
patched_versions:
  - ">= 3.0.3"
  - "~> 2.7.9"

Version data entries

2 entries across 2 versions & 1 rubygems

Version	Path
bundler-budit-0.6.2	data/ruby-advisory-db/libraries/rubygems/CVE-2019-8320.yml
bundler-budit-0.6.1	data/ruby-advisory-db/libraries/rubygems/CVE-2019-8320.yml