CVE-2018-1000076
Published: 13 March 2018
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.. This vulnerability appears to have been fixed in 2.7.6.
From the Ubuntu security team
It was discovered that the RubyGems embedded in JRuby did not properly verify cryptographic signatures of gems. An attacker could use this vulnerability to trick a victim into installing a malicious gem.
Priority
CVSS 3 base score: 9.8
Status
Package | Release | Status |
---|---|---|
jruby Launchpad, Ubuntu, Debian |
artful |
Ignored
(reached end-of-life)
|
bionic |
Needs triage
|
|
cosmic |
Ignored
(reached end-of-life)
|
|
disco |
Not vulnerable
(9.1.17.0-2)
|
|
eoan |
Not vulnerable
(9.1.17.0-3)
|
|
focal |
Not vulnerable
(9.1.17.0-3)
|
|
groovy |
Not vulnerable
(9.1.17.0-3)
|
|
hirsute |
Not vulnerable
(9.1.17.0-3)
|
|
impish |
Not vulnerable
(9.1.17.0-3)
|
|
precise |
Does not exist
|
|
trusty |
Needed
|
|
upstream |
Needs triage
|
|
xenial |
Ignored
(end of standard support, was needs-triage)
|
|
ruby1.9.1 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
hirsute |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
(trusty was not-affected [code not present])
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
ruby2.0 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
hirsute |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
(trusty was released [2.0.0.484-1ubuntu2.6])
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
ruby2.1 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
hirsute |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
ruby2.3 Launchpad, Ubuntu, Debian |
artful |
Released
(2.3.3-1ubuntu1.4)
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
hirsute |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Released
(2.3.1-2~16.04.7)
|
|
ruby2.5 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Released
(2.5.1-1)
|
|
cosmic |
Released
(2.5.1-1)
|
|
disco |
Released
(2.5.1-1)
|
|
eoan |
Released
(2.5.1-1)
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
hirsute |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
Notes
Author | Note |
---|---|
tyhicks | ruby{1.9.1,2.0,2.3} and jruby ship an embedded rubygems. |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000076
- https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693
- https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
- https://ubuntu.com/security/notices/USN-3621-1
- NVD
- Launchpad
- Debian