Bundler: Insecure installation — GLSA 201609-02

A vulnerability has been found in Bundler, allowing injection of arbitrary code via the gem installation process.

Affected Packages

dev-ruby/bundler on all architectures
Affected versions < 1.7.3
Unaffected versions >= 1.7.3

Background

Bundler provides a consistent environment for Ruby projects by tracking and installing the exact gems and versions that are needed.

Description

Bundler, allows the installation of gems from different sources with the same names, when multiple top-level gem sources are used.

Impact

Remote attackers could inject arbitrary code via the gem install process.

Workaround

There is no known workaround at this time.

Resolution

All Bundler users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-ruby/bundler-1.7.3"
 

References

Release Date
September 26, 2016

Latest Revision
September 26, 2016: 1

Severity
normal

Exploitable
remote

Bugzilla entries