tmp_home_path insecure

[boutil]

Hi,

If the home directory of the user is not writable the function tmp_home_path from lib/bundler.rb, creates an insecure temporary directory in tmp/:

• it is a world writable
• it has a with a predictable name.
  Moreover, this temporary directory is not removed at the end.

See:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796383
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881749
for more details.

Thanks in advance.

[ghost]

Potentially useful information, for whoever attempts to fix this:

[Here's] how we suggest you (a Linux application developer) pick the right directory to use [for temporary files]:

1. You need a place to put your socket (or other communication primitive) and your code runs privileged: use a subdirectory beneath /run. (Or beneath /var/run for extra compatibility.)
2. You need a place to put your socket (or other communication primitive) and your code runs unprivileged: use a subdirectory beneath $XDG_RUNTIME_DIR.
3. You need a place to put your larger downloads and downloads in progress and run unprivileged: use $XDG_DOWNLOAD_DIR.
4. You need a place to put cache files which should be persistent and run unprivileged: use $XDG_CACHE_HOME.
5. Nothing of the above applies and you need to place a small file that needs no persistency: use $TMPDIR with a fallback on /tmp. And use mkstemp(), and mkdtemp() and nothing homegrown.
6. Otherwise use $TMPDIR with a fallback on /var/tmp. Also use mkstemp()/mkdtemp().

(Source.)

[colby-swandale]

Thanks for the report, we will take a look at this issue when we can.

[d-hat]

This issue was assigned CVE-2019-3881.

Debian has patches relating to this issue:

https://sources.debian.org/src/bundler/1.17.3-3/debian/patches/0005-Don-t-use-insecure-temporary-directory-as-home-direc.patch/
https://sources.debian.org/src/bundler/1.17.3-3/debian/patches/0006-Remove-temporary-home-directories.patch/