Control: reassign -1 ruby-bundler
Control: tags -1 + security
Quack,

This repository is created by bundler, and there is no code in the
redmine package specifying this repository, so this is using the default
Bundler behavior.

In fact someone already reported about this directory being created and
left over in #796383, without seeing the security implications.

Also I looked into the code and in /usr/lib/ruby/vendor_ruby/bundler.rb
you can read the 'tmp_home_path' method:
    path = Pathname.new(Dir.tmpdir).join("bundler", "home")
    SharedHelpers.filesystem_access(path) do |tmp_home_path|
      unless tmp_home_path.exist?
        tmp_home_path.mkpath
        tmp_home_path.chmod(0o777)

This is really horrible and I wonder how it was not found out earlier.

Anyway, reassigning and thanks for finding this out.
\_o<
--
Marc Dequènes
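
The pattern quoted in the message above (a fixed path under the system temp directory, made mode 0777) next to a private per-user alternative, as an added example that is not part of the original message and is not Bundler's code. The helper names and the `bundler-home-<uid>` directory name are hypothetical, and the demo runs in a constructed throwaway sandbox.

```ruby
require "fileutils"
require "tmpdir"

# Hypothetical audit helper: lists reasons an existing directory is unsafe
# to use as a fallback HOME for the user identified by uid.
def tmp_home_problems(path, uid = Process.euid)
  st = File.lstat(path) # lstat: inspect the entry itself, never a symlink target
  problems = []
  problems << "not a real directory" unless st.directory?
  problems << "owned by uid #{st.uid}, expected #{uid}" unless st.uid == uid
  if st.mode & 0o022 != 0
    problems << format("mode %04o is group/world writable", st.mode & 0o7777)
  end
  problems
end

# Hypothetical hardened replacement: one private directory per user,
# created atomically, and never reused if it fails the audit.
def private_tmp_home(base = Dir.tmpdir, uid = Process.euid)
  path = File.join(base, "bundler-home-#{uid}")
  begin
    Dir.mkdir(path, 0o700) # raises EEXIST if anything already sits at path
  rescue Errno::EEXIST
    problems = tmp_home_problems(path, uid)
    raise SecurityError, "#{path}: #{problems.join('; ')}" unless problems.empty?
  end
  path
end

# Constructed demo: reproduce the quoted pattern inside a sandbox directory,
# then create the private variant beside it and audit both.
def demo
  Dir.mktmpdir do |base|
    shared = File.join(base, "bundler", "home")
    FileUtils.mkdir_p(shared)
    File.chmod(0o777, shared) # same mode as in the quoted method
    safe = private_tmp_home(base)
    { shared: tmp_home_problems(shared),
      private: tmp_home_problems(safe),
      mode: File.lstat(safe).mode & 0o777 }
  end
end
```
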