### Key Information

#### Vulnerability Overview

- **CVE ID**: CVE-2016-7954
- **Affected Scope**: All stable versions of Bundler
- **Vulnerability Description**: Attackers can inject arbitrary code through any secondary gem source declared in the Gemfile, regardless of whether that source is restricted to specific gems. In the Gemfile below, two sources are declared, so any of the three gems may be fetched from `http://private.com` even if it was meant to come from `http://public.org`.

#### Example

```ruby
source "http://public.org"
source "http://private.com"

gem "foo"
gem "bar"
gem "baz"
```

#### Source Ambiguity Warning

- **Issue**: When a gem could be installed from more than one declared source, Bundler prints a warning advising the user to restrict that gem to a single source.
- **Suggested remedy (from the warning)**: Use the `:source` option or a source block. Neither actually restricts where the gem is installed from, as the two attempts below show.

#### `:source` Option

- **Attempt using the `:source` option**:

```ruby
source "http://public.org"

gem "foo"
gem "bar", source: "http://private.com"
gem "baz"
```

- **Actual Effect**: All three gems are installed from the secondary source, `http://private.com`, not only `bar`.

#### Source Blocks

- **Using source blocks**:

```ruby
source "http://public.org"

gem "newcomb"

source "http://private.com" do
  gem "fair_dice_roll"
end

gem "insecure_random"
```

- **Actual Effect**: The source ambiguity is still not resolved: `newcomb` and `insecure_random` are declared outside the block and can still be installed from `http://private.com`.

#### Mitigation Measures

- **Use Multiple Source Blocks**: Currently, the only way to ensure that a gem is installed from the intended source is to give every gem declaration its own source block, so that no gem is declared outside a block and no block holds more than one gem.

#### Fixing Bundler

- **Report Date**: April 1, 2016
- **Fix Status**: Fixed in the Bundler 2 development branch. No backport to Bundler 1 is planned, because the fix requires backward-incompatible changes.
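An added example, not part of the advisory and not Bundler's own code: a small stand-in for the Gemfile DSL (only `source` and `gem`) with an audit that reports, for each gem, which declared sources could satisfy it and flags every layout the advisory describes as unsafe. The class, its method names and the three constructed Gemfiles (copies of the layouts above plus the recommended one) are this example's own; the install semantics are a model of the advisory's description, under which a gem is pinned to one source only when it sits alone in its own source block.

```ruby
# Stand-in for the Gemfile DSL plus an audit for CVE-2016-7954-style layouts.
# Hypothetical names; the semantics follow the advisory's description, not Bundler's code.
class GemfileAudit
  Entry = Struct.new(:name, :block_id, :block_source, :source_option)

  attr_reader :sources, :entries

  def initialize
    @sources = []                 # every source URL seen, in declaration order
    @entries = []                 # one Entry per gem declaration
    @block_id = nil               # id of the enclosing `source ... do` block, if any
    @block_source = nil           # URL of that enclosing block
    @next_block_id = 0
    @gems_per_block = Hash.new(0) # block id => number of gems declared inside it
  end

  # Evaluate Gemfile text against this stand-in DSL (no network, no Bundler).
  def self.evaluate(text)
    audit = new
    audit.instance_eval(text, "Gemfile", 1)
    audit
  end

  # `source "url"` declares a global source; `source "url" do ... end`
  # scopes the gem declarations inside the block to that source.
  def source(url, &block)
    remember(url)
    return unless block
    outer = [@block_id, @block_source]
    @block_id, @block_source = (@next_block_id += 1), url
    block.call
    @block_id, @block_source = outer
  end

  # `gem "name", source: "url"` only adds another declared source; per the
  # advisory it does not restrict which source the gem is installed from.
  def gem(name, *args)
    opts = args.last.is_a?(Hash) ? args.last : {}
    remember(opts[:source]) if opts[:source]
    @gems_per_block[@block_id] += 1 if @block_id
    @entries << Entry.new(name, @block_id, @block_source, opts[:source])
  end

  # True only for the recommended layout: the gem sits in a source block that
  # declares no other gem, and does not rely on the `:source` option.
  def isolated?(entry)
    !entry.block_id.nil? && @gems_per_block[entry.block_id] == 1 && entry.source_option.nil?
  end

  # Sources the gem may be installed from: its block's source when isolated,
  # otherwise every declared source, whatever `:source` or a shared block says.
  def candidate_sources(name)
    entry = @entries.find { |e| e.name == name }
    raise ArgumentError, "#{name} not declared" unless entry
    isolated?(entry) ? [entry.block_source] : @sources
  end

  # One message per gem that more than one declared source could satisfy.
  def findings
    return [] if @sources.size < 2
    @entries.reject { |e| isolated?(e) }.map do |e|
      reason = if e.source_option then "relies on the :source option"
               elsif e.block_id.nil? then "declared outside any source block"
               else "shares a source block with another gem"
               end
      "#{e.name}: #{reason}; installable from #{candidate_sources(e.name).size} sources"
    end
  end

  private

  def remember(url)
    @sources << url unless @sources.include?(url)
  end
end

# Constructed Gemfiles: the two failing layouts from the advisory and the recommended one.
SOURCE_OPTION_GEMFILE = <<~GEMFILE
  source "http://public.org"
  gem "foo"
  gem "bar", source: "http://private.com"
  gem "baz"
GEMFILE

SOURCE_BLOCK_GEMFILE = <<~GEMFILE
  source "http://public.org"
  gem "newcomb"
  source "http://private.com" do
    gem "fair_dice_roll"
  end
  gem "insecure_random"
GEMFILE

ISOLATED_GEMFILE = <<~GEMFILE
  source "http://public.org" do
    gem "newcomb"
  end
  source "http://private.com" do
    gem "fair_dice_roll"
  end
  source "http://public.org" do
    gem "insecure_random"
  end
GEMFILE

if __FILE__ == $PROGRAM_NAME
  { "source option" => SOURCE_OPTION_GEMFILE, "source block" => SOURCE_BLOCK_GEMFILE,
    "isolated blocks" => ISOLATED_GEMFILE }.each do |label, text|
    puts "#{label}: #{GemfileAudit.evaluate(text).findings.inspect}"
  end
end
```

Running it reports three findings for the `:source` layout, two for the source-block layout (`newcomb` and `insecure_random`, the gems left outside the block) and none for the layout in which every gem has its own block; `candidate_sources` shows the same thing per gem, returning both URLs for any unpinned gem and a single URL only for an isolated one.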