[Rubygems-developers] Need to release 0.9.1 due to security exploit

Eric Hodel drbrain at segment7.net
Fri Jan 12 13:59:56 EST 2007


I've checked in fixes for an installation exploit found by Gavin  
Sinclair.  Here's a draft email describing the exploit and how to fix  
RubyGems.  I only supplied patches for the past two versions of  
RubyGems, since tattle says that's what everybody uses.

Subject: RubyGems 0.9.0 and earlier installation exploit

Problem Description:

RubyGems does not check installation paths for gems before writing  
files.

Impact:

Since RubyGems packages are typically installed using root  
permissions, arbitrary files may be overwritten on-disk.  This may  
lead to denial of service, privilege escalation or remote compromise.

Workaround:

No known workarounds

Solution:

a) Upgrade to RubyGems 0.9.1

b) Apply the following patch

For RubyGems 0.9.0:

[Attachment: installer.rb.extract_files.REL_0_9_0.patch, application/octet-stream, 1234 bytes]
http://rubyforge.org/pipermail/rubygems-developers/attachments/20070112/dc19ce8c/attachment.obj

For RubyGems 0.8.11:

[Attachment: installer.rb.extract_files.REL_0_8_11.patch, application/octet-stream, 1233 bytes]
http://rubyforge.org/pipermail/rubygems-developers/attachments/20070112/dc19ce8c/attachment-0001.obj

Credit to Gavin Sinclair for finding and reporting this problem.

Testing your updated RubyGems:

$ gem install rspec --version 0.7.5
ERROR:  While executing gem ... (Gem::InstallError)
     attempt to install file into "../web_spec/web_test_html_formatter.rb"

-- 
Eric Hodel - drbrain at segment7.net - http://blog.segment7.net

I LIT YOUR GEM ON FIRE!
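The check the advisory above describes (refusing to write a gem's files to any path outside the gem's install directory) can be demonstrated with the following added example. It is not RubyGems' code and not the patch attached to the mail; it is a stand-alone Ruby module written for this page. The module name SafeExtract, its InstallError class, and the gem contents it installs (a Hash of entry name to file body) are all constructed for the example. The destination is computed with File.expand_path against the install directory and accepted only if the normalized result is strictly inside it, so "../web_spec/web_test_html_formatter.rb" from the test run above is rejected while "lib/../lib/foo.rb" is not. Every entry is validated before anything is written, so a bad entry aborts the install before any file lands on disk.

```ruby
require 'fileutils'
require 'tmpdir'

# Added example, not RubyGems' own installer: refuse gem entries whose
# destination would fall outside the gem's install directory.
module SafeExtract
  class InstallError < StandardError; end

  # Return the absolute destination for +entry+ if it stays inside
  # +gem_dir+; otherwise raise InstallError. Rejected: absolute paths,
  # "~" paths (File.expand_path would expand them to a home directory),
  # and relative paths that normalize to a parent of gem_dir.
  def self.destination_for(gem_dir, entry)
    base = File.expand_path(gem_dir)
    prefix = base.end_with?(File::SEPARATOR) ? base : base + File::SEPARATOR
    bad = entry.empty? || entry.start_with?(File::SEPARATOR, '~')
    dest = bad ? nil : File.expand_path(entry, base)
    # The entry must land strictly inside the install directory.
    if dest.nil? || !dest.start_with?(prefix)
      raise InstallError, "attempt to install file into #{entry.inspect}"
    end
    dest
  end

  # The unchecked form for comparison: whatever the entry says, joined
  # onto gem_dir. "../x" from here walks up and out of the gem directory.
  def self.unsafe_destination_for(gem_dir, entry)
    File.join(gem_dir, entry)
  end

  # Install constructed gem contents (Hash of entry => body) into gem_dir.
  # All destinations are validated first, so a single bad entry aborts the
  # install before any file is written.
  def self.extract_files(gem_dir, files)
    plan = files.map { |entry, body| [destination_for(gem_dir, entry), body] }
    plan.each do |dest, body|
      FileUtils.mkdir_p(File.dirname(dest))
      File.write(dest, body)
    end
    plan.map(&:first)
  end

  # Convenience predicate: would +entry+ be accepted for +gem_dir+?
  def self.safe?(gem_dir, entry)
    destination_for(gem_dir, entry)
    true
  rescue InstallError
    false
  end
end

if __FILE__ == $0
  Dir.mktmpdir do |tmp|
    gem_dir = File.join(tmp, 'gems', 'rspec-0.7.5') # constructed path
    written = SafeExtract.extract_files(gem_dir, { 'lib/spec.rb' => "# ok\n" })
    puts "installed: #{written.inspect}"
    begin
      SafeExtract.extract_files(gem_dir,
        { '../web_spec/web_test_html_formatter.rb' => "# outside\n" })
    rescue SafeExtract::InstallError => e
      puts "ERROR: #{e.message}"
    end
  end
end
```

File.expand_path normalizes "." and ".." lexically and does not follow symlinks; if the install directory may already contain symlinked subdirectories, resolving the parent with File.realpath before the prefix comparison closes that gap as well.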
