[Rubygems-developers] Need to release 0.9.1 due to security exploit
Eric Hodel
drbrain at segment7.net
Fri Jan 12 13:59:56 EST 2007
I've checked in fixes for an installation exploit found by Gavin
Sinclair. Here's a draft email describing the exploit and how to fix
RubyGems. I only supplied patches for the past two versions of
RubyGems, since tattle says that's what everybody uses.
Subject: RubyGems 0.9.0 and earlier installation exploit
Problem Description:
RubyGems does not check installation paths for gems before writing
files.
Impact:
Since RubyGems packages are typically installed using root
permissions, arbitrary files may be overwritten on-disk. This may
lead to denial of service, privilege escalation or remote compromise.
Workaround:
No known workarounds
Solution:
a) Upgrade to RubyGems 0.9.1
b) Apply the following patch
For RubyGems 0.9.0:
Attachment: installer.rb.extract_files.REL_0_9_0.patch (application/octet-stream, 1234 bytes)
http://rubyforge.org/pipermail/rubygems-developers/attachments/20070112/dc19ce8c/attachment.obj
For RubyGems 0.8.11:
Attachment: installer.rb.extract_files.REL_0_8_11.patch (application/octet-stream, 1233 bytes)
http://rubyforge.org/pipermail/rubygems-developers/attachments/20070112/dc19ce8c/attachment-0001.obj
Credit to Gavin Sinclair for finding and reporting this problem.
Testing your updated RubyGems:
$ gem install rspec --version 0.7.5
ERROR: While executing gem ... (Gem::InstallError)
attempt to install file into "../web_spec/web_test_html_formatter.rb"
--
Eric Hodel - drbrain at segment7.net - http://blog.segment7.net
I LIT YOUR GEM ON FIRE!
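The kind of destination check a fixed extract_files needs, written as an added example rather than the patch attached to the post: every file path listed in the gem is resolved against the install directory and rejected if it lands outside it (the "../web_spec/..." entry from the rspec 0.7.5 test above is the failing case). The class name UnsafeInstallPath, the helper names and the sample entries are assumptions for this example.

```ruby
require 'fileutils'
require 'tmpdir'

# Added example, not RubyGems' own code. UnsafeInstallPath is a
# hypothetical error class standing in for Gem::InstallError.
class UnsafeInstallPath < StandardError; end

# Returns the absolute destination for +entry+ under +install_dir+, or
# raises if the entry would escape the directory via '..' or an
# absolute path. File.absolute_path is used instead of File.expand_path
# because expand_path would also honour a leading '~', which is another
# way an entry could point outside the gem directory.
def safe_install_path(install_dir, entry)
  base = File.absolute_path(install_dir)
  dest = File.absolute_path(entry, base)
  # A valid destination is the base itself or a path strictly beneath it;
  # the trailing separator stops "/gems/foo" from matching "/gems/foobar".
  unless dest == base || dest.start_with?(base + File::SEPARATOR)
    raise UnsafeInstallPath, "attempt to install file into #{entry.inspect}"
  end
  dest
end

# Validate every entry before writing anything, so one bad path aborts
# the whole install rather than leaving a half-written gem behind.
def validate_entries(install_dir, entries)
  entries.map { |e| safe_install_path(install_dir, e) }
end

# Minimal extractor: +entries+ maps relative file names to their contents
# (constructed input here; a real gem reads them from the data tarball).
# Note that symlinks already present under install_dir are not resolved,
# so the directory itself must be trusted.
def extract_files(install_dir, entries)
  validate_entries(install_dir, entries.keys)
  entries.each do |entry, data|
    dest = safe_install_path(install_dir, entry)
    FileUtils.mkdir_p(File.dirname(dest))
    File.open(dest, 'wb') { |f| f.write(data) }
  end
end
```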