[Rubygems-developers] Need to release 0.9.1 due to security exploit

Eric Hodel drbrain at segment7.net
Fri Jan 12 15:53:00 EST 2007


On Jan 12, 2007, at 11:17, Eric Hodel wrote:
> On Jan 12, 2007, at 10:59, Eric Hodel wrote:
>
>> I've checked in fixes for an installation exploit found by Gavin
>> Sinclair.  Here's a draft email describing the exploit and how to
>> fix RubyGems.  I only supplied patches for the past two versions of
>> RubyGems, since tattle says that's what everybody uses.
>>
>> b) Apply the following patch
>>
>> For RubyGems 0.9.0:
>>
>> <installer.rb.extract_files.REL_0_9_0.patch>
>>
>> For RubyGems 0.8.11:
>>
>> <installer.rb.extract_files.REL_0_8_11.patch>
>
> Note: I didn't test either of these patches.  The 0.9.0 patch applied
> cleanly with offset.  The 0.8.11 one I had to do by hand.
>
> If anybody still has a 0.8.11, please test this patch.

Evan Phoenix reported my patch was bogus.  This patch should apply
correctly:

A non-text attachment was scrubbed...
Name: installer.rb.extract_files.REL_0_8_11.patch
Type: application/octet-stream
Size: 1397 bytes
Desc: not available
Url : http://rubyforge.org/pipermail/rubygems-developers/attachments/20070112/132911d5/attachment-0001.obj

-- 
Eric Hodel - drbrain at segment7.net - http://blog.segment7.net

I LIT YOUR GEM ON FIRE!
