[Rubygems-developers] Need to release 0.9.1 due to security exploit
Eric Hodel
drbrain at segment7.net
Fri Jan 12 15:53:00 EST 2007
On Jan 12, 2007, at 11:17, Eric Hodel wrote:
> On Jan 12, 2007, at 10:59, Eric Hodel wrote:
>
>> I've checked in fixes for an installation exploit found by Gavin
>> Sinclair. Here's a draft email describing the exploit and how to
>> fix RubyGems. I only supplied patches for the past two versions of
>> RubyGems, since tattle says that's what everybody uses.
>>
>> b) Apply the following patch
>>
>> For RubyGems 0.9.0:
>>
>> <installer.rb.extract_files.REL_0_9_0.patch>
>>
>> For RubyGems 0.8.11:
>>
>> <installer.rb.extract_files.REL_0_8_11.patch>
>
> Note: I didn't test either of these patches. The 0.9.0 patch applied
> cleanly with offset. The 0.8.11 I had to do by hand.
>
> If anybody still has a 0.8.11, please test this patch.
Evan Phoenix reported my patch was bogus. This patch should apply
correctly:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: installer.rb.extract_files.REL_0_8_11.patch
Type: application/octet-stream
Size: 1397 bytes
Desc: not available
Url : http://rubyforge.org/pipermail/rubygems-developers/attachments/20070112/132911d5/attachment-0001.obj
-------------- next part --------------
--
Eric Hodel - drbrain at segment7.net - http://blog.segment7.net
I LIT YOUR GEM ON FIRE!