[Rubygems-developers] Need to release 0.9.1 due to security exploit

Chad Fowler chad at chadfowler.com
Fri Jan 12 16:07:51 EST 2007


On 1/12/07, Eric Hodel <drbrain at segment7.net> wrote:
> On Jan 12, 2007, at 11:17, Eric Hodel wrote:
> > On Jan 12, 2007, at 10:59, Eric Hodel wrote:
> >
> >> I've checked in fixes for an installation exploit found by Gavin
> >> Sinclair.  Here's a draft email describing the exploit and how to
> >> fix RubyGems.  I only supplied patches for the past two versions of
> >> RubyGems, since tattle says that's what everybody uses.
> >>
> >> b) Apply the following patch
> >>
> >> For RubyGems 0.9.0:
> >>
> >> <installer.rb.extract_files.REL_0_9_0.patch>
> >>
> >> For RubyGems 0.8.11:
> >>
> >> <installer.rb.extract_files.REL_0_8_11.patch>
> >
> > Note: I didn't test either of these patches.  The 0.9.0 patch applied
> > cleanly with offset.  The 0.8.11 I had to do by hand.
> >
> > If anybody still has a 0.8.11, please test this patch.
>
> Evan Phoenix reported my patch was bogus.  This patch should apply
> correctly:
>
>

This works for me (I downgraded to 0.8.11 to try it).  Though if
you're on 0.8.11, you're going to have trouble with spec attributes
that don't work anyway.  Probably a good time to just tell people to
upgrade and give them a window after which we shut them down.

Chad
