[Rubygems-developers] Need to release 0.9.1 due to security exploit
chad at chadfowler.com
Fri Jan 12 16:07:51 EST 2007
On 1/12/07, Eric Hodel <drbrain at segment7.net> wrote:
> On Jan 12, 2007, at 11:17, Eric Hodel wrote:
> > On Jan 12, 2007, at 10:59, Eric Hodel wrote:
> >> I've checked in fixes for an installation exploit found by Gavin
> >> Sinclair. Here's a draft email describing the exploit and how to
> >> fix RubyGems. I only supplied patches for the past two versions of
> >> RubyGems, since tattle says that's what everybody uses.
> >> b) Apply the following patch
> >> For RubyGems 0.9.0:
> >> <installer.rb.extract_files.REL_0_9_0.patch>
> >> For RubyGems 0.8.11:
> >> <installer.rb.extract_files.REL_0_8_11.patch>
> > Note: I didn't test either of these patches. The 0.9.0 patch applied
> > cleanly with offset. The 0.8.11 I had to do by hand.
> > If anybody still has a 0.8.11, please test this patch.
> Evan Phoenix reported my patch was bogus. This patch should apply
This works for me (I downgraded to 0.8.11 to try it). Though if
you're on 0.8.11, you're going to have trouble with spec attributes
that don't work anyway. Probably a good time to just tell people to
upgrade and give them a window after which we shut them down.