[Rubygems-developers] Need to release 0.9.1 due to security exploit
drbrain at segment7.net
Tue Jan 16 15:07:33 EST 2007
On Jan 12, 2007, at 22:58, Paul Duncan wrote:
> * Eric Hodel (drbrain at segment7.net) wrote:
>> I've checked in fixes for an installation exploit found by Gavin
>> Sinclair. Here's a draft email describing the exploit and how to fix
>> RubyGems. I only supplied patches for the past two versions of
>> RubyGems, since tattle says that's what everybody uses.
>> Subject: RubyGems 0.9.0 and earlier installation exploit
>> Problem Description:
>> RubyGems does not check installation paths for gems before writing
> The potential security problems with RubyGems are actually much worse
> than that. Documentation and tests are executed as the user doing the
> install (which, as you said, is usually root). That means I can embed
> arbitrary Ruby code in either the documentation template and it will
> usually be run as root. For example:
I don't think there's an easy way around this one.
> Obviously the same thing can be done with unit tests. While neither of
> these is a bug with RubyGems per se, they're both convenient places to
> hide sneak away code that will be run as root on a lot of machines at
> install time.
I think I'll pull the ability to run unit tests out of gem install
for 0.9.2. The whole thing is various shades of broken anyhow and
needs a revamp.
Eric Hodel - drbrain at segment7.net - http://blog.segment7.net
I LIT YOUR GEM ON FIRE!
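The first problem in the draft advisory above is that installation paths are not checked before gem contents are written to disk. The following is an added example of the kind of containment check an installer needs, written for this page and not RubyGems' own fix; the install directory and the entry names are constructed, and the function names are hypothetical. It does not address the second issue raised in the thread (RDoc templates and unit tests executing as the installing user), which no path check can solve.

```ruby
# Constructed install root; in practice this is the gem's directory under
# GEM_HOME (assumption for the example, not a real path on any system).
INSTALL_DIR = "/var/lib/gems/1.8/gems/evil-1.0"

# Return the absolute path under install_dir that an archive entry may be
# written to, or nil if the entry would land outside it. (Hypothetical
# helper name; not part of RubyGems.)
def safe_install_path(install_dir, entry_name)
  root = File.expand_path(install_dir)
  name = entry_name.to_s
  # Absolute paths and "~user" prefixes are rejected outright:
  # File.expand_path honours both and would ignore the base directory.
  return nil if name.empty? || name.start_with?("/", "~")
  # Backslash separators would be ignored here but traverse on Windows,
  # so refuse them rather than guess at the target platform.
  return nil if name.include?("\\")
  full = File.expand_path(name, root)
  # The result must be strictly inside root. Comparing against
  # root + separator also rejects a sibling directory whose name merely
  # begins with root (e.g. ".../evil-1.0-other").
  return nil unless full.start_with?(root + File::SEPARATOR)
  full
end

# Split a gem's entry list (e.g. from data.tar.gz) into writable and
# rejected names. Hypothetical helper name.
def partition_entries(install_dir, entries)
  entries.partition { |e| safe_install_path(install_dir, e) }
end

# Constructed sample entries: two benign, four that escape the install dir.
SAMPLE_ENTRIES = [
  "lib/evil.rb",
  "lib/../lib/helper.rb",            # normalises to lib/helper.rb, still inside
  "../../../../../etc/cron.d/evil",  # traversal out of the install directory
  "/etc/ld.so.preload",              # absolute path
  "~root/.bashrc",                   # home-directory expansion
  "..\\..\\evil.rb",                 # backslash separators
]

if __FILE__ == $0
  ok, bad = partition_entries(INSTALL_DIR, SAMPLE_ENTRIES)
  ok.each  { |e| puts "write   #{e} -> #{safe_install_path(INSTALL_DIR, e)}" }
  bad.each { |e| puts "REJECT  #{e}" }
end
```

The check normalises first and compares afterwards; comparing the raw entry name against ".." would miss "lib/../../x" and accept "lib/../lib/x" for the wrong reason. It still says nothing about symlinks already present under the install directory, which a real installer must resolve with the filesystem before each write.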