[Rubygems-developers] Need to release 0.9.1 due to security exploit

Eric Hodel drbrain at segment7.net
Tue Jan 16 15:07:33 EST 2007


On Jan 12, 2007, at 22:58, Paul Duncan wrote:
> * Eric Hodel (drbrain at segment7.net) wrote:
>> I've checked in fixes for an installation exploit found by Gavin
>> Sinclair.  Here's a draft email describing the exploit and how to fix
>> RubyGems.  I only supplied patches for the past two versions of
>> RubyGems, since tattle says that's what everybody uses.
>>
>> Subject: RubyGems 0.9.0 and earlier installation exploit
>>
>> Problem Description:
>>
>> RubyGems does not check installation paths for gems before writing
>> files.
>
> The potential security problems with RubyGems are actually much worse
> than that.  Documentation and tests are executed as the user doing the
> install (which, as you said, is usually root).  That means I can embed
> arbitrary Ruby code in either the documentation template and it will
> usually be run as root.  For example:

I don't think there's an easy way around this one.

> Obviously the same thing can be done with unit tests.  While  
> neither of
> these are a bug with RubyGems per-se, they're both convenient  
> places to
> hide sneak away code that will be run as root on a lot of machines at
> install time.

I think I'll pull the ability to run unit tests out of gem install  
for 0.9.2.  The whole thing is various shades of broken anyhow and  
needs a revamp.

-- 
Eric Hodel - drbrain at segment7.net - http://blog.segment7.net

I LIT YOUR GEM ON FIRE!



More information about the Rubygems-developers mailing list