[Rubygems-developers] Need to release 0.9.1 due to security exploit

Curt Hibbs curt.hibbs at gmail.com
Tue Jan 16 17:12:17 EST 2007


FYI... As soon as you guys are ready to release something, I'm ready to
release a new One-Click Ruby Installer that contains it.

Curt

On 1/16/07, Eric Hodel <drbrain at segment7.net> wrote:
>
> On Jan 12, 2007, at 22:58, Paul Duncan wrote:
> > * Eric Hodel (drbrain at segment7.net) wrote:
> >> I've checked in fixes for an installation exploit found by Gavin
> >> Sinclair.  Here's a draft email describing the exploit and how to fix
> >> RubyGems.  I only supplied patches for the past two versions of
> >> RubyGems, since tattle says that's what everybody uses.
> >>
> >> Subject: RubyGems 0.9.0 and earlier installation exploit
> >>
> >> Problem Description:
> >>
> >> RubyGems does not check installation paths for gems before writing
> >> files.
> >
> > The potential security problems with RubyGems are actually much worse
> > than that.  Documentation and tests are executed as the user doing the
> > install (which, as you said, is usually root).  That means I can embed
> > arbitrary Ruby code in either the documentation template and it will
> > usually be run as root.  For example:
>
> I don't think there's an easy way around this one.
>
> > Obviously the same thing can be done with unit tests.  While neither of
> > these are a bug with RubyGems per se, they're both convenient places to
> > hide sneak away code that will be run as root on a lot of machines at
> > install time.
>
> I think I'll pull the ability to run unit tests out of gem install
> for 0.9.2.  The whole thing is various shades of broken anyhow and
> needs a revamp.
>
> --
> Eric Hodel - drbrain at segment7.net - http://blog.segment7.net
>
> I LIT YOUR GEM ON FIRE!
>
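The check the draft advisory calls for (gems must not write outside their install directory), shown as an added Ruby example that is not RubyGems' own code; the install root and every file name below are constructed, and a name is only accepted once its resolved destination lies strictly under the root.

```ruby
require "pathname"

# Return the absolute destination for one entry of a gem's file list,
# or nil if writing there would escape the install root. The decision is
# made on the resolved path, not by grepping for "..", so "lib/../../x"
# and "lib/../lib/ok.rb" are judged by where they actually land.
def safe_install_path(root, entry)
  root = File.expand_path(root)
  # Names that File.expand_path would treat specially must be refused
  # up front: absolute paths, Windows drive letters, "~" (home directory
  # expansion) and embedded NUL bytes.
  return nil if entry.empty? || entry.include?("\0")
  return nil if Pathname.new(entry).absolute? || entry =~ /\A[A-Za-z]:/
  return nil if entry.start_with?("~")
  dest = File.expand_path(entry, root)
  prefix = root == "/" ? "/" : root + "/"
  # Strictly below the root: the root itself is a directory, never a file.
  return nil unless dest.start_with?(prefix)
  dest
end

# Constructed file list in the shape a hostile gem could ship.
SAMPLE_ENTRIES = [
  "lib/foo.rb",
  "lib/../lib/bar.rb",
  "../../.ssh/authorized_keys",
  "/etc/cron.d/evil",
  "lib/./nested/../ok.rb",
  "lib/../../escape.rb",
  "~/.bashrc",
]

# Split a file list into destinations that are safe to write and
# entries that must abort the install.
def plan_install(root, entries)
  accepted, rejected = [], []
  entries.each do |entry|
    dest = safe_install_path(root, entry)
    if dest
      accepted << dest
    else
      rejected << entry
    end
  end
  [accepted, rejected]
end

if __FILE__ == $0
  accepted, rejected = plan_install("/opt/gems/foo-1.0", SAMPLE_ENTRIES)
  puts "would write: #{accepted.inspect}"
  puts "refused:     #{rejected.inspect}"
end
```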