[Rubygems-developers] Need to release 0.9.1 due to security exploit
curt.hibbs at gmail.com
Tue Jan 16 17:12:17 EST 2007
FYI... As soon as you guys are ready to release something, I'm ready to release a new One-Click Ruby Installer that contains it.
On 1/16/07, Eric Hodel <drbrain at segment7.net> wrote:
> On Jan 12, 2007, at 22:58, Paul Duncan wrote:
> > * Eric Hodel (drbrain at segment7.net) wrote:
> >> I've checked in fixes for an installation exploit found by Gavin
> >> Sinclair. Here's a draft email describing the exploit and how to fix
> >> RubyGems. I only supplied patches for the past two versions of
> >> RubyGems, since tattle says that's what everybody uses.
> >> Subject: RubyGems 0.9.0 and earlier installation exploit
> >> Problem Description:
> >> RubyGems does not check installation paths for gems before writing
> >> files.
> > The potential security problems with RubyGems are actually much worse
> > than that. Documentation and tests are executed as the user doing the
> > install (which, as you said, is usually root). That means I can embed
> > arbitrary Ruby code in either the documentation template and it will
> > usually be run as root. For example:
> I don't think there's an easy way around this one.
> > Obviously the same thing can be done with unit tests. While neither of
> > these are a bug with RubyGems per se, they're both convenient places to
> > hide sneak away code that will be run as root on a lot of machines at
> > install time.
> I think I'll pull the ability to run unit tests out of gem install
> for 0.9.2. The whole thing is various shades of broken anyhow and
> needs a revamp.
> Eric Hodel - drbrain at segment7.net - http://blog.segment7.net
> I LIT YOUR GEM ON FIRE!
> Rubygems-developers mailing list
> Rubygems-developers at rubyforge.org
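The first problem Eric's draft describes is that RubyGems 0.9.0 and earlier wrote gem files without checking that their paths stayed inside the installation directory. The following is an added example of the kind of check an installer needs, not code from RubyGems or from anyone in this thread; the function names, the sample file list and the `/tmp/gems/foo` install directory are all constructed for illustration.

```ruby
# Added example (not RubyGems code): reject gem file entries whose destination
# would land outside the install directory. This is the class of check the
# thread says RubyGems 0.9.0 and earlier lacked before writing files.

# Returns true if `entry` (a file name taken from a gem archive) resolves to a
# path inside `install_dir`, false otherwise. Absolute paths and "~" expansion
# are refused outright; "../" escapes are caught by expanding the path and
# requiring the install directory as a prefix. Note that File.expand_path does
# not resolve symlinks, so an installer would additionally need to refuse or
# special-case symlink entries, which this example does not cover.
def safe_install_path?(install_dir, entry)
  base = File.expand_path(install_dir)
  return false if entry.start_with?('/')   # absolute destination, never allowed
  return false if entry.start_with?('~')   # would expand to a home directory
  target = File.expand_path(entry, base)
  # Accept only base itself or a path strictly below base. Appending the
  # separator prevents "/tmp/gems/foo2" from matching "/tmp/gems/foo".
  target == base || target.start_with?(base + File::SEPARATOR)
end

# Split a gem's file list into entries that may be written and entries that
# must be rejected; an installer would abort on any rejection rather than
# silently skip it.
def partition_gem_entries(install_dir, entries)
  allowed, rejected = entries.partition { |e| safe_install_path?(install_dir, e) }
  { allowed: allowed, rejected: rejected }
end

# Constructed sample file list resembling what an untrusted gem could carry.
SAMPLE_ENTRIES = [
  'lib/foo.rb',
  'bin/foo',
  '../../../etc/passwd',              # escapes the install dir via ".."
  '/usr/lib/ruby/site_ruby/evil.rb',  # absolute path into the system tree
  'lib/../lib/bar.rb'                 # stays inside after normalisation
].freeze

if __FILE__ == $PROGRAM_NAME
  result = partition_gem_entries('/tmp/gems/foo', SAMPLE_ENTRIES)
  puts "allowed:  #{result[:allowed].inspect}"
  puts "rejected: #{result[:rejected].inspect}"
end
```

The comparison is done on the expanded absolute path rather than by searching the raw string for `..`, because `lib/../lib/bar.rb` is harmless while `../foo2/x` escapes to a sibling directory; only the normalised result tells the two apart.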