[Rubygems-developers] Need to release 0.9.1 due to security exploit

Eric Hodel drbrain at segment7.net
Tue Jan 16 22:05:36 EST 2007


On Jan 16, 2007, at 14:11, Paul Duncan wrote:
> * Eric Hodel (drbrain at segment7.net) wrote:
>> On Jan 12, 2007, at 22:58, Paul Duncan wrote:
>>> * Eric Hodel (drbrain at segment7.net) wrote:
> [snipped]
>>>> RubyGems does not check installation paths for gems before writing
>>>> files.
>>>
>>> The potential security problems with RubyGems are actually much worse
>>> than that.  Documentation and tests are executed as the user doing the
>>> install (which, as you said, is usually root).  That means I can embed
>>> arbitrary Ruby code in the documentation template and it will
>>> usually be run as root.  For example:
>>
>> I don't think there's an easy way around this one.
>
> Easy is certainly subjective, but there are a couple ways to "fix" the
> documentation hole:

Currently no user-generated code is run to create the documentation.
The RDoc tool doesn't eval anything, so I think generating
documentation is safe.  (Of course, I'm not 100% certain you can't
get code eval'd by running RDoc on it, only 99%.)

Running unit tests and building extensions is less safe.

-- 
Eric Hodel - drbrain at segment7.net - http://blog.segment7.net

I LIT YOUR GEM ON FIRE!
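The first point in the quoted thread is that RubyGems wrote gem files without checking the installation path. The following is an added Ruby example of the kind of check an installer can run before writing anything; it is not RubyGems' own code, the function names `safe_install_path?` and `check_gem_entries` are hypothetical, and the entry names in the usage block are constructed samples.

```ruby
# Added example (not RubyGems' own code): decide whether a file entry
# from a gem archive may be written under the chosen installation
# directory. The destination is resolved lexically (no filesystem
# access) and must stay strictly inside install_dir.
def safe_install_path?(install_dir, entry_name)
  return false if entry_name.nil? || entry_name.empty?
  return false if entry_name.start_with?('/') # absolute paths are never allowed

  base = File.expand_path(install_dir)        # normalises, drops trailing "/"
  dest = File.expand_path(entry_name, base)   # collapses "." and ".." components

  # Require base + separator as a prefix so that "base_evil/x" is not
  # mistaken for a child of "base", and "." (dest == base) is rejected.
  dest.start_with?(base + File::SEPARATOR)
end

# Partition archive entry names into writable and rejected ones. A
# caller should refuse the whole gem if anything is rejected rather
# than silently skipping the offending entries.
# Caveat: this is a lexical check only; symlinks already present on
# disk under install_dir are not resolved here.
def check_gem_entries(install_dir, entry_names)
  ok, bad = entry_names.partition { |n| safe_install_path?(install_dir, n) }
  { accepted: ok, rejected: bad }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample entries: two legitimate, three that escape the gem dir.
  sample = ['lib/foo.rb', 'bin/foo', '../../etc/passwd', '/etc/passwd', 'lib/../../x']
  p check_gem_entries('/usr/lib/ruby/gems/1.8/gems/foo-1.0', sample)
end
```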