[Rubygems-developers] Trojan a RubyGems Package in 3 Easy Steps (was "Re: Need to release 0.9.1 due to security exploit")

Paul Duncan pabs at pablotron.org
Wed Jan 17 10:58:48 EST 2007


* Tom Copeland (tom at infoether.com) wrote:
> On Tue, 2007-01-16 at 23:05 -0500, Paul Duncan wrote:
> >  if I
> > wanted to install a trojan on thousands of peoples' machines, all I'd
> > need to do would be to build a malicious gem (see below), called
> > "rails-2.0" and upload it to my gem directory, then sit and wait.
> 
> Hm, but that gem wouldn't be deployed on the RubyForge gem index unless
> it was uploaded to the rails project on RubyForge... so only folks who
> deliberately downloaded the gem from your project area would get
> p0wnd...

That's a good start, but it doesn't address the situation where one of
the mirrors or RubyForge itself is compromised, and a malicious gem is
forcibly inserted into the rotation.

> Yours,
> 
> Tom

-- 
Paul Duncan <pabs at pablotron.org>        OpenPGP Key ID: 0x82C29562
http://www.pablotron.org/               http://www.paulduncan.org/
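The threat Paul raises above is a mirror (or the index host itself) substituting a gem in the rotation. The defensive counterpart is to make the install decision depend on something the mirror cannot forge: a detached signature under a publisher key pinned on the installing machine, checked before the gem is unpacked. The following Ruby block is an added illustration, not code from the RubyGems project or from this thread; the publisher and mirror keys, the gem contents and the three "mirrors" are all constructed in memory for the example.

```ruby
require "openssl"

# Hypothetical publisher key pair, generated in memory for this example.
# In practice only the public half would be pinned on the installing host.
PUBLISHER_KEY    = OpenSSL::PKey::RSA.new(2048)
PUBLISHER_PUBKEY = OpenSSL::PKey::RSA.new(PUBLISHER_KEY.public_key.to_pem)

# Publisher side: detached RSA/SHA-256 signature over the gem file bytes.
def sign_gem(gem_bytes, private_key)
  private_key.sign(OpenSSL::Digest.new("SHA256"), gem_bytes)
end

# Installer side: a gem is accepted only if its detached signature
# verifies under the pinned publisher key. A mirror can swap the bytes,
# but it cannot produce a valid signature under a key it does not hold.
def verify_gem(gem_bytes, signature, public_key)
  public_key.verify(OpenSSL::Digest.new("SHA256"), signature, gem_bytes)
rescue OpenSSL::PKey::PKeyError
  false
end

# Constructed stand-ins for real .gem archives.
GENUINE_GEM  = "genuine rails-2.0 gem bytes (constructed)"
TROJANED_GEM = "rails-2.0 gem with an extra install hook (constructed)"
GENUINE_SIG  = sign_gem(GENUINE_GEM, PUBLISHER_KEY)

# Constructed mirror rotation:
#   honest   - serves the publisher's gem and signature unchanged
#   replaced - serves a replaced gem but can only replay the old signature
#   resigned - serves a replaced gem signed with the mirror's own key
MIRROR_KEY = OpenSSL::PKey::RSA.new(2048)
MIRRORS = {
  "honest"   => { bytes: GENUINE_GEM,  sig: GENUINE_SIG },
  "replaced" => { bytes: TROJANED_GEM, sig: GENUINE_SIG },
  "resigned" => { bytes: TROJANED_GEM, sig: sign_gem(TROJANED_GEM, MIRROR_KEY) },
}

# Install decision for one mirror: :ok to proceed, :rejected to refuse.
def check_mirror(name, pubkey = PUBLISHER_PUBKEY)
  entry = MIRRORS.fetch(name)
  verify_gem(entry[:bytes], entry[:sig], pubkey) ? :ok : :rejected
end

if __FILE__ == $PROGRAM_NAME
  MIRRORS.each_key { |m| puts "#{m}: #{check_mirror(m)}" }
end
```

Only the honest mirror passes; the two substituted copies are refused regardless of which host in the rotation served them, which is the property the RubyForge-index-only check discussed above does not give you. The same pinned-key check applies equally to a per-gem checksum file, provided the checksums themselves are fetched or signed out of band from the mirror.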