[Rubygems-developers] Trojan a RubyGems Package in 3 Easy Steps (was "Re: Need to release 0.9.1 due to security exploit")

Austin Ziegler halostatue at gmail.com
Wed Jan 17 08:23:14 EST 2007

On 1/17/07, Tom Copeland <tom at infoether.com> wrote:
> On Tue, 2007-01-16 at 23:05 -0500, Paul Duncan wrote:
> >  if I
> > wanted to install a trojan on thousands of peoples' machines, all I'd
> > need to do would be to build a malicious gem (see below), called
> > "rails-2.0" and upload it to my gem directory, then sit and wait.
> Hm, but that gem wouldn't be deployed on the RubyForge gem index unless
> it was uploaded to the rails project on RubyForge... so only folks who
> deliberately downloaded the gem from your project area would get
> p0wnd...

How does that work, Tom? PDF::Writer's gem is pdf-writer but is on the
ruby-pdf project. Transaction::Simple is (I believe)
transaction-simple, but the project name is trans-simple (stupid
15-character project name limit).

Austin Ziegler * halostatue at gmail.com * http://www.halostatue.ca/
               * austin at halostatue.ca * http://www.halostatue.ca/feed/
               * austin at zieglers.ca
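As an added example that is not part of this thread, here is a defender-side check in Ruby for the naming trick Paul describes: it reads the gemspec embedded in a .gem file (or takes a constructed one) and flags a gem name with a version-looking tail such as "rails-2.0", a mismatch between the file name and the embedded metadata, and a declared name that differs from the gem actually requested. The helpers `audit_spec`, `audit_gem_file` and `sample_spec`, and the constructed "rails-2.0" sample, are assumptions of this example, not RubyGems or RubyForge code.

```ruby
require 'rubygems'

# A gem *name* ending in something that looks like a version number
# ("rails-2.0"). In a listing or search result it can pass for a newer
# release of another gem, which is the trick described in the thread.
VERSION_SUFFIX = /\A(?<base>.+?)-(?<tail>\d+(?:\.\d+)*)\z/

# Pure check over a Gem::Specification and the basename of the .gem file
# it came from. Returns an array of finding strings; empty means clean.
def audit_spec(spec, basename, expected_name: nil)
  findings = []
  # 1. The archive's file name must agree with the metadata inside it.
  unless basename == "#{spec.full_name}.gem"
    findings << "file name #{basename} does not match metadata #{spec.full_name}.gem"
  end
  # 2. The declared name must be the one the user actually asked for.
  if expected_name && spec.name != expected_name
    findings << "metadata name #{spec.name.inspect} is not the requested #{expected_name.inspect}"
  end
  # 3. A name carrying a version-looking tail is worth a second look.
  if (m = VERSION_SUFFIX.match(spec.name))
    findings << "name #{spec.name.inspect} looks like #{m[:base].inspect} version #{m[:tail]}"
  end
  findings
end

# Reads the metadata out of a real .gem archive (Gem::Package is the
# standard RubyGems reader) and audits it before any install step runs.
def audit_gem_file(path, expected_name: nil)
  spec = Gem::Package.new(path).spec
  audit_spec(spec, File.basename(path), expected_name: expected_name)
end

# Constructed sample spec; nothing is installed or registered.
def sample_spec(name, version)
  Gem::Specification.new do |s|
    s.name    = name
    s.version = version
    s.summary = "constructed sample for the audit"
    s.authors = ["example"]
  end
end

if $PROGRAM_NAME == __FILE__
  # A gem *named* "rails-2.0" at version 1.0, as in the thread's scenario.
  spec = sample_spec("rails-2.0", "1.0")
  puts audit_spec(spec, "rails-2.0-1.0.gem", expected_name: "rails")
end
```

Run `audit_gem_file("some.gem", expected_name: "rails")` on a downloaded file to apply the same three checks to a real archive.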
