On Sun, 09 Aug 2009 15:34:18 +0900 Daigo Moriwaki wrote:
> Hello Michael,
>
> Michael S. Gilbert wrote:
> > package: rubygems1.9
> > version: 1.3.1
> > tags: security
> > severity: serious
> >
> > hello, it has been disclosed that a specially crafted gem archive could
> > be used to overwrite system files. confirmed for 1.3.x, but older
> > versions may also be affected. please check and help the security
> > team prepare updates for the stable releases. see:
> >
> > http://bugs.gentoo.org/show_bug.cgi?id=278566
> > http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/24472
> > http://redmine.ruby-lang.org/issues/show/1800
>
> Thank you for the references. I have just read them.
>
> In Debian, executables from gems install into a particular directory specific to
> RubyGems such as /var/lib/gems/{1.8|1.9.0}/bin instead of the system directory
> /usr/bin. There should be no risk of the kind they talked about.
>
> If you think of any problems in Debian, please let me know; otherwise, please
> close this ticket.
What about installing a rogue 'ls' to '/var/lib/gems/{1.8|1.9.0}/bin'? I've never used rubygems before, so I'm not sure how paths are configured. Would this override the system 'ls'?

mike

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
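Whether a rogue 'ls' dropped into a gems bin directory shadows the system one comes down to the order of directories in PATH: the shell takes the first executable match, left to right. The script below is an added example, not part of this bug thread and not RubyGems code. It builds a constructed directory layout under a temporary directory (the `usr/bin` and `var/lib/gems/1.8/bin` paths there are stand-ins, not real system directories) and resolves a command name the way the shell does, reporting which directory wins for a given PATH value.

```shell
#!/bin/sh
# Added example (not from the bug thread): report which directory on a
# given PATH value would resolve a command name first, and whether a
# candidate directory (e.g. a RubyGems bin dir) is searched before the
# system directories. All directories and PATH values used in demo() are
# constructed for the demonstration.

# resolve_first NAME PATHVALUE
# Prints the first directory in PATHVALUE (searched left to right, like
# the shell) that holds an executable file NAME; returns 1 if none does.
resolve_first() {
    name=$1
    dirs=$2
    old_ifs=$IFS
    IFS=:
    for d in $dirs; do
        [ -z "$d" ] && d=.          # an empty PATH entry means "."
        if [ -f "$d/$name" ] && [ -x "$d/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$d"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# shadows_system NAME CANDIDATE_DIR PATHVALUE
# Exit 0 when NAME, resolved through PATHVALUE, comes from CANDIDATE_DIR,
# i.e. the candidate directory shadows whatever the system dirs provide.
shadows_system() {
    first=$(resolve_first "$1" "$3") || return 1
    [ "$first" = "$2" ]
}

# Demonstration with a constructed layout under a temporary directory.
demo() {
    tmp=$(mktemp -d)
    sys="$tmp/usr/bin"
    gems="$tmp/var/lib/gems/1.8/bin"
    mkdir -p "$sys" "$gems"
    printf '#!/bin/sh\necho real ls\n' > "$sys/ls";  chmod +x "$sys/ls"
    printf '#!/bin/sh\necho rogue ls\n' > "$gems/ls"; chmod +x "$gems/ls"

    # System directories first: the copy in the gems dir is never reached.
    printf 'PATH=sys:gems  -> ls comes from %s\n' "$(resolve_first ls "$sys:$gems")"
    # Gems directory prepended to PATH: the rogue copy wins.
    printf 'PATH=gems:sys  -> ls comes from %s\n' "$(resolve_first ls "$gems:$sys")"

    if shadows_system ls "$gems" "$gems:$sys"; then
        echo "gems dir shadows the system ls when it precedes it in PATH"
    fi
    rm -rf "$tmp"
}
demo
```

To check a real machine rather than the constructed layout, call `shadows_system ls /var/lib/gems/1.8/bin "$PATH"` (or the 1.9.0 directory) and look at the exit status; a 0 means that directory is searched before wherever the system's ls lives.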