I've checked in fixes for an installation exploit found by Gavin Sinclair. Here's a draft email describing the exploit and how to fix RubyGems. I only supplied patches for the past two versions of RubyGems, since tattle says that's what everybody uses.

Subject: RubyGems 0.9.0 and earlier installation exploit

Problem Description:

RubyGems does not check installation paths for gems before writing files.

Impact:

Since RubyGems packages are typically installed using root permissions, arbitrary files may be overwritten on-disk. This may lead to denial of service, privilege escalation or remote compromise.

Workaround:

No known workarounds

Solution:

a) Upgrade to RubyGems 0.9.1

b) Apply the following patch

For RubyGems 0.9.0:

Attachment: installer.rb.extract_files.REL_0_9_0.patch


For RubyGems 0.8.11:

Attachment: installer.rb.extract_files.REL_0_8_11.patch


Credit to Gavin Sinclair for finding and reporting this problem.

Testing your updated RubyGems:

$ gem install rspec --version 0.7.5
ERROR:  While executing gem ... (Gem::InstallError)
attempt to install file into "../web_spec/ web_test_html_formatter.rb"

--
Eric Hodel - [EMAIL PROTECTED] - http://blog.segment7.net

I LIT YOUR GEM ON FIRE!
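The advisory above says RubyGems wrote gem files without checking where they would land. As an added illustration (not the RubyGems patch itself, and not Eric's code), here is the kind of destination check an installer needs before it writes each file from a gem's file list; the install directory and file list are constructed sample values, and the error text mirrors the output shown in the testing section.

```ruby
# Added example: reject file entries that would escape the gem's install directory.
class UnsafePathError < StandardError; end

# Returns the absolute destination for +entry+ under +install_dir+, or raises
# UnsafePathError when the resolved path is not inside that directory.
def safe_destination(install_dir, entry)
  base = File.expand_path(install_dir)
  # Absolute entries, and "~" entries (which File.expand_path would expand to a
  # home directory), are never legitimate in a gem file list.
  if entry.start_with?("/", "~")
    raise UnsafePathError, "attempt to install file into #{entry.inspect}"
  end
  # Resolve ".." components relative to the install directory.
  dest = File.expand_path(entry, base)
  # Compare with a trailing separator so "/gems/foo" does not accept
  # "/gems/foobar/x.rb" as being inside it.
  unless dest == base || dest.start_with?(base + File::SEPARATOR)
    raise UnsafePathError, "attempt to install file into #{entry.inspect}"
  end
  dest
end

# Checks a whole file list; returns [safe_destinations, rejected_entries].
def check_file_list(install_dir, entries)
  safe = []
  rejected = []
  entries.each do |entry|
    begin
      safe << safe_destination(install_dir, entry)
    rescue UnsafePathError
      rejected << entry
    end
  end
  [safe, rejected]
end

if __FILE__ == $0
  # Constructed sample file list, modelled on the advisory's test output.
  files = ["lib/web_spec.rb",
           "../web_spec/web_test_html_formatter.rb",
           "/etc/passwd",
           "lib/../../escape.rb",
           "lib/a/../b.rb"]
  safe, rejected = check_file_list("/usr/lib/ruby/gems/1.8/gems/rspec-0.7.5", files)
  puts "safe:     #{safe.inspect}"
  puts "rejected: #{rejected.inspect}"
end
```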

_______________________________________________
Rubygems-developers mailing list
Rubygems-developers@rubyforge.org
http://rubyforge.org/mailman/listinfo/rubygems-developers
